Hello, I have an Appwrite Site for which I added a custom domain. However, even though the domain is verified, the SSL certificate generation is failing. It is a subdomain. The logs show this error:
[07:33:25] Processing SSL certificate issuance.
[07:33:25] SSL certificate issuance failed:
DNS verification failed with resolver 8.8.8.8. Domain subdomain.domain.tld has incorrect A value 'XX.XXX.XX.XXX'.
Verify your DNS records are correctly configured and try again.
If they're correct and it still fails, please retry after sometime. DNS records can take up to 48 hours to propagate.
The thing is: the domain has a CNAME entry pointing to the main Appwrite domain, and the IP address for the A value is pointing to the same machine Appwrite is hosted on. How can I solve this error? My domain provider is GoDaddy, and I have added a catch-all CNAME entry * pointing to the domain Appwrite is hosted on.
I also get a success notification "Domain is verified" and I can access the Site using the custom domain added, but the certificate doesn't exist.
I would like some help on this if possible!
Any help please?
hey, before we can help you, are you using the traefik shipped with the docker compose? if yes, it's traefik that should create the certificates on demand when someone tries to reach that domain.
if not, you might need to set up your reverse proxy in a way that automatically creates certificates when reached, or add a wildcard cert matching (though that may not work if appwrite also strictly checks the valid names for that certificate)
I am using traefik shipped with docker compose, but the certificates aren't being generated. I am on Appwrite 1.9.0.
Also, other Functions' certificates are being generated just fine. Could it be a quirk of using wildcard subdomains?
ye that's possible, idk if when appwrite does a dns request, it checks the domain strictly or if a wildcard works. (what does XX.XXX.XX.XXX return? your server IP or something else?)
but i don't think so, as personally my SH setup is appwrite.example.com for API/Realtime and *.appwrite.example.com (both in DNS and traefik)
when you say you can access the website, it's just the browser showing https is broken, right? can you click on it and view the certificate? if it says "TRAEFIK DEFAULT CERT" then ye it's traefik not generating a certificate, and you need to check in the traefik logs why it didn't work
for example this, shows that my website does have https with traefik but the domain isn't covered by any route or certresolvers
Yes, the XX.XXX.XX.XXX is my server IP, which is correct. If Wildcards work then I am not sure what is the issue with this one site
ok so ye, appwrite sees the right DNS (the wildcard one)
so ye i really think it's traefik that is not generating the certificate for you
In the browser, it shows the TRAEFIK DEFAULT CERT like you said. Are the logs I pasted in the original problem different from the traefik logs? How can I check more logs on what the error is?
the logs you pasted on top look like appwrite-api or appwrite-worker-certificate,
you would need the traefik or appwrite-traefik container logs
if you are on linux you could try docker ps -a | grep traefik to find the traefik container
then docker logs <container_id> with the ID you got just above
were you able to find the traefik container?
I did but the logs don't show anything related to the domain that is giving an error
The last log is from 14th May, so no recent logs are there.
hmm strange, if possible can you show us the compose that you have, specifically the traefik and appwrite-api services (hide anything that could leak personal data)
what i'm thinking is that maybe the appwrite-api service has the traefik label with tls = true or tls = {}, but maybe it doesn't have a certresolver to generate the certificate from
This is my docker compose, I don't think I have changed much if anything. I appreciate the help!
ye so it's indeed missing the cert resolver
- https://appwrite.io/docs/advanced/self-hosting/configuration/sites#automated-certificate-generation
- or directly the traefik docs : https://doc.traefik.io/traefik/reference/install-configuration/tls/certificate-resolvers/acme/
also i don't think it's really needed to use DNS-01, you could use HTTP-01 as well, (just be sure for HTTP-01 that the outside can still reach you on http/80 to generate the cert)
- DNS-01 : create a temporary TXT entry in your DNS, generate the certificate with let's encrypt (let's encrypt checks the DNS entry)
- HTTP-01 : request let's encrypt to reach your server IP (from the DNS name), and check if a code is present in the webserver (in a .well-known)
http-01 is kinda the easiest to set up but kinda limited to one node, dns-01 is in a way better because you don't need to expose http + you can be in HA even with free traefik
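To make the missing piece concrete, here is an added compose fragment (written for this thread, not the poster's compose file and not Appwrite's shipped docker-compose.yml) showing a Traefik certificate resolver defined once on the traefik service and then referenced from the routed service's tls.certresolver label, which is the reference the reply above says is missing. Both challenge types from the reply are shown, HTTP-01 active and DNS-01 commented out. The service names, the resolver name "letsencrypt", the entrypoint names, the router rules, example.com and the e-mail address are assumptions/placeholders; the GoDaddy credential variable names are the ones Traefik's ACME DNS providers document, and the Appwrite image tag is the version mentioned in the thread.

```yaml
# Added example, not the thread's compose file and not Appwrite's own.
# Two pieces have to line up: a certificate resolver on the traefik service
# and a tls.certresolver label on the router that references it by name.
# "tls=true" without a certresolver only yields TRAEFIK DEFAULT CERT.
services:
  traefik:
    image: traefik:2.11                   # v2 syntax assumed throughout
    command:
      - --providers.docker=true
      - --providers.docker.exposedByDefault=false
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      # Resolver "letsencrypt" (name is an assumption), HTTP-01 variant:
      # Let's Encrypt connects to port 80 of the IP the hostname resolves to
      # and fetches the token under /.well-known/acme-challenge/. One cert per
      # hostname is issued on first request; wildcards are not possible.
      - --certificatesresolvers.letsencrypt.acme.email=admin@example.com   # placeholder
      - --certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json
      - --certificatesresolvers.letsencrypt.acme.httpchallenge=true
      - --certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=web
      # DNS-01 variant: replace the three httpchallenge lines above with these.
      # Traefik creates a temporary _acme-challenge TXT record through the
      # provider API, so port 80 need not be reachable and wildcards are allowed.
      # - --certificatesresolvers.letsencrypt.acme.dnschallenge=true
      # - --certificatesresolvers.letsencrypt.acme.dnschallenge.provider=godaddy
      # - --certificatesresolvers.letsencrypt.acme.dnschallenge.resolvers=1.1.1.1:53,8.8.8.8:53
    # environment:                         # DNS-01 with the godaddy provider only;
    #   - GODADDY_API_KEY=...              # load these from env_file/secrets, never
    #   - GODADDY_API_SECRET=...           # commit them in the compose file
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - traefik-letsencrypt:/letsencrypt   # acme.json must survive restarts, or
                                           # every restart re-requests certificates

  appwrite:
    image: appwrite/appwrite:1.9.0         # version named in the thread
    labels:
      - traefik.enable=true
      - traefik.http.services.appwrite_api.loadbalancer.server.port=80
      # HTTPS router: the certresolver line is what triggers ACME issuance.
      # With a HostRegexp rule Traefik takes the hostname from the TLS SNI of
      # the first request, which is the "on demand" behaviour described above.
      - traefik.http.routers.appwrite_api_https.entrypoints=websecure
      - traefik.http.routers.appwrite_api_https.rule=HostRegexp(`{host:.+}`)
      - traefik.http.routers.appwrite_api_https.service=appwrite_api
      - traefik.http.routers.appwrite_api_https.tls=true
      - traefik.http.routers.appwrite_api_https.tls.certresolver=letsencrypt
      # Wildcard SAN for the "*.appwrite.example.com" sites layout; honoured
      # only with DNS-01. Under HTTP-01 leave these out and rely on the
      # per-host SNI certificates instead.
      # - traefik.http.routers.appwrite_api_https.tls.domains[0].main=appwrite.example.com
      # - traefik.http.routers.appwrite_api_https.tls.domains[0].sans=*.appwrite.example.com
      # Plain HTTP router, kept so the HTTP-01 challenge on port 80 is answered.
      - traefik.http.routers.appwrite_api_http.entrypoints=web
      - traefik.http.routers.appwrite_api_http.rule=HostRegexp(`{host:.+}`)
      - traefik.http.routers.appwrite_api_http.service=appwrite_api

volumes:
  traefik-letsencrypt:
```

After `docker compose up -d`, the traefik container's logs (`docker logs <container_id>`, as described earlier in the thread) should now contain ACME activity for the resolver, and the issued certificates appear in acme.json inside the volume; if the logs still show nothing for the domain, the router is not matching that hostname at all, which is a routing problem rather than a certificate one. Note that the DNS-01 credentials grant write access to the whole DNS zone, so they belong in an env_file or Docker secret with restricted permissions rather than in the compose file itself.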
hey, have you been able to dig further or maybe even fix the issue since my reply ?
Yes, your reply has been helpful and I feel I am getting somewhere, but my problem isn't fully solved yet. I am trying some things on my end first to fix it; I will get in touch with you if I am not able to.