azukaar / Cosmos-Server

☁️ The Most Secure and Easy Selfhosted Home Server. Take control of your data and privacy without sacrificing security and stability (Authentication, anti-DDOS, anti-bot)
https://cosmos-cloud.io

[BUG]: Letsencrypt error when moving to wildcard certificates #202

Closed sachz19 closed 4 months ago

sachz19 commented 4 months ago

What happened?

At initial setup I used subdomain-specific certificates for the different servapps and proxy URLs. When now changing the Letsencrypt config to wildcard, and adding an extra wildcard for the other domains I have, I get the following error: `Error creating new order :: Domain name "xx.xx.xxx" is redundant with a wildcard domain in the same request. Remove one or the other from the certificate request.` So basically plex.example.com and wildcard for example.com (example.com is the entry in the override option, not the default root domain).

What should have happened?

Cosmos should automatically remove the subdomain specific entries in the renewal and apply the newly requested wildcard certificate.

How to reproduce the bug?

  1. initial setup letsencrypt with wildcard disabled and cloudflare API configuration
  2. Add your apps and proxy entries
  3. Confirm the certificates have been requested
  4. Change letsencrypt configuration to use wildcards, and add additional domains in override

Relevant log output

There are errors with your Let's Encrypt configuration or one of your routes, please fix them as soon as possible:
- acme: error: 400 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:malformed :: Error creating new order :: Domain name "xx.xx.xxx" is redundant with a wildcard domain in the same request. Remove one or the other from the certificate request.

Other details

No response

System details

azukaar commented 4 months ago

You made a mistake in override (you can't ask for both *.domain.com and plex.domain.com because the wildcard already covers plex.domain.com). Unless you know why you are using the override, do not use it (leave it blank) and Cosmos will automatically use the right domains for your setup based on your proxy settings
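The redundancy Let's Encrypt rejects above can be checked before the order is sent. The following is an added example, not Cosmos's own code: it models the override field plus the proxy hostnames as one SAN list and drops every non-wildcard name that a wildcard in the same list already covers (an ACME wildcard matches exactly one label, so `a.b.example.com` is not covered by `*.example.com`). Function names and the input shape are assumptions for the illustration.

```python
"""Pre-flight check for the 'redundant with a wildcard domain' ACME error."""
from __future__ import annotations


def covered_by_wildcard(name: str, wildcard: str) -> bool:
    """True if `wildcard` (e.g. '*.example.com') covers `name`.

    A wildcard matches exactly one DNS label: 'plex.example.com' is covered,
    'a.b.example.com' and the bare 'example.com' are not.
    """
    if not wildcard.startswith("*."):
        return False
    base = wildcard[2:].lower().rstrip(".")
    name = name.lower().rstrip(".")
    if not name.endswith("." + base):
        return False
    # The part left of the base must be a single label (no further dots).
    return "." not in name[: -len(base) - 1]


def plan_order(override: str, proxy_hosts: list[str]) -> tuple[list[str], list[str]]:
    """Return (names_to_request, names_dropped_as_redundant).

    `override` is the comma-separated wildcard/override field
    (e.g. 'example.com,*.example.com'); `proxy_hosts` are the hostnames of
    the proxy routes. This is a constructed model of the request, not the
    order Cosmos itself builds (hypothetical helper).
    """
    requested = [d.strip().lower() for d in override.split(",") if d.strip()]
    requested += [h.strip().lower() for h in proxy_hosts if h.strip()]
    wildcards = [d for d in requested if d.startswith("*.")]
    keep: list[str] = []
    dropped: list[str] = []
    for name in requested:
        if name in keep or name in dropped:
            continue  # exact duplicate, already decided
        if not name.startswith("*.") and any(
            covered_by_wildcard(name, w) for w in wildcards
        ):
            dropped.append(name)  # would trigger the 'redundant' 400 error
        else:
            keep.append(name)
    return keep, dropped


def redundant_names(override: str, proxy_hosts: list[str]) -> list[str]:
    """Convenience wrapper: only the names that must be removed."""
    return plan_order(override, proxy_hosts)[1]
```

Running it on the reporter's setup (override `example.com,*.example.com`, proxy route `plex.example.com`) flags `plex.example.com` as the entry that must not be in the same order as the wildcard.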

sachz19 commented 4 months ago

I think you misread: in the override the only entries were the wildcard and root domain entries (xxx.xxx,*.xxx.xxx), not subdomain entries. I resolved the issue by temporarily changing to the Cosmos root domain for the affected proxy URLs, renewing the cert with the same configuration, and changing them back without error...

azukaar commented 4 months ago

Hmm maybe something did not save right away or something, I'll investigate thanks

sachz19 commented 4 months ago

Hi,

Just tested adding another subdomain (ombi.xxx.xxx) where the default domain for Cosmos is (yyy.yyy), but in the wildcard config I added xxx.xxx,*.xxx.xxx, no specific subdomain, and now I receive the same error.

(screenshot attached: Screenshot 2024-02-23 112328)

azukaar commented 4 months ago

(two screenshots attached)

Just retried to be sure... I changed the overwrite to xxx.xxx,*.xxx.xxx as well, and I have a bunch of URLs in the proxy and did not get an error from it. Unless I misunderstood your post? What is the black thing you hid, btw? I kind of need this info (without your actual domain ofc).

sachz19 commented 4 months ago

The subdomain linked to a proxy URL. So:

- my root domain: example.com
- Cosmos domain: cosmos.sfs-it.be
- Proxy URL: plex.other.com
- Wildcard field: example.com,*.example.com,other.com,*.other.com

Then add a proxy URL radarr.other.com. Then the error occurs.

azukaar commented 4 months ago

ok that's the info I was missing, you were trying to wildcard multiple domains. Using HTTPS, you cannot do that. That is why Cosmos is not even trying to properly create the request. You can request a single wildcard, and additional domains as non-wildcard but not multiple wildcard.

sachz19 commented 4 months ago

Aah oke, I understand! Is it something that will be added in the future, to be able to use multiple wildcard certificates? If not, I'm able to request the certs on my firewall (multiple wildcards in 1 cert) and push them to the correct location on the Cosmos VM to use them. Is that an allowed use case?

azukaar commented 4 months ago

Yes, until I bake in support for this kind of setup you can use another system (like Certbot itself) to generate the cert, and paste it in the config file at /var/lib/cosmos.