sintaxi / surge

CLI for the surge.sh CDN
https://surge.sh

My cert isn't applying even after 2 hours #490

Open bgoosman opened 1 year ago

bgoosman commented 1 year ago

Discussed in https://github.com/sintaxi/surge/discussions/489

Originally posted by **bgoosman** November 29, 2022

Navigate to https://studiofinder.art

```
This server could not prove that it is studiofinder.art; its security certificate is from *.surge.sh. This may be caused by a misconfiguration or an attacker intercepting your connection.
```

To apply my .pem, I ran surge ssl:

```
surge ssl
domain: https://studiofinder.art
pem file: surge.pem
Success - the pem file has been applied
```

Before that I concat'ed my fullchain.pem to my privkey.pem:

```
sudo cat /etc/letsencrypt/live/studiofinder.art/fullchain.pem /etc/letsencrypt/live/studiofinder.art/privkey.pem > surge.pem
```

Before that I used certbot to manually verify my domain and provision a cert with letsencrypt:

```
sudo certbot certonly --manual --preferred-challenges dns -d studiofinder.art
```

What am I doing wrong?

Now I'm running into the same thing with rehearsal.fun. Any help?

bgoosman commented 1 year ago

My web browser reports the surge.sh certificate, but surge certs reports my letsencrypt certificate (R3)


bgoosman commented 1 year ago

Today, I'm getting the correct cert! Should I be expecting the process to take hours?

mster81 commented 1 year ago

From what Broc said it may have been an issue with the certs not being applied to the edge nodes. My feeling here is that it was corrected (would default to support on that though).

My understanding is that this should be instant, as the SSL cert is installed on the server across all nodes, so it should work once applied.

My implementation is a bit different, in that I'm using the new 'encrypt' tag off the latest branch, but it should be the same regardless.

sintaxi commented 1 year ago

  1. Right now surge@0.24.0-rc.12 is the best version to use when it comes to cert management.
  2. This is the best guide for managing certs: https://github.com/sintaxi/surge/discussions/446
  3. Uploaded certs sometimes take up to a day to propagate to the edge nodes (reach out if you need it done manually).
  4. Edge nodes sometimes continue to use outdated certs for a time (new cert shows when cache is flushed).

mster81 commented 1 year ago

@sintaxi

Does the encrypt command have the same propagation time as manually doing it?

Thanks!

bgoosman commented 1 year ago

Thanks @sintaxi! I'd recommend writing #3 and #4 into the surge.sh docs. They make it sound like it should be instant. :)

sintaxi commented 1 year ago

@mster81 The encrypt command propagates the cert instantly.

mster81 commented 1 year ago

That's awesome, thanks!

mster81 commented 1 year ago

@sintaxi I was doing more testing on my account this AM and it looks like the same thing is happening, using latest RC, uploads fine but getting the same cert error.

Other question, what is the purpose of the 'preview-url' when doing a deploy? Just curious.

Thanks!
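
One way to check whether an edge node is still presenting the `*.surge.sh` certificate after `surge ssl` reports success, as an added example that is not part of the thread or of the surge project: it compares the SHA-256 fingerprint of the first certificate in the uploaded bundle (the `fullchain.pem` plus `privkey.pem` concatenation from the original post) with the certificate the server presents. All function names and the sample data are assumptions made for illustration.

```python
import hashlib
import re
import socket
import ssl

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s+.*?\s+-----END \1-----", re.S)

def pem_blocks(text):
    """Return (label, pem_text) for every PEM block, in file order."""
    return [(m.group(1), m.group(0)) for m in PEM_BLOCK.finditer(text)]

def fingerprint(cert_pem):
    """SHA-256 over the decoded (DER) bytes of one CERTIFICATE block."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(cert_pem)).hexdigest()

def bundle_leaf(bundle_text):
    """Leaf of a fullchain+privkey bundle: its first CERTIFICATE block."""
    blocks = pem_blocks(bundle_text)
    certs = [pem for label, pem in blocks if label == "CERTIFICATE"]
    if not certs:
        raise ValueError("no CERTIFICATE block in bundle")
    if not any(label.endswith("PRIVATE KEY") for label, _ in blocks):
        raise ValueError("no private key block in bundle")
    return certs[0]

def edge_status(bundle_text, served_pem):
    """'current' if the served cert is the uploaded leaf, else 'stale'."""
    same = fingerprint(bundle_leaf(bundle_text)) == fingerprint(served_pem)
    return "current" if same else "stale"

def check_host(host, bundle_path, port=443):
    """Fetch the cert presented for `host` (sent as SNI) and compare it."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False   # inspection only: a mismatched cert is
    ctx.verify_mode = ssl.CERT_NONE  # exactly what we need to be able to read
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            served = ssl.DER_cert_to_PEM_cert(tls.getpeercert(True))
    with open(bundle_path) as f:
        return edge_status(f.read(), served)

# Constructed sample data: placeholder bytes, not real certificates or keys.
def make_pem(label, body):
    return ssl.DER_cert_to_PEM_cert(body).replace("CERTIFICATE", label)

SAMPLE_BUNDLE = (make_pem("CERTIFICATE", b"constructed leaf")
                 + make_pem("CERTIFICATE", b"constructed intermediate")
                 + make_pem("PRIVATE KEY", b"constructed private key"))
SAMPLE_WILDCARD = make_pem("CERTIFICATE", b"constructed *.surge.sh cert")
```

Calling `check_host("studiofinder.art", "surge.pem")` returns `stale` while the edge still presents a different certificate than the one uploaded, which is the state described in this thread, and `current` once the uploaded leaf is being served.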