teslamotors / vehicle-command

Apache License 2.0

unable to register allowed origin #159

Open minhster99 opened 7 months ago

minhster99 commented 7 months ago

Hi, I'm attempting to register a domain I own https://robee.click but it says

Domain must be registered with a certificate authority.

What does this mean exactly? It's hosted on AWS and has a valid certificate.

derekargueta commented 7 months ago

Checking this internally, may be that the Amazon root CA is not in the list of checked authorities.

derekargueta commented 7 months ago

Yeah the Amazon Root CA is not supported, the certificate will need to have been issued from one of these CAs: https://developer.visa.com/pages/trusted_certifying_authorities

jbanyer commented 7 months ago

@derekargueta I have successfully registered an app and configured Allowed Origin URLs including https://app.chqtest.net, which uses an Amazon CA cert. This was done some time ago.

I just tried editing the list of Allowed Origin URLs to add https://api.chqtest.net, which uses the same Amazon CA cert, and it worked.

Does this CA restriction only apply when creating a new app?

minhster99 commented 7 months ago

@jbanyer my https://robee.click site is failing on update. I just attempted your site and it worked. I checked the root CA on yours vs mine and it is slightly different. The CN on mine is Amazon RSA 2048 M02, and yours is Amazon RSA 2048 M01.

@derekargueta any chance we could add the newer AWS root cert as trusted too?

jbanyer commented 7 months ago

@derekargueta I'll add my 2c: it would be very inconvenient if Amazon CAs are not accepted. AWS provides a very frictionless mechanism for adding and rotating certs when using their services, and I'm guessing a large number of Tesla API customers are going to use them by default. Cheers.

llamafilm commented 7 months ago

FWIW, I got the exact same error message for a different reason: My webserver was listening for HTTPS on a nonstandard port. When I changed it to 443 this error went away.

DaveTBlake commented 7 months ago

Having difficulty getting with my SSL, perhaps little wonder since the CA is not on that short list of acceptable providers. But is domain validation enough, or is Tesla expecting organisation validation level certification too?

minhster99 commented 7 months ago

Does anyone know which of the acceptable CAs provide free SSL certs? This is a personal project and not sure I am willing to spend a few hundred bucks per year.

llamafilm commented 7 months ago

Lets Encrypt works for me

minhster99 commented 7 months ago

@llamafilm I just tried Let's Encrypt but I'm still getting the invalid domain error. Is there something on the Tesla side caching the old cert perhaps?

btw the root CA is ISRG, I don't see it on the acceptable CA list provided.

llamafilm commented 7 months ago

Not sure. Maybe they don't allow the .click TLD ?

minhster99 commented 7 months ago

@llamafilm can you give me an example site you got working with LetsEncrypt? I'll compare the certs to see if there's a difference.

.click domain happened to be the cheapest which is why I got it.

llamafilm commented 7 months ago

Mine is working with https://tesla.llamafilm.com

minhster99 commented 7 months ago

I've got something working. The answer is to have a .com domain and this will work with the AWS signed certificate as well. Let's Encrypt is not required.

@derekargueta I think you should improve the error message because it is currently misleading. Although I don't know why you wouldn't accept any domain as long as it exists. FYI, a .com domain costs about 4x more than a .click domain.

paky79 commented 6 months ago

I have the same issue here because at the moment I'm running HA with DuckDNS + nginx, and duckdns is not recognized as an allowed origin. Does it mean that I should buy a .com domain and move everything to Cloudflare? I saw that the Tesla proxy requires nginx anyway. How to solve?

martinzitka commented 5 months ago

Same issue here. I have a self-hosted IPv6-only app on a .net domain with Letsencrypt certificate:

Validation of the Origin and Redirect URLs failed with "Domain must be registered with a certificate authority".

Please let me know if you want me to send more info on my set-up to troubleshoot the issue.

handya commented 5 months ago

I'm having the same issue on update, using a .app domain and Cloudflare for the cert. I added it a few weeks ago and it worked no problem; now when I'm trying to update I get "Domain must be registered with a certificate authority".

I thought it was an issue with .app as others have mentioned but I tried my other .app domains and they worked, not sure why it's suddenly not liking my existing domain.

Update: I've tried again and it's working now.

getget1980 commented 5 months ago

Hello, same problem here, self-hosted domain, with .fr domain name, and using GeoTrust - powered by DigiCert certificate.

Certificate is delivered by Encryption Everywhere DV TLS CA - G2 which seems to be on the VISA list ...

kiberxx commented 5 months ago

Hello, facing the same error with "com" TLD and LetsEncrypt certificate. Does anyone know the trick how to make it work? On top of the comments above it is not clear what exactly is the problem. https://vdubinskii.mooo.com/

getget1980 commented 5 months ago

It worked with Let's Encrypt, so for me the problem was the GeoTrust - powered by DigiCert certificate.

kiberxx commented 5 months ago

Yeah, exactly, I checked the domain mentioned above with the Let's Encrypt cert and don't see a significant difference. They use a wildcard cert and have a CNAME record, no CAA records. Weird, maybe it is because I am using FreeDNS. I don't want to play with paid domains until the issue is clear.

KevM commented 3 months ago

I just ran into this issue today. My domain (hosted by Vercel) has a valid cert issued by Let's Encrypt.

Sebazzz commented 3 months ago

Also running into this issue, certificate issued by Let's Encrypt E6, with ISRG Root X1 as root.

jmcollin78 commented 3 months ago

Hello same problem here with a domain in .fr and a Let's Encrypt certificate:

getget1980 commented 3 months ago

Today it's not working anymore (without any changes)... I'm starting to be bored by all this stuff...

KevM commented 3 months ago

My plan is to email support; I'll be needing this down the road.

jmcollin78 commented 3 months ago

I wrote an email to the support at this address: fleetapisupport@tesla.com. I think you can also do the same to hope things will change. I don't see any reason to refuse a domain if it is signed with a valid certificate and root CA.

sethterashima commented 3 months ago

The scope of this issue tracker is limited to the Golang code in this repository. As @jmcollin78 suggests, please reach out to the Fleet API support team: https://developer.tesla.com/docs/fleet-api#help-and-support.

KevM commented 3 months ago

Reached out a week ago and still have not heard from them.

jmcollin78 commented 3 months ago

No news here either.

ThomasAlxDmy commented 3 months ago

Hey All,

We officially added support for Let's Encrypt. I've checked some of the URLs in this issue: most certs are expired. Please renew them and try again. Also, the Common Name (CN) in the certificate must match the URL.

If you are having issues with Let's Encrypt and your certs are valid, add your URL to this issue so we can debug and see what's going on. Thank you!

minhster99 commented 3 months ago

Hi @ThomasAlxDmy

I am the original poster of this issue. Here are my findings:

URL                   CA             Working
robee.click           AWS            No
robee.click           Let's Encrypt  No
tesla.llamafilm.com   Let's Encrypt  Yes
robee2.com            AWS            Yes

Based on the above, both AWS and Let's Encrypt already work; however it seems to require a .com domain. If you relax this requirement, it would likely solve a whole bunch of issues for everyone else here.

ps I've taken down robee.click since it wasn't working.

KevM commented 3 months ago

What's weird is that in the past I've registered a non-.com domain without issue (.rodeo for testing).

ThomasAlxDmy commented 3 months ago

Yup, if set up properly it should work now. The most common issues we've seen:

  1. certs are expired.
  2. Common Name (CN) in the certificate not matching the URL
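
The two failure modes listed above (expired cert, name not matching the URL), plus the trusted-root question raised earlier in the thread and the SAN-vs-CN point sethterashima brings up later, can all be checked locally before submitting a URL. The following Go program is an added example; it is not code from this repository and does not describe how Tesla's validator is implemented. It builds a throwaway root CA and leaf certificate in memory (constructed test data, not a real CA) and runs the three checks with the standard `crypto/x509` package. `CheckLeaf`, `newTestPKI` and the `Finding*` names are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Finding names one reason a certificate would be rejected by the checks
// discussed in the thread. (Hypothetical names, defined for this example.)
type Finding string

const (
	FindingExpired      Finding = "certificate expired or not yet valid"
	FindingNameMismatch Finding = "certificate does not cover the requested host name (checked via SAN)"
	FindingUnknownRoot  Finding = "certificate does not chain to a trusted root"
)

// CheckLeaf verifies leaf for host at time now against the allow-listed roots.
// It returns an empty slice when all three checks pass.
func CheckLeaf(leaf *x509.Certificate, host string, now time.Time, roots *x509.CertPool) []Finding {
	var findings []Finding

	// 1. Validity window: the "most certs are expired" case from the thread.
	if now.Before(leaf.NotBefore) || now.After(leaf.NotAfter) {
		findings = append(findings, FindingExpired)
	}

	// 2. Name match. Go's VerifyHostname matches against the Subject Alternative
	//    Names; the legacy CN field is ignored, so a cert whose CN matches but
	//    whose SAN list does not is still a mismatch.
	if err := leaf.VerifyHostname(host); err != nil {
		findings = append(findings, FindingNameMismatch)
	}

	// 3. Chain building against the allow-listed roots only (an empty pool means
	//    "trust nothing"; a nil pool would fall back to the system store).
	//    CurrentTime is pinned inside the leaf's own window so that expiry is
	//    reported once, by check 1, rather than masking the root result.
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: leaf.NotBefore.Add(time.Second)}
	if _, err := leaf.Verify(opts); err != nil {
		findings = append(findings, FindingUnknownRoot)
	}
	return findings
}

// newTestPKI creates a self-signed root and a root-issued leaf for dnsNames.
// Everything here is constructed in memory for the example only.
func newTestPKI(dnsNames []string, notBefore, notAfter time.Time) (leaf *x509.Certificate, roots *x509.CertPool, err error) {
	rootKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	rootTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Test Root (constructed)"},
		NotBefore:             notBefore.Add(-24 * time.Hour),
		NotAfter:              notAfter.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	rootDER, err := x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	if err != nil {
		return nil, nil, err
	}
	root, err := x509.ParseCertificate(rootDER)
	if err != nil {
		return nil, nil, err
	}

	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: dnsNames[0]}, // CN set, but SANs are what count
		DNSNames:     dnsNames,
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, root, &leafKey.PublicKey, rootKey)
	if err != nil {
		return nil, nil, err
	}
	leaf, err = x509.ParseCertificate(leafDER)
	if err != nil {
		return nil, nil, err
	}
	roots = x509.NewCertPool()
	roots.AddCert(root)
	return leaf, roots, nil
}

func main() {
	now := time.Now()
	leaf, roots, err := newTestPKI([]string{"app.example.com"}, now.Add(-time.Hour), now.Add(time.Hour))
	if err != nil {
		panic(err)
	}
	fmt.Println("matching host, valid, trusted root:", CheckLeaf(leaf, "app.example.com", now, roots))
	fmt.Println("wrong host:", CheckLeaf(leaf, "api.example.com", now, roots))
	fmt.Println("after expiry:", CheckLeaf(leaf, "app.example.com", now.Add(2*time.Hour), roots))
	fmt.Println("root not in allow-list:", CheckLeaf(leaf, "app.example.com", now, x509.NewCertPool()))
}
```

To run the same checks against a live site, obtain the served chain with `tls.Dial` (the `ConnectionState().PeerCertificates[0]` entry is the leaf) and pass a pool containing only the CAs you expect to be accepted; an empty result from `CheckLeaf` means the certificate would clear these three checks, though it says nothing about any TLD or reachability rules a validator might apply on top.
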

timcantryn commented 3 months ago

I can confirm it's not working on a .be domain with an unexpired cert with the correct CN. Is it possible to get a confirmation of whether the allowed domains are limited to the .com TLD, or if there are certain unallowed TLDs? Thanks!

jmcollin78 commented 2 months ago

Hello, great news: I can confirm it is now working with my .fr domain. Thanks for the fix.

firefixmaarten commented 2 months ago

I can confirm it's not working on a .be domain with an unexpired cert with the correct CN. Is it possible to get a confirmation of whether the allowed domains are limited to the .com TLD, or if there are certain unallowed TLDs? Thanks!

It works with tesla.maartenvandenbranden.be. I just got it working. Let's Encrypt works, or at least my specific root works.

Jopand commented 2 months ago

It is NOT working on valid .synology.me, .mywire.org and *.duckdns.org domains 🤔

acanturgut commented 2 months ago

My Firebase-hosted site does not pass the validation either. It looks super random, in my opinion.

timcantryn commented 2 months ago

In my case I still get the error on the aforementioned .be domain; it does seem to be quite random.

acanturgut commented 2 months ago

Contacting Tesla fixed our problem. They added it manually on our behalf.

sgryphon commented 2 months ago

They seem to have some limitations on which domains they accept (even if the domains are valid, have valid certs, etc.).

BTW. The best cert checker I found was Qualys/SSL Labs, i.e. https://www.ssllabs.com/ssltest/analyze.html?d=tesla.gamertheory.net

All the following had Let's Encrypt certs, but only 'www' worked.

sethterashima commented 2 months ago

As a quick sanity check, please be sure you can visit your domain using your browser. HTTP errors (404, 503, etc.) may be expected, but if you get an error that says the connection is not secure or otherwise indicates a problem with the certificate, then please get that resolved before posting here.
@timcantryn I see https://tesla.cantryn.be/ serves a certificate for localhost.localdomain, not tesla.cantryn.be.

@jopand can you provide specific subdomains to test?

@sgryphon tesla-auth.gamertheory.net isn't responding to HTTPS connections, I can only connect over HTTP. I'll follow up on SAN vs CN for tesla.gamertheory.net, I think that might be one cause of the issue.

timcantryn commented 2 months ago

@sethterashima, what do you mean? This looks fine to me. Or do you not support SNI? My default cert is different, but still not localhost.localdomain. I'll try to set up a dedicated server to test later this week.

sethterashima commented 2 months ago

@timcantryn My mistake. Looks like IT doesn't like me visiting tesla.* domains that don't belong to them. :)

sgryphon commented 2 months ago

@sgryphon tesla-auth.gamertheory.net isn't responding to HTTPS connections, I can only connect over HTTP. I'll follow up on SAN vs CN for tesla.gamertheory.net, I think that might be one cause of the issue.

Well, it does respond to HTTPS for half the internet (see the 'Before' result below), but I forgot about the legacy internet and didn't set up the reverse proxy for the new host name, so it was only working over IPv6.

Before: (screenshot of the SSL test result, not reproduced)

I have now added tesla-auth to the reverse proxy, so legacy connections are possible. (Note that the IPv6 address is the real address of my server; the IPv4 addresses don't belong to my server, but are a reverse proxy to allow legacy connections. This also means SNI is required because the reverse proxy is shared, plus there is worse latency because it has to proxy.)

After (now): (screenshot of the SSL test result, not reproduced)

Note that tesla.gamertheory.net is IPv6-only, so you do need a modern internet connection to be able to access it. If a work computer is failing, try a mobile phone (or home internet)... or just use a checker like Qualys.

martinzitka commented 2 months ago

I have a similar problem to @sgryphon above: my domain is still being rejected despite getting an A+ SSL rating.

And yes, the only reason I can think of is the fact that I am running the service on the Internet (IPv6) and not the legacy internet. Honestly, I had no intention of running this on IPv4.

Could someone from the Tesla team please confirm that their service is currently only supported on legacy IPv4, and if so, if there are any plans to also support IPv6? Thank you!

caglarsu commented 2 months ago

Contacting Tesla fixed our problem. They added it manually on our behalf.

I sent an email to Tesla more than a week ago and there is no response :( We are completely stuck and cannot move forward. Very sad story for us.

sethterashima commented 2 months ago

@martinzitka @sgryphon When users pair the virtual key using the QR code from tesla.com/_ak/example.com, the mobile app will try to fetch your public key from example.com and verify that it matches the one Tesla has on record. This way the app doesn't need to trust Tesla's servers for public key distribution. But it does mean that your website needs to be reachable by the mobile app, so you may want to consider making your site IPv4-accessible.

I'll raise the IPv4 vs IPv6 issue with the team, but for the above reason we may want to warn users who don't support IPv4.

sgryphon commented 2 months ago

Okay, so if there is a mobile user whose carrier doesn't support modern connections then we may want to add some legacy support, such as an IPv4 reverse proxy (I use Cloudflare for some of my domains for this). I have a limited user base where I know there is no one in this category, but it may be relevant for some people to consider.

However Tesla may also want to consider that they fully support the current internet version, IPv6.

Most mobile carriers support IPv6; in fact some, such as my local carrier, Telstra in Australia, moved to IPv6-only for consumer mobile 4 years ago: https://www.sidn.nl/en/news-and-blogs/australias-telstra-switches-mobile-users-to-ipv6-only

There are probably more IPv6-only carriers than IPv4-only carriers, at least for consumer devices. (They do have legacy support using 464XLAT with carrier-grade NAT.)

Also, if you have an Apple iOS app, then all apps submitted to the App Store since 01 June 2016 (8 years ago) must support IPv6-only networks; if your app does not support IPv6-only networks, then it may be in breach. https://developer.apple.com/support/ipv6/

It is probably good to note or give a warning about the way the app works if a user only has IPv4 when you detect a site that only supports IPv6, but you should also fully support modern IPv6.