#Getting ✗ Error self-signed certificate in CLI

I am trying to login in CLI and getting ✗ Error self-signed certificate

pref.json is

{
    "endpoint": "https://abc.example.com/",
    "cookie": "",
    "key": "",
    "selfSigned": "true"
}

server version 1.3.71
cli version 2.0.2

it seems, SSL is not yet generated for some reason 👀 , it have been quite a while...

Certificate seems to have been generated still it showing SSL is not there

The certificate is not trusted because it is self-signed.
 
Error code: MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT

selfSigned need to be boolean

"selfSigned": true instead of "selfSigned": "true"

seems still not working,

✗ Error Not Found

Don't you forgot v1 at end of endpoint ?

yaa right

thank you

any idea about the SSL part?

Check you'r CNAME config

those seems fine

does SSL needs to be enabled for parent domain only then on child domain SSL gets enabled?

It doesn't sounds like a requirement

What are the logs of:

docker logs appwrite 
docker logs appwrite-worker-certificates

Check list:

• Have you added the domain as a custom domain to any of your projects?
• Check the logs again after running docker exec -it appwrite ssl

checking it

Have you added the domain as a custom domain to any of your projects?
Nope

Check the logs again after running docker exec -it appwrite ssl
checking ...

So first add it

Then run the ssl command

mmm, in the logs seeing this,

Cannot renew domain (appwrite.mobc.com) on attempt no. 3 certificate: Failed to issue a certificate with message: Saving debug log to /var/log/letsencrypt/letsencrypt.log
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

What version of Appwrite you have?

1.3.7

I didn't faced this issue when deployed earlier for anther sub-domain for some reason facing only for this

Sometime when the challenges don't pass

Its best to wait like an hour and retry,

mm, actually I treid this like 6 hr ago

Ohh

And you didn't run the SSL now?

nope, still haven't got it enabled for some reason

I mean this command again

oh you mean, after running the command should wait for min 1hr or so?

I ran that just 5min or so ago

Ohh
So I meant run it again after 1 hour yes

👍

Add this volumes to appwrite-worker-certificates on docker-compose file

- ./le_log:/var/log/letsencrypt

And run it again. You can look at log message

Or on appwrite container ? Not knows, you need to try it ^^
NB: Create le_log folder before ofc

seems some issue with Redis?

Fatal error: Uncaught RedisException: socket error on read socket in /usr/src/code/vendor/colinmollenhour/credis/Client.php:1334
Stack trace:
#0 /usr/src/code/vendor/colinmollenhour/credis/Client.php(1334): Redis->ping()
#1 /usr/src/code/vendor/resque/php-resque/lib/Resque/Redis.php(265): Credis_Client->__call('ping', Array)
#2 /usr/src/code/vendor/resque/php-resque/lib/Resque/Worker.php(180): Resque_Redis->__call('ping', Array)
#3 /usr/src/code/vendor/resque/php-resque/bin/resque(185): Resque_Worker->work('1', false)
#4 {main}

Next CredisException: socket error on read socket in /usr/src/code/vendor/colinmollenhour/credis/Client.php:1351
Stack trace:
#0 /usr/src/code/vendor/resque/php-resque/lib/Resque/Redis.php(265): Credis_Client->__call('ping', Array)
#1 /usr/src/code/vendor/resque/php-resque/lib/Resque/Worker.php(180): Resque_Redis->__call('ping', Array)
#2 /usr/src/code/vendor/resque/php-resque/bin/resque(185): Resque_Worker->work('1', false)
#3 {main}

Next Resque_RedisException: Error communicating with Redis: socket error on read socket in /usr/src/code/vendor/resque/php-resque/lib/Resque/Redis.php:268
Stack trace:
#0 /usr/src/code/vendor/resque/php-resque/lib/Resque/Worker.php(180): Resque_Redis->__call('ping', Array)
#1 /usr/src/code/vendor/resque/php-resque/bin/resque(185): Resque_Worker->work('1', false)
#2 {main}
  thrown in /usr/src/code/vendor/resque/php-resque/lib/Resque/Redis.php on line 268

where do you suggest to create that le_log folder ?

On same folder than your docker compose file

you mean inside appwrite folder?

Yes

umm, still doesn't seems to solve it

Do you see you domain here?

ls /var/lib/docker/volumes/appwrite_appwrite-certificates/_data

Do you have new logs in:

• appwrite
• appwrite-worker-certificates

checking..

~/appwrite$ sudo ls /var/lib/docker/volumes/appwrite_appwrite-certificates/_data

this prints nothing

So you have no certificates.

btw, Why you don't want that domain to be your main Appwrite domain?

ya, it have been not generated

you mean root domain?

Yes, for Appwrite

umm, because there would be static website page so...

Yes, but it won't interfere.

What I mean is that you'll still use that sub-domain but that would be your main domain of Appwrite

Is this make sense?

but doesn't console will open when try to vist root domain 👀

Nope.

Only the domain that points to Appwrite

mm, so you are saying when user will try to vist appwrite.xyz.com to open console but if user vist xyz.com it will open static website ?

Exactly

What I suggest is

1. Remove the custom domain from Appwrite console.
2. Add A record of your sub-domain points to Appwrite

Then follow all the steps here: #1113876456779554826 message

I mean I did tried it

With _APP_DOMAIN and _APP_DOMAIN_TARGET?

one min will share ss

I guess same as yestraday

Okay

Now, see if you get an error on other containers?

Cannot renew domain (appwrite.monofyi.com) on attempt no. 8 certificate: Failed to issue a certificate with message: Saving debug log to /var/log/letsencrypt/letsencrypt.log
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

sorry I didn't get other containers? part

Are you using Cloudflare in front of your Appwrite?

yaa, as DNS config

I mean for root domain

Mmm,
Okay and what is your ssl settings?

btw it seems I found in AWS server inboud TCP for port 80 is not added

Okay,

So it can be on strict until you've set the SSL

Here's what you can do

Edit the A record

Remove the Proxied switch
Then access your domain to see it's accessbile without cloudflare.

Then run SSL generation again.

Make sure to disable it

done let try

When it done
You can get it back to Proxied
But, I still not sure you can use Full (strict) so you can use just Full

after ruuning the ssl command on appwrite folder still getting this

I guess I might need to enable prot 80 for TCP in-bound on AWS

Enable it anyhow yes, so letsencrypt can pass the challange under http

enabled it still diff

Which container producted this output?

sudo docker logs appwrite-worker-certificates this command

Okay,
If you now accessing your Appwrite in incognito, as browser save some SSL cache

Do you have SSL?

I didn't tried access it in the incognito

So try and lmn

I mean it doesn't even open

This is your domain?
appwrite.monofyi.com

with public IP I can access the console

yap

In my computer you have a valid Let's Encrypt certificate

yaa, I just noticed I can now on phone but seems not opening on laptop

seems some cache issue

btw, if you want to see the logs of the file, you can run

 docker exec appwrite-worker-certificates cat /var/log/letsencrypt/letsencrypt.log

thank you, yaa seems now good... it seems the TCP needed to be enabled and also on Cloud-Flair proxy that be disabled

You can turn on Cloudflare proxy

I guess I can now remove the port 80 right?

But change to full

I think it has to be opened one in 90 days when the next challenge occurs.

oh, right mm

thank you again