# [SOLVED] Impossible to renew SSL certificate


rich linden
#

Do you have anything in front of Appwrite like a reverse proxy or cloudflare proxy? Is your Appwrite instance accessible via port 80?

jovial stag
#

Yesterday I was able to access my server with a red alert "certificate expired" but today I can't access it anymore ... (ERR_CONNECTION_RESET)

jovial stag
#

I tried to upgrade to Appwrite 1.3.8, then relaunch the server.
When I see logs for "worker-certificates" I only see this:

Appwrite certificates worker v1 has started
[notice] Starting worker 2dfbbfa38cc2:7:v1-certificates

When I force refresh to my website I see this window... with the error "NET::ERR_CERT_DATE_INVALID"

#

When I try to open certificate details I see the expiration date ("Expire le" in French) is yesterday...

#

PS: I upgraded my server dependencies to latest

rich linden

> I tried to upgrade to Appwrite 1.3.8, then relaunch the server.

What version were you on before upgrade? And did you run the migrate command after upgrading?

> When I force refresh to my website I see this window... with the error "NET::ERR_CERT_DATE_INVALID"

So you're not seeing the connection reset error anymore?

> When I try to open certificate details I see the expiration date ("Expire le" in French) is yesterday

This error/warning page is expected if you don't have a valid certificate

jovial stag
#

> What version were you on before upgrade? And did you run the migrate command after upgrading?

I was on 1.3.7, yes I did a migration, and see no error

> So you're not seeing the connection reset error anymore?

No only NET::ERR_CERT_DATE_INVALID 🙂

> This error/warning page is expected if you don't have a valid certificate

Hum yeah, it seems regeneration of certificate failed...

rich linden
#

can you check this file in the certificate container?

/var/log/letsencrypt/letsencrypt.log
jovial stag
#

ℹ️ New update ℹ️
I tried to run ssl certificate generation manually using
docker-compose exec appwrite ssl

Here are the logs after:

appwrite-worker-certificates  | Appwrite certificates worker v1 has started
appwrite-worker-certificates  | [notice] Starting worker 2dfbbfa38cc2:7:v1-certificates
appwrite-worker-certificates  | [notice] Starting work on (Job{v1-certificates} | ID: 31b34d2ca3ea945502f8eda5fc35a769 | CertificatesV1 | [{"project":null,"domain":{"domain":"my-domain.com"},"skipRenewCheck":true}])
appwrite-worker-certificates  | Cannot renew domain (my-domain.com) on attempt no. 7 certificate: Failed to issue a certificate with message: Saving debug log to /var/log/letsencrypt/letsencrypt.log
appwrite-worker-certificates  | Some challenges have failed.
appwrite-worker-certificates  | Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
appwrite-worker-certificates  |
appwrite-worker-certificates  | [notice] (Job{v1-certificates} | ID: 31b34d2ca3ea945502f8eda5fc35a769 | CertificatesV1 | [{"project":null,"domain":{"domain":"my-domain.com"},"skipRenewCheck":true}]) has finished
jovial stag
#

Yes !

rich linden
#

anything in the appwrite logs?

#

do you happen to have access logs enabled on traefik?

jovial stag
#

What do you mean, you mean logs inside the docker container appwrite-traefik?

#

If yes, I see nothing at all inside ...

#

Ok so I think this is the log you need 🙂
docker-compose logs appwrite

Results:

appwrite  | Worker 2 started successfully
appwrite  | Worker 1 started successfully
appwrite  | Worker 3 started successfully
appwrite  | Worker 6 started successfully
appwrite  | Worker 4 started successfully
appwrite  | Worker 5 started successfully
appwrite  | Worker 7 started successfully
appwrite  | Worker 8 started successfully
appwrite  | Worker 9 started successfully
appwrite  | Worker 10 started successfully
appwrite  | Worker 11 started successfully
appwrite  | Worker 12 started successfully
appwrite  | [Setup] - Server database init started...
appwrite  | [Setup] - Creating database: appwrite...
appwrite  | [Setup] - Server database init completed...
appwrite  | Server started successfully (max payload is 6,291,456 bytes)
appwrite  | Master pid 1, manager pid 7
appwrite  | Skipping SSL certificates generation on ACME challenge.
appwrite  | Skipping SSL certificates generation on ACME challenge.
appwrite  | Skipping SSL certificates generation on ACME challenge.
rich linden
#

ok anything new in the certificates and appwrite logs?

rich linden
#

weird....i wonder if hetzner has some block on letsencrypt 🧐

rich linden
#

Do you use zen or rbl or any sort of firewall or IP filtering?
