Certificate updates

10 hours ago I created a wildcard certificate for my domain “paypack.rw”. It took time for the cerficate to get ready because my DNS being cloudflare was in the way with it’s proxying. Upon turning it off for a bit worked. The app itself is caddy serving as a proxy to two other apps each it’s own subdomain. Later I wanted to server something on root but I’m failing to establish a TLS connection even after deactivating everything cloudflare except DNS even though it works over http.

✗ curl -v https://paypack.rw
* Rebuilt URL to: https://paypack.rw/
*   Trying 213.188.209.3...
* TCP_NODELAY set
*   Trying 2a09:8280:1:de13:15:1d4c:cffe:d09b...
* TCP_NODELAY set
* Immediate connect fail for 2a09:8280:1:de13:15:1d4c:cffe:d09b: Network is unreachable
*   Trying 2a09:8280:1:de13:15:1d4c:cffe:d09b...
* TCP_NODELAY set
* Immediate connect fail for 2a09:8280:1:de13:15:1d4c:cffe:d09b: Network is unreachable
* Connected to paypack.rw (213.188.209.3) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS alert, Server hello (2):
* error:14094419:SSL routines:ssl3_read_bytes:tlsv1 alert access denied
* stopped the pause stream!
* Closing connection 0
curl: (35) error:14094419:SSL routines:ssl3_read_bytes:tlsv1 alert access denied

The caddy configuration has https turned off:

{   
    debug
    
    auto_https off
    
    admin 0.0.0.0:2019
}

:80 {
    log {
       level DEBUG
       output stderr
    }
    respond "Im healthy!" 200
}

# I added this part after....
http://{$DOMAIN}, http://www.{$DOMAIN} {
   respond "Coming soon!" 200
}

http://payments.{$DOMAIN} {
    reverse_proxy payments.internal:8080
}
http://wages.{$DOMAIN} {
    reverse_proxy wages.internal:8080
}

This is not intuitive, but *.payback.rw is not a valid certificate for payback.rw. You’ll need to add payback.rw to your app explicitly to make the apex domain work.

Does that mean that on top creating a “*.paypack.rw” certificate I have to create another for “paypack.rw”? → flyctl certs create "paypack.rw" --app paypack

1 Like

Yes exactly.