🐛 Bug Report: Cannot renew domain

[mauricev]

👟 Reproduction steps

Run sudo docker compose logs appwrite-worker-certificates

👍 Expected behavior

Certificate should renew regardless of its current status. Who is even checking this? Why?

👎 Actual Behavior

This server is behind a cloudflare firewall, so the certificate cannot on its own be renewed. I have to manually disable it and then run sudo docker compose logs appwrite-worker-certificates to renew certificate. I want the renewal to take this place on a given day to coincide with another server on this same VM. Instead, I am greeted with this message:

appwrite-worker-certificates  | Cannot renew domain (aquarius-appwrite-at-peredalab.org) on attempt no. 2 certificate: Renew isn't required.
appwrite-worker-certificates  | [Job] (6647d0b15b3ea1.18956011) failed to run.
appwrite-worker-certificates  | [Job] (6647d0b15b3ea1.18956011) Renew isn't required.
appwrite-worker-certificates  | [Error] Type: Exception
appwrite-worker-certificates  | [Error] Message: Renew isn't required.
appwrite-worker-certificates  | [Error] File: /usr/src/code/src/Appwrite/Platform/Workers/Certificates.php
appwrite-worker-certificates  | [Error] Line: 152

There is also no way to check the certificate's status on appwrite.

🎲 Appwrite version

Version 1.5.x

💻 Operating system

Linux

🧱 Your Environment

No response

👀 Have you spent some time to check if this issue has been raised before?

• I checked and didn't find similar issue

🏢 Have you read the Code of Conduct?

• I have read the Code of Conduct

[stnguyen90]

@mauricev, thanks for creating this issue!

First, running docker compose logs appwrite-worker-certificates doesn't generate certificates; it only outputs the logs from the worker.

Secondly, since you have cloudflare in front of Appwrite, there's no need for Appwrite to generate certificates. You can just disable the worker.

Is there anything else you need or can this be closed?

[mauricev]

You're saying that the communication between cloudflare and appwrite doesn't require a certificate? How does this communication happen then?

[mauricev]

According to this, https://forumweb.hosting/22401-difference-between-flexible-full-and-full-strict-in-cloudflare.html, this is not correct. I have it Full (strict) which requires appwrite have a valid certificate.

[stnguyen90]

@mauricev, full should be fine because, by default, traefik serves a self signed certificate.

[mauricev]

This doesn't seem to be happening

appwrite-worker-certificates  | [Error] Type: Exception
appwrite-worker-certificates  | [Error] Message: Failed to issue a certificate with message: Saving debug log to /var/log/letsencrypt/letsencrypt.log
appwrite-worker-certificates  | Plugins selected: Authenticator webroot, Installer None
appwrite-worker-certificates  | Performing the following challenges:
appwrite-worker-certificates  | http-01 challenge for aquarius-appwrite-at-peredalab.org
appwrite-worker-certificates  | Using the webroot path /storage/certificates for all unmatched domains.
appwrite-worker-certificates  | Waiting for verification...
appwrite-worker-certificates  | Challenge failed for domain aquarius-appwrite-at-peredalab.org
appwrite-worker-certificates  | http-01 challenge for aquarius-appwrite-at-peredalab.org
appwrite-worker-certificates  | Cleaning up challenges
appwrite-worker-certificates  | Some challenges have failed.
appwrite-worker-certificates  | Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
appwrite-worker-certificates  | 

[mauricev]

For whatever strange reason, the traefik container wasn't running. All appears to be well now. Thank you.