Heres the custom domain I'm testing with

Heres the custom domain I'm testing with: https://dash.00darksi.de/
75 Replies
Chaika
Chaika•5mo ago
time to thread
x03
x03OP•5mo ago
You're right xD
Chaika
Chaika•5mo ago
@x03 that's a cname to tsar.app?
x03
x03OP•5mo ago
Yep
x03
x03OP•5mo ago
No description
Chaika
Chaika•5mo ago
cool, and under SSL/TLS -> Custom Hostnames, status is?
x03
x03OP•5mo ago
Okay good catch This one actually isnt added to my SaaS thing idk why i never got a "cross user banned" error though oh its on the same CF account thats why
Chaika
Chaika•5mo ago
if on same account there is magic to make that work without saas yup
x03
x03OP•5mo ago
should i add it to the SaaS thing
Chaika
Chaika•5mo ago
easiest way to fix
x03
x03OP•5mo ago
Alright let me add it and validate it Also an FYI, I added a client's domain like 30 mins ago and it threw SSL errors But I'll continue with my darkside domain for testing the TXT verfication is taking a minute
Chaika
Chaika•5mo ago
ps. you don't need the prevalidation as long as the cname exists and isn't being flattened (like not on apex)
x03
x03OP•5mo ago
Okay finally worked
x03
x03OP•5mo ago
No description
x03
x03OP•5mo ago
https://dash.00darksi.de/ Still throwing SSL error Just like the other client domain that I added to the SaaS list
Chaika
Chaika•5mo ago
if you do `curl -vvv -k --resolve dash.00darksi.de:443:127.0.0.1 https://dash.00darksi.de/ we want the app.tsar.co cert to be served, curl will think invalid but Cf should be fine with that
x03
x03OP•5mo ago
No description
x03
x03OP•5mo ago
What does this mean 😨
Chaika
Chaika•5mo ago
I'd have to retest sometime later to be 100% sure, but I tested this kind of setup before, and it was like this: Host header forwarded to origin, origin should respond with normal cert (tsar.app) - even w/ full (strict) it's fine as long as it matches the target In other words, Traefik should be serving the tsar.app cert by default, not it's default. In nginx I would do this with a default server block, in traefik I would google their docs for information
x03
x03OP•5mo ago
Hmm I see, I could try to do some research into this and mess with some Traefik config settings Traefik has some sort of config setup that allows the passing of Cloudflare tokens Maybe that could be what's missing to serve cloudflare approved certs You'd set a flag like: --certificatesresolvers.letsencrypt.acme.dnschallenge.provider=cloudflare And define an ENV variable like: CLOUDFLARE_DNS_API_TOKEN=* Not sure if it's related but I'll try it
Chaika
Chaika•5mo ago
I don't imagine that's related and you don't need certs for each customer, just to serve the tsar.app ones by default
x03
x03OP•5mo ago
Yeah you're correct, doing the stuff I sent above does not work Hmm @Chaika Would using a cloudflare certificate instead of a LetsEncrypt certificate for my server fix this issue?
x03
x03OP•5mo ago
I found an article: https://blog.marcosalonso.dev/traefik-https-cloudflare/ But I dont know if this would help with my problem
Marcos Alonso - Blog
How to setup Traefik proxy instance with HTTPS via Cloudflare Certi...
This post will show you how to set up a Traefik Proxy instance with SSL encryption (HTTPS) using Cloudflare certificates. All this using Docker containers and with the help of the Docker Compose tool. Cloudflare setup Making your domain configurable with Cloudflare First, you must have a domain name and
Chaika
Chaika•5mo ago
Both would work equally well for your website and fail equally when they don't get served to the custom hostname's requests
x03
x03OP•5mo ago
Hmm okay so the issue is my traefik config, not the cert
Chaika
Chaika•5mo ago
the issue isn't the certificate but your configuration not serving it by default. I'd look for a way in traefik to have a default server block/execution/certficiates, sometimes called wildcard yup
x03
x03OP•5mo ago
Okay I'll try and find some info on this
Chaika
Chaika•5mo ago
if easier, and you just wanted to test that sort of setup first, you could try making an explicit config for dash.00darksi.de serving tscar.app's certificates just as a quick test
x03
x03OP•5mo ago
Here's my Traefik config:
version: '3.8'
networks:
coolify:
external: true
services:
traefik:
container_name: coolify-proxy
image: 'traefik:v2.11'
restart: unless-stopped
extra_hosts:
- 'host.docker.internal:host-gateway'
networks:
- coolify
ports:
- '80:80'
- '443:443'
- '8080:8080'
healthcheck:
test: 'wget -qO- http://localhost:80/ping || exit 1'
interval: 4s
timeout: 2s
retries: 5
volumes:
- '/var/run/docker.sock:/var/run/docker.sock:ro'
- '/data/coolify/proxy:/traefik'
command:
- '--ping=true'
- '--ping.entrypoint=http'
- '--api.dashboard=true'
- '--api.insecure=false'
- '--entrypoints.http.address=:80'
- '--entrypoints.https.address=:443'
- '--entrypoints.http.http.encodequerysemicolons=true'
- '--entryPoints.http.http2.maxConcurrentStreams=50'
- '--entrypoints.https.http.encodequerysemicolons=true'
- '--entryPoints.https.http2.maxConcurrentStreams=50'
- '--providers.docker.exposedbydefault=false'
- '--providers.file.directory=/traefik/dynamic/'
- '--providers.file.watch=true'
- '--certificatesresolvers.letsencrypt.acme.httpchallenge=true'
- '--certificatesresolvers.letsencrypt.acme.storage=/traefik/acme.json'
- '--certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=http'
- '--providers.docker=true'
labels:
- traefik.enable=true
- traefik.http.routers.traefik.entrypoints=http
- traefik.http.routers.traefik.service=api@internal
- traefik.http.services.traefik.loadbalancer.server.port=8080
- coolify.managed=true
version: '3.8'
networks:
coolify:
external: true
services:
traefik:
container_name: coolify-proxy
image: 'traefik:v2.11'
restart: unless-stopped
extra_hosts:
- 'host.docker.internal:host-gateway'
networks:
- coolify
ports:
- '80:80'
- '443:443'
- '8080:8080'
healthcheck:
test: 'wget -qO- http://localhost:80/ping || exit 1'
interval: 4s
timeout: 2s
retries: 5
volumes:
- '/var/run/docker.sock:/var/run/docker.sock:ro'
- '/data/coolify/proxy:/traefik'
command:
- '--ping=true'
- '--ping.entrypoint=http'
- '--api.dashboard=true'
- '--api.insecure=false'
- '--entrypoints.http.address=:80'
- '--entrypoints.https.address=:443'
- '--entrypoints.http.http.encodequerysemicolons=true'
- '--entryPoints.http.http2.maxConcurrentStreams=50'
- '--entrypoints.https.http.encodequerysemicolons=true'
- '--entryPoints.https.http2.maxConcurrentStreams=50'
- '--providers.docker.exposedbydefault=false'
- '--providers.file.directory=/traefik/dynamic/'
- '--providers.file.watch=true'
- '--certificatesresolvers.letsencrypt.acme.httpchallenge=true'
- '--certificatesresolvers.letsencrypt.acme.storage=/traefik/acme.json'
- '--certificatesresolvers.letsencrypt.acme.httpchallenge.entrypoint=http'
- '--providers.docker=true'
labels:
- traefik.enable=true
- traefik.http.routers.traefik.entrypoints=http
- traefik.http.routers.traefik.service=api@internal
- traefik.http.services.traefik.loadbalancer.server.port=8080
- coolify.managed=true
Do you know which setting lets me point dash.00darksi.de to the tsar.app cert? Also how do I even reference the certificate that I need
Chaika
Chaika•5mo ago
I do not use traefik, docker (very much) or coolify lol it might be easier to find a way to mark one of them as a default
x03
x03OP•5mo ago
Alright I'll try to do that
Chaika
Chaika•5mo ago
https://doc.traefik.io/traefik/https/tls/#default-certificate some info about default certs/configs there
Traefik TLS Documentation - Traefik
Learn how to configure the transport layer security (TLS) connection in Traefik Proxy. Read the technical documentation.
Chaika
Chaika•5mo ago
labels:
- "traefik.tls.stores.default.defaultgeneratedcert.resolver=cloudflare"
- "traefik.tls.stores.default.defaultgeneratedcert.domain.main=example.org"
- "traefik.tls.stores.default.defaultgeneratedcert.domain.sans=foo.example.org, bar.example.org
labels:
- "traefik.tls.stores.default.defaultgeneratedcert.resolver=cloudflare"
- "traefik.tls.stores.default.defaultgeneratedcert.domain.main=example.org"
- "traefik.tls.stores.default.defaultgeneratedcert.domain.sans=foo.example.org, bar.example.org
looks interesting, lots of magic with auto tls though is this an actual production/deployed app? If not I would probably try that. Otherwise I'd say be very very careful or setup a separate testing env lol
x03
x03OP•5mo ago
It's deployed but no one's using it yet xD So we're good to test anything we need
Chaika
Chaika•5mo ago
safe to break
x03
x03OP•5mo ago
yep I've seen a user recommend me this:
- traefik.http.routers.traefik.tls.domains[0].main=dash.00darksi.de
- traefik.http.routers.traefik.tls.domains[0].sans=dash.00darksi.de
- certificatesresolvers.letsencrypt.acme.dnschallenge.provider=cloudflare
- traefik.http.routers.traefik.tls.domains[0].main=dash.00darksi.de
- traefik.http.routers.traefik.tls.domains[0].sans=dash.00darksi.de
- certificatesresolvers.letsencrypt.acme.dnschallenge.provider=cloudflare
I'm going to try both that and the stuff you sent
Chaika
Chaika•5mo ago
that wouldn't really work tho Cloudflare provider is DNS, you're not going to have DNS control over all your clients (I assume?)
x03
x03OP•5mo ago
Oh okay, I'll try what you sent then Nope, you're right
Chaika
Chaika•5mo ago
I would probably change that a bit though, one sec You're just using normal let's encrypt resolver with http validation, looks like?
x03
x03OP•5mo ago
I assume so, I think that's the Coolify default Ill show you my container labels 1 sec
# Enable Traefik
traefik.enable=true

# Define middlewares
traefik.http.middlewares.gzip.compress=true

# HTTPS router for all domains and subdomains
traefik.http.routers.https-router.entryPoints=https
traefik.http.routers.https-router.middlewares=gzip
traefik.http.routers.https-router.rule=HostRegexp(`{host:.+}`) && !Host(`tsar.dev`, `tsar.net`)
traefik.http.routers.https-router.service=https-service
traefik.http.routers.https-router.tls.certresolver=letsencrypt
traefik.http.routers.https-router.tls=true

# Custom jawn
traefik.tls.stores.default.defaultgeneratedcert.resolver=cloudflare
traefik.tls.stores.default.defaultgeneratedcert.domain.main=dash.00darksi.de
traefik.tls.stores.default.defaultgeneratedcert.domain.sans=dash.00darksi.de

# Service configuration
traefik.http.services.https-service.loadbalancer.server.port=3000
# Enable Traefik
traefik.enable=true

# Define middlewares
traefik.http.middlewares.gzip.compress=true

# HTTPS router for all domains and subdomains
traefik.http.routers.https-router.entryPoints=https
traefik.http.routers.https-router.middlewares=gzip
traefik.http.routers.https-router.rule=HostRegexp(`{host:.+}`) && !Host(`tsar.dev`, `tsar.net`)
traefik.http.routers.https-router.service=https-service
traefik.http.routers.https-router.tls.certresolver=letsencrypt
traefik.http.routers.https-router.tls=true

# Custom jawn
traefik.tls.stores.default.defaultgeneratedcert.resolver=cloudflare
traefik.tls.stores.default.defaultgeneratedcert.domain.main=dash.00darksi.de
traefik.tls.stores.default.defaultgeneratedcert.domain.sans=dash.00darksi.de

# Service configuration
traefik.http.services.https-service.loadbalancer.server.port=3000
Chaika
Chaika•5mo ago
- "traefik.tls.stores.default.defaultgeneratedcert.resolver=letsencrypt"
- "traefik.tls.stores.default.defaultgeneratedcert.domain.main=tsar.app"
- "traefik.tls.stores.default.defaultgeneratedcert.domain.sans=*.tsar.app
- "traefik.tls.stores.default.defaultgeneratedcert.resolver=letsencrypt"
- "traefik.tls.stores.default.defaultgeneratedcert.domain.main=tsar.app"
- "traefik.tls.stores.default.defaultgeneratedcert.domain.sans=*.tsar.app
x03
x03OP•5mo ago
Those aren't my global Traefik settings, but just for the .app container
Chaika
Chaika•5mo ago
it's weird though because I swear you couldn't do wildcards over http challenges 'cept you clearly from earlier testing have a wildcard LE cert
x03
x03OP•5mo ago
Yep I do lmao That took so long to figure out Just adding this to the container traefik labels didn't do anything I'll try this as well
Chaika
Chaika•5mo ago
I would remove that. Yea I realized after you're not using the cloudflare resolver at all (I would also restart the container if you didn't already)
x03
x03OP•5mo ago
Yep its restarting now And I removed the initial 3 labels LETS GO its worked
x03
x03OP•5mo ago
TSAR
Modern backend framework for software developers.
x03
x03OP•5mo ago
Thank you so much I need to study all this SSL and reverse proxy stuff when I get freetime Its super complicated but very interesting
Chaika
Chaika•5mo ago
Traefik makes it way more complicated with all it's automations well. it also makes stuff way easier, that isn't cert related you give and you get
x03
x03OP•5mo ago
Yep
Chaika
Chaika•5mo ago
Switching to Cloudflare's Origin Certs may not be a bad idea long run since Let's Encrypt may fail without you noticing and Origin Certs are for 15 years, but that's something to decide later
x03
x03OP•5mo ago
I'll 100% look into that later, since that's not urgent I'll have more time to do my own research and not require someone to walk me through it like this situation xD
Chaika
Chaika•5mo ago
anyway I'll end this with one piece of advice: This setup only works because you're using CF. If you removed CF, you'd need to issue certs for each customer. (which is what cf for saas is taking care for you) Proxied CNAMEs in CF's Cert logic work if the certificate responded to contain either the actual hostname, or the target of the cname. fun stuff
x03
x03OP•5mo ago
Wow that's great I guess the SaaS thing makes certificates for all the customers
Chaika
Chaika•5mo ago
It does yea, you can see that in the custom hostname status
x03
x03OP•5mo ago
I looked into it a little and its cool
Chaika
Chaika•5mo ago
it uses http validation by default idk what type of product you're aiming for, but worth mentioning maybe, if you have customers who ever want to use their apex (example.com) and not a subdomain, you'd need to force them to add the prevalidation first, and then the Cname. Otherwise for subdomains they can just CNAME and nothing else (and that apex setup would only work if they use a DNS Provider that supports CNAME/ALIAS records/ANAME at root, otherwise would need Enterprise's Apex Proxying to get a static IP if they're using a dns provider which doesn't support those special record types and want to put it on their apex)
x03
x03OP•5mo ago
Oh I see, well the product is similar to Sellix, where users host some sort of content on their app, and then their customers can access that content via <app_id>.tsar.app, <vanity>.tsar.app, or custom domain It's possible that people use their root domain though
Chaika
Chaika•5mo ago
yea, which again would be possible as long as their dns provider supports cname/alias/aname records (Called different things, all meaning the same) at root
x03
x03OP•5mo ago
I think the SaaS already does do prevalidations even for subdomains I was asked to do a TXT record thing
Chaika
Chaika•5mo ago
It tells you to add the txt but you don't need to you can just cname and wait
x03
x03OP•5mo ago
Oh I see
Chaika
Chaika•5mo ago
If you try to do that on the root though it won't work, because CNAMEs aren't supported on the root per RFCs, so every dns provider who supports that is actually flattening them (into A/AAAA records) which removes identifying info
x03
x03OP•5mo ago
So those SaaS text records need to be added for the root to work?
Chaika
Chaika•5mo ago
You need to add the prevalidation txt record to be added and verified, and then tell them to add the cname, is how that works on root
x03
x03OP•5mo ago
I'll look into CF api to see how I can automate that, I've seen other services do the TXT record verification before so I'm sure I can figure it out.
Chaika
Chaika•5mo ago
The Custom Hostnames API responds back with the challenge record and then you can continue to query for updates and such. It's not a bad api *If your customer is using CF they can CNAME on Root and skip that whole validation stuff still
x03
x03OP•5mo ago
Oh that's great Oh wait thats crazy So no txt record if they're using CF?
Chaika
Chaika•5mo ago
You don't need the txt record for verification on subdomains of any provider, or on root if they're using CF
x03
x03OP•5mo ago
Alright that's some really valuable information, thanks! I'd like to keep this thread here so I can reference this info for later
Chaika
Chaika•5mo ago
CF cheats because on their own dns they can see the raw cname target even on root
x03
x03OP•5mo ago
That sounds super handy I'll advise my users to use CF for quicker setup then
Chaika
Chaika•5mo ago
Ever use Pages Custom Domains or R2 Custom Domains? That's exactly what it does/uses. HTTP Validation w/ CF For SaaS
x03
x03OP•5mo ago
I've used Pages It does feel like magic
Want results from more Discord servers?
Add your server