Here's the custom domain I'm testing with:
https://dash.00darksi.de/
time to thread
You're right xD
@x03 that's a cname to tsar.app?
Yep
cool, and under SSL/TLS -> Custom Hostnames, status is?
Okay good catch
This one actually isn't added to my SaaS thing
idk why i never got a "cross user banned" error though
oh it's on the same CF account
that's why
if on same account there is magic to make that work without saas
yup
should i add it
to the SaaS thing
easiest way to fix
Alright let me add it and validate it
Also an FYI, I added a client's domain like 30 mins ago and it threw SSL errors
But I'll continue with my darkside domain for testing
the TXT verification is taking a minute
ps. you don't need the prevalidation as long as the cname exists and isn't being flattened (like not on apex)
Okay finally worked
https://dash.00darksi.de/
Still throwing SSL error
Just like the other client domain that I added to the SaaS list
if you do
`curl -vvv -k --resolve dash.00darksi.de:443:127.0.0.1 https://dash.00darksi.de/`
we want the app.tsar.co cert to be served, curl will think invalid but Cf should be fine with that
What does this mean 😨
I'd have to retest sometime later to be 100% sure, but I tested this kind of setup before, and it was like this: Host header forwarded to origin, origin should respond with normal cert (tsar.app) - even w/ full (strict) it's fine as long as it matches the target
In other words, Traefik should be serving the tsar.app cert by default, not its default. In nginx I would do this with a default server block, in traefik I would google their docs for information
Hmm I see, I could try to do some research into this and mess with some Traefik config settings
Traefik has some sort of config setup that allows the passing of Cloudflare tokens
Maybe that could be what's missing to serve cloudflare approved certs
You'd set a flag like:
--certificatesresolvers.letsencrypt.acme.dnschallenge.provider=cloudflare
And define an ENV variable like: CLOUDFLARE_DNS_API_TOKEN=*
Not sure if it's related but I'll try it
I don't imagine that's related and you don't need certs for each customer, just to serve the tsar.app ones by default
Yeah you're correct, doing the stuff I sent above does not work
Hmm
@Chaika Would using a cloudflare certificate instead of a LetsEncrypt certificate for my server fix this issue?
I found an article: https://blog.marcosalonso.dev/traefik-https-cloudflare/
But I don't know if this would help with my problem
Both would work equally well for your website and fail equally when they don't get served to the custom hostname's requests
Hmm okay so the issue is my traefik config, not the cert
the issue isn't the certificate but your configuration not serving it by default. I'd look for a way in traefik to have a default server block/execution/certificates, sometimes called wildcard
yup
Okay I'll try and find some info on this
if easier, and you just wanted to test that sort of setup first, you could try making an explicit config for dash.00darksi.de serving tsar.app's certificates just as a quick test
Here's my Traefik config:
Do you know which setting lets me point dash.00darksi.de to the tsar.app cert? Also how do I even reference the certificate that I need
I do not use traefik, docker (very much) or coolify lol
it might be easier to find a way to mark one of them as a default
Alright I'll try to do that
https://doc.traefik.io/traefik/https/tls/#default-certificate some info about default certs/configs there
looks interesting, lots of magic with auto tls though
is this an actual production/deployed app? If not I would probably try that. Otherwise I'd say be very very careful or setup a separate testing env lol
It's deployed but no one's using it yet xD
So we're good to test anything we need
safe to break
yep
I've seen a user recommend me this:
I'm going to try both that and the stuff you sent
that wouldn't really work tho
Cloudflare provider is DNS, you're not going to have DNS control over all your clients (I assume?)
Oh okay, I'll try what you sent then
Nope, you're right
I would probably change that a bit though, one sec
You're just using normal let's encrypt resolver with http validation, looks like?
I assume so, I think that's the Coolify default
I'll show you my container labels
1 sec
Those aren't my global Traefik settings, but just for the .app container
it's weird though because I swear you couldn't do wildcards over http challenges 'cept you clearly from earlier testing have a wildcard LE cert
Yep I do lmao
That took so long to figure out
Just adding this to the container traefik labels didn't do anything
I'll try this as well
I would remove that. Yea I realized after you're not using the cloudflare resolver at all
(I would also restart the container if you didn't already)
Yep it's restarting now
And I removed the initial 3 labels
LET'S GO
it's worked
Thank you so much
I need to study all this SSL and reverse proxy stuff when I get free time
It's super complicated but very interesting
Traefik makes it way more complicated with all its automations
well. it also makes stuff way easier, that isn't cert related
you give and you get
Yep
Switching to Cloudflare's Origin Certs may not be a bad idea long run since Let's Encrypt may fail without you noticing and Origin Certs are for 15 years, but that's something to decide later
I'll 100% look into that later, since that's not urgent I'll have more time to do my own research and not require someone to walk me through it like this situation xD
anyway I'll end this with one piece of advice: This setup only works because you're using CF. If you removed CF, you'd need to issue certs for each customer. (which is what cf for saas is taking care of for you)
Proxied CNAMEs in CF's cert logic work if the certificate responded with contains either the actual hostname, or the target of the cname. fun stuff
Wow that's great
I guess the SaaS thing makes certificates for all the customers
It does yea, you can see that in the custom hostname status
I looked into it a little and it's cool
it uses http validation by default
idk what type of product you're aiming for, but worth mentioning maybe, if you have customers who ever want to use their apex (example.com) and not a subdomain, you'd need to force them to add the prevalidation first, and then the Cname. Otherwise for subdomains they can just CNAME and nothing else
(and that apex setup would only work if they use a DNS Provider that supports CNAME/ALIAS records/ANAME at root, otherwise would need Enterprise's Apex Proxying to get a static IP if they're using a dns provider which doesn't support those special record types and want to put it on their apex)
Oh I see, well the product is similar to Sellix, where users host some sort of content on their app, and then their customers can access that content via <app_id>.tsar.app, <vanity>.tsar.app, or custom domain
It's possible that people use their root domain though
yea, which again would be possible as long as their dns provider supports cname/alias/aname records (Called different things, all meaning the same) at root
I think the SaaS already does do prevalidations
even for subdomains
I was asked to do a TXT record thing
It tells you to add the txt but you don't need to
you can just cname and wait
Oh I see
If you try to do that on the root though it won't work, because CNAMEs aren't supported on the root per RFCs, so every dns provider who supports that is actually flattening them (into A/AAAA records) which removes identifying info
So those SaaS text records need to be added for the root to work?
You need the prevalidation txt record to be added and verified, and then tell them to add the cname, is how that works on root
I'll look into CF api to see how I can automate that, I've seen other services do the TXT record verification before so I'm sure I can figure it out.
The Custom Hostnames API responds back with the challenge record
and then you can continue to query for updates and such. It's not a bad api
*If your customer is using CF they can CNAME on Root and skip that whole validation stuff still
Oh that's great
Oh wait that's crazy
So no txt record if they're using CF?
You don't need the txt record for verification on subdomains of any provider, or on root if they're using CF
Alright that's some really valuable information, thanks! I'd like to keep this thread here so I can reference this info for later
CF cheats because on their own dns they can see the raw cname target even on root
That sounds super handy
I'll advise my users to use CF for quicker setup then
Ever use Pages Custom Domains or R2 Custom Domains? That's exactly what it does/uses. HTTP Validation w/ CF For SaaS
I've used Pages
It does feel like magic