certificate expiration notice for domain #2646

Open
Hannahleer opened this issue Oct 27, 2023 · 20 comments

Comments

@Hannahleer

Hello, I recently switched my network to Netmaker.
I chose to use my own domain name during the installation process, using the nm-quick.sh script.
However, yesterday I received an email notification, "Let's Encrypt certificate expiration notice for domain", telling me that the domain name [xxx.netmaker.example.com] is about to expire.

I want to know whether the certificate expiring affects the current network channel, and how to renew these certificates if necessary.

Thanks!!

@abhishek9686
Member

abhishek9686 commented Oct 27, 2023

@Hannahleer For a while now, to overcome rate-limiting issues, Netmaker has managed certs via Caddy. Was this server created before the v0.21.1 release? I would think it was, since that was a recent release. Can you remove these cert references in your Caddyfile, tls /root/certs/fullchain.pem /root/certs/privkey.pem, and restart the Caddy container?

@Hannahleer
Author

It's the v0.20.6 release.

@abhishek9686
Member

Alright, as I mentioned, remove the tls /root/certs/fullchain.pem /root/certs/privkey.pem lines from the Caddyfile and restart Caddy.

@Hannahleer
Author

I have removed the tls lines from the Caddyfile and restarted Caddy, but I can't open the Netmaker web UI now.

@abhishek9686
Member

Can you paste logs from Caddy?

@Hannahleer
Author

caddy.log.txt

It has been restarted for a while, so there are a lot of logs, sorry.

@abhishek9686

@abhishek9686
Member

Run the following commands:
docker stop caddy && docker rm caddy
docker volume rm root_caddy_data && docker volume rm root_caddy_conf
docker-compose up -d

@Hannahleer
Author

@abhishek9686 There still seems to be some problem, thanks.

[image attached]

caddylog.txt

Caddyfile:

# Dashboard
https://dashboard.{$NM_DOMAIN} {
        # Apply basic security headers
        header {
                # Enable cross origin access to *.{$NM_DOMAIN}
                Access-Control-Allow-Origin *.{$NM_DOMAIN}
                # Enable HTTP Strict Transport Security (HSTS)
                Strict-Transport-Security "max-age=31536000;"
                # Enable cross-site filter (XSS) and tell browser to block detected attacks
                X-XSS-Protection "1; mode=block"
                # Disallow the site to be rendered within a frame on a foreign domain (clickjacking protection)
                X-Frame-Options "SAMEORIGIN"
                # Prevent search engines from indexing
                X-Robots-Tag "none"
                # Remove the server name
                -Server
        }

        reverse_proxy http://netmaker-ui
}

# API
https://api.{$NM_DOMAIN} {
        tls /root/certs/fullchain.pem /root/certs/privkey.pem
        reverse_proxy http://netmaker:8081
}

# TURN
https://turn.{$NM_DOMAIN} {
        tls /root/certs/fullchain.pem /root/certs/privkey.pem
        reverse_proxy host.docker.internal:3479
}

# TURN API
https://turnapi.{$NM_DOMAIN} {
        tls /root/certs/fullchain.pem /root/certs/privkey.pem
        reverse_proxy http://host.docker.internal:8089
}

# MQ
wss://broker.{$NM_DOMAIN} {
        tls /root/certs/fullchain.pem /root/certs/privkey.pem
        reverse_proxy ws://mq:8883 # For EMQX websockets use `reverse_proxy ws://mq:8083`
}

@Hannahleer
Author

I just noticed: should I have removed all of the tls /root/certs/fullchain.pem /root/certs/privkey.pem lines from the Caddyfile?

I only removed the first one, sorry.

@Hannahleer
Author

And should https be changed to http?

@abhishek9686
Member

Yes, you need to remove all of them and restart the container.
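For reference, the Caddyfile posted earlier in this thread with all three tls lines removed, as an added example rather than the project's own file (the site blocks, the {$NM_DOMAIN} variable and the upstream names are copied from that post). The https:// and wss:// site addresses stay as they are: with no tls directive, Caddy's automatic HTTPS obtains and renews a certificate for each site name on its own, which requires DNS for each name to point at this host and ports 80 and 443 to be reachable from the internet for the ACME challenge. The old files under /root/certs are simply no longer referenced; they can be left in place or deleted.

```caddyfile
# Dashboard
https://dashboard.{$NM_DOMAIN} {
        # Apply basic security headers
        header {
                # Enable cross origin access to *.{$NM_DOMAIN}
                Access-Control-Allow-Origin *.{$NM_DOMAIN}
                # Enable HTTP Strict Transport Security (HSTS)
                Strict-Transport-Security "max-age=31536000;"
                # Enable cross-site filter (XSS) and tell browser to block detected attacks
                X-XSS-Protection "1; mode=block"
                # Disallow the site to be rendered within a frame on a foreign domain (clickjacking protection)
                X-Frame-Options "SAMEORIGIN"
                # Prevent search engines from indexing
                X-Robots-Tag "none"
                # Remove the server name
                -Server
        }

        reverse_proxy http://netmaker-ui
}

# API (no tls directive: Caddy manages the certificate itself)
https://api.{$NM_DOMAIN} {
        reverse_proxy http://netmaker:8081
}

# TURN
https://turn.{$NM_DOMAIN} {
        reverse_proxy host.docker.internal:3479
}

# TURN API
https://turnapi.{$NM_DOMAIN} {
        reverse_proxy http://host.docker.internal:8089
}

# MQ
wss://broker.{$NM_DOMAIN} {
        reverse_proxy ws://mq:8883 # For EMQX websockets use `reverse_proxy ws://mq:8083`
}
```

After restarting the Caddy container, the container logs show the ACME issuance for each name; if a name fails there, check that the name resolves to this host's public address and that nothing in front of the host blocks inbound 80 and 443.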

@Hannahleer
Author

caddylog.txt

I removed all the tls lines and restarted, but it didn't work. The logs look like a firewall problem, but it's the local public IP and all traffic is allowed.

@abhishek9686

@Hannahleer
Author

@abhishek9686 I have disabled the HSTS config; it still doesn't work.

        header {
                # Enable cross origin access to *.{$NM_DOMAIN}
                Access-Control-Allow-Origin *.{$NM_DOMAIN}
                # Enable HTTP Strict Transport Security (HSTS)
                #Strict-Transport-Security "max-age=31536000;"
                # Enable cross-site filter (XSS) and tell browser to block detected attacks
                X-XSS-Protection "1; mode=block"
                # Disallow the site to be rendered within a frame on a foreign domain (clickjacking protection)
                X-Frame-Options "SAMEORIGIN"
                # Prevent search engines from indexing
                X-Robots-Tag "none"
                # Remove the server name
                -Server
        }

caddylog.txt

@matanper

matanper commented Dec 12, 2023

@abhishek9686
I also have this problem. I tried your suggestion and I'm getting:

Error: loading initial config: loading new config: loading http app module: provision http: getting tls app: loading tls app module: provision tls: loading certificates: open /root/certs/fullchain.pem: no such file or directory

It seems like Netmaker is missing a way to reissue expired certificates.

@matanper

matanper commented Dec 12, 2023

The problem for me was a bug in the nm-certs.sh script, although I don't see it in the repository anymore, so maybe it was replaced by something else.
Anyway, the bug was using unneeded quotes around $CERTBOT_PARAMS:

./zerossl-bot.sh "$CERTBOT_PARAMS"

changed to:

./zerossl-bot.sh $CERTBOT_PARAMS

Not sure how it worked before, but now everything is back to normal.
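What the quoting change above does, as an added example (not code from nm-certs.sh or the Netmaker repository): a stand-in for ./zerossl-bot.sh reports how many arguments it received, and the flag string, domain and address below are constructed sample values, not the real script's. Double quotes around $CERTBOT_PARAMS suppress word splitting, so certbot received its whole command line as one argument. Dropping the quotes restores the split but also re-enables globbing, so a value such as a wildcard domain -d *.example.com could be expanded against the current directory. The third function shows the POSIX-portable way to carry a list of arguments without either problem: keep them as positional parameters and pass "$@".

```shell
# Added example, not part of the netmaker scripts. Stands in for
# ./zerossl-bot.sh with a function that returns its argument count.

# Stand-in for the real bot script: prints how many arguments it got.
fake_bot() {
    echo "$#"
}

# The parameter string as a script like nm-certs.sh would build it.
# Constructed sample values; the real flags, address and domain are assumptions.
CERTBOT_PARAMS="certonly --standalone --non-interactive --agree-tos -m admin@example.com -d api.netmaker.example.com"

# Buggy form: the double quotes suppress word splitting, so the whole
# string arrives as ONE argument and certbot sees an unknown subcommand.
args_quoted() {
    fake_bot "$CERTBOT_PARAMS"
}

# The fix from the thread: unquoted expansion splits on $IFS, one argument
# per token. Works, but any '*' or '?' in the value is subject to globbing.
args_unquoted() {
    # shellcheck disable=SC2086  # splitting is intentional here
    fake_bot $CERTBOT_PARAMS
}

# Robust POSIX form: keep the flags as positional parameters and forward
# them with "$@". No word splitting, no globbing, spaces in values survive.
args_positional() {
    set -- certonly --standalone --non-interactive --agree-tos \
           -m admin@example.com -d api.netmaker.example.com
    fake_bot "$@"
}
```

Running the three functions gives 1, 8 and 8 arguments respectively; the first is the failure mode the script had, the third is the form to prefer in a new script (in bash, an array with "${params[@]}" is the equivalent).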

@abhishek9686
Member

Did you remove the references from the Caddyfile?

@wendellli99

I'm hitting this issue too. Besides deleting all the tls /root/certs/fullchain.pem /root/certs/privkey.pem lines from the Caddyfile, do we also need to remove the two .pem files themselves?

@melm

melm commented Jan 12, 2024

I hit this issue too. It's from when they deprecated that nm-cert script, I think (#2611).

This thread was mostly red herrings from that change.

The fix for me was to replace my Caddyfile and my docker-compose with the ones from the latest release, then:
docker-compose down
docker-compose pull
docker-compose up -d

And it was working again.

https://github.com/gravitl/netmaker/blob/master/compose/docker-compose.yml
https://github.com/gravitl/netmaker/blob/master/docker/Caddyfile
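A check a practitioner would want after a migration like the one in this thread, added here and not part of Netmaker or any of the comments: once Caddy manages certificates, the files under /root/certs are no longer what clients receive, but a stale copy is easy to mistake for the live one. The functions below use openssl's -checkend to report whether a PEM certificate stays valid for a given number of seconds, and compare subject with issuer to tell a self-signed or stale file from a CA-issued one (a Let's Encrypt or ZeroSSL certificate has the CA as issuer). The sample certificate is constructed inside the block (placeholder name api.netmaker.example.com, 5-day lifetime) so it runs offline; to inspect what the server actually serves, pipe `openssl s_client -connect api.<domain>:443 -servername api.<domain> </dev/null | openssl x509` into a file and pass that to report_cert.

```shell
# Added example, not from the netmaker project. Requires the openssl CLI.

# Returns 0 if the PEM certificate in $1 is still valid $2 seconds from now,
# 1 if it will have expired by then (openssl x509 -checkend semantics).
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# Prints "self-signed" when subject and issuer match, else "ca-issued".
cert_issuer_kind() {
    cik_subj=$(openssl x509 -in "$1" -noout -subject)
    cik_iss=$(openssl x509 -in "$1" -noout -issuer)
    if [ "${cik_subj#subject=}" = "${cik_iss#issuer=}" ]; then
        echo self-signed
    else
        echo ca-issued
    fi
}

# Constructed sample: a self-signed cert valid for 5 days, standing in for an
# expiring /root/certs/fullchain.pem. The CN is a placeholder domain.
make_sample_cert() {
    msc_dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 5 \
        -subj "/CN=api.netmaker.example.com" \
        -keyout "$msc_dir/privkey.pem" -out "$msc_dir/fullchain.pem" >/dev/null 2>&1
    echo "$msc_dir/fullchain.pem"
}

# Report on one certificate file. Warns (and returns 1) when fewer than
# 30 days remain, the same window the Let's Encrypt expiry mail uses.
report_cert() {
    if cert_valid_for "$1" $((30 * 86400)); then
        echo "ok: $1 valid for at least 30 more days ($(cert_issuer_kind "$1"))"
        return 0
    fi
    echo "WARN: $1 expires within 30 days ($(cert_issuer_kind "$1")); renew it or let Caddy manage the name"
    return 1
}
```

A non-zero return from report_cert on the file Caddy is actually serving means renewal is not happening; a non-zero return on a leftover /root/certs file that nothing references any more is expected and can be ignored.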

5 participants