SSL renewal failed

Hi,

I get “SSL renewal failed” e-mails, but cannot find more info on why this fails. Where can I look?
I added some redirects, maybe there is a problem.

www.domain.com points to the CDN
The CDN points to www2.domain.com on the Hetzner server managed by Cleavr.
domain.com points to the Hetzner server, where I made a dummy site with SSL and redirect the traffic to www.domain.com. (Saw too late that there are settings to add a domain to the SSL certificate and alias names. Maybe I will change to those settings.)

In www2.domain.com/header/redirect.conf:

# Redirect all http traffic to https
server {
    listen 80;
    listen [::]:80;
    server_name www.www2.domain.com www2.domain.com;
    return 301 https://$host$request_uri;
}

# Redirect www.www2.domain.com to www2.domain.com
server {
  include /etc/nginx/cleavr-conf/www2.domain.com/server.conf;
  server_name www.www2.domain.com;
  return 301 $scheme://www2.domain.com$request_uri;
}

/woka.com/header/redirect.conf:

# Redirect all http traffic for domain.com to https://www.domain.com

server {
    listen 80;
    listen [::]:80;
    server_name domain.com;
    return 301 https://www.domain.com$request_uri;
}

# Redirect domain.com to www.domain.com, keeping the request's scheme
server {
  include /etc/nginx/cleavr-conf/domain.com/server.conf;
  server_name domain.com;
  return 301 $scheme://www.domain.com$request_uri;
}

The site is in production; the cert is valid until Tue, 21 Feb 2023 20:50:35 GMT.
Thanks for the help

Hello @romanw,

You can add additional domains to the Site > Aliases section so that if the DNS record is pointing to the server, then NGINX will know which site the alias relates to.

To then add SSL cert, go to Site > SSL Certificates and then you can edit the cert and add the alias domains in the ‘Alternate’ domains section.

To see SSL errors, from this same section you can click on the SSL ellipsis menu and then click on ‘Check Status’ to see if there are any issues with adding / renewing SSL.

I hope that helps and please let us know if you run across any issues or you have any follow up questions.

Forgot one more thing - there are also SSL Lets Encrypt logs available in Server > Logs section.

Thanks @amiedema. That helped. I deleted my workaround site, added the alias domain domain.com to the www2.domain.com site, and added domain.com as an alternate domain to the SSL certificate. Renewing the cert failed, but the error message I saw then gave the hint that I had a typo in the AAAA DNS record. It seems that I added the IPv6 entry after requesting the first SSL cert.

But now, how can I redirect domain.com (alias domain) to www.domain.com (CDN domain)?
In the nginx config of www2.domain.com, I added:

server {
  server_name domain.com;
  return 301 $scheme://www.domain.com$request_uri;
}

But this is not working.

It is working.
Only if the browser has loaded a https://www.domain.com/en/page/ page and I delete the “www.” from the address bar and hit enter, https://domain.com/en/page/ is shown. If I type https://domain.com/en/page/ into the address bar and hit enter, it redirects to https://www.domain.com/en/page/.
If I not only delete the “www.” but also change the protocol to http, the redirect works, but only in Edge, not in Firefox.
I think I can live with that. But if anyone has an idea why this is so … welcome!

Hi @romanw, we set up redirects based on how the domain was entered for the site during creation. If non-www, then Cleavr adds redirects from www to non-www. If the domain was set up with www, then Cleavr adds redirects from non-www to www. If it’s feasible, you might consider removing the site and then re-adding it with www.

Where is this done for the alias domain? I couldn’t find it in the config. I saw the redirect for www.www2.domain.com to www2.domain.com in header/redirect.conf, but not for the alias. For the main domain this works: www.www2.domain.com has to be redirected to www2.domain.com. But because the www subdomain of domain.com is pointing to the CDN, I will not get an SSL cert for www.domain.com, and if I change the alias domain domain.com to www.domain.com without changing the SSL cert, the browser shows a cert error for domain.com.

Site: www.www2.domain.com redirects to www2.woka.com = correct
Alias: www.domain.com redirects to domain.com = should be disabled
Alias domain.com should redirect to www.domain.com on the CDN, which picks the Cleavr site www2.domain.com

If I were to forget the www2.domain.com site and make a Cleavr site www.domain.com, the redirect from domain.com to www.domain.com would work, but I would not get an SSL cert, because www.domain.com is pointing to the CDN, not the Cleavr site.

Adding this works to redirect to www.domain.com if domain.com is typed into the address bar of the browser:

server {
  server_name domain.com;
  return 301 $scheme://www.domain.com$request_uri;
}

If I remove the www in the address bar of a loaded page and hit enter, the redirect does not work (why?), unless I also remove the trailing slash, as I have the following later in my location / config:

# No listen directive here, so nginx binds this block to its default
# (*:80 when running as root) only; it is never a candidate for the
# HTTPS listener.
server {
  server_name domain.com;
  return 301 $scheme://www.domain.com$request_uri;
}

server {
  server_name www2.domain.com domain.com;
  root /home/cleavr/www2.domain.com/current;
  [...]
  location / {
     [...]
     # Add a trailing slash to extension-less URIs; only URIs without
     # a trailing slash match this regex and get redirected to www
     rewrite ^([^.]*[^/])$ https://www.domain.com$1/ permanent;
  }
  [...]
}

The probability that someone removes the www in the address bar is close to zero, I think. And if they do, there is a canonical tag on the page.
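A way to see which server block nginx actually picks for each of the requests discussed above, as an added example that is not code from the thread or from Cleavr. It models the subset of nginx virtual-host selection that matters here: a block is only a candidate on the ports it listens on (a block with no listen directive defaults to *:80 when nginx runs as root), an exact server_name match wins, and otherwise the first block defined on that port is the default. The include contents (assumed to carry the TLS listeners), the two sample configs, and the request paths are all constructed for this example; the paths and names follow the thread.

```python
"""Trace nginx server-block selection for the www/non-www redirect configs.

Added example, not the thread's or Cleavr's code. Only the directives needed
here are modelled: listen, server_name, include, return, and one rewrite.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Assumed content of the Cleavr-generated server.conf include: the TLS listeners.
INCLUDES = {
    "/etc/nginx/cleavr-conf/www2.domain.com/server.conf":
        "listen 443 ssl;\nlisten [::]:443 ssl;",
}


@dataclass
class ServerBlock:
    ports: set = field(default_factory=set)
    names: list = field(default_factory=list)
    ret: Optional[tuple] = None       # (status, target template)
    rewrite: Optional[tuple] = None   # (regex, target template)

    def add(self, line, includes):
        parts = line.rstrip(";").split()
        if parts[0] == "listen":
            # "80", "[::]:80", "443 ssl": the port follows the last colon, if any
            self.ports.add(int(parts[1].rsplit(":", 1)[-1]))
        elif parts[0] == "server_name":
            self.names += parts[1:]
        elif parts[0] == "return":
            self.ret = (int(parts[1]), parts[2])
        elif parts[0] == "rewrite":
            self.rewrite = (parts[1], parts[2])
        elif parts[0] == "include":
            for inc in includes[parts[1]].splitlines():
                self.add(inc, includes)


def parse(conf, includes=INCLUDES):
    """Collect server blocks; a nested location block is flattened into its server."""
    blocks, cur, depth = [], None, 0
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if cur is None:
            if line.startswith("server") and line.endswith("{"):
                cur, depth = ServerBlock(), 1
            continue
        if line.endswith("{"):
            depth += 1
        elif line == "}":
            depth -= 1
            if depth == 0:
                blocks.append(cur)
                cur = None
        else:
            cur.add(line, includes)
    for b in blocks:
        if not b.ports:
            b.ports.add(80)  # nginx default when no listen directive is present
    return blocks


def resolve(blocks, scheme, host, path):
    """Return (status, location) the way nginx would route this request."""
    port = 443 if scheme == "https" else 80
    cands = [b for b in blocks if port in b.ports]
    if not cands:
        return None  # nothing listens on this port: connection refused
    chosen = next((b for b in cands if host in b.names), cands[0])
    env = {"scheme": scheme, "host": host, "request_uri": path}
    expand = lambda tpl: re.sub(r"\$(\w+)", lambda m: env.get(m.group(1), m.group(0)), tpl)
    if chosen.ret:
        return chosen.ret[0], expand(chosen.ret[1])
    if chosen.rewrite:
        m = re.match(chosen.rewrite[0], path)  # rewrite regexes match the URI
        if m:
            env["1"] = m.group(1)              # $1 backreference
            return 301, expand(chosen.rewrite[1])
    return 200, None


# Constructed config modelled on the thread: the redirect block has no listen.
POSTED = """
server {
  server_name domain.com;
  return 301 $scheme://www.domain.com$request_uri;
}

server {
  include /etc/nginx/cleavr-conf/www2.domain.com/server.conf;
  server_name www2.domain.com domain.com;
  root /home/cleavr/www2.domain.com/current;
  location / {
    rewrite ^([^.]*[^/])$ https://www.domain.com$1/ permanent;
  }
}
"""

# Same config with the redirect block given its own port-80 and TLS listeners,
# and domain.com dropped from the site block so both do not claim it on 443.
FIXED = """
server {
  listen 80;
  listen [::]:80;
  include /etc/nginx/cleavr-conf/www2.domain.com/server.conf;
  server_name domain.com;
  return 301 $scheme://www.domain.com$request_uri;
}

server {
  include /etc/nginx/cleavr-conf/www2.domain.com/server.conf;
  server_name www2.domain.com;
  root /home/cleavr/www2.domain.com/current;
  location / {
    rewrite ^([^.]*[^/])$ https://www.domain.com$1/ permanent;
  }
}
"""

if __name__ == "__main__":
    for name, conf in (("posted", POSTED), ("fixed", FIXED)):
        blocks = parse(conf)
        for req in (("http", "domain.com", "/en/page/"),
                    ("https", "domain.com", "/en/page/"),
                    ("https", "domain.com", "/en/page")):
            print(name, "%s://%s%s" % req, "->", resolve(blocks, *req))
```

With the posted config, https://domain.com/en/page/ is handled by the site block and served without a redirect, while https://domain.com/en/page is caught by the trailing-slash rewrite and only http://domain.com/... reaches the redirect block. With the listeners added to the redirect block, all three land on https://www.domain.com/en/page/. If two blocks keep the same name on the same port, nginx logs a "conflicting server name" warning and the first definition wins, which is why the model drops domain.com from the site block.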

Sorry - I wasn’t clear on the alias being redirected. We don’t add any www/non-www redirects for alias domains, so those would need to be added in a similar way to what you see for the main domain. For example, create a separate header file for the alias redirect:

server {
  include /etc/nginx/cleavr-conf/www.example.com/server.conf;
  server_name example.com;
  return 301 $scheme://www.example.com$request_uri;
}

It should still work if you remove the www after loading; at least it does for my test site. It could be that there is something else going on in the app, nginx config, etc. for the trailing slash.

Also, keep in mind any sub-domain passing through the server should also be added to the SSL as an alt domain; otherwise, users may get a browser error.

I’m not sure if this completely answers your questions.