How to get ssl working with my domain and coolify
I followed all the steps for deploying with Coolify. It's working at the HTTP endpoint, but I'm getting these errors between the client and server:
api.mydomain.xyz/auth/me:1 Failed to load resource: net::ERR_CERT_AUTHORITY_INVALID. I'm using Porkbun for my domain, and I've installed the A records for the client and server. What could I be missing?
Hi @Captain Incredible. I'm kapa.ai, your friendly support bot. I will try to answer your question by searching through the knowledge base. :wave:
----------------------
I'm sorry, but the knowledge sources provided do not contain specific information about configuring SSL certificates or resolving SSL issues when deploying a Wasp app with Coolify. The sources do cover SSL and custom domain setup for Fly.io and Heroku, including setting DNS records and environment variables, but there is no mention of Coolify or troubleshooting SSL errors like ERR_CERT_AUTHORITY_INVALID in that context.
Based on the information available, here are some general steps that are often required for SSL to work with custom domains (as seen in the Fly.io docs):
1. Ensure you have added the correct A and AAAA records for your domain, as instructed by your deployment platform.
2. Make sure your deployment platform (in this case, Coolify) is configured to issue and use a valid SSL certificate for your domain.
3. Set the correct environment variable (such as WASP_WEB_CLIENT_URL) to match your domain with HTTPS, which is important for CORS and client-server communication.
However, since there is no documentation or community discussion about Coolify and SSL in the provided sources, I cannot give you a Coolify-specific solution or confirm the exact steps required for your setup.
If you need further help, I recommend checking Coolify's documentation or support channels for SSL setup instructions, or asking in the Wasp community for anyone with experience deploying to Coolify.
If you have questions about Fly.io or Heroku SSL setup, I can provide detailed steps from the sources. Let me know if you'd like that information!
----------------------
Note: you can ask me a follow up question by @ mentioning me again :speech_balloon:
----------------------
Sorry @Captain Incredible, I seem to be having a bit of trouble. Don't worry though, I've pinged my support and they will try to fix me up! :technologist:
Perhaps try again in 15mins?
@kapa.ai I didn't add an AAAA record, just two A records like the guide mentioned: https://gist.github.com/infomiho/ad6fade7396498ae32a931ca563a4524
Let me check the knowledge base for you again. One moment! :books:
----------------------
Based on the knowledge sources, when setting up SSL for a custom domain (for example, on Fly.io), you are typically instructed to add both an A record and an AAAA record to your DNS provider, not just A records. The AAAA record is important for IPv6 support and, in some cases, for the SSL certificate to be issued and validated correctly.
From a real-world troubleshooting example, a user experienced SSL issues until they added both the A and AAAA records as instructed by the deployment platform. After adding the missing AAAA record and recreating the certificate, the SSL issue was resolved. Here’s a summary of the steps that worked for them:
1. Remove the old certificate (if any).
2. Create a new certificate for your domain.
3. Add both the A and AAAA records to your DNS provider as instructed by your deployment platform.
4. Monitor the certificate issuance process.
5. Repeat for any subdomains as needed (using CNAME for subdomains); see discussion.
Even though your guide may have only mentioned A records, the knowledge sources suggest that omitting the AAAA record can cause SSL certificate issues, such as the ERR_CERT_AUTHORITY_INVALID error you’re seeing.
Recommendation:
Add the AAAA record for your domain as provided by your deployment platform (Coolify or otherwise). This should help resolve the SSL certificate authority error.
If you continue to have issues, double-check that your deployment platform has successfully issued an SSL certificate for your domain and that your environment variables (like WASP_WEB_CLIENT_URL) are set to use the HTTPS version of your domain.
Let me know if you need more details or if you’re using a specific platform like Fly.io, as I can provide more targeted steps for that scenario.
----------------------
@kapa.ai I'm just using IPv4 for my public addresses, so I shouldn't need an IPv6 record. I see the last step is to set up with Cloudflare, but shouldn't the client and server still work over HTTP for their JWT communication?
Let me check the knowledge base for you again. One moment! :books:
----------------------
Based on the knowledge sources, there is no explicit requirement in Wasp's documentation that you must have an AAAA (IPv6) record for your app to work—especially if you are only using IPv4 addresses. The need for an AAAA record is mentioned in the context of Fly.io and SSL certificate issuance, but this is specific to their platform and not a general Wasp requirement. If your deployment platform (such as Coolify) and DNS provider only support IPv4, you should be able to operate with just A records, as long as the platform does not require otherwise.
Regarding HTTP vs. HTTPS for client-server JWT communication:
Wasp apps are designed to work over HTTP in development, but for production, secure communication (HTTPS) is strongly recommended, especially for authentication endpoints (like those handling JWTs). Some platforms and browsers may block or warn about insecure (HTTP) requests, particularly for authentication, and some features (like cookies with the Secure flag) require HTTPS. However, the knowledge sources do not state that JWT communication between client and server is impossible over HTTP; it is just not recommended for production due to security concerns.
If you are seeing SSL errors (like ERR_CERT_AUTHORITY_INVALID), it means the browser is expecting a valid HTTPS certificate but is not finding one. This is unrelated to whether you have an AAAA record, unless your platform specifically requires it for certificate issuance. If you are using Cloudflare as a proxy, you may also need to ensure SSL is set up correctly there.
In summary:
- You do not strictly need an AAAA record if you are only using IPv4, unless your deployment platform requires it.
- JWT communication can technically work over HTTP, but it is not secure or recommended for production.
- If you are using Cloudflare, make sure your SSL settings are correct and that your certificates are valid.
The knowledge sources do not provide more specific guidance for Coolify or Cloudflare in this context, so if you continue to have issues, you may need to consult their documentation or support channels.
----------------------
Hi @Captain Incredible, it is Coolify's cloud, not the self-hosted, right? I never used Coolify. But I think you need to follow https://coolify.io/docs/knowledge-base/dns-configuration
Follow the step for Single Domain and Wildcard Domains.
To do that, you need to know your domain name and public IP address from Porkbun.
For self-hosted, you can follow the guide in https://gist.github.com/infomiho/ad6fade7396498ae32a931ca563a4524.
Make sure that you change WASP_WEB_CLIENT_URL and WASP_SERVER_URL to your domain name.
Thanks. I think I just missed the end of the guide where he mentions SSL through Cloudflare.
Hey @Captain Incredible, did you get everything working?
Anything you still need help with?
Nope all good. Thanks!
Wohooo @Captain Incredible, you just became a Waspeteer level 5!
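For the net::ERR_CERT_AUTHORITY_INVALID error this thread is about, the following is an added example (not written by any participant in the thread, and not Wasp or Coolify code) that probes a host with Python's standard ssl module and reports why certificate verification fails. The mapping from OpenSSL verify codes to Chrome-style error names is an approximation made for this example, and api.mydomain.xyz is the placeholder host from the question.

```python
import socket
import ssl
import sys

# OpenSSL X.509 verify codes -> (closest browser error, likely cause).
# The browser names are an approximate mapping chosen for this example.
VERIFY_CODES = {
    18: ("ERR_CERT_AUTHORITY_INVALID", "self-signed leaf, e.g. a proxy's fallback certificate"),
    19: ("ERR_CERT_AUTHORITY_INVALID", "self-signed certificate in the chain"),
    20: ("ERR_CERT_AUTHORITY_INVALID", "issuer is not in the local trust store"),
    21: ("ERR_CERT_AUTHORITY_INVALID", "server did not send its intermediate certificate"),
    9: ("ERR_CERT_DATE_INVALID", "certificate is not yet valid"),
    10: ("ERR_CERT_DATE_INVALID", "certificate has expired"),
    62: ("ERR_CERT_COMMON_NAME_INVALID", "certificate does not cover this hostname"),
}


def classify(verify_code):
    """Translate an OpenSSL verify code into (error name, likely cause)."""
    return VERIFY_CODES.get(verify_code, ("UNCLASSIFIED", "verify code %d" % verify_code))


def probe(host, port=443, timeout=5.0):
    """Open a TLS connection with normal verification and describe the outcome."""
    ctx = ssl.create_default_context()  # system trust store, hostname checking on
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                issuer = dict(rdn[0] for rdn in tls.getpeercert()["issuer"])
                name = issuer.get("organizationName", issuer.get("commonName"))
                return {"host": host, "ok": True, "issuer": name}
    except ssl.SSLCertVerificationError as exc:
        error, cause = classify(exc.verify_code)
        return {"host": host, "ok": False, "error": error, "cause": cause}
    except OSError as exc:  # DNS failure, refused connection, timeout, other TLS error
        return {"host": host, "ok": False, "error": "CONNECT_FAILED", "cause": str(exc)}


if __name__ == "__main__":
    # Usage: python probe.py api.mydomain.xyz mydomain.xyz
    for hostname in sys.argv[1:]:
        print(probe(hostname))
```

Run it against both the client and the server hostnames: a result of ok with the expected issuer on one and a failure on the other shows which A record points at an endpoint that has no trusted certificate yet.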