🐛 Bug Report: Certificate Worker Uses Old Domain #7969

Open
2 tasks done
ItzNotABug opened this issue Apr 13, 2024 · 2 comments
@ItzNotABug
Contributor

👟 Reproduction steps

  1. Open your .env & update the _APP_DOMAIN & _APP_DOMAIN_TARGET to something other than the current domain.
    Example - Previous: stack.abc.com, New: api.abc.com.

  2. Restart appwrite stack with docker compose up -d

  3. You should probably receive a broken email
    See - 🐛 Bug Report: SSL Certificate Failure Emails Are Broken #7968

  4. Log the certificate worker via - docker logs appwrite-worker-certificates

    [Worker] Worker 0 is ready!
    Worker certificates  started
    [Job] Received Job (661a5a72d74801.82305276).
    [Job] (661a5a72d74801.82305276) successfully run.
    [Job] Received Job (661a5a72d75144.71278799).
    Cannot renew domain (stack.abc.com) on attempt no. 2 certificate: Failed to verify domain DNS records.
    [Job] (661a5a72d75144.71278799) failed to run.
    [Job] (661a5a72d75144.71278799) Failed to verify domain DNS records.
    [Error] Type: Exception
    [Error] Message: Failed to verify domain DNS records.
    [Error] File: /usr/src/code/src/Appwrite/Platform/Workers/Certificates.php
    [Error] Line: 286
    

A manual docker exec appwrite ssl execution is required to generate a valid SSL.

👍 Expected behavior

Automatically fetch the new domain and issue an SSL Certificate.

👎 Actual Behavior

Old domain is used.

🎲 Appwrite version

Version 1.5.x

💻 Operating system

Linux

🧱 Your Environment

Ubuntu 22.04

👀 Have you spent some time to check if this issue has been raised before?

  • I checked and didn't find similar issue

🏢 Have you read the Code of Conduct?

@ItzNotABug ItzNotABug added the bug Something isn't working label Apr 13, 2024
@ItzNotABug ItzNotABug changed the title 🐛 Bug Report: Certificate Worker Uses Older Domain 🐛 Bug Report: Certificate Worker Uses Old Domain Apr 13, 2024
@stnguyen90 stnguyen90 added the product / platform Fixes and upgrades for the Appwrite Platform. label Apr 26, 2024
@stnguyen90
Contributor

@ItzNotABug, thanks for raising this issue! 🙏🏼 I think the worker logs are fine as the certificate probably wasn't able to generate before so it's going to try again. There should be a new certificate job triggered for the new domain via

    $domain = $request->getHostname();
    $domains = Config::getParam('domains', []);
    if (!array_key_exists($domain, $domains)) {
        $domain = new Domain(!empty($domain) ? $domain : '');
        if (empty($domain->get()) || !$domain->isKnown() || $domain->isTest()) {
            $domains[$domain->get()] = false;
            Console::warning($domain->get() . ' is not a publicly accessible domain. Skipping SSL certificate generation.');
        } elseif (str_starts_with($request->getURI(), '/.well-known/acme-challenge')) {
            Console::warning('Skipping SSL certificates generation on ACME challenge.');
        } else {
            Authorization::disable();
            $envDomain = System::getEnv('_APP_DOMAIN', '');
            $mainDomain = null;
            if (!empty($envDomain) && $envDomain !== 'localhost') {
                $mainDomain = $envDomain;
            } else {
                $domainDocument = $dbForConsole->findOne('rules', [Query::orderAsc('$id')]);
                $mainDomain = $domainDocument ? $domainDocument->getAttribute('domain') : $domain->get();
            }
            if ($mainDomain !== $domain->get()) {
                Console::warning($domain->get() . ' is not a main domain. Skipping SSL certificate generation.');
            } else {
                $domainDocument = $dbForConsole->findOne('rules', [
                    Query::equal('domain', [$domain->get()])
                ]);
                if (!$domainDocument) {
                    $domainDocument = new Document([
                        'domain' => $domain->get(),
                        'resourceType' => 'api',
                        'status' => 'verifying',
                        'projectId' => 'console',
                        'projectInternalId' => 'console'
                    ]);
                    $domainDocument = $dbForConsole->createDocument('rules', $domainDocument);
                    Console::info('Issuing a TLS certificate for the main domain (' . $domain->get() . ') in a few seconds...');
                    $queueForCertificates
                        ->setDomain($domainDocument)
                        ->setSkipRenewCheck(true)
                        ->trigger();
                }
            }
            $domains[$domain->get()] = true;
            Authorization::reset(); // ensure authorization is re-enabled
        }
        Config::setParam('domains', $domains);
    }

  1. What do the appwrite logs show?
  2. What does the _console_rules table have?

@stnguyen90 stnguyen90 self-assigned this Apr 26, 2024
@ItzNotABug
Contributor Author

@stnguyen90
I guess it would be a better idea to check for the domain before retrying?
I mean if it doesn't match with the one in .env, there shouldn't be a check for DNS and no issuing an SSL.

Regarding the logs, I'll check and report back.
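
Added example (not part of the thread and not Appwrite code): an operator-side check that compares the domain named in the certificate worker's renewal failures against _APP_DOMAIN in .env, to spot retries that still target the old domain. The sample .env and log text are constructed from the report above, and the function names are hypothetical.

```python
import re

# Constructed sample inputs, modelled on the .env change and worker log in the report.
SAMPLE_ENV = """\
# constructed sample
_APP_DOMAIN=api.abc.com
_APP_DOMAIN_TARGET="api.abc.com"
"""

SAMPLE_LOG = """\
[Worker] Worker 0 is ready!
[Job] Received Job (661a5a72d75144.71278799).
Cannot renew domain (stack.abc.com) on attempt no. 2 certificate: Failed to verify domain DNS records.
[Job] (661a5a72d75144.71278799) failed to run.
Cannot renew domain (api.abc.com) on attempt no. 1 certificate: Failed to verify domain DNS records.
"""

# Matches the worker's renewal-failure line as it appears in the report.
RENEW_FAIL = re.compile(
    r"Cannot renew domain \((?P<domain>[^)]+)\) "
    r"on attempt no\. (?P<attempt>\d+) certificate: (?P<reason>.*)"
)

def parse_env(text):
    """Return KEY -> value for simple KEY=value lines, skipping comments and quotes."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        env[key.strip()] = value.strip().strip("'\"")
    return env

def stale_renewals(env_text, log_text):
    """List renewal failures whose domain differs from the configured _APP_DOMAIN."""
    configured = parse_env(env_text).get("_APP_DOMAIN", "").lower()
    findings = []
    for line in log_text.splitlines():
        m = RENEW_FAIL.search(line)
        if m and m.group("domain").lower() != configured:
            findings.append({"domain": m.group("domain"),
                             "attempt": int(m.group("attempt")),
                             "reason": m.group("reason").strip()})
    return findings

if __name__ == "__main__":
    for f in stale_renewals(SAMPLE_ENV, SAMPLE_LOG):
        print(f"stale domain {f['domain']} retried (attempt {f['attempt']}): {f['reason']}")
```

In practice the log text would come from docker logs appwrite-worker-certificates and the env text from the stack's .env file.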
