Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Document SSL certs for function domains #1627

Open
wants to merge 17 commits into
base: main
Choose a base branch
from
Open

Document SSL certs for function domains #1627

Changes from all commits
Commits
Show all changes
17 commits
Select commit Hold shift + click to select a range
29ba0ac
draft ssl cert section
ebenezerdon Jan 3, 2025
cfbc9e1
update ssl certs doc
ebenezerdon Jan 6, 2025
3962639
Update with specific config
ebenezerdon Jan 6, 2025
c2dc43e
Update text
ebenezerdon Jan 8, 2025
0309e3a
Add existing content
ebenezerdon Jan 10, 2025
b7d8ebb
Include partial
ebenezerdon Jan 10, 2025
f7ddf93
Update partial position
ebenezerdon Jan 10, 2025
db27c15
Merge branch 'main' into ssl-certs-doc
ebenezerdon Jan 10, 2025
3fcd4d4
Merge branch 'main' into ssl-certs-doc
ebenezerdon Jan 10, 2025
d7519ee
Merge branch 'main' into ssl-certs-doc
ebenezerdon Jan 10, 2025
e97b126
Merge branch 'main' into ssl-certs-doc
ebenezerdon Jan 14, 2025
a7a9dd3
Merge branch 'main' into ssl-certs-doc
ebenezerdon Jan 14, 2025
a79080d
Merge branch 'main' into ssl-certs-doc
adityaoberai Jan 15, 2025
be8d81c
Merge branch 'main' into ssl-certs-doc
ebenezerdon Jan 17, 2025
49e92f6
Merge branch 'main' into ssl-certs-doc
ebenezerdon Jan 27, 2025
f463707
Merge branch 'main' into ssl-certs-doc
ebenezerdon Jan 28, 2025
97b05d5
add wildcard info
ebenezerdon Feb 7, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
99 changes: 98 additions & 1 deletion src/routes/docs/advanced/self-hosting/functions/+page.markdoc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -129,4 +129,101 @@ You can find a full list of supported runtimes [here](/docs/products/functions/r

You can also configure the maximum timeout that can be set on individual Appwrite Functions. The maximum configurable timeout can be increased by changing the `_APP_FUNCTIONS_TIMEOUT` environment variable. This environment variable changes the configurable maximum but does not alter existing configurations of individual functions.

{% partial file="update-variables.md" /%}
{% partial file="update-variables.md" /%}

# SSL certificates for Function domains {% #ssl-certificates %}

Before setting up SSL certificates, ensure you have configured your DNS settings properly. You'll need to create a CNAME record that points your wildcard function domain (e.g. `*.functions.appwrite.myapp.com`) to your Appwrite domain.

Appwrite does not handle certificates for function domains (e.g. `6772722a00331315adc3.functions.appwrite.myapp.com`)
out of the box, since they require wildcard certificates.
There are two ways to handle certificate generation.

## Manual certificate generation

The simplest way to generate certificates for function domains is to use the Appwrite SSL command.

```bash
docker compose exec appwrite ssl --domain="6772722a00331315adc3.appwrite.myapp.com"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do you think we need to mention something somewhere to say they need a CNAME DNS record that points *.appwrite.myapp.com to their appwrite domain?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@stnguyen90 Yes, what do you think about the update?

```

The certificate should be generated within a few seconds.
If you encounter any issues, you can check the certificate worker logs.

```bash
docker compose logs appwrite-worker-certificates
```

Note that you'll need to run this command for each function domain, and repeat it every time you create a new function.
If you have many functions or frequently create new ones, consider using the automated certificate generation method below.

## Automated certificate generation

For automated certificate generation, Appwrite uses Traefik's DNS Challenge feature.
This is required for wildcard certificates (like `*.functions.appwrite.myapp.com`)
because Let's Encrypt uses the DNS-01 challenge to validate wildcard domain ownership.

### Using DNS challenge with DigitalOcean
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Any reason why we chose to provide the steps for DigitalOcean over others or non at all?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Matej suggested we add an example for Digitalocean (as we have experience with them) and then link to Traefik docs for the others.

Should I add for others, or just link to them all?


To configure Traefik for automated certificate generation with DigitalOcean,
you need to modify your `docker-compose.yml`:

1. Add the following under the `traefik` service's `command` section.

```yaml
command:
# ... existing commands ...
- --certificatesresolvers.digitalocean.acme.dnschallenge=true
- --certificatesresolvers.digitalocean.acme.dnschallenge.provider=digitalocean
- --certificatesresolvers.digitalocean.acme.email=$_APP_SYSTEM_SECURITY_EMAIL_ADDRESS
- --certificatesresolvers.digitalocean.acme.storage=/storage/certificates/digitalocean.json
```

2. Add environment variables under the `traefik` service.

```yaml
environment:
- DO_AUTH_TOKEN=$_APP_DOMAIN_DO_TOKEN
```

3. Add the following `labels` under the `appwrite` service.

```yaml
labels:
# ... existing labels ...
- traefik.http.routers.appwrite_api_https.tls.certresolver=digitalocean
- traefik.http.routers.appwrite_api_https.tls.domains[0].main=$_APP_DOMAIN_FUNCTIONS
- traefik.http.routers.appwrite_api_https.tls.domains[0].sans=*.$_APP_DOMAIN_FUNCTIONS
```

4. Ensure these environment variables are properly configured in your `.env` file before proceeding:
- `_APP_SYSTEM_SECURITY_EMAIL_ADDRESS` must be set to a valid email for Let's Encrypt notifications
- `_APP_DOMAIN_FUNCTIONS` must be correctly set to your function domain (e.g., `functions.example.com`)
- `_APP_DOMAIN_DO_TOKEN` must be set to a valid DigitalOcean API token (generate this in the DigitalOcean Console)

5. Apply the changes.

```bash
docker compose up -d --force-recreate
```

### Troubleshooting DNS Propagation

If certificate generation fails, first check the Traefik logs to identify the specific issue.

```bash
docker compose logs traefik
```

A common issue is DNS propagation delays. If the logs show DNS verification failures, you can configure longer timeouts in your `docker-compose.yml` under the `traefik` service.

```yaml
environment:
- DO_AUTH_TOKEN=$_APP_DOMAIN_DO_TOKEN
- DO_POLLING_INTERVAL=1m
- DO_PROPAGATION_TIMEOUT=1h
```

Note: Let's Encrypt has strict rate limits for certificate requests. If you encounter rate limit errors in the logs, you may need to wait a few hours before trying again.

For other DNS providers, refer to [Traefik's DNS providers documentation](https://doc.traefik.io/traefik/https/acme/#providers).