[HELP] Default Website certificate error
Hi there, I have the default website configured to redirect to another website if Zoraxy is hit with an unknown host, but when I put my IP or an unknown address that hits Zoraxy it shows me a certificate error; only when I accept the certificate it makes the redirection.
I am using Zoraxy on Docker and apart from that everything works great!
Hey @alexkiddddd
You will need to upload a valid certificate to the fallback certificate section in order to use the default site with HTTPS. If nothing is uploaded there, it will use the default built-in self-signed certificate. This certificate should contain CN fields that cover all the possible hostnames that might reach your server.
For a more "correct" approach, you can also purchase a certificate that covers something like *.example.com and upload it to the certificate store in the TLS / SSL tab.
Thanks for the quick answer! I only have the Let's Encrypt certificate. I had used Nginx Proxy Manager and the redirect function didn't need any additional certificate; is there any way to achieve the same with Zoraxy?
@alexkiddddd I guess NPM does that in HTTP instead of HTTPS (i.e. your browser requests the HTTP site and nginx replies with a redirection to a new site with the HTTPS protocol in the URL). Zoraxy does it the other way round: you connect to HTTP, get a response from the server asking to switch to HTTPS, then redirect to the target URL, so the redirection can't be spoofed.
You can use the ACME tool to get a wildcard certificate that matches your domains, for example, *.example.com, and put it in the TLS / SSL certificate store (if you use the internal ACME tool it should be automatically placed there, or you might need to upload it manually if you use 3rd party DNS challenge tools). Note that the Zoraxy DNS challenger is currently a bit buggy, so it might not work with all DNS service providers in the list.
So I went down a rabbit hole: the DDNS I use doesn't support wildcard certificates, so I have registered a DDNS on desec.io and they support wildcards. The default website section on Zoraxy works, but now I can't create SSL certificates for my subdomains because I have to create a DNS entry for * and I can't get it to work. I already have an A record pointing to my IP and I have created a CNAME record with *.mydomain.dedyn.io pointing to mydomain.dedyn.io, but Zoraxy can't create the certificate. What am I doing wrong?
Thanks
EDIT: I have bought a domain from OVH to ease my pain but now I am struggling with the DNS challenge on Zoraxy. Do I have to create some sort of API?
EDIT 2: I have successfully installed the wildcard certificate on Zoraxy but the default website doesn't use it. Also, when I add proxy rules they will not use the wildcard certificate but instead try to create a new certificate. What am I doing wrong?
Sorry for the wall of text!
> I have bought a domain from OVH to ease my pain but now I am struggling with the DNS challenge on Zoraxy. Do I have to create some sort of API?
I have no idea about specific DNS service providers.
> I have successfully installed the wildcard certificate on Zoraxy but the default website doesn't use it. Also, when I add proxy rules they will not use the wildcard certificate but instead try to create a new certificate. What am I doing wrong?
You need to provide more context other than "not working". But have you tried uploading the cert to the fallback certificate form instead?
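
An added example, not part of the thread or of Zoraxy's code: Go's standard crypto/x509 hostname check applied to a throwaway self-signed certificate, showing which names a wildcard entry such as *.example.com covers and why a bare IP or a deeper subdomain still produces a name mismatch. Go's check matches against the certificate's subjectAltName entries; the function names, the host names and the IP 203.0.113.10 are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// selfSigned builds a throwaway certificate (constructed sample) with dnsNames as its SAN DNS entries.
func selfSigned(dnsNames []string) (*x509.Certificate, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "constructed-sample"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		DNSNames:     dnsNames,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Covered reports, per host, whether the certificate's names match that host.
func Covered(dnsNames, hosts []string) (map[string]bool, error) {
	cert, err := selfSigned(dnsNames)
	if err != nil {
		return nil, err
	}
	out := make(map[string]bool, len(hosts))
	for _, h := range hosts {
		// VerifyHostname checks name coverage only, not the trust chain.
		out[h] = cert.VerifyHostname(h) == nil
	}
	return out, nil
}

func main() {
	hosts := []string{"app.example.com", "example.com", "a.b.example.com", "203.0.113.10"}
	fmt.Println(Covered([]string{"*.example.com"}, hosts))
}
```

Only app.example.com is covered: a wildcard stands for exactly one label, so the apex, a deeper subdomain and a raw IP address all fail the name check.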