📚 Documentation: setup https #2481

Closed
2 tasks done
kiloki-official opened this issue Dec 12, 2021 · 56 comments

@kiloki-official

💭 Description

Hi, I could not find in your documentation how to set up an https endpoint on an Ubuntu server. I have already set up my 443 port for my ssl certificate. How can I allow an appwrite endpoint on an SSL url (e.g. port 444)? Thanks

👀 Have you spent some time to check if this issue has been raised before?

  • I checked and didn't find similar issue

🏢 Have you read the Code of Conduct?

@eldadfux
Member

Appwrite supports auto generation of SSL certificates using LetsEncrypt's CertBot. CertBot only supports SSL on port 443. If your Appwrite instance has problems issuing a new certificate, you can use the following gist to debug the issue: https://gist.github.com/eldadfux/eb3ed1c4e5f43b7f7259469dd29312c5

@eldadfux eldadfux self-assigned this Dec 12, 2021
@jenniestrongbow

Hi, thanks for your quick reply. Are there docs that deal with how to install appwrite on a server that already has https on port 443? I absolutely LOVE AppWrite (I moved from Firebase to AppWrite, and it's easier to setup than Parse), but it really needs more docs. Thanks

@rustdevbtw

rustdevbtw commented Dec 15, 2021

@jenniestrongbow As per my experience, there's a way to install Appwrite on a server that already has ports 80 and 443 occupied. In my project, I had Apache installed on my server. I've installed Appwrite on Port 5500 (non-SSL) and Port 5501 (SSL); just select that during setup and select localhost as host. Then, once the server is up and running, set up an Apache vHost. Now, enable vHosts in Apache by running:

sudo a2enmod vhost_alias

After that, add a new vHost for Appwrite by editing /etc/apache2/extra/httpd-vhosts.conf and adding the following code to the end of the file:

<VirtualHost *:80>
    ServerAdmin yourname@gmail.com
    DocumentRoot "{YOUR_APPWRITE_DIR}"
    ServerName appwrite.example.com
    ErrorLog "{YOUR_APPWRITE_DIR}/error.log"
    CustomLog "{YOUR_APPWRITE_DIR}/access.log" common
    ProxyPass "/" "http://localhost:5500/"
    ProxyPassReverse "/" "http://localhost:5500/"
</VirtualHost>

After that, add an A record in your DNS Provider with the target as your IP Address (if you use Cloudflare, make sure to disable the Cloudflare Proxy).
Then, for SSL install Certbot by running:

sudo apt-get install python-certbot-apache

Then, enable HTTPS by running the following command:

certbot --apache -d appwrite.example.com

Then the last and most important step, restart Apache:

sudo apachectl restart

The command may differ a bit, you can also restart apache by running the command:

sudo systemctl restart apache2

If you're using NGINX, there's also something similar available but I don't have experience with that so just Google about that!
If you're using Apache2 and having issues with the above steps, feel free to reach out!

@jenniestrongbow

Absolutely awesome!! Thanks a million. I'll try that and let you know if I succeeded.

@heromiyo

For nginx do the following:

cd /etc/nginx/sites-available

sudo touch appwrite.example.com  # replace with the domain you created the A record for

sudo vi appwrite.example.com

paste the following:
replace {{}} with actual values

server {

    root {{APPWRITE_DIR}};

    # Add index.php to the list if you are using PHP
    index index.html index.htm index.php;

    server_name {{YOUR_DOMAIN_HERE}};

    location / {
        proxy_pass http://localhost:{{YOUR_CUSTOM_PORT}}/;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }

}

Then symlink:

sudo ln -s /etc/nginx/sites-available/appwrite.example.com /etc/nginx/sites-enabled/

confirm nginx conf:
sudo nginx -t

reload nginx conf:

sudo service nginx reload

install certbot:

sudo apt install certbot python3-certbot-nginx

obtain the ssl certificate:

sudo certbot --nginx -d appwrite.example.com

@rustdevbtw

@jenniestrongbow Did my solution work?

@jenniestrongbow

Hi Rajdeep, sorry I've been busy on so many other things. I just tried now, and https does not work. I installed appwrite on port 85. https on 444.

I'm using Ubuntu.

  • What is the default {YOUR_APPWRITE_DIR} ? I installed AppWrite with all the default options
  • Do I need to put the .conf file inside the /extra folder?

Here is my content of the file (XXX replaces my real domain name):

<VirtualHost *:80>
ServerAdmin yourname@gmail.com
DocumentRoot "/usr/src/code/appwrite"
ServerName XXX.com
#ErrorLog "{YOUR_APPWRITE_DIR}/error.log"
#CustomLog "{YOUR_APPWRITE_DIR}/access.log" common
ProxyPass "/" "http://localhost:85/"
ProxyPassReverse "/" "http://localhost:85/"

Thanks

@jenniestrongbow

jenniestrongbow commented Dec 28, 2021

I think that one of the issues is that I don't know how to install appwrite on a subdomain. I can only access it on http://[XXX].com:85

@rustdevbtw

  1. {YOUR_APPWRITE_DIR} is the dir where you've used the Appwrite installation script. But it's optional
  2. 444 is the default HTTPS port so it won't work.
  3. I'll recommend using 5500 for HTTP and 5501 for HTTPS as they're not the default port anywhere.
  4. You'll need to add an A record in the domain for your IP (use @ for root domain and subdomain's name for subdomain).
  5. You'll need to generate a certificate with certbot --apache -d {YOUR_DOMAIN}

@rustdevbtw

You'll need to edit the httpd-vhosts.conf file, which is found under the extra folder of the apache dir.
HTTPS is handled in another file and it's automatically edited when you use certbot.

@jenniestrongbow

Thanks for your quick reply.

I managed to install it on a subdomain. http://appwrite[XXX].com works fine. To do this, I edited my custom .conf file I created for my domain (I host several domain names on the same server). I didn't have any extra folder in my apache2.

My default https is 443. I set 44 as my appwrite https.

I entered the certbot command you suggested and I did not see any error.

However https://appwrite[XXX].com doesn't work.

Can you please help?

@jenniestrongbow

jenniestrongbow commented Dec 28, 2021

Progress, I entered the certbot command for my subdomain and https://appwrite.[XXX].com/ now works, but it does not point to my appwrite server. http://appwrite.[XXX].com/ does though.

@rustdevbtw

What output could you see from certbot?

@jenniestrongbow

Congratulations! You have successfully enabled https://appwrite.[XXX].com


IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/appwrite.[XXX].com/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/appwrite.[XXX].com/privkey.pem
    Your certificate will expire on 2022-03-28. To obtain a new or
    tweaked version of this certificate in the future, simply run
    certbot again with the "certonly" option. To non-interactively
    renew all of your certificates, run "certbot renew"

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
    Donating to EFF: https://eff.org/donate-le

@rustdevbtw

That means everything is successful: Domain pointing, Proxying, vHosts, Certbot. So what's the issue now?

@jenniestrongbow

@rustdevbtw

You can't access your console on Domain.

@rustdevbtw

You can only use it as endpoint.

@jenniestrongbow

I'm confused. I can access my console using my domain on http.

What I really want to do is create an endpoint that works on https. But nothing I tried works.

@rustdevbtw

You can access your console with your IP (and port) as well. Can you try to use https://appwrite.[XXX].com/v1 as the endpoint in your code?

@jenniestrongbow

Actually, now every time I want to access http://[XXX].com, it redirects me to https://[XXX].com with a "Your connection is not private" (NET::ERR_CERT_COMMON_NAME_INVALID).

It's like it's not even using the SSL certificate I created initially before using certbot.

@jenniestrongbow

The only thing that works is http://appwrite.[XXX].com/. It shows the console. Nothing else works.

@jenniestrongbow

Is it because I added the configuration to my domain name .conf file?

@jenniestrongbow

The other thing that works is http://[XXX].com:85/ . It shows my console too.

@jenniestrongbow

jenniestrongbow commented Dec 28, 2021

Is it because I added the configuration below to my domain name .conf and not to the extra folder?

<VirtualHost *:80>
ServerAdmin yourname@gmail.com
DocumentRoot "/usr/src/code/appwrite"
ServerName appwrite.XXX.com
#ErrorLog "{YOUR_APPWRITE_DIR}/error.log"
#CustomLog "{YOUR_APPWRITE_DIR}/access.log" common
ProxyPass "/" "http://localhost:85/"
ProxyPassReverse "/" "http://localhost:85/"

@jenniestrongbow

I made a mistake. Now...

https://appwrite.[XXX].com/ points to my homepage
https://appwrite.[XXX].com/console 404 error

When http://appwrite.[XXX].com or http://appwrite.[XXX].com/console work fine

@rustdevbtw

https://appwrite.[XXX].com/ should redirect to /console

@jenniestrongbow

Nope, it stays on the main website.

@rustdevbtw

So you're using appwrite.[XXX].com for your main website? I think you're using both Appwrite and your website on the same subdomain

@jenniestrongbow

yes, unfortunately.

What I want is:

http://[XXX].com and https://[XXX].com to lead to my main domain's content.
and https://appwrite.[XXX].com/console and https://appwrite.[XXX].com/v1 to point to my console and endpoint respectively.

@rustdevbtw

Are you sure that there is no extra folder in apache2 dir?

@jenniestrongbow

Yes, there was none when I started.

@rustdevbtw

Can you show me the output of sudo apachectl -d DUMP_VHOSTS?

@jenniestrongbow

apache2: Could not open configuration file DUMP_VHOSTS/apache2.conf: No such file or directory
Action '-d DUMP_VHOSTS' failed.

@rustdevbtw

Try sudo apachectl -s

@rustdevbtw

Or, sudo apache2ctl -s

@jenniestrongbow

FYI, I'm new to Ubuntu. I'm more of a Windows user.

This worked: sudo apachectl -S

[DOMAIN2] is the one I'm trying to setup appwrite SSL on.

AH00112: Warning: DocumentRoot [/var/www/[DOMAIN1]/public_html/api] does not exist
AH00112: Warning: DocumentRoot [/usr/src/code/appwrite] does not exist
AH00112: Warning: DocumentRoot [/usr/src/code/appwrite] does not exist
VirtualHost configuration:
*:443 is a NameVirtualHost
default server [DOMAIN2].com (/etc/apache2/sites-enabled/[DOMAIN2]-le-ssl.conf:2)
port 443 namevhost [DOMAIN2].com (/etc/apache2/sites-enabled/[DOMAIN2]-le-ssl.conf:2)
alias www.[DOMAIN2].com
alias appwrite.[DOMAIN2].com
port 443 namevhost kiloki.europe-west4-a.c.shining-lamp-325808.internal (/etc/apache2/sites-enabled/[DOMAIN2]-ssl.conf:1)
*:80 is a NameVirtualHost
default server kiloki.europe-west4-a.c.shining-lamp-325808.internal (/etc/apache2/sites-enabled/000-default.conf:1)
port 80 namevhost kiloki.europe-west4-a.c.shining-lamp-325808.internal (/etc/apache2/sites-enabled/000-default.conf:1)
port 80 namevhost [DOMAIN2].co (/etc/apache2/sites-enabled/[DOMAIN1].conf:1)
alias www.[DOMAIN2].co
port 80 namevhost api.[DOMAIN2].co (/etc/apache2/sites-enabled/[DOMAIN1].conf:13)
alias api.[DOMAIN2].co
port 80 namevhost appwrite.[DOMAIN2].com (/etc/apache2/sites-enabled/[DOMAIN2]-le-ssl.conf:21)
port 80 namevhost [DOMAIN2].com (/etc/apache2/sites-enabled/[DOMAIN2].conf:1)
alias www.[DOMAIN2].com
port 80 namevhost api.[DOMAIN2].com (/etc/apache2/sites-enabled/[DOMAIN2].conf:17)
alias api.[DOMAIN2].com
port 80 namevhost appwrite.[DOMAIN2].com (/etc/apache2/sites-enabled/[DOMAIN2].conf:30)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex watchdog-callback: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33
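
The routing conflicts visible in the `apachectl -S` dump above can be checked mechanically. This added example (not part of the thread or of Appwrite) parses that output and flags hostnames claimed by more than one vhost on a port, or served only as an alias of another site on one port while having their own vhost on another; the sample input is constructed, with example.com standing in for the redacted domain.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the `apachectl -S` output quoted above;
# example.com stands in for the redacted domain.
SAMPLE = """\
*:443 is a NameVirtualHost
default server example.com (/etc/apache2/sites-enabled/example-le-ssl.conf:2)
port 443 namevhost example.com (/etc/apache2/sites-enabled/example-le-ssl.conf:2)
alias www.example.com
alias appwrite.example.com
*:80 is a NameVirtualHost
port 80 namevhost appwrite.example.com (/etc/apache2/sites-enabled/example-le-ssl.conf:21)
port 80 namevhost example.com (/etc/apache2/sites-enabled/example.conf:1)
alias www.example.com
port 80 namevhost appwrite.example.com (/etc/apache2/sites-enabled/example.conf:30)
"""

VHOST = re.compile(r"^\s*port (\d+) namevhost (\S+) \((.+)\)\s*$")
ALIAS = re.compile(r"^\s*alias (\S+)\s*$")

def parse_vhosts(text):
    """Return one dict per 'namevhost' entry: port, name, aliases, where."""
    vhosts, current = [], None
    for line in text.splitlines():
        if m := VHOST.match(line):
            current = {"port": int(m[1]), "name": m[2], "aliases": [], "where": m[3]}
            vhosts.append(current)
        elif (m := ALIAS.match(line)) and current:
            current["aliases"].append(m[1])
        else:
            current = None  # any other line ends the current vhost entry
    return vhosts

def audit(text):
    """Flag hostnames that Apache cannot route the way the admin expects."""
    claims = defaultdict(list)   # (port, hostname) -> vhosts answering for it
    primary = defaultdict(set)   # hostname -> ports where it is a ServerName
    for v in parse_vhosts(text):
        primary[v["name"]].add(v["port"])
        for host in [v["name"], *v["aliases"]]:
            claims[(v["port"], host)].append(v)
    findings = []
    for (port, host), owners in sorted(claims.items()):
        if len(owners) > 1:
            # Apache serves the first match; later definitions never win.
            findings.append(("duplicate", port, host, [o["where"] for o in owners]))
        for o in owners:
            if o["name"] != host and primary[host] and port not in primary[host]:
                # Has its own vhost on another port but is only an alias here.
                findings.append(("alias-only", port, host, [o["where"]]))
    return findings

if __name__ == "__main__":
    for kind, port, host, where in audit(SAMPLE):
        print(f"{kind:10} :{port} {host} -> {', '.join(where)}")
```

On a live server, pipe the real output into `audit()` instead of `SAMPLE`; an `alias-only` finding on port 443 matches the symptom reported in this thread, where the HTTPS request for the subdomain is answered by the main site's vhost.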

@rustdevbtw

Can you try to restart Apache with sudo apachectl restart?

@rustdevbtw

And why have you set www.[DOMAIN2].com as an Alias to your Appwrite instance? It can cause issues.

@jenniestrongbow

I restarted apache countless times.

I need the www to redirect to my main domain, when appwrite.[DOMAIN2].com should redirect to my appwrite installation.

@rustdevbtw

If you're either proxying appwrite.[DOMAIN2].com and www.[DOMAIN2].com to your main domain or proxying both to your Appwrite Installation. www.[DOMAIN2].com is an alias of your Appwrite vHosts.

@jenniestrongbow

Ok, I'll restart everything from scratch. I reverted my config to its original state. I'll let you know. Thanks a MILLION for your patience!!

@rustdevbtw

Ok, let me know once you're done!

@jenniestrongbow

I think that what I'm trying to do is a lot simpler than I thought.

My first problem is that I can't setup a subdomain on SSL. Once I've done that, I guess I can use the proxypass functions.

But I'm struggling to setup a subdomain on SSL. I'll read about it and try to complete my task here. Thanks

@jenniestrongbow

jenniestrongbow commented Dec 29, 2021

Hi, thanks to your help, I finally managed to make appwrite available on https.

I always bought SSL certificates from Godaddy. I didn't know I could use Certbot!!!

The key for me was to remove the conf file I created for my domain and start fresh following your example. I also had to add a virtual host (to the same file) for 443.

This allowed me to access appwrite via a subdomain on https while my main website works too.

I could also create my own endpoint!!

Thanks

@jenniestrongbow

jenniestrongbow commented Dec 29, 2021

Actually, when I add an endpoint, the console keeps showing in progress.

TLS are still "in progress" for both.

Can you pls tell me what's wrong?

Thanks

@rustdevbtw

You're using vHosts because you already have Port 80 and 443 occupied by Apache. So, they're doing the proxying for you and Certificate is also generated by Certbot for that vHost. So, Appwrite requires you to run it on Port 80 (non-SSL) and 443 (SSL) to generate Certificates as Certbot challenges can only be passed on these ports. So there are 2 options: Run Appwrite on Port 80 and 443 OR Use vHosts AND use vHosts only.

@rustdevbtw

You can't use both Appwrite's custom domain feature and vHosts together.

@rustdevbtw

I got the same issue with Appwrite and vHosts saved me.

@jenniestrongbow

jenniestrongbow commented Dec 29, 2021

I'm sure it makes sense to you :-) But not to me. :-)

I removed the .conf file I created for my domain. Here is the conf certbot created. Am I correct in assuming I'm only using virtual hosts? Do I need to change the ports of Appwrite (in my case 85/444)? Thanks:

`
<VirtualHost *:443>
ServerAdmin admin@[DOMAIN].com
ServerName [DOMAIN].com
ServerAlias www.[DOMAIN].com
DocumentRoot /var/www/[DOMAIN]/public_html
<Directory /var/www/[DOMAIN]/public_html>
Options -Indexes +FollowSymLinks
AllowOverride All
Require all granted

RewriteEngine on

Include /etc/letsencrypt/options-ssl-apache.conf
ServerAlias [DOMAIN].com
SSLCertificateFile /etc/letsencrypt/live/[DOMAIN].com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/[DOMAIN].com/privkey.pem
</VirtualHost>
</IfModule>
<IfModule mod_ssl.c>

<IfModule mod_ssl.c>
<VirtualHost *:443>
	ServerAdmin admin@[DOMAIN].com
	ServerName [DOMAIN].com
	ServerAlias appwrite.[DOMAIN].com
	DocumentRoot /var/www/[DOMAIN]/public_html
	<Directory /var/www/[DOMAIN]/public_html>
	        Options -Indexes +FollowSymLinks
	        AllowOverride All
	        Require all granted
	</Directory>
RewriteEngine on

ProxyPass "/" "http://localhost:85/"
ProxyPassReverse "/" "http://localhost:85/"
Include /etc/letsencrypt/options-ssl-apache.conf
ServerAlias appwrite.[DOMAIN].com
SSLCertificateFile /etc/letsencrypt/live/[DOMAIN].com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/[DOMAIN].com/privkey.pem
</VirtualHost>
</IfModule>
<IfModule mod_ssl.c>`

@jenniestrongbow

If I setup AppWrite on ports 80/443, does it mean the entire domain must be dedicated to AppWrite? Or can I also use it to serve my main website?

@rustdevbtw

If you set up Appwrite on Ports 80/443 then your entire server isn't fully dedicated to Appwrite. You can't set up other vHosts or use Apache but you can still run Python/Node.js apps on other ports and access them directly without pointing to any Domain. As per what I can see, it is proxying port 85 (make sure you can access Appwrite on this port) to both [DOMAIN].com and appwrite.[DOMAIN].com so do you want to use Appwrite on your Root Domain as well? If not, change ServerName to appwrite.[DOMAIN].com and remove ServerAlias.

@jenniestrongbow

Thanks for your help, I made the changes you mentioned. I removed references to serveralias. I didn't see any change.

Can you please tell me:

  • How do I make the https://appwrite.[domain].com/v1 endpoint work?
  • The question above implies the following one: How can I create my own endpoints? The ones I created are still marked as "TLS in progress".

In a nutshell, I want all the appwrite functionalities (console and endpoint) to work on https://appwrite.[domain].com. And the rest of my website to work on https://[domain].com or other subdomains. At the moment, only my console works on https://appwrite.[domain].com.

It should be easy to do and well documented but that's not the case unfortunately. I'm aware I'm a newbie to Linux though, but I doubt I'm the only one.

Thanks

@rustdevbtw

  1. Once your Appwrite instance is pointed to that domain, you can make it work.
  2. The "TLS in progress" is because it couldn't generate certificates with Certbot. This is also my case and the reason is Appwrite instance is not in 80 (non-SSL) and 443 (SSL). The possible fix is to not add Domain within Appwrite console, instead point your Appwrite instance to your domain with vHosts.

When I set up vHosts, the API endpoint was working with HTTPS but in the Console, I can see Login Page though it was just saying "Incorrect Credentials" for some reason and the possible fix is to use Console by visiting http://ip:port/console.

vHosts (in Apache) setup is the only way to run Appwrite on the domain without running it in the default port.

@eldadfux
Member

We have added more docs for Appwrite certificates here: https://appwrite.io/docs/certificates - this page also includes instructions for debugging issues.

@BugProg

BugProg commented Jun 1, 2022

Thank you a lot @Rajdeep-TG ! It works great !
