Hardware: VPS 4Gb, plenty of storage, 2 cores
YunoHost version: 3.8.4.8
I have access to my server: Through SSH
Are you in a special context or did you perform some particular tweaking on your YunoHost instance?: no
Description of my issue
I installed YunoHost on a few Debian 9 system. I configured YunoHost via https:// as instructed. The site is configured for my custom domain.
If I access the newly installed site via the IP address, I get the certificate warning. If I accept the warning and continue, I can get to the site (admin or main site).
If I access the site via the domain name, I get the certificate warning, but I’m not given the option to accept the warning and I can’t get to the site. The warning I get is:
mydomain.com has a security policy called HTTP Strict Transport Security (HSTS), which means that Firefox can only connect to it securely. You can’t add an exception to visit this site.
I’ll answer my own question for anyone else who hits this. I browsed through the admin site (first time installing YunoHost) but clearly I didn’t look closely through every menu item.
Click Domains
Click your domain name
Click SSL Certificate
Click the button to generate the Let’s Encrypt certificate
Certificates are “papers” which are delivered by a “certification authority”, which are trusted firms or associations. The certificate contains a public key generated by your server, and is SIGNED by the certification authority which has delivered this certificate.
When a browser comes to your website through HTTPS (TLS/SSL tunnel), it checks among the public keys of the certification authorities it knows.
If found: OK.
If not found, the browser tries a last thing: it checks whether the certificate isn’t self-signed, meaning that it is signed by the very key which is on the certificate. This is called a “self-signed certificate”. By default, this certificate is used on domains listed on YunoHost.
But browsers don’t like this sort of certificate, and that causes the problem.
However, if you want some security on your domain, you can enforce it using DNSSEC for signing your domain name, and even DANE in order to use something other than the certification authority.
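As an added illustration of the two points raised in this thread (the HSTS message in the original question, and the self-signed certificate explanation just above), here is a small script that is not part of the thread or of YunoHost. It uses only the openssl command line to build a throwaway self-signed certificate, shows that its issuer is its own subject, shows that the local trust store rejects it the way a browser does, and models why an HSTS policy applies to a host name like mydomain.com but not to a bare IP address. The host name example.invalid, the address 203.0.113.10 and the HSTS header value are constructed sample data.

```shell
#!/bin/sh
# Added example, not code from the thread or from YunoHost: what "self-signed"
# means, why a browser will not trust it, and why HSTS blocks the override
# for a domain name but not for an IP address. Sample data is constructed.
set -eu

# Create a throwaway self-signed certificate: openssl req -x509 signs the
# new certificate with the very key whose public half it contains.
make_self_signed_cert() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=example.invalid" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1
    echo "$dir/cert.pem"
}

# A certificate is self-signed when the issuer it names is its own subject.
is_self_signed() {
    issuer=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//')
    subject=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject=//')
    [ "$issuer" = "$subject" ]
}

# Try to build a chain from the certificate to a root in the local trust
# store, which is what a browser does; a self-signed leaf has no such chain.
check_trust() {
    if openssl verify "$1" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}

# Decide whether an HSTS policy is in force for a host: HSTS is keyed by
# domain name (RFC 6797 excludes IP-address hosts) and needs max-age > 0.
# Prints yes or no. Only IPv4 literals are recognised here.
hsts_in_force() {
    host="$1"
    header="$2"
    case "$host" in
        *[!0-9.]*) is_ip=0 ;;   # contains something other than digits/dots
        *)         is_ip=1 ;;   # IPv4 literal
    esac
    max_age=$(printf '%s' "$header" | tr ';' '\n' | tr -d ' ' | tr 'A-Z' 'a-z' \
        | grep '^max-age=' | head -n 1 | sed 's/^max-age=//')
    max_age=${max_age:-0}
    if [ "$is_ip" -eq 0 ] && [ "$max_age" -gt 0 ]; then
        echo yes
    else
        echo no
    fi
}

# Demo run with a constructed certificate and a constructed HSTS header.
work=$(mktemp -d)
cert=$(make_self_signed_cert "$work")
if is_self_signed "$cert"; then echo "self-signed: yes"; else echo "self-signed: no"; fi
echo "trust store verdict: $(check_trust "$cert")"
hdr="max-age=31536000; includeSubDomains"
echo "HSTS on mydomain.com: $(hsts_in_force mydomain.com "$hdr")"
echo "HSTS on 203.0.113.10: $(hsts_in_force 203.0.113.10 "$hdr")"
rm -rf "$work"
```

Running it prints that the generated certificate is self-signed and untrusted, and that the same HSTS header is in force for mydomain.com but not for the IP address, which is exactly the asymmetry the original question describes: by IP the browser offers an exception, by domain name the remembered HSTS policy forbids one, so the fix is to install a certificate the browser can chain to a trusted root.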
I also discovered that if I create a subdomain in YunoHost, I can’t create a LetsEncrypt certificate for it until I run the diagnostic first. Weird but not a problem.