Codeberg/Community
60
387
Fork
You've already forked Community
12

Custom domain TLS cert not issued 24h+ after deploy (pages-server/git-pages migration stall) #2655

Closed
opened 2026年05月18日 18:03:10 +02:00 by germ501 · 13 comments

Symptom

Custom domain HTTPS cert never issued. HTTP serves a 302 to HTTPS correctly, but the TLS handshake fails with tlsv1 alert internal error. The default codeberg.page URL works fine.

$ curl -sSI https://andygarcia.me/
curl: (35) OpenSSL/3.0.13: error:0A000438:SSL routines::tlsv1 alert internal error
$ curl -sSI http://andygarcia.me/
HTTP/1.1 302 Found
location: https://andygarcia.me/

Deployed 2026年05月17日, still failing as of 2026年05月18日 (>24h, well past the normal 1-3 min provisioning window and past the typical hours-long backoff after a failed validation).

Configuration

  • Repo: https://codeberg.org/germ501/pages (public)
  • Deployment branch: pages (contains site + .domains file with single line andygarcia.me)
  • DNS at Cloudflare (DNS-only, gray cloud, proxy off):
    • A 217.197.84.141
    • AAAA 2a0a:4580:103f:c0de::2
    • TXT germ501.codeberg.page
  • No CAA records (Let's Encrypt allowed by default)
  • Domain binding is recognized: germ501.codeberg.page 307-redirects to https://andygarcia.me/?, so .domains and TXT are parsed correctly.

Apparent cause: migration stall

Response headers from germ501.codeberg.page show both:

server: pages-server
server: git-pages (git-pages)

This matches the pages-server → git-pages migration symptom described in:

Already verified (please skip these in triage)

  • DNS records correct and globally propagated (verified via dig + 1.1.1.1)
  • No CAA records blocking issuance
  • .well-known/acme-challenge/<random> returning 503 is normal Caddy behavior (docs.codeberg.org does the same), not the cause
  • Repo is public (private repos silently break pages-server fetch)
  • Repo name has no dots; previous andygarcia.me repo was renamed to pages to fix TXT parsing and wildcard-cert matching
  • Cloudflare proxy is off on all relevant records
  • An empty commit on pages (3252131) did not nudge cert issuance

Ask

Could an admin force a cert provisioning retry for andygarcia.me, or confirm whether this domain's binding is stuck on the legacy pages-server during the migration? Happy to provide any further diagnostics.

## Symptom Custom domain HTTPS cert never issued. HTTP serves a 302 to HTTPS correctly, but the TLS handshake fails with `tlsv1 alert internal error`. The default codeberg.page URL works fine. ``` $ curl -sSI https://andygarcia.me/ curl: (35) OpenSSL/3.0.13: error:0A000438:SSL routines::tlsv1 alert internal error $ curl -sSI http://andygarcia.me/ HTTP/1.1 302 Found location: https://andygarcia.me/ ``` Deployed 2026年05月17日, still failing as of 2026年05月18日 (>24h, well past the normal 1-3 min provisioning window and past the typical hours-long backoff after a failed validation). ## Configuration - Repo: https://codeberg.org/germ501/pages (public) - Deployment branch: `pages` (contains site + `.domains` file with single line `andygarcia.me`) - DNS at Cloudflare (DNS-only, gray cloud, proxy off): - A 217.197.84.141 - AAAA 2a0a:4580:103f:c0de::2 - TXT germ501.codeberg.page - No CAA records (Let's Encrypt allowed by default) - Domain binding is recognized: `germ501.codeberg.page` 307-redirects to `https://andygarcia.me/?`, so `.domains` and TXT are parsed correctly. ## Apparent cause: migration stall Response headers from `germ501.codeberg.page` show *both*: ``` server: pages-server server: git-pages (git-pages) ``` This matches the pages-server → git-pages migration symptom described in: - Codeberg/Community#2528 (same symptom: TLS internal_error on custom domain, codeberg.page URL works) - Codeberg/Community#2422 - Codeberg/pages-server#444 ## Already verified (please skip these in triage) - DNS records correct and globally propagated (verified via dig + 1.1.1.1) - No CAA records blocking issuance - `.well-known/acme-challenge/<random>` returning 503 is normal Caddy behavior (docs.codeberg.org does the same), not the cause - Repo is public (private repos silently break pages-server fetch) - Repo name has no dots; previous `andygarcia.me` repo was renamed to `pages` to fix TXT parsing and wildcard-cert matching - Cloudflare proxy is off on all relevant records - An empty commit on `pages` (3252131) did not nudge cert issuance ## Ask Could an admin force a cert provisioning retry for andygarcia.me, or confirm whether this domain's binding is stuck on the legacy pages-server during the migration? Happy to provide any further diagnostics.
germ501 changed title from (削除) Custom domain TLS cert not issued 24h+ after deploy — pages-server/git-pages migration stall (削除ここまで) to Custom domain TLS cert not issued 24h+ after deploy (pages-server/git-pages migration stall) 2026年05月18日 18:03:25 +02:00

Hi,

We currently have the same problem. Repository is https://codeberg.org/PIA/pages and the target domain is https://about.participatory-archives.ch/. I've added the domain to the .domains file in the page branch of the repo.

curl -sSI https://about.participatory-archives.ch/
curl: (35) LibreSSL/3.3.6: error:1404B438:SSL routines:ST_CONNECT:tlsv1 alert internal error
Hi, We currently have the same problem. Repository is https://codeberg.org/PIA/pages and the target domain is https://about.participatory-archives.ch/. I've added the domain to the .domains file in the page branch of the repo. ```bash curl -sSI https://about.participatory-archives.ch/ curl: (35) LibreSSL/3.3.6: error:1404B438:SSL routines:ST_CONNECT:tlsv1 alert internal error ```

@germ501

  1. If you use an LLM to debug an issue it is considered polite to disclose that.
  2. The .domains file is no longer used. Git-pages uses DNS as the source of truth for authorization and TLS certificate issuance.
  3. How did you deploy the site exactly? You need to set up a webhook. I didn't see any POST or PUT requests for this domain in the last 24h.
  4. The redirect from germ501.codeberg.page to andygarcia.me is done by legacy pages-server. If you want to retain control of the redirect you will need to set up webhooks to deploy to both domains, and include a Netlify compatible _redirects file with e.g. //germ501.codeberg.page/* https://andygarcia.me/:splat. (Don't worry about deploying the same site to both domains, it doesn't take much resources.)
  5. Git-pages does work with private repositories, but it requires deployment via Forgejo Actions.

@faebser

  1. The .domains file is no longer used. Git-pages uses DNS as the source of truth for authorization and TLS certificate issuance.
  2. You need to set up a webhook. I didn't see any POST or PUT requests for this domain in the last 24h.
@germ501 1. If you use an LLM to debug an issue it is considered polite to disclose that. 2. The `.domains` file is no longer used. Git-pages uses DNS as the source of truth for authorization and TLS certificate issuance. 3. How did you deploy the site exactly? You need to [set up a webhook](https://docs.codeberg.org/codeberg-pages/migrating-from-pages-v2/#direct-migration-of-pages-sites-using-a-webhook). I didn't see any POST or PUT requests for this domain in the last 24h. 4. The redirect from germ501.codeberg.page to andygarcia.me is done by legacy pages-server. If you want to retain control of the redirect you will need to set up webhooks to deploy to *both domains*, and include a Netlify compatible `_redirects` file with e.g. `//germ501.codeberg.page/* https://andygarcia.me/:splat`. (Don't worry about deploying the same site to both domains, it doesn't take much resources.) 5. Git-pages does work with private repositories, but it requires deployment via Forgejo Actions. @faebser 1. The `.domains` file is no longer used. Git-pages uses DNS as the source of truth for authorization and TLS certificate issuance. 2. You need to [set up a webhook](https://docs.codeberg.org/codeberg-pages/migrating-from-pages-v2/#direct-migration-of-pages-sites-using-a-webhook). I didn't see any POST or PUT requests for this domain in the last 24h.
Author
Copy link

Thank you for the response. Apologies for not disclosing LLM use, I have spinal cord and brain injury that makes typing very slow as result of MS (numb hands basically), I will do my best to type myself what is going in

I added a Forgejo webhook on germ501/pages with target URL https://andygarcia.me/ and branch filter pages, then pushed an empty commit to pages (38e284d : hash for push) to fire it. Roughly 10 minutes after the push, curl -sSI https://andygarcia.me/ still returns tlsv1 alert internal error, and HTTP continues to 302-redirect to HTTPS via the legacy pages-server. Is the slow provisioning expected here or did I configure something wrong?

Thank you for the response. Apologies for not disclosing LLM use, I have spinal cord and brain injury that makes typing very slow as result of MS (numb hands basically), I will do my best to type myself what is going in I added a Forgejo webhook on germ501/pages with target URL https://andygarcia.me/ and branch filter pages, then pushed an empty commit to pages (38e284d : hash for push) to fire it. Roughly 10 minutes after the push, curl -sSI https://andygarcia.me/ still returns tlsv1 alert internal error, and HTTP continues to 302-redirect to HTTPS via the legacy pages-server. Is the slow provisioning expected here or did I configure something wrong?

I'm sorry to hear about MS. To clarify, I was only requesting disclosure (in the context of the Codeberg community support tracker at least).

The deploy should happen nearly instantaneously, within seconds. I'm looking into it.

I'm sorry to hear about MS. To clarify, I was only requesting disclosure (in the context of the Codeberg community support tracker at least). The deploy should happen nearly instantaneously, within seconds. I'm looking into it.

Ah right! You've hit an issue that is unfortunately not explained in the documentation yet. The webhook needs to be configured with the http:// scheme for the initial deploy. After that you can leave it at that or change it to https:// scheme.

Ah right! You've hit an issue that is unfortunately not explained in the documentation yet. The webhook needs to be configured with the `http://` scheme for the initial deploy. After that you can leave it at that or change it to `https://` scheme.
Author
Copy link

I tried the http:// scheme and the webhook still fails with Post "https://andygarcia.me/": remote error: tls: internal error, with the final URL showing https://. I even deleted the old one, created a new one; same thing.

I tried the http:// scheme and the webhook still fails with Post "https://andygarcia.me/": remote error: tls: internal error, with the final URL showing https://. I even deleted the old one, created a new one; same thing.

This is a regression in Codeberg's configuration that I wasn't aware of. I manually triggered the initial deploy for you. Your webhook should work fine going forward (with either scheme); please go ahead and confirm that. Sorry about the issues.

This is a regression in Codeberg's configuration that I wasn't aware of. I manually triggered the initial deploy for you. Your webhook should work fine going forward (with either scheme); please go ahead and confirm that. Sorry about the issues.

For other people who may be hitting the same issue, here is how you can manually trigger a webhook request to a git-pages instance:

$ curl -X POST https://codeberg.page -H 'Host: example.org' -H 'X-Forgejo-Event: push' --json '{"ref":"refs/heads/pages","repository":{"clone_url":"https://codeberg.org/example/pages.git"}}'
created

The URL being https://codeberg.page is working around the regression I mentioned earlier. Fill in your own values for Host: and clone_url and it should work.

If you're trying to deploy to a non-root site, e.g. for a project.git repository, the URL needs to be altered in a non-intuitive way:

$ curl -X POST https://codeberg.page/project -H 'Host: example.org' -H 'X-Forgejo-Event: push' --json '{"ref":"refs/heads/pages","repository":{"clone_url":"https://codeberg.org/example/project.git"}}'
created

(What happens here is that codeberg.page is used to make the connection, but then the Host: value replaces that part of the URL for the actual HTTP request.)

For other people who may be hitting the same issue, here is how you can manually trigger a webhook request to a git-pages instance: ``` $ curl -X POST https://codeberg.page -H 'Host: example.org' -H 'X-Forgejo-Event: push' --json '{"ref":"refs/heads/pages","repository":{"clone_url":"https://codeberg.org/example/pages.git"}}' created ``` The URL being `https://codeberg.page` is working around the regression I mentioned earlier. Fill in your own values for `Host:` and `clone_url` and it should work. If you're trying to deploy to a non-root site, e.g. for a `project.git` repository, the URL needs to be altered in a non-intuitive way: ``` $ curl -X POST https://codeberg.page/project -H 'Host: example.org' -H 'X-Forgejo-Event: push' --json '{"ref":"refs/heads/pages","repository":{"clone_url":"https://codeberg.org/example/project.git"}}' created ``` (What happens here is that `codeberg.page` is used to make the connection, but then the `Host:` value replaces that part of the URL for the actual HTTP request.)
Author
Copy link

Thank you! I believe everything is fine now. Again, thanks for the help and quick responses.

Thank you! I believe everything is fine now. Again, thanks for the help and quick responses.

You're welcome

You're welcome

@faebser I've also triggered an initial deploy for you manually.

@faebser I've also triggered an initial deploy for you manually.

@whitequark wrote in #2655 (comment):

@faebser I've also triggered an initial deploy for you manually.

Thank you. So I can delete the domains file and simply add a webhook with the target domain https://about.participatory-archives.ch/?

I've attached a screenshot of the documentation where it says that for a custom domain one needs to use the old way. Further down it says that one needs to use a .domains file. Is that info outdated?

@whitequark wrote in https://codeberg.org/Codeberg/Community/issues/2655#issuecomment-15366005: > @faebser I've also triggered an initial deploy for you manually. Thank you. So I can delete the domains file and simply add a webhook with the target domain https://about.participatory-archives.ch/? I've attached a screenshot of the documentation where it says that for a custom domain one needs to use the old way. Further down it says that one needs to use a .domains file. Is that info outdated?

Yes and yes.

Yes and yes.
Sign in to join this conversation.
No Branch/Tag specified
main
No results found.
Labels
Clear labels
accessibility
Reduces accessibility and is thus a "bug" for certain user groups on Codeberg.
bug
Something is not working the way it should. Does not concern outages.
bug
infrastructure
Errors evidently caused by infrastructure malfunctions or outages
Codeberg
This issue involves Codeberg's downstream modifications and settings and/or Codeberg's structures.
contributions welcome
Please join the discussion and consider contributing a PR!
docs
No bug, but an improvement to the docs or UI description will help
duplicate
This issue or pull request already exists
enhancement
New feature
infrastructure
Involves changes to the server setups, use `bug/infrastructure` for infrastructure-related user errors.
legal
An issue directly involving legal compliance
licence / ToS
involving questions about the ToS, especially licencing compliance
please chill
we are volunteers
Please consider editing your posts and remember that there is a human on the other side. We get that you are frustrated, but it's harder for us to help you this way.
public relations
Things related to Codeberg's external communication
question
More information is needed
question
user support
This issue contains a clearly stated problem. However, it is not clear whether we have to fix anything on Codeberg's end, but we're helping them fix it and/or find the cause.
s/Forgejo
Related to Forgejo. Please also check Forgejo's issue tracker.
s/Forgejo/migration
Migration related issues in Forgejo
s/Pages
Issues related to the Codeberg Pages feature
s/Weblate
Issue is related to the Weblate instance at https://translate.codeberg.org
s/Woodpecker
Woodpecker CI related issue
security
involves improvements to the sites security
service
Add a new service to the Codeberg ecosystem (instead of implementing into Forgejo)
upstream
An open issue or pull request to an upstream repository to fix this issue (partially or completely) exists (i.e. Forgejo, Weblate, etc.)
wontfix
Codeberg's current set of contributors are not planning to spend time on delegating this issue.
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
3 participants
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
Codeberg/Community#2655
Reference in a new issue
Codeberg/Community
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?