Can't Get LetsEncrypt to renew

Alright, so I've been successfully running and happy with HA for a few months, but see my cert is running out in a few weeks. It won't renew, errors out saying it can't get the challenge, so I think I'm set up wrong.

domain: ha.domain.com (obviously changed)

Port Forwarding:
I have port 80 turned off - tried turning on as well, no change
I have port 8123 forwarded to the internal IP and port 8123
I have port 443 forwarded to the internal IP and port 8123

It's all working nicely.

Config in Letsencrypt supervisor add-on is set up. Says Container 80/tcp and host box filled in to: 443. All looks good.

DNS is good, A records are set up and working nicely. Technically speaking, everything is perfect except for LetsEncrypt.

Logs show:

[14:12:26] INFO: Selected http verification
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for ha.domain.com (changed)
Waiting for verification...
Challenge failed for domain ha.domain.com (changed)
http-01 challenge for ha.domain.com (changed)
Cleaning up challenges
Some challenges have failed.
IMPORTANT NOTES:
 - The following errors were reported by the server:
   Domain: ha.domain.com (changed)
   Type:   connection
   Detail: Fetching
   http://ha.domain.com/.well-known/acme-challenge/UKY5vnCio2K9apJUASyUvVZFv0be44SZKlema1zg-ZM:
   Connection refused
   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.
[cont-finish.d] executing container finish scripts...
[cont-finish.d] done.
[s6-finish] waiting for services.
[s6-finish] sending all processes the TERM signal.
[s6-finish] sending all processes the KILL signal and exiting.

Connection refused means probably you are using the http challenge and port 80 is closed. You may also have been rate limited which could explain why it won’t renew with 80 forwarded…

Yup, I get the rate limiting, that comes up later if I try too much.

I have port 80 forwarded through, and still same error. My concern here is that my HA is set up on 8123, and 443 is being forwarded to 8123 and HA is configured that the external setup is to be https://ha.domain.com.
Any other thoughts?

And as soon as I post, I figured it out.

Port 80 was being forwarded, but the configuration was set:
Says Container 80/tcp and host box filled in to: 443.

I changed that to 80 so 80 was passing through 100%. All good now.

Putting this in here for future searches.

Yeah, needs to be 80-80. Glad you sorted it out.
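The fix in this thread comes down to one rule: the CA fetches http://<domain>/.well-known/acme-challenge/<token> on port 80, so WAN port 80 has to land on the host port that the add-on publishes for its container port 80. The script below is an added example, not code from the thread, from Home Assistant or from the Let's Encrypt add-on. It models the three states the poster went through (port 80 not forwarded; forwarded but the add-on mapped to host 443; mapped 80-80) as a hop-by-hop trace that reports where the "Connection refused" would come from, and includes a small live probe that does what the validation server does. The `Forward`/`Setup` types, the router rules and the function names are constructed for the example; the router table is a reconstruction of what the posts describe, not the poster's actual config.

```python
"""Preflight for a Let's Encrypt http-01 challenge behind a Home Assistant port forward.

Constructed example (not the add-on's own code). It traces the CA's request
through router -> host -> container and says where it would be refused.
"""
import http.client
import socket
from dataclasses import dataclass

ACME_HTTP_PORT = 80  # the CA always fetches http-01 tokens over plain HTTP on port 80
CHALLENGE_PATH = "/.well-known/acme-challenge/"


@dataclass(frozen=True)
class Forward:
    """One router rule: traffic arriving on WAN port `external` goes to LAN `host` port."""
    external: int
    host: int


@dataclass(frozen=True)
class Setup:
    """Hypothetical description of one deployment (constructed type)."""
    forwards: tuple                  # router port-forward rules
    addon_ports: dict                # add-on 'Network' box: host port -> container port
    listens_in_container: frozenset  # container ports the standalone authenticator binds


def trace_http01(setup: Setup) -> str:
    """Follow the CA's GET on WAN port 80 hop by hop; return where it is refused, or 'reachable'."""
    # Hop 1: does the router forward WAN port 80 at all? (poster's first state: port 80 off)
    host_port = next((f.host for f in setup.forwards if f.external == ACME_HTTP_PORT), None)
    if host_port is None:
        return "refused at router: no forward for WAN port 80"
    # Hop 2: is anything published on that host port? (poster's second state: add-on on host 443,
    # while WAN 80 arrived at host 80 and WAN 443 went to HA on 8123, so host 443 saw nothing)
    container_port = setup.addon_ports.get(host_port)
    if container_port is None:
        return f"refused at host: nothing is published on host port {host_port}"
    # Hop 3: does the add-on process actually listen on the mapped container port?
    if container_port not in setup.listens_in_container:
        return f"refused in container: no listener on container port {container_port}"
    return f"reachable: WAN {ACME_HTTP_PORT} -> host {host_port} -> container {container_port}"


def probe_http01(domain: str, port: int = ACME_HTTP_PORT, timeout: float = 5.0) -> str:
    """Do what the validation server does: TCP connect to port 80 and GET a bogus token.

    Any HTTP status (even 404) proves the path is open; 'refused' is the failure in the
    thread's log. Needs network access, so it is not exercised offline. Run it from outside
    the LAN, since hairpin NAT can make a LAN-side probe succeed while the CA is refused.
    """
    try:
        conn = http.client.HTTPConnection(domain, port, timeout=timeout)
        conn.request("GET", CHALLENGE_PATH + "preflight-token", headers={"Host": domain})
        status = conn.getresponse().status
        conn.close()
        return f"http {status}"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout (filtered or no route)"
    except socket.gaierror:
        return "dns failure"
    except OSError as exc:
        return f"unreachable: {exc.strerror or exc}"


# Reconstruction of the thread's router table (constructed, not the poster's real config).
ROUTER = (Forward(80, 80), Forward(8123, 8123), Forward(443, 8123))
LISTENER = frozenset({80})  # the add-on's standalone authenticator binds container port 80

PORT_80_OFF = Setup(ROUTER[1:], {443: 80}, LISTENER)  # first state: WAN 80 not forwarded
AS_POSTED = Setup(ROUTER, {443: 80}, LISTENER)        # add-on box read '80/tcp -> 443'
FIXED = Setup(ROUTER, {80: 80}, LISTENER)             # add-on box changed to '80/tcp -> 80'

if __name__ == "__main__":
    for name, setup in (("port 80 off", PORT_80_OFF), ("as posted", AS_POSTED), ("fixed", FIXED)):
        print(f"{name:12s} {trace_http01(setup)}")
    # Example live check (replace with your own hostname):
    # print(probe_http01("ha.example.com"))
```

The trace makes the failure mode explicit: with the add-on mapped to host 443, WAN 80 reached host 80 where nothing was published, and WAN 443 never reached host 443 because the router sent it to HA on 8123, so every path to the authenticator was closed even though "port 80 was forwarded". The live probe is worth keeping in a renewal runbook because a refused connection and a rate-limit error look alike from inside the add-on log but need different responses (fix the mapping versus wait out the limit).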