Creating SSL Certificate with LetsEncrypt only and Blocked port 80

TL;DR question: is there a way to use the DNS-01 challenge with the Let's Encrypt add-in, and without DuckDNS?

Hello,

I am trying to set up my SSL certificate on my Hass.io install, but I've run into a problem with the certificate generation with the LE add-in. I've read this post.

I have a registered domain name, and static IP address, so I don’t have a need for DuckDNS. My ISP blocks inbound port 80 to my firewall. For forwarding, I have External 443 --> hass.io (443), and External 8123 -->hass.io (8123). I have control of my DNS, so I can add any needed records for the LE DNS-01 challenge.

When I run the LE add-in, I get the error below. I'm positive it's due to blocked port 80. Do I have any options for getting around the http-01 challenge, or am I stuck using DuckDNS when it's not needed?

starting version 3.2.4
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for ha.domain.com
http-01 challenge for domain.com
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
Failed authorization procedure. domain.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://domain.com/.well-known/acme-challenge/Ro-trc7vps8H19SPFm8QggyUh7W7lgr6PXEDZYH4VgY: Timeout during connect (likely firewall problem), ha.domain.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://ha.domain.com/.well-known/acme-challenge/YxPle_DUnJmso_yLRKFlao-oaEtY1uSR9KlsQfDKUAM: Timeout during connect (likely firewall problem)
 - The following errors were reported by the server:
   Domain: domain.com
   Type:   connection
   Detail: Fetching
   http://domain.com/.well-known/acme-challenge/Ro-trc7vps8H19SPFm8QggyUh7W7lgr6PXEDZYH4VgY:
   Timeout during connect (likely firewall problem)
   Domain: ha.domain.com
   Type:   connection
   Detail: Fetching
   http://ha.domain.com/.well-known/acme-challenge/YxPle_DUnJmso_yLRKFlao-oaEtY1uSR9KlsQfDKUAM:
   Timeout during connect (likely firewall problem)
   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.
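To make the difference between the two challenge types concrete, here is an added Python example (not from this thread or the add-on) that computes what the CA expects for http-01 versus dns-01 per RFC 8555 and RFC 7638. It uses the ha.domain.com token from the log above and a constructed account-key JWK; the x/y values are placeholders, not a real key.

```python
import base64
import hashlib
import json

# Constructed sample inputs: the token is the one the log above shows for
# ha.domain.com; the account key JWK is a placeholder, not a real EC key.
TOKEN = "YxPle_DUnJmso_yLRKFlao-oaEtY1uSR9KlsQfDKUAM"
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "x": "AAAA", "y": "BBBB", "use": "sig"}


def b64url(data: bytes) -> str:
    """RFC 4648 base64url without padding, as ACME requires everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def canonical_jwk(jwk: dict) -> str:
    """RFC 7638: only the required members, lexicographic order, no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}
    if jwk.get("kty") not in required:
        raise ValueError("unsupported or missing kty")
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    return json.dumps(members, separators=(",", ":"), sort_keys=True)


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: base64url(SHA-256(canonical JWK))."""
    return b64url(hashlib.sha256(canonical_jwk(jwk).encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.1: token '.' thumbprint(account key)."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def http01_expectation(domain: str, token: str, jwk: dict) -> tuple:
    """http-01: the CA fetches this URL on TCP port 80 (not configurable) and
    expects the key authorization as the response body. A blocked port 80
    therefore fails with exactly the 'Timeout during connect' seen above."""
    return (f"http://{domain}/.well-known/acme-challenge/{token}",
            key_authorization(token, jwk))


def dns01_expectation(domain: str, token: str, jwk: dict) -> tuple:
    """dns-01: the CA looks up a TXT record at _acme-challenge.<domain> whose
    value is base64url(SHA-256(key authorization)). No inbound port is needed,
    only the ability to publish that record in the zone."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return (f"_acme-challenge.{domain}", b64url(digest))


def dns01_record_present(txt_values: list, expected: str) -> bool:
    """Pre-flight check before asking the CA to validate: the published TXT
    values (several may coexist, e.g. apex plus wildcard) must include ours."""
    return expected in txt_values
```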

I also have this problem. Any solution?

Same issue here. Worked great with the DuckDNS add-on, but I'm not using a DuckDNS domain.

Sorry, I did not find a solution. I just ended up using the DuckDNS add-on. When I get a chance I'll try setting up the Nginx add-on for a reverse proxy and add my own certificate, but it seems overkill and overly complicated when the Let's Encrypt add-on could do what is needed here. It would be great if the add-on could be configured to use DNS verification as an option for those of us who can't get port 80 inbound due to our ISP.


I posted how I solved the problem: ISP Blocking Port 80 SSL Certificate Solution

There is also the very simple solution of just buying an SSL certificate and renewing it yearly. The price has crept up a bit over the last few months from under $10 to under $20, but often it takes just a few minutes and requires no further configuration other than providing HA with the cert and full chain files.

I got the same error:


Domain: ha.domain.com
Type: connection
Detail: Fetching
http://ha.domain.com/.well-known/acme-challenge/YxPle_DUnJmso_yLRKFlao-oaEtY1uSR9KlsQfDKUAM:
Timeout during connect (likely firewall problem)

In my case the IP address on the Dyn DNS record was for some reason not updated.
Normally that works pretty well with my FritzBox.