DuckDns / Let's Encrypt Addon: Expired Certificate

Hi !
I’m using the DuckDns/Let’s Encrypt AddOn. It’s worked good for a while…
But since few days, my certificate became expired.
The addon seems to renew the certificate (saw it in a log that the certificate were valid until 2019), but it’s still seen as expired (with always the same old date - October 5 -) by the browsers.
I tried to remove/reinstall the addon, remove the fullchain.pem, etc, but nothing worked.

Anyone got this issue ?

My configuration of the addon:

  {
  "lets_encrypt": {
    "accept_terms": true,
    "certfile": "fullchain.pem",
    "keyfile": "privkey.pem"
  },
  "token": "xxxxxxxx",
  "domains": [
    "mydomain.duckdns.org"
  ],
  "seconds": 300
}

and from my configuration.yaml:

http: 
  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem

Thanks for your help :pray:

I have had exactly this issue just now.

Any joy with finding a solution?

Solved the problem, by reading this post :

After that, I restarted Hassio, then restarted the Add-on, and it’s working now \o/

Glad you got sorted!

I’m still having the same problem though. The browser still thinks my certificate expired this morning.

Followed the steps, but nothing has changed :frowning:

Just managed to sort it following another guideline:

3 Likes

Hi!

Thanks for the guide. I followed all the steps, but I’m still struggling with the issue. Now, according to Hassio, my cert is valid:

  • Checking domain name(s) of existing cert… unchanged.
  • Checking expire date of existing cert…
  • Valid till Feb 5 17:46:44 2019 GMT (Longer than 30 days). Skipping renew!

But on the browser I see the cert expired on Nov. 3.

Any ideas? Thanks

I fixe it!

In the addon config I needed to remove the “/ssl/” from “certfile” and “keyfile”:

“lets_encrypt”: {
“accept_terms”: true,
“certfile”: “fullchain.pem”,
“keyfile”: “privkey.pem”

Hope it helps!

I get the message in the duckdns add-on log that it is skipping renew as my certificate is valid until march but the browser shows it expires in 10 days. My certificate files were created in Dec so march would be 90 days. I don’t have /ssl/ in the config.

I suspect the duckdns add-on using the file dates and the browser is using another date. Only way I can think of that this happened is when I restored a snapshot. Is there a way to force a renewal?

Delete and reinstall the addon.

Just done that, also cleared SSL directory. I watched the add-on make new files in SSL directory dated today but the browser still shows Jan 10th expiry date. Maybe the browser cached the certificate? Checked in incognito mode, expiry date in April, looks like it does.

1 Like

maybe you’ve to remove the old certificate from your web explorer too.
hope this helps!

also you have to check if your internal dns is mapping ip and names correctly, if that the case… mine from outside i could access without puting the port socket… but when from inside i ve to put not only the https part of the address but the 8123 port.

My certificate expired and I couldn’t do anything, not even access with HTTP instead of HTTPS.

So I made a script that updates and restart the LetsEncrypt and DuckDNS addons. In my case the DuckDNS addon unblocked the situation.

#!/bin/bash

is_user_root () { [ "${EUID:-$(id -u)}" -eq 0 ]; }

if is_user_root; then
    echo "Certbot renew..."
    certbot renew

    echo "Refreshing updates..."
    ha refresh-updates
    
    echo "Updating Letsencrypt addon..."
    ha addons update core_letsencrypt
    
    echo "Restarting Letsencrypt addon..."
    ha addons restart core_letsencrypt
    
    echo "Updating DuckDNS addon..."
    ha addons update core_duckdns
    
    echo "Restarting DuckDNS addon..."
    ha addons restart core_duckdns
    
    echo "Restarting core (be patient)..."
    ha core restart
    
    echo "Done!"
else
    echo "Must be executed by priviledged account!" >&2
    exit 1
fi

DuckDNS includes LetsEncrypt. You do not need to install the LetsEncrypt add-on.

You just have to accept the terms in the DuckDNS addon configuration.

lets_encrypt:
  accept_terms: true