pi@raspberrypi:~/letsencrypt $ ./letsencrypt-auto renew --email [email protected]
Requesting root privileges to run certbot...
/home/pi/.local/share/letsencrypt/bin/letsencrypt renew --email [email protected]
Saving debug log to /var/log/letsencrypt/letsencrypt.log
-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/REDACTED.duckdns.org.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for REDACTED.duckdns.org
Waiting for verification...
Cleaning up challenges
Attempting to renew cert from /etc/letsencrypt/renewal/REDACTED.duckdns.org.conf produced an unexpected error: Failed authorization procedure. REDACTED.duckdns.org (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for TLS-SNI-01 challenge. Requested 9b42956349f558d5845808672fc1de7f.6481a6c9beb2a4ff6a35d632de2b988b.acme.invalid from 79.53.222.221:443. Received 2 certificate(s), first certificate had names "REDACTED.duckdns.org". Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/REDACTED.duckdns.org/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: REDACTED.duckdns.org
Type: unauthorized
Detail: Incorrect validation certificate for TLS-SNI-01 challenge.
Requested
9b42956349f558d5845808672fc1de7f.6481a6c9beb2a4ff6a35d6REDACTED.acme.invalid
from 79.53.222.221:443. Received 2 certificate(s), first
certificate had names "REDACTED.duckdns.org"
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address.
pi@raspberrypi:~/letsencrypt $
Did you shut down nginx or home-assistant, whichever is answering on port 443? Letsencrypt sets up its own little server briefly when conducting the renewal just to ensure you’re asking to renew a cert you own.
Nginx can be used to proxy home-assistant - not everybody uses it, some people do for various reasons. If you had it, you would stop it on a Linux / Rpi by entering “sudo service nginx stop”.
pi@raspberrypi:~/letsencrypt $ ./letsencrypt-auto renew --email [email protected]
Requesting root privileges to run certbot...
/home/pi/.local/share/letsencrypt/bin/letsencrypt renew --email [email protected]
Saving debug log to /var/log/letsencrypt/letsencrypt.log
-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/red.duckdns.org.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for red.duckdns.org
Waiting for verification...
Cleaning up challenges
Attempting to renew cert from /etc/letsencrypt/renewal/red.duckdns.org.conf produced an unexpected error: Failed authorization procedure. red.duckdns.org (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to 79.53.222.221:443 for TLS-SNI-01 challenge. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/red.duckdns.org/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: red.duckdns.org
Type: connection
Detail: Failed to connect to 79.53.xxx.xxx:443 for TLS-SNI-01
challenge
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
pi@raspberrypi:~/letsencrypt $
Try using certonly instead of renew. I don’t use the older letsencrypt-auto package that you have, so I’m sorry I can’t give you the exact command by trying on my own system first; but try swapping “renew” with “certonly”, while keeping home-assistant shut down. If that doesn’t work, try both renew and certonly (or maybe --certonly)
pi@raspberrypi:~/letsencrypt $ ./letsencrypt-auto certonly --email [email protected]
Requesting root privileges to run certbot...
/home/pi/.local/share/letsencrypt/bin/letsencrypt certonly --email [email protected]
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Failed to find apache2ctl in PATH: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
How would you like to authenticate with the ACME CA?
-------------------------------------------------------------------------------
1: Place files in webroot directory (webroot)
2: Spin up a temporary webserver (standalone)
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):
Hmm, try using renew in conjunction with certonly?
2 may work, but it seems like it’s not renewing but rather requesting new certs, which is odd since it should see the old certs. I don’t use letsencrypt with hass directly but rather nginx, so I’m not sure how this will end up.
pi@raspberrypi:~/letsencrypt $ ./letsencrypt-auto certonly renew --email [email protected]
Requesting root privileges to run certbot...
/home/pi/.local/share/letsencrypt/bin/letsencrypt certonly renew --email [email protected]
usage:
letsencrypt-auto [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...
Certbot can obtain and install HTTPS/TLS/SSL certificates. By default,
it will attempt to use a webserver both for obtaining and installing the
cert.
certbot: error: unrecognized arguments: certonly
pi@raspberrypi:~/letsencrypt $
pi@raspberrypi:~/letsencrypt $ ./letsencrypt-auto certonly --email [email protected]
Requesting root privileges to run certbot...
/home/pi/.local/share/letsencrypt/bin/letsencrypt certonly --email [email protected]
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Failed to find apache2ctl in PATH: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
How would you like to authenticate with the ACME CA?
-------------------------------------------------------------------------------
1: Place files in webroot directory (webroot)
2: Spin up a temporary webserver (standalone)
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c'
to cancel):xxx.duckdns.org
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for xxx.duckdns.org
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. xxx.duckdns.org (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to 79.53.222.xxx:xxx for TLS-SNI-01 challenge
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: xxx.duckdns.org
Type: connection
Detail: Failed to connect to 79.53.xxx.xxx:443 for TLS-SNI-01
challenge
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
pi@raspberrypi:~/letsencrypt $
Ok. This error is because it can’t reach the temporary server letsencrypt is turning on in order to validate renewal. It’s a different error than the first one you had. Two paths:
Turn home-assistant back on and then wait for somebody to come along and help you on the first error
You likely have ports forwarded on your router. Maybe, for example, port 443 going to the HASS port (8123)? This means that letsencrypt cannot reach the temporary validation server on port 443 on the actual server. So, temporarily on your router forward port 443 to 443 of the hass server, instead of 443 to 8123 of the hass server. Re-run the command, and see if it works.
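The two failures in this thread (Home Assistant answering on 443 with its own certificate, then port 443 not reachable once HA was stopped and the 443-to-8123 forward removed) are easy to confuse. The script below is an added example, not code from the thread: it classifies certbot output into those cases, prints the matching next step, and wraps renew with pre/post hooks so HA is stopped only while the challenge runs. The unit name "home-assistant", the CERTBOT path and the sample IP are placeholders.

```shell
#!/bin/sh
# Added example: diagnose a failed standalone renewal and run it with hooks.
# Assumes a systemd unit named "home-assistant" (placeholder) and that the
# renewal config already uses the standalone authenticator, as in the thread.

# Read certbot output on stdin and print one token:
#   occupied    another service answered on 443 with its own cert
#               (urn:acme:error:unauthorized, "Incorrect validation certificate")
#   unreachable the CA could not open a connection to 443 at all
#               (urn:acme:error:connection, "Failed to connect")
#   ok          a certificate was issued
#   unknown     anything else; read /var/log/letsencrypt/letsencrypt.log
diagnose_renewal() {
    out=$(cat)
    case "$out" in
        *"Incorrect validation certificate"*) echo occupied ;;
        *"Failed to connect to"*)             echo unreachable ;;
        *"Congratulations!"*)                 echo ok ;;
        *)                                    echo unknown ;;
    esac
}

# Next step for each token, mirroring the advice given in the thread.
renewal_hint() {
    case "$1" in
        occupied)    echo "stop whatever listens on 443 (home-assistant or nginx) before renewing" ;;
        unreachable) echo "forward router port 443 to port 443 of this host, not 8123, and check firewalls" ;;
        ok)          echo "renewed; start the service that uses the certificate" ;;
        *)           echo "no match; inspect the debug log" ;;
    esac
}

# Renew with hooks so port 443 is free only during the challenge.
# CERTBOT can point at ./letsencrypt-auto on older installs.
run_renew() {
    "${CERTBOT:-certbot}" renew --standalone \
        --pre-hook  "systemctl stop home-assistant" \
        --post-hook "systemctl start home-assistant" 2>&1 | diagnose_renewal
}

# Constructed samples, abbreviated from the output quoted above (sample IP).
SAMPLE_OCCUPIED='urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for TLS-SNI-01 challenge.'
SAMPLE_UNREACHABLE='urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to 203.0.113.10:443 for TLS-SNI-01 challenge.'

if [ "${1:-}" = "--demo" ]; then
    for s in "$SAMPLE_OCCUPIED" "$SAMPLE_UNREACHABLE"; do
        t=$(printf '%s\n' "$s" | diagnose_renewal)
        echo "$t: $(renewal_hint "$t")"
    done
fi
```

Run with `--demo` to see the two sample classifications, or call `run_renew` from cron; note that Let's Encrypt has since retired tls-sni-01, so current standalone renewals use http-01 and the same forwarding rule applies to port 80.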
I did this (not your point 1, HASS is still stopped), took out port forward from 443 to 8123
pi@raspberrypi:~/letsencrypt $ ./letsencrypt-auto certonly --email [email protected]
Requesting root privileges to run certbot...
/home/pi/.local/share/letsencrypt/bin/letsencrypt certonly --email [email protected]
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Failed to find apache2ctl in PATH: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
How would you like to authenticate with the ACME CA?
-------------------------------------------------------------------------------
1: Place files in webroot directory (webroot)
2: Spin up a temporary webserver (standalone)
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c'
to cancel):xxx.duckdns.org
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for xxx.duckdns.org
Waiting for verification...
Cleaning up challenges
Failed authorization procedure.xxx.duckdns.org (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to 79.53.2xxx:443 for TLS-SNI-01 challenge
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: xxx.duckdns.org
Type: connection
Detail: Failed to connect to 79.53.xxx.xxx:443 for TLS-SNI-01
challenge
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
pi@raspberrypi:~/letsencrypt $
Did you take out the forward entirely? You still need to forward, just from port 443 to port 443 of the hass server (i.e. 192.168.1.5 or whatever it is).
pi@raspberrypi:~/letsencrypt $ ./letsencrypt-auto certonly --email [email protected]
Requesting root privileges to run certbot...
/home/pi/.local/share/letsencrypt/bin/letsencrypt certonly --email [email protected]
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Failed to find apache2ctl in PATH: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
How would you like to authenticate with the ACME CA?
-------------------------------------------------------------------------------
1: Place files in webroot directory (webroot)
2: Spin up a temporary webserver (standalone)
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c'
to cancel):xxx.duckdns.org
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for xxx.duckdns.org
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0001_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0001_csr-certbot.pem
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/xxx.duckdns.org/fullchain.pem. Your cert
will expire on 2017-05-31. To obtain a new or tweaked version of
this certificate in the future, simply run letsencrypt-auto again.
To non-interactively renew *all* of your certificates, run
"letsencrypt-auto renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
pi@raspberrypi:~/letsencrypt $