Error in renewing Letsencrypt ...?

No, I don’t have it.

pi@raspberrypi:~/letsencrypt $ sudo service nginx stop
Failed to stop nginx.service: Unit nginx.service not loaded.
pi@raspberrypi:~/letsencrypt $

pi@raspberrypi:~/letsencrypt $ ./letsencrypt-auto renew --email [email protected]
Requesting root privileges to run certbot...
  /home/pi/.local/share/letsencrypt/bin/letsencrypt renew --email [email protected]
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/red.duckdns.org.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for red.duckdns.org
Waiting for verification...
Cleaning up challenges
Attempting to renew cert from /etc/letsencrypt/renewal/red.duckdns.org.conf produced an unexpected error: Failed authorization procedure. red.duckdns.org (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to 79.53.222.221:443 for TLS-SNI-01 challenge. Skipping.

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/red.duckdns.org/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: red.duckdns.org
   Type:   connection
   Detail: Failed to connect to 79.53.xxx.xxx:443 for TLS-SNI-01
   challenge

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.
pi@raspberrypi:~/letsencrypt $

Try using certonly instead of renew. I don’t use the older letsencrypt-auto package that you have, so I’m sorry I can’t give you the exact command by trying on my own system first; but try swapping “renew” with “certonly”, while keeping home-assistant shut down. If that doesn’t work, try both renew and certonly (or maybe --certonly).

Tried this; now which option, 1 or 2?

pi@raspberrypi:~/letsencrypt $ ./letsencrypt-auto certonly  --email [email protected]
Requesting root privileges to run certbot...
  /home/pi/.local/share/letsencrypt/bin/letsencrypt certonly --email [email protected]
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Failed to find apache2ctl in PATH: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

How would you like to authenticate with the ACME CA?
-------------------------------------------------------------------------------
1: Place files in webroot directory (webroot)
2: Spin up a temporary webserver (standalone)
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):

I installed it in December… is it already old?!

Hmm, try using renew in conjunction with certonly?

2 may work, but it seems like it’s not renewing but rather requesting new certs, which is odd since it should see the old certs. I don’t use letsencrypt with hass directly but rather nginx, so I’m not sure how this will end up.

tried this

pi@raspberrypi:~/letsencrypt $ ./letsencrypt-auto certonly renew --email [email protected]
Requesting root privileges to run certbot...
  /home/pi/.local/share/letsencrypt/bin/letsencrypt certonly renew --email [email protected]
usage:
  letsencrypt-auto [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...

Certbot can obtain and install HTTPS/TLS/SSL certificates.  By default,
it will attempt to use a webserver both for obtaining and installing the
cert.
certbot: error: unrecognized arguments: certonly
pi@raspberrypi:~/letsencrypt $

Alright. You may need to wait for somebody who has letsencrypt certs installed directly on hass, like you do, to help troubleshoot.

You can try option 2 with ./letsencrypt-auto certonly --email [email protected] - it may prompt for renewal or new later in the script.

nope

pi@raspberrypi:~/letsencrypt $ ./letsencrypt-auto certonly --email [email protected]
Requesting root privileges to run certbot...
  /home/pi/.local/share/letsencrypt/bin/letsencrypt certonly --email [email protected]
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Failed to find apache2ctl in PATH: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

How would you like to authenticate with the ACME CA?
-------------------------------------------------------------------------------
1: Place files in webroot directory (webroot)
2: Spin up a temporary webserver (standalone)
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c'
to cancel):xxx.duckdns.org
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for xxx.duckdns.org
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. xxx.duckdns.org (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to 79.53.222.xxx:xxx for TLS-SNI-01 challenge

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: xxx.duckdns.org
   Type:   connection
   Detail: Failed to connect to 79.53.xxx.xxx:443 for TLS-SNI-01
   challenge

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.
pi@raspberrypi:~/letsencrypt $

Ok. This error is because it can’t reach the temporary server letsencrypt is turning on in order to validate renewal. It’s a different error than the first one you had. Two paths:

  1. Turn home-assistant back on and then wait for somebody to come along and help you on the first error

  2. You likely have ports forwarded on your router. Maybe, for example, port 443 going to the HASS port (8123)? This means that letsencrypt cannot reach the temporary validation server on port 443 on the actual server. So, temporarily on your router forward port 443 to 443 of the hass server, instead of 443 to 8123 of the hass server. Re-run the command, and see if it works.

I did this (not your point 1; HASS is still stopped) and took out the port forward from 443 to 8123.

pi@raspberrypi:~/letsencrypt $ ./letsencrypt-auto certonly --email [email protected]
Requesting root privileges to run certbot...
  /home/pi/.local/share/letsencrypt/bin/letsencrypt certonly --email [email protected]
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Failed to find apache2ctl in PATH: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

How would you like to authenticate with the ACME CA?
-------------------------------------------------------------------------------
1: Place files in webroot directory (webroot)
2: Spin up a temporary webserver (standalone)
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c'
to cancel):xxx.duckdns.org
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for xxx.duckdns.org
Waiting for verification...
Cleaning up challenges
Failed authorization procedure.xxx.duckdns.org (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to 79.53.2xxx:443 for TLS-SNI-01 challenge

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: xxx.duckdns.org
   Type:   connection
   Detail: Failed to connect to 79.53.xxx.xxx:443 for TLS-SNI-01
   challenge

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.
pi@raspberrypi:~/letsencrypt $

Did you take out the forward entirely? You still need to forward, just from port 443 to port 443 of the hass server (i.e. 192.168.1.5 or whatever it is).

forgot that above. All good now?

pi@raspberrypi:~/letsencrypt $ ./letsencrypt-auto certonly --email [email protected]
Requesting root privileges to run certbot...
  /home/pi/.local/share/letsencrypt/bin/letsencrypt certonly --email [email protected]
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Failed to find apache2ctl in PATH: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

How would you like to authenticate with the ACME CA?
-------------------------------------------------------------------------------
1: Place files in webroot directory (webroot)
2: Spin up a temporary webserver (standalone)
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c'
to cancel):xxx.duckdns.org
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for xxx.duckdns.org
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0001_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0001_csr-certbot.pem

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/xxx.duckdns.org/fullchain.pem. Your cert
   will expire on 2017-05-31. To obtain a new or tweaked version of
   this certificate in the future, simply run letsencrypt-auto again.
   To non-interactively renew *all* of your certificates, run
   "letsencrypt-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

pi@raspberrypi:~/letsencrypt $

Yep, should be good. Now re-forward on your router port 443 to 8123, turn on Hass again, and you should be in business.

Thanks! Working now.

Hi. I have this same issue, port 443 -> 8123, which must be quite common.

Is there some way we can achieve this renewal without having to change a router port forward, run the renewal, then reset the port forward?
I’d like to automate the process as much as possible… that’s why we’re all here, right? :wink:

I think the issue is that we need certbot to support doing the renewal on a different port, not 443, since that’s forwarded for HA. So for auto-renew to work we need to be able to get it to use a different port and then set up another forwarding rule on the router just to be used for the renewals. It seems that when we could use http-01 this renewal was done on port 80. However, since we now have to use tls-sni-01, this only works on 443; see: https://community.letsencrypt.org/t/how-to-specify-a-port-different-from-443-for-the-dvsni-challenge/12753

So long as there’s nothing else stopping you, you can use http-01 on port 80 without issue, see my detailed guide in the docs.

Thus, permanently:
80 - 80
443 - 8123

Auto renewals and no buggering about :slight_smile:
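One way to catch the mismatch this thread took several posts to find (443 forwarded to 8123 rather than to certbot's standalone listener, and later the 80 -> 80 forward needed for http-01), as an added example that is not code from the thread or from certbot: it parses the "Failed authorization procedure" line certbot printed above and checks the challenge's port against the router's port-forward table. The port-forward table and the http-01 sample line are constructed.

```python
"""Classify a certbot 'Failed authorization procedure' line against the
router's port-forward table.

Added example for this thread, not certbot's own code.  The log line
format is the one certbot printed in the thread; the port-forward
table is a constructed stand-in for what the router shows.
"""
import re
from typing import Dict, Optional

# Port the ACME validation server must reach for each challenge type.
CHALLENGE_PORT = {"tls-sni-01": 443, "http-01": 80}

# e.g. "red.duckdns.org (tls-sni-01): urn:acme:error:connection :: ...
#       Failed to connect to 79.53.222.221:443 for TLS-SNI-01 challenge"
FAILURE_RE = re.compile(
    r"(?P<domain>[\w.-]+) \((?P<challenge>[\w-]+)\): (?P<err>urn:acme:error:\w+)"
    r".*?Failed to connect to (?P<ip>[\d.x]+):(?P<port>\d+|x+)"
)


def parse_failure(line: str) -> Optional[Dict[str, str]]:
    """Return domain, challenge, error code, ip and port, or None."""
    m = FAILURE_RE.search(line)
    return m.groupdict() if m else None


def diagnose(line: str, forwards: Dict[int, int]) -> Optional[str]:
    """forwards maps external router port -> internal port on the host.

    Returns a one-line verdict for an ACME connection error, or None
    when the line is not a connection failure (other error types are
    not something a port-forward check can explain).
    """
    f = parse_failure(line)
    if f is None or f["err"] != "urn:acme:error:connection":
        return None
    need = CHALLENGE_PORT.get(f["challenge"])
    if need is None:
        return f"{f['domain']}: unknown challenge {f['challenge']}"
    internal = forwards.get(need)
    if internal is None:
        return f"{f['domain']}: no forward for {need}, add {need} -> {need} to the host"
    if internal != need:
        return (f"{f['domain']}: external {need} is forwarded to {internal}, "
                f"so certbot's standalone listener on {need} is never reached")
    return (f"{f['domain']}: forward {need} -> {need} is right; check the "
            f"host firewall and that the DNS A record points at {f['ip']}")
```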

Where, which one?