Hass.io LetsEncrypt Auto-Renewal error

I am confused about the new auto-renewal, Let's Encrypt/DuckDNS changes. I have both enabled in Hass.io v 55.2.
The logs for the Hass.io Let’s Encrypt show an auto-renewal error.

starting version 3.2.2
Saving debug log to /var/log/letsencrypt/letsencrypt.log
-------------------------------------------------------------------------------
Processing /data/letsencrypt/renewal/XXXX.duckdns.org.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for XXXX.duckdns.org
Waiting for verification...
Cleaning up challenges
Attempting to renew cert from /data/letsencrypt/renewal/XXXX.duckdns.org.conf produced an unexpected error: Failed authorization procedure. XXXX.duckdns.org (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 294c59af4d40ccb620191322819XXXX1f84e.fcdcca5999d41de0b885c67ab29929bb.acme.invalid from 134.144.235.58:443. Received 2 certificate(s), first certificate had names "XXXX.duckdns.org". Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /data/letsencrypt/live/XXXX.duckdns.org/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)
IMPORTANT NOTES:
 - The following errors were reported by the server:
   Domain: XXXX.duckdns.org
   Type:   unauthorized
   Detail: Incorrect validation certificate for tls-sni-01 challenge.
   Requested
   294c59af4d40ccb62019XXXX13228191f84e.fcdcca5999d41de0b885c67ab29929bb.acme.invalid
   from 134.144.235.58:443. Received 2 certificate(s), first
   certificate had names "XXXX.duckdns.org"
   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address.

I have exactly the same problem.

You only use one of them. If you're using DuckDNS, just install the DuckDNS one and it will look after letsencrypt too, OR if using your own domain or a different DNS service, install letsencrypt.

If you need another DNS service whilst still using letsencrypt you can look at my addon, it works with any Dynamic DNS service provider. You can even use it in lieu of the DuckDNS addon if you are having trouble with it specifically or just prefer to use letsencrypt addon separately.

So since I have both installed now, I should uninstall LetsEncrypt component and remove the settings in configuration.yaml file under the http: heading? Is there anything special I need to do to DuckDNS? I don’t have any configuration.yaml setting for duckdns. It was installed with the handy hass.io installer.

The information at https://home-assistant.io/components/duckdns/ is very sparse and so not very helpful.

Yep, get rid of the letsencrypt one but you’re looking at the wrong info, this is the hass.io one…

Despite what it says everyone seems to need port 443 forwarded to 8123 on their router.

Thanks. I tried putting the letsencrypt part of the json entries like the link you so kindly provided, but after saving, a restart makes it go back to the way it was.

For future reference, my DuckDNS addon was at version 0.6. It was set for AutoUpdate. I could not get it to accept the new letsencrypt parameters. I uninstalled DuckDNS and reinstalled it. The version was changed to 1.0 and the letsencrypt parameters were already added. I just needed to update the nulls with my token and domain. It looks like it is working. No errors yet in the logs.
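
Added example, not part of the original thread or of either add-on's code: a small parser for the single-line tls-sni-01 failure shown in the first post, which extracts what the CA asked for and what the server on port 443 actually presented. The sample line is constructed (placeholder domain, validation name and IP), and `diagnose` is a hypothetical helper name.

```python
import re

# Constructed sample in the shape of the certbot error quoted in this thread.
# Domain, validation name and IP are placeholders, not values from the thread.
SAMPLE_LOG = (
    "Attempting to renew cert from /data/letsencrypt/renewal/example.duckdns.org.conf "
    "produced an unexpected error: Failed authorization procedure. "
    "example.duckdns.org (tls-sni-01): urn:acme:error:unauthorized :: "
    "The client lacks sufficient authorization :: Incorrect validation certificate "
    "for tls-sni-01 challenge. Requested 0123abcd.4567ef89.acme.invalid from "
    "203.0.113.10:443. Received 2 certificate(s), first certificate had names "
    '"example.duckdns.org". Skipping.\n'
)

# Matches only the single-line form of the error, not the wrapped
# "IMPORTANT NOTES" summary that certbot prints afterwards.
FAILURE = re.compile(
    r"(?P<domain>[\w.-]+) \((?P<challenge>[\w-]+)\): urn:acme:error:(?P<error>\w+) ::"
    r".*?Requested (?P<requested>\S+) from (?P<ip>[\d.]+):(?P<port>\d+)\."
    r" Received \d+ certificate\(s\), first certificate had names \"(?P<names>[^\"]*)\""
)


def diagnose(log_text):
    """Return one finding per failed authorization found in log_text."""
    findings = []
    for m in FAILURE.finditer(log_text):
        names = [n.strip() for n in m["names"].split(",") if n.strip()]
        if m["requested"] in names:
            verdict = "challenge certificate was served; the failure lies elsewhere"
        elif m["domain"] in names:
            # The CA asked for the *.acme.invalid name but got the normal site
            # certificate: whatever listens behind this port did not present
            # the challenge certificate.
            verdict = "regular site certificate served instead of the challenge certificate"
        else:
            verdict = "unrelated certificate served; check DNS and port forwarding"
        findings.append({
            "domain": m["domain"], "challenge": m["challenge"], "error": m["error"],
            "requested": m["requested"], "endpoint": m["ip"] + ":" + m["port"],
            "received_names": names, "verdict": verdict,
        })
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG):
        print(finding)
```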