Let's Encrypt - All in one Installer (help)

Hey,

I can’t install Let’s Encrypt on my installation.
What webroot should I use?

“1: Enter a new webroot”

Duckdns is working…

Where is the prompt you’re referring to coming from? If it’s from something to do with LetsEncrypt (e.g. certbot) then provide the full name of your DuckDNS host.

Actually, if this is from certbot, don’t use the webroot plugin, but the standalone one.

Then it says this:

Obtaining a new certificate
Performing the following challenges:
http-01 challenge for myhostname.duckdns.org
Cleaning up challenges
Problem binding to port 80: Could not bind to IPv4 or IPv6.

Try running it as root (e.g. put sudo before the command) and it’ll solve that problem. You’ll also need to forward port 80 from your router to the system you’re running certbot on.

Still got the problem when I do as root.

I use this: sudo ./certbot-auto certonly --standalone --preferred-challenges http-01 --email [email protected] -d mydomain.duckdns.org

What problem?

Maybe I’m doing it wrong. I’m using this guide: https://home-assistant.io/docs/ecosystem/certificates/lets_encrypt/

This problem:

Obtaining a new certificate
Performing the following challenges:
http-01 challenge for myhostname.duckdns.org
Cleaning up challenges
Problem binding to port 80: Could not bind to IPv4 or IPv6.

It may be that you’ve got something else using port 80, let’s have a look:

netstat -pant|egrep ":80\s|:443\s"

That’ll show any processes using port 80 or 443

This is the output:

pi@raspberrypi:~/letsencrypt $   netstat -pant|egrep ":80\s|:443\s"
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      -
tcp        0      0 192.168.2.200:39278     192.168.2.200:80        TIME_WAIT   -
tcp        0      0 192.168.2.200:39324     192.168.2.200:80        TIME_WAIT   -
tcp        0      0 192.168.2.200:39262     192.168.2.200:80        TIME_WAIT   -
tcp        0      0 192.168.2.200:39298     192.168.2.200:80        TIME_WAIT   -
tcp        0      0 192.168.2.200:50382     17.248.150.46:443       ESTABLISHED -
tcp        0      0 192.168.2.200:39284     192.168.2.200:80        TIME_WAIT   -
tcp        0      0 192.168.2.200:39292     192.168.2.200:80        TIME_WAIT   -
tcp        0      0 192.168.2.200:39272     192.168.2.200:80        TIME_WAIT   -
tcp        0      0 192.168.2.200:39266     192.168.2.200:80        TIME_WAIT   -
tcp        0      0 192.168.2.200:39282     192.168.2.200:80        TIME_WAIT   -
tcp        0      0 192.168.2.200:39316     192.168.2.200:80        TIME_WAIT   -
tcp        0      0 192.168.2.200:39342     192.168.2.200:80        TIME_WAIT   -
tcp        0      0 192.168.2.200:39336     192.168.2.200:80        TIME_WAIT   -
tcp        0      0 192.168.2.200:39328     192.168.2.200:80        TIME_WAIT   -
tcp        0      0 192.168.2.200:39268     192.168.2.200:80        TIME_WAIT   -
tcp        0      0 192.168.2.200:39288     192.168.2.200:80        TIME_WAIT   -
tcp        1      0 192.168.2.200:38992     173.194.221.121:443     CLOSE_WAIT  -
tcp        0      0 192.168.2.200:39338     192.168.2.200:80        TIME_WAIT   -
tcp        0      0 192.168.2.200:39294     192.168.2.200:80        TIME_WAIT   -
tcp        0      0 192.168.2.200:39312     192.168.2.200:80        TIME_WAIT   -
tcp        0      0 192.168.2.200:39280     192.168.2.200:80        TIME_WAIT   -
tcp        0      0 192.168.2.200:39346     192.168.2.200:80        TIME_WAIT   -
tcp        0      0 192.168.2.200:39256     192.168.2.200:80        TIME_WAIT   -
tcp        0      0 192.168.2.200:51950     17.248.150.118:443      ESTABLISHED -
tcp        0      0 192.168.2.200:39304     192.168.2.200:80        TIME_WAIT   -
tcp        0      0 192.168.2.200:39274     192.168.2.200:80        TIME_WAIT   -
tcp        0      0 192.168.2.200:39318     192.168.2.200:80        TIME_WAIT   -
tcp        0      0 192.168.2.200:39340     192.168.2.200:80        TIME_WAIT   -
tcp        0      0 192.168.2.200:39306     192.168.2.200:80        TIME_WAIT   -
tcp        0      0 192.168.2.200:39332     192.168.2.200:80        TIME_WAIT   -
tcp        0      0 192.168.2.200:39326     192.168.2.200:80        TIME_WAIT   -
tcp        0      0 192.168.2.200:39290     192.168.2.200:80        TIME_WAIT   -
tcp        0      0 192.168.2.200:39322     192.168.2.200:80        TIME_WAIT   -
tcp        0      0 192.168.2.200:39308     192.168.2.200:80        TIME_WAIT   -
tcp        0      0 192.168.2.200:39296     192.168.2.200:80        TIME_WAIT   -
tcp        0      0 192.168.2.200:39260     192.168.2.200:80        TIME_WAIT   -
tcp        0      0 192.168.2.200:39302     192.168.2.200:80        TIME_WAIT   -
tcp        0      0 192.168.2.200:39314     192.168.2.200:80        TIME_WAIT   -
tcp        0      0 192.168.2.200:39334     192.168.2.200:80        TIME_WAIT   -
tcp        0      0 192.168.2.200:39258     192.168.2.200:80        TIME_WAIT   -

As root:

pi@raspberrypi:~/letsencrypt $ sudo  netstat -pant|egrep ":80\s|:443\s"
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      723/deCONZ
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      723/deCONZ
tcp        0      0 192.168.2.200:39010     52.43.46.37:443         TIME_WAIT   -
tcp        0      0 192.168.2.200:50382     17.248.150.46:443       ESTABLISHED 951/python3
tcp        0      0 192.168.2.200:39348     192.168.2.200:80        TIME_WAIT   -
tcp        0      0 192.168.2.200:39342     192.168.2.200:80        TIME_WAIT   -
tcp        0      0 192.168.2.200:39374     192.168.2.200:80        TIME_WAIT   -
tcp        0      0 192.168.2.200:39336     192.168.2.200:80        TIME_WAIT   -
tcp        0      0 192.168.2.200:39416     192.168.2.200:80        TIME_WAIT   -
tcp        0      0 192.168.2.200:39378     192.168.2.200:80        TIME_WAIT   -
tcp        0      0 192.168.2.200:39368     192.168.2.200:80        TIME_WAIT   -
tcp        0      0 192.168.2.200:39404     192.168.2.200:80        TIME_WAIT   -
tcp        0      0 192.168.2.200:39350     192.168.2.200:80        TIME_WAIT   -
tcp        1      0 192.168.2.200:38992     173.194.221.121:443     CLOSE_WAIT  951/python3
tcp        0      0 192.168.2.200:39370     192.168.2.200:80        TIME_WAIT   -
tcp        0      0 192.168.2.200:39338     192.168.2.200:80        TIME_WAIT   -
tcp        0      0 192.168.2.200:39360     192.168.2.200:80        TIME_WAIT   -
tcp        0      0 192.168.2.200:39386     192.168.2.200:80        TIME_WAIT   -
tcp        0      0 192.168.2.200:39380     192.168.2.200:80        TIME_WAIT   -
tcp        0      0 192.168.2.200:39388     192.168.2.200:80        TIME_WAIT   -
tcp        0      0 192.168.2.200:39346     192.168.2.200:80        TIME_WAIT   -
tcp        0      0 192.168.2.200:39414     192.168.2.200:80        TIME_WAIT   -
tcp        0      0 192.168.2.200:51950     17.248.150.118:443      ESTABLISHED 951/python3
tcp        0      0 192.168.2.200:39392     192.168.2.200:80        TIME_WAIT   -
tcp        0      0 192.168.2.200:39362     192.168.2.200:80        TIME_WAIT   -
tcp        0      0 192.168.2.200:39382     192.168.2.200:80        TIME_WAIT   -
tcp        0      0 192.168.2.200:39356     192.168.2.200:80        TIME_WAIT   -
tcp        0      0 192.168.2.200:39418     192.168.2.200:80        TIME_WAIT   -
tcp        0      0 192.168.2.200:39410     192.168.2.200:80        TIME_WAIT   -
tcp        0      0 192.168.2.200:39372     192.168.2.200:80        TIME_WAIT   -
tcp        0      0 192.168.2.200:39340     192.168.2.200:80        TIME_WAIT   -
tcp        0      0 192.168.2.200:39358     192.168.2.200:80        TIME_WAIT   -
tcp        0      0 192.168.2.200:39396     192.168.2.200:80        TIME_WAIT   -
tcp        0      0 192.168.2.200:39366     192.168.2.200:80        TIME_WAIT   -
tcp        0      0 192.168.2.200:39408     192.168.2.200:80        TIME_WAIT   -
tcp        0      0 192.168.2.200:39352     192.168.2.200:80        TIME_WAIT   -
tcp        0      0 192.168.2.200:39398     192.168.2.200:80        TIME_WAIT   -
tcp        0      0 192.168.2.200:39406     192.168.2.200:80        TIME_WAIT   -
tcp        0      0 192.168.2.200:39384     192.168.2.200:80        TIME_WAIT   -
tcp        0      0 192.168.2.200:39334     192.168.2.200:80        TIME_WAIT   -
tcp        0      0 192.168.2.200:39400     192.168.2.200:80        TIME_WAIT   -

Ok, so you’ve got processes using both port 80 and port 443, that’s going to be an issue.

Now let’s see what they are:

sudo netstat -pant|egrep "\.0:80\s|\.0:443\s"

Output:

pi@raspberrypi:~/letsencrypt $ sudo netstat -pant|egrep "\.0:80\s|\.0:443\s"
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      723/deCONZ
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      723/deCONZ

That’s your problem. You need to find a way to configure that to leave one of those ports alone, or you’re going to have to manually renew your LetsEncrypt certificates.
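
An added example (not part of the thread, and not code from certbot or deCONZ): a filter that reduces `netstat -pant` output to the LISTEN sockets on the ports certbot's standalone authenticator needs, ignoring the TIME_WAIT and ESTABLISHED rows that crowd the output above. The function names `listeners` and `port_is_free` and the embedded sample are constructed for illustration.

```shell
#!/bin/sh
# Added example: report which process holds the listening socket on the
# ports certbot --standalone needs (80 for http-01).
# Reads `netstat -pant` formatted text on stdin, so it can be checked offline.

# listeners PORT... : print "port<TAB>pid/program" for every LISTEN socket
# bound to one of the given ports; connection rows are skipped.
listeners() {
    awk -v ports="$*" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            # Field 4 is the local address; the port follows the last colon
            # (handles 0.0.0.0:80 and :::80 alike).
            port = $4; sub(/.*:/, "", port)
            # Field 7 is pid/program, or "-" when netstat ran without root.
            if (port in want) printf "%s\t%s\n", port, $7
        }'
}

# port_is_free PORT : exit status 0 when nothing in the input listens on PORT.
port_is_free() {
    [ -z "$(listeners "$1")" ]
}

# Constructed sample, modelled on the rows posted in the thread.
SAMPLE='tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      723/deCONZ
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      723/deCONZ
tcp        0      0 192.168.2.200:39348     192.168.2.200:80        TIME_WAIT   -
tcp        0      0 192.168.2.200:50382     17.248.150.46:443       ESTABLISHED 951/python3'

# Live use on the host (root is needed to see other users' process names):
#   sudo netstat -pant | listeners 80 443
#   sudo netstat -pant | port_is_free 80 && echo "port 80 is free for certbot"
```

Matching on the state column rather than on the `:80` text is what keeps connection rows whose remote side is port 80 out of the result.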

Thank you very much, I will try to get this to work.

Managed to change port of deCONZ to 9090.

Now I got this error instead:

 sudo ./certbot-auto certonly --standalone --preferred-challenges http-01 --email [email protected] -d mydomain.duckdns.org
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for mydomain.duckdns.org
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. mydomain.duckdns.org (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://mydomain.duckdns.org/.well-known/acme-challenge/Un4P-_A3y7DR890BLAI-412jsqFniO6YMf_pa331RE0: Timeout

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: mydomain.duckdns.org
   Type:   connection
   Detail: Fetching
   http://mydomain.duckdns.org/.well-known/acme-challenge/Un4P-_1237DR890BLAI-8b4jsqFniO6YMf_pa431RE0:
   Timeout

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.

Did you remember to configure a port forward on your router, forwarding port 80 to your Pi?

Yes, that’s done.

But now I can’t fetch the deCONZ REST API in Home Assistant… (since the port change on deCONZ)

Does anyone have any tips?

When I change port of deCONZ I can’t see my lights.

You’ll need to change the port deCONZ uses and forward those ports, or switch to controlling those lights directly from Home Assistant.