I am using hass.io and suddenly have noticed Let's Encrypt issues in the log:
starting version 3.2.4
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for <redacted>
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. <redacted> (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://<redacted>/.well-known/acme-challenge/GWXtzjnffXIFAkKKYFOPskB9VILBFUSYSq1LxF07PpY: Error getting validation data
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: <redacted>
Type: connection
Detail: Fetching
http://<redacted>/.well-known/acme-challenge/GWXtzjnffXIFAkKKYFOPskB9VILBFUSYSq1LxF07PpY:
Error getting validation data
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
I have checked my DNS A record; nothing has changed. My router still has the 8123 port redirection. My setup for Let's Encrypt has not changed:
It’s trying to get a new cert. You need to port forward hassio_ip:443 to 443 for renew. Once the renew goes through, swap it back to hassio_ip:8123 to 443.
You can’t; you won’t be able to access Home Assistant. You will always need to swap the redirection.
I’m at like ~60/90 days right now on this DuckDNS setup in hassio with nginx. I have no idea what my cert process is but people lead me to believe that I don’t need to do any port forward swapping. If that truly is the case, you may want to try that combo:
DuckDNS add on.
NGinx add on.
This allows me to keep the 443 -> 443 on my router at all times and I have access to HA
starting version 3.2.4
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for <redacted>
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. <redacted> (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://<redacted>/.well-known/acme-challenge/1_NNEhbOL6PDiXwFjCU_l9rUVDTnp62pyG0uPp47XFk: Error getting validation data
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: <redacted>
Type: connection
Detail: Fetching
http://<redacted>/.well-known/acme-challenge/1_NNEhbOL6PDiXwFjCU_l9rUVDTnp62pyG0uPp47XFk:
Error getting validation data
Did you reset your router to let the changes take place? Some routers require that, some don’t. Mine doesn’t, but I need to wait a few minutes to let the changes occur.
I’ve always had to do this when using just Let’s Encrypt. It depends on your router. I no longer have to do this (I think), now that I’m using a proxy.
I’m using the DuckDNS add-on too, but I’m using a proxy. I have NO clue if it’s going to work… I’m hoping it will. My 3 months is up around April-ish.
In regards to the Let’s encrypt stuff, my previous install of hass (not hassio) required me to swap the port forward when renewing the cert. It was super annoying. I’m assuming that it’s the same for hass.io. You know what happens when you assume though…
Any other suggestions for this issue please, as I’m getting this same issue on two fresh hassio installs?
Ports 80 -> 80 and 443 -> 443 are configured for port forwarding.
starting version 3.2.4
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for hassio.domain.com
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. hassio.domain.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://hassio.domain.com/.well-known/acme-challenge/nOCezyvlzLMMOz6oVc78l05IOMiImCW_5CziZ7_98S8: Timeout
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: hassio.domain.com
Type: connection
Detail: Fetching
http://hassio.domain.com/.well-known/acme-challenge/nOCezyvlzLMMOz6oVc78l05IOMiImCW_5CziZ7_98S8:
Timeout
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
- Your account credentials have been saved in your Certbot
configuration directory at /data/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
Zone is OK as I can access the domain on 8123 both internally and externally.
Default config for initial install on Pi 3.
I’ve had it working previously which is annoying!
I had this when I tried to renew recently. Ended up removing the add-on and reinstalling it. When I did that, the ports section under options config in the add-on only had port 80. Also, note, Let’s Encrypt doesn’t use 443 for authentication anymore.
…so is it meant to have something else? Mine is the default:
Container:
80/tcp
Host:
80
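The posts above boil down to one check: for an http-01 challenge the validation server fetches the token over plain HTTP, so external port 80 must be forwarded to the host port the add-on publishes (80/tcp in the config just shown), and forwarding 443 to 8123 does nothing for it. The script below is an added example for this thread, not code from the Home Assistant add-on: it parses certbot's "Failed authorization procedure" line (the one copied from the thread), derives the port the validator needed, and compares it with a router forwarding table. The LAN address and the two forwarding tables are constructed, and the reading of "Timeout" versus "Error getting validation data" is a heuristic, not certbot documentation.

```python
"""Triage a certbot http-01 failure against the router's port forwards.

Added example; not code from the Home Assistant Let's Encrypt add-on.
The log line is copied from the thread, the LAN address and forwarding
tables are constructed, and HINTS are heuristics, not certbot docs.
"""
import re
from urllib.parse import urlparse

# The one-line summary certbot prints for a failed authorization.
FAIL_RE = re.compile(
    r"Failed authorization procedure\. (?P<domain>\S+) \((?P<challenge>[\w-]+)\): "
    r"(?P<error>urn:acme:error:\w+) :: (?P<message>.*?) :: "
    r"Fetching (?P<url>\S+): (?P<detail>.*)$"
)

# Heuristic reading of the two "Detail:" values that appear in the thread.
HINTS = {
    "Timeout": "no SYN/ACK came back: nothing is forwarded on that port, "
               "or a firewall is dropping the validation server's packets",
    "Error getting validation data": "a TCP connection succeeded but the HTTP "
               "fetch failed: the forward points at a host or port with no "
               "challenge listener",
}


def parse_failure(line):
    """Return the failed challenge as a dict, or None for any other log line."""
    m = FAIL_RE.search(line)
    if not m:
        return None
    info = m.groupdict()
    url = urlparse(info["url"])
    # http-01 is fetched over plain HTTP, so the validator connects to port 80
    # unless the challenge URL carries an explicit port.
    info["port"] = url.port or (80 if url.scheme == "http" else 443)
    info["token"] = url.path.rsplit("/", 1)[-1]
    return info


def diagnose(info, forwards, acme_host, acme_port=80):
    """Compare the port the validator needed with the router's forwarding table.

    forwards  -- {external_port: (lan_host, lan_port)} as set on the router
    acme_host -- LAN address of the box running the standalone authenticator
    acme_port -- host port the add-on container publishes (80 in the thread)
    Returns a list of findings; an empty list means the forward itself is
    fine and the problem lies elsewhere (DNS, router not applying the change).
    """
    if info["challenge"] != "http-01":
        return [f"challenge {info['challenge']} is not handled by this check"]
    ext = info["port"]
    target = forwards.get(ext)
    if target is None:
        return [f"external port {ext} is not forwarded; the standalone "
                f"authenticator answers the challenge there, not on 443"]
    findings = []
    host, port = target
    if host != acme_host:
        findings.append(f"external port {ext} is forwarded to {host}, not {acme_host}")
    if port != acme_port:
        findings.append(f"external port {ext} is forwarded to LAN port {port}, "
                        f"but the add-on listens on {acme_port}")
    return findings


def explain(detail):
    """Heuristic cause for the server's 'Detail:' text."""
    return HINTS.get(detail, "unrecognised detail; read /var/log/letsencrypt/letsencrypt.log")


# Log line copied from the thread (hassio.domain.com is the poster's placeholder).
LOG_LINE = ("Failed authorization procedure. hassio.domain.com (http-01): "
            "urn:acme:error:connection :: The server could not connect to the client "
            "to verify the domain :: Fetching http://hassio.domain.com/.well-known/"
            "acme-challenge/nOCezyvlzLMMOz6oVc78l05IOMiImCW_5CziZ7_98S8: Timeout")

HASSIO = "192.168.1.10"  # constructed LAN address of the hass.io box
# Constructed forwarding tables: the original poster's 443 -> 8123 redirection,
# and the 80 -> 80 / 443 -> 443 setup described later in the thread.
FORWARDS_443_ONLY = {443: (HASSIO, 8123)}
FORWARDS_80_AND_443 = {80: (HASSIO, 80), 443: (HASSIO, 443)}

if __name__ == "__main__":
    info = parse_failure(LOG_LINE)
    for name, table in (("443->8123 only", FORWARDS_443_ONLY),
                        ("80 and 443", FORWARDS_80_AND_443)):
        print(name, diagnose(info, table, HASSIO) or ["forward looks right"])
    print(explain(info["detail"]))
```

With the 80 -> 80 / 443 -> 443 table the check returns nothing, which matches the later post in this thread where both forwards exist and the fetch still times out: at that point the forward is not the suspect, and the remaining candidates are the router not having applied the rule yet, the DNS A record pointing at a stale address, or the ISP blocking inbound 80.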
Thanks, good to know.
I’d previously re-installed the add-on (multiple times!) before giving up and doing a complete format and fresh “out of the box” hassio install + Let’s Encrypt and Samba add-ons (currently stopped). So much time burnt on something so small…
Does anyone know if this add-on is going to support the DNS-01 challenge like the DuckDNS add-on?
FYI, if DDNS doesn’t update it, you can install letsencrypt, update, and uninstall. That’s what I did originally (Not knowing what to do), and it worked fine after I moved back to DDNS.