Let's Encrypt issues

I am using hass.io and suddenly have noticed Let's Encrypt issues in the log:

starting version 3.2.4
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for <redacted>
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. <redacted> (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://<redacted>/.well-known/acme-challenge/GWXtzjnffXIFAkKKYFOPskB9VILBFUSYSq1LxF07PpY: Error getting validation data
IMPORTANT NOTES:
 - The following errors were reported by the server:
   Domain: <redacted>
   Type:   connection
   Detail: Fetching
   http://<redacted>/.well-known/acme-challenge/GWXtzjnffXIFAkKKYFOPskB9VILBFUSYSq1LxF07PpY:
   Error getting validation data
   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.

I have checked my DNS A record; nothing has changed. My router still has the 8123 port redirection. My setup for Let's Encrypt has not changed:

{
  "email": "[email protected]",
  "domains": [
    "<redacted>"
  ],
  "certfile": "/ssl/fullchain.pem",
  "keyfile": "/ssl/privkey.pem"
}

Anyone else experiencing the same issue? I have tried uninstalling and reinstalling but receive the same error.

It’s trying to get a new cert. You need to port forward hassio_ip:443 to 443 for the renewal. Once the renewal goes through, swap it back to hassio_ip:8123 to 443.

Thanks! Will I have to do this every 30 days?

Should be every 90 days

OK so it’s best to leave the 443 redirection open then?

You can’t, you won’t be able to access home assistant. Always will need to swap the redirection.

I’m at like ~60/90 days right now on this DuckDNS setup in hassio with nginx. I have no idea what my cert process is, but people led me to believe that I don’t need to do any port forward swapping. If that truly is the case, you may want to try that combo:

DuckDNS add-on.
NGINX add-on.

This allows me to keep the 443 -> 443 on my router at all times, and I have access to HA.

Same error even with 443 redirection:

starting version 3.2.4
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for <redacted>
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. <redacted> (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://<redacted>/.well-known/acme-challenge/1_NNEhbOL6PDiXwFjCU_l9rUVDTnp62pyG0uPp47XFk: Error getting validation data
IMPORTANT NOTES:
 - The following errors were reported by the server:
   Domain: <redacted>
   Type:   connection
   Detail: Fetching
   http://<redacted>/.well-known/acme-challenge/1_NNEhbOL6PDiXwFjCU_l9rUVDTnp62pyG0uPp47XFk:
   Error getting validation data

Did you reset your router to let the changes take place? Some routers require that, some don’t. Mine doesn’t, but I need to wait a few minutes to let the changes occur.

Yep waited for ages now. Same.
Rebooted router. Same.

I’ve never had to do this and mine renews fine.

I’ve always had to do this when using just Let's Encrypt. It depends on your router. I no longer have to do this (I think), now that I’m using a proxy.

Did your internal IP for HA change?

Sorted. I had the 443 redirection but you need the port 80 one as well.

Thanks for your help.

My bad, I’m using the DuckDNS add-on, and that renews Let’s Encrypt certs fine without any other action. You’re just using Let’s Encrypt?

Yup. Let’s Encrypt on hass.io

I’m using the DuckDNS add-on too, but I’m using a proxy. I have NO clue if it’s going to work… I’m hoping it will. My 3 months is up around April-ish.

In regards to the Let’s Encrypt stuff, my previous install of hass (not hassio) required me to swap the port forward when renewing the cert. It was super annoying. I’m assuming that it’s the same for hass.io. You know what happens when you assume though…

Any other suggestions for this issue please, as I’m getting this same issue on two fresh hassio installs?

Ports 80 -> 80 and 443 -> 443 are configured for port forwarding.

starting version 3.2.4
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for hassio.domain.com
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. hassio.domain.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://hassio.domain.com/.well-known/acme-challenge/nOCezyvlzLMMOz6oVc78l05IOMiImCW_5CziZ7_98S8: Timeout
IMPORTANT NOTES:
 - The following errors were reported by the server:
   Domain: hassio.domain.com
   Type:   connection
   Detail: Fetching
   http://hassio.domain.com/.well-known/acme-challenge/nOCezyvlzLMMOz6oVc78l05IOMiImCW_5CziZ7_98S8:
   Timeout
   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.
 - Your account credentials have been saved in your Certbot
   configuration directory at /data/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.

Zone is OK as I can access the domain on 8123 both internally and externally.

Default config for initial install on Pi 3.

I’ve had it working previously which is annoying!

I had this when I tried to renew recently. Ended up removing the add-on and reinstalling it. When I did that, the ports section under options config in the add-on only had port 80. Also note, Let's Encrypt doesn’t use 443 for authentication anymore.
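As an added example (not code from the thread or from the add-on), a small Python helper that parses the "Failed authorization procedure" line certbot prints, reports which inbound port the CA's validator needed, and uses the log lines quoted above in this thread as sample input:

```python
import re

# Sample lines copied from the certbot output quoted earlier in this thread.
SAMPLE_CONNECTION = (
    "Failed authorization procedure. <redacted> (http-01): urn:acme:error:connection :: "
    "The server could not connect to the client to verify the domain :: Fetching "
    "http://<redacted>/.well-known/acme-challenge/GWXtzjnffXIFAkKKYFOPskB9VILBFUSYSq1LxF07PpY: "
    "Error getting validation data"
)
SAMPLE_TIMEOUT = (
    "Failed authorization procedure. hassio.domain.com (http-01): urn:acme:error:connection :: "
    "The server could not connect to the client to verify the domain :: Fetching "
    "http://hassio.domain.com/.well-known/acme-challenge/nOCezyvlzLMMOz6oVc78l05IOMiImCW_5CziZ7_98S8: "
    "Timeout"
)

FAILURE_RE = re.compile(
    r"Failed authorization procedure\. (?P<domain>\S+) \((?P<challenge>[\w-]+)\): "
    r"(?P<error>urn:acme:error:\w+) :: .*?:: Fetching (?P<url>\S+): (?P<detail>.+)$",
    re.MULTILINE,
)

def validation_port(url):
    """Port the CA's validator connects to: an explicit port if given, else the scheme default."""
    scheme, rest = url.split("://", 1)
    netloc = rest.split("/", 1)[0]
    if ":" in netloc:
        return int(netloc.rsplit(":", 1)[1])
    return 443 if scheme == "https" else 80

def diagnose(log_text):
    """Parse one failure line and say which inbound port had to be reachable; None if no failure."""
    m = FAILURE_RE.search(log_text)
    if not m:
        return None
    r = m.groupdict()
    r["error"] = r["error"].rsplit(":", 1)[1]        # e.g. "connection"
    r["port"] = validation_port(r["url"])
    r["advice"] = "check that TCP %d is reachable from the internet" % r["port"]
    if r["challenge"] == "http-01":
        # http-01 is fetched over plain HTTP, so a 443 -> 443 forward on its own (as tried
        # in this thread) can never satisfy the validator; port 80 must reach the add-on.
        r["advice"] = ("forward TCP %d from the router to the host running the add-on "
                       "and make sure no firewall drops it" % r["port"])
    if r["detail"] == "Timeout":
        r["advice"] += "; a timeout means the validator got no answer at all (dropped, not refused)"
    return r
```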

…so is it meant to have something else? Mine is the default:

Container: 80/tcp
Host: 80

Thanks, good to know.

I’d previously re-installed the add-on (multiple times!) before giving up and doing a complete format and fresh “out of the box” hassio install + Let’s Encrypt and Samba add-ons (currently stopped). So much time burnt on something so small… :weary:

Does anyone know if this add-on is going to support the DNS-01 challenge like the DuckDNS add-on?

FYI, if DDNS doesn’t update it, you can install letsencrypt, update, and uninstall. That’s what I did originally (Not knowing what to do), and it worked fine after I moved back to DDNS.