Let's Encrypt issues

Hi Petro, not sure if this is in response to me, but I’m not using DDNS - or have I missed something?

Or does anyone have any suggestions to try to solve Let’s Encrypt not getting a response please?

Yeah, I thought this was a different thread. If you are using Let’s Encrypt, I’ve always had to forward 443 to 443 just to update the cert. According to @DavidFW1960, that’s not the case anymore. Whatever is required is what you need to port forward. Once the cert goes through, you need to turn on 443 to 8123 again.

How do I see what ports are open whilst the Let’s Encrypt add-on docker container is running? When the LE add-on is waiting for cert confirmation there is no response on port 80 using a port scanner - should there be?

I don’t think it’s a router issue as 8123 is working, plus the duckdns add-on works - just not the stand-alone LE add-on which I want for my personal domain.

If you’re on Hassio, when I renewed my certificate recently I had to delete the add-on and reinstall it before it would work. I’m running the stand-alone Let’s Encrypt add-on in Hassio.

Thanks for responding. Yes I’ve tried reinstalling and even starting again from scratch, writing a new image to the sdcard. Same error sadly.

Given everything I’ve tried I’m wondering if it could be something to do with the new resinos image which I’d updated to before my cert expired, so will try to find an older version and try it all again…

Hello,

could you guys confirm I can achieve what I want before I start with this? All I want to accomplish is to limit the traffic to and from HA so that only encrypted traffic is allowed but I really don’t want to connect from outside my network to HA through a port forwarding because I’ve chosen the VPN route instead.

I tried the duckdns add-on to no avail, but I can’t really put my finger on what is wrong with what duckdns makes to the system. In a nutshell, when I had duckdns successfully setup I could connect to HA from the LAN and the Internet (which I don’t want), and if I enabled the firewall on port 443 (thus disabling remote access over https), then my PC could still connect with HA over https but my smartphones would stop accessing it.

Not sure if I explained myself correctly :frowning:

So you don’t want it to communicate to the outside world but you want to communicate to your phone… which is in the outside world?

Well yes it is, but my phone does connect back to my local network over VPN. My desired scenario would be to enable and restrict traffic to fully encrypted https traffic to and from HA, without needing to enable access to Internet. When my phone is away from my network, I VPN back into the local network through a VPN device that I own.

I just moved my HA from an rpi4 to an Ubuntu 18.04 LTS server.

pfSense - moved the IP from rpi4 to ubuntu server.
Attempted to create the new files with:

sudo docker run -it --rm -p 80:80 --name certbot -v "/etc/letsencrypt:/etc/letsencrypt"  -v "/var/lib/letsencrypt:/var/lib/letsencrypt" certbot/certbot certonly  --standalone  --email [email protected]  -d here.duckdns.org

Received the following:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for here.duckdns.org
Waiting for verification...
Challenge failed for domain here.duckdns.org
http-01 challenge for here.duckdns.org
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: here.duckdns.org
   Type:   connection
   Detail: Fetching
   http://here.duckdns.org/.well-known/acme-challenge/OGCzamVHPlJAL90rzLUI_UM-3CdqbVKvViW2bzTjAd4:
   Timeout during connect (likely firewall problem)

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.

Also tried the add-on: LetsEncrypt. That’s what worked on the rpi4 version. Same error.

Log file:

cat /var/log/letsencrypt/letsencrypt.log
cat: /var/log/letsencrypt/letsencrypt.log: No such file or directory

Thoughts?
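The certbot notes above tell you to check reachability and firewalls by hand. Here is an added example (not from this thread or from certbot) of a local pre-flight for the standalone http-01 authenticator: it checks whether the port the authenticator must bind is actually free (the other failure mode reported further down, "address already in use"), and fetches a challenge URL the way the CA does, classifying timeout/refusal, 404 and wrong body separately. The listener, token and key authorization are constructed for offline demonstration.

```python
import socket
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
def port_is_free(port, host="0.0.0.0"):
    """True if nothing listens on host:port (the 'address already in use' case)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)  # ignore TIME_WAIT leftovers
        try:
            s.bind((host, port))
            return True
        except OSError:
            return False
def probe_challenge(host, port, token, expected, timeout=3.0):
    """Fetch the challenge URL the way the CA does and classify the outcome."""
    url = f"http://{host}:{port}{CHALLENGE_PREFIX}{token}"
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # go direct, no proxy
    try:
        with opener.open(url, timeout=timeout) as resp:
            body = resp.read().decode("ascii", "replace").strip()
    except urllib.error.HTTPError as e:
        return f"http-error:{e.code}"   # something listens, but the path is not served
    except (urllib.error.URLError, OSError):
        return "connect-failed"         # no forward / firewall / nothing listening (the log above)
    return "ok" if body == expected else "wrong-body"
class ChallengeHandler(BaseHTTPRequestHandler):
    """Stand-in for the standalone authenticator: serves exactly one token."""
    token = "constructed-token"                         # constructed, not a real token
    key_auth = "constructed-token.constructed-thumbprint"  # constructed key authorization

    def do_GET(self):
        if self.path != CHALLENGE_PREFIX + self.token:
            self.send_error(404)
            return
        body = self.key_auth.encode("ascii")
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):   # keep the demo quiet
        pass
def start_listener(port=0):
    """Bind 127.0.0.1 (0 = ephemeral port) and serve in a daemon thread."""
    srv = HTTPServer(("127.0.0.1", port), ChallengeHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv
```

Against a real deployment you would call `port_is_free(80)` before starting the authenticator and `probe_challenge(<public name>, 80, ...)` from a host outside your LAN; a "connect-failed" from outside with "ok" from inside points at the router or firewall, not at certbot.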

I’m getting this as well on a fresh copy of 0.111.1.

[19:15:47] INFO: Selected http verification
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for hass.mydomain.com
Waiting for verification...
Challenge failed for domain hass.mydomain.com
http-01 challenge for hass.mydomain.com
Cleaning up challenges
Some challenges have failed.
IMPORTANT NOTES:
 - The following errors were reported by the server:
   Domain: hass.mydomain.com
   Type:   connection
   Detail: Fetching
   http://hass.mydomain.com/.well-known/acme-challenge/U8WLR-vZw7oRVGR0aIiSMQZPoKNh0Pv5U7dsllGyKqA:
   Timeout during connect (likely firewall problem)
   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.
[cont-finish.d] executing container finish scripts...
[cont-finish.d] done.
[s6-finish] waiting for services.
[s6-finish] sending all processes the TERM signal.
[s6-finish] sending all processes the KILL signal and exiting.

I have an 80:80 port forward set up on my router and my domain name is resolving.

Update: This is showing in the Supervisor log:

20-06-14 22:22:58 INFO (SyncWorker_1) [supervisor.docker.interface] Clean addon_core_letsencrypt application
20-06-14 22:22:58 ERROR (SyncWorker_1) [supervisor.docker] Can't start addon_core_letsencrypt: 500 Server Error: Internal Server Error ("driver failed programming external connectivity on endpoint addon_core_letsencrypt (1ee6c837f11511b417796c741415508c9f943ee85cb51856e2b33744b30ab281): Error starting userland proxy: listen tcp 0.0.0.0:8123: bind: address already in use")

Any ideas?

For me, opening port 80 again fixed the problem. Had to renew my certificate as well.

If you need port 80 you are using http validation, not dns validation.

Sorry, stupid questions.

What is the difference? How would I change to dns validation?

It’s a different way of proving you control a domain that doesn’t require you to open an insecure port. How you configure it depends on the Let’s Encrypt add-on you use.

Port 80 is plain text, hence insecure, but port 443 (https) is more secure as it is encrypted, but requires a certificate. To get a certificate you will need to declare/add DNS information, which will vary depending on your setup.

Long story short, opening port 80 is not a great idea overall.
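To make the difference between the two validation methods concrete, here is an added example (not from this thread or from any add-on) that derives, per RFC 8555, what the CA checks for each challenge type: http-01 expects a key authorization served on port 80 at the URL seen in the logs above, while dns-01 only expects a TXT record under `_acme-challenge.<domain>`, so no inbound port is needed. The account key JWK is a constructed placeholder; the token is the one quoted in the certbot output earlier in the thread.

```python
import base64
import hashlib
import json

def b64url(data):
    """Base64url without '=' padding, as ACME requires everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk):
    """RFC 7638: SHA-256 over the required members only, keys sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

def key_authorization(token, jwk):
    """token '.' thumbprint: binds the challenge to this specific account key."""
    return f"{token}.{jwk_thumbprint(jwk)}"

def http01(domain, token, jwk):
    """http-01: the CA fetches this URL on port 80 and expects exactly this body."""
    url = f"http://{domain}/.well-known/acme-challenge/{token}"
    return url, key_authorization(token, jwk)

def dns01(domain, token, jwk):
    """dns-01: the CA looks up this TXT record; nothing has to listen on the host."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return f"_acme-challenge.{domain}", b64url(digest)

# Constructed account key: placeholder modulus, not a real key (only kty/e/n count).
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": b64url(bytes(range(256))), "alg": "RS256"}
TOKEN = "OGCzamVHPlJAL90rzLUI_UM-3CdqbVKvViW2bzTjAd4"  # token quoted in the certbot output above

if __name__ == "__main__":
    url, body = http01("here.duckdns.org", TOKEN, SAMPLE_JWK)
    print("http-01: serve", url, "with body", body)
    name, txt = dns01("here.duckdns.org", TOKEN, SAMPLE_JWK)
    print("dns-01: publish TXT", name, "=", txt)
```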

I use the DuckDNS addon (which then uses Let’s Encrypt).
Is this feature supported by the addon?

Got that.
Do you maybe have a tutorial/an example of how to set this up with Home Assistant?

Thanks

Yes it is.

There are many tutorials written for this one, try this one: Setting Up DuckDNS in Home-Assistant.IO | by Ferry Djaja | Medium

I have already done all the steps mentioned in this tutorial when setting up duckdns about 2 years ago.
Couldn’t find anything about the renewing of certificates, nor about “dns validation”.