Let's Encrypt issues


#9

Yep waited for ages now. Same.
Rebooted router. Same.


#10

I’ve never had to do this and mine renews fine.


#11

I’ve always had to do this when using just Let’s Encrypt. It depends on your router. I no longer have to do this (I think), now that I’m using a proxy.


#12

Did your internal IP for HA change?


#13

Sorted. I had the 443 redirection but you need the port 80 one as well.

Thanks for your help.


#14

My bad, I’m using the duckDNS add-on and that renews Let’s Encrypt certs fine without any other action, you’re just using Let’s Encrypt?


#15

Yup. Let’s Encrypt on hass.io


#16

I’m using the duckDNS add-on too, but I’m using a proxy. I have NO clue if it’s going to work… I’m hoping it will. My 3 months is up around April-ish.

In regards to the Let’s Encrypt stuff, my previous install of hass (not hassio) required me to swap the port forward when renewing the cert. It was super annoying. I’m assuming that it’s the same for hass.io. You know what happens when you assume though…


#17

Any other suggestions for this issue please, as I’m getting this same issue on two fresh hassio installs?

Ports 80 -> 80 and 443 -> 443 are configured for port forwarding.

starting version 3.2.4
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for hassio.domain.com
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. hassio.domain.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://hassio.domain.com/.well-known/acme-challenge/nOCezyvlzLMMOz6oVc78l05IOMiImCW_5CziZ7_98S8: Timeout
IMPORTANT NOTES:
 - The following errors were reported by the server:
   Domain: hassio.domain.com
   Type:   connection
   Detail: Fetching
   http://hassio.domain.com/.well-known/acme-challenge/nOCezyvlzLMMOz6oVc78l05IOMiImCW_5CziZ7_98S8:
   Timeout
   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.
 - Your account credentials have been saved in your Certbot
   configuration directory at /data/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.

Zone is OK as I can access the domain on 8123 both internally and externally.

Default config for initial install on Pi 3.

I’ve had it working previously which is annoying!
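As an added example (not part of this thread), a small Python script that picks the `Failed authorization procedure.` line out of the add-on's log and maps the ACME error type to the check an operator should make next. The first sample line is the one from the log above; the second, `unauthorized`, line is constructed for a placeholder hostname to show the other common outcome, and the hint wording is mine, not certbot's.

```python
import re

# Layout of certbot's "Failed authorization procedure." line, as printed by the
# add-on log in this thread (older certbot; newer urn:ietf:params:acme:error:* URNs parse too).
FAILURE_RE = re.compile(
    r"Failed authorization procedure\. "
    r"(?P<domain>\S+) \((?P<challenge>[\w-]+)\): "
    r"(?P<error>urn:\S+) :: (?P<message>.*?) :: (?P<detail>.*)$"
)

# Operator-side interpretation of each ACME error type (my wording, not certbot's).
HINTS = {
    "connection": "ACME server could not reach port 80 on your public IP: check the "
                  "port 80 forward to the host running the add-on and that the ISP or "
                  "router firewall is not blocking inbound 80.",
    "unauthorized": "Something answered on port 80 but not with the expected token: "
                    "another web server or proxy is handling this hostname.",
    "dns": "The CA could not resolve the hostname: check the A/AAAA record.",
}

# Constructed sample: the real line from the thread's log plus a made-up
# 'unauthorized' failure for a placeholder hostname.
SAMPLE_LOG = """\
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. hassio.domain.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://hassio.domain.com/.well-known/acme-challenge/nOCezyvlzLMMOz6oVc78l05IOMiImCW_5CziZ7_98S8: Timeout
Failed authorization procedure. example.invalid (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://example.invalid/.well-known/acme-challenge/EXAMPLE_TOKEN: 404
"""


def parse_failures(log_text):
    """Return one dict per failed authorization found in certbot's output."""
    results = []
    for line in log_text.splitlines():
        m = FAILURE_RE.search(line)
        if not m:
            continue
        # Last URN segment is the ACME error type: connection, unauthorized, dns, ...
        error_type = m.group("error").rsplit(":", 1)[-1]
        # The detail text names the URL the CA tried; strip the trailing ':' before "Timeout"/"404".
        url_match = re.search(r"https?://\S+", m.group("detail"))
        results.append({
            "domain": m.group("domain"),
            "challenge": m.group("challenge"),
            "error_type": error_type,
            "message": m.group("message"),
            "detail": m.group("detail"),
            "url": url_match.group(0).rstrip(":") if url_match else None,
            "hint": HINTS.get(error_type, "Unrecognised ACME error type; read the detail text."),
        })
    return results


if __name__ == "__main__":
    for f in parse_failures(SAMPLE_LOG):
        print(f"{f['domain']} [{f['challenge']}] {f['error_type']}: {f['hint']}")
```

Feed it the add-on's log output (for example from `/var/log/letsencrypt/letsencrypt.log` mentioned above) and the `connection` hint is the one that matches the failure in this thread: the CA never got an answer on port 80.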


#18

I had this when I tried to renew recently. Ended up removing the add-on and reinstalling it. When I did that, the ports section under options config in the add-on only had port 80. Also, note, letsencrypt doesn’t use 443 for authentication anymore.


#19

…so is it meant to have something else? Mine is the default:

Container:

80/tcp

Host:

80

Thanks, good to know.

I’d previously re-installed the add-on (multiple times!) before giving up and doing a complete format and fresh “out of the box” hassio install + Let’s Encrypt and Samba add-ons (currently stopped). So much time burnt on something so small… :weary:

Does anyone know if this add-on is going to support the DNS-01 challenge like the DuckDNS add-on?


#20

FYI, if DDNS doesn’t update it, you can install letsencrypt, update, and uninstall. That’s what I did originally (Not knowing what to do), and it worked fine after I moved back to DDNS.


#21

Hi Petro, not sure if this in response to me but I’m not using DDNS - or have I missed something?

Or does anyone have any suggestions to try to solve Let’s Encrypt not getting a response please?


#22

Yeah, I thought this was a different thread. If you are using Let’s Encrypt, I’ve always had to forward 443 to 443 just to update the cert. According to @DavidFW1960, that’s not the case anymore. Whatever is required is what you need to port forward. Once the cert goes through, you need to turn on 443 to 8123 again.
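To make concrete what "forward 80 to the add-on while the cert goes through" means, here is an added Python example (not from this thread or the add-on) that plays both sides of the HTTP-01 exchange on localhost: a one-token responder standing in for the standalone authenticator the add-on runs on port 80, and a `validate()` function doing what the CA does, a plain-HTTP GET of `/.well-known/acme-challenge/<token>` compared against the key authorization `<token>.<account key thumbprint>` (RFC 8555 / RFC 7638). The account JWK is a sample key, not a real account; the token is the one from the log earlier in the thread.

```python
import base64, hashlib, json, threading
import urllib.error, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of the public key members."""
    canonical = json.dumps(jwk, sort_keys=True, separators=(",", ":")).encode()
    return b64url(hashlib.sha256(canonical).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """The body the CA expects at the challenge URL: <token>.<account key thumbprint>."""
    return f"{token}.{jwk_thumbprint(jwk)}"


class _Handler(BaseHTTPRequestHandler):
    """Serve exactly one challenge path; everything else is a 404."""

    def do_GET(self):
        if self.path == CHALLENGE_PREFIX + self.server.token:
            body = self.server.keyauth.encode()
            self.send_response(200)
            self.send_header("Content-Type", "application/octet-stream")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        else:
            self.send_error(404)

    def log_message(self, *args):  # keep the demo quiet
        pass


class ChallengeResponder(HTTPServer):
    """Stand-in for the standalone authenticator the add-on binds to port 80 while renewing."""

    def __init__(self, address, token, keyauth):
        super().__init__(address, _Handler)
        self.token = token
        self.keyauth = keyauth


def start_responder(token, keyauth, host="127.0.0.1", port=0):
    """Bind (port 0 = any free port) and serve in a background thread; returns the server."""
    srv = ChallengeResponder((host, port), token, keyauth)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def validate(host, port, token, expected_keyauth, timeout=5.0):
    """What the CA does: plain-HTTP GET of the token path, then compare the body.
    Returns (status, detail); status mirrors the ACME error types seen in certbot logs."""
    url = f"http://{host}:{port}{CHALLENGE_PREFIX}{token}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode(errors="replace").strip()
    except urllib.error.HTTPError as e:            # something answered, but not the token
        return "unauthorized", f"Invalid response from {url}: {e.code}"
    except (urllib.error.URLError, OSError) as e:  # nothing reachable: refused or timed out
        return "connection", f"Fetching {url}: {getattr(e, 'reason', e)}"
    if body != expected_keyauth:
        return "unauthorized", "key authorization mismatch"
    return "valid", "ok"


# Sample account public key (coordinates from a published RFC example key, not a real account).
SAMPLE_JWK = {"kty": "EC", "crv": "P-256",
              "x": "MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4",
              "y": "4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM"}

if __name__ == "__main__":
    token = "nOCezyvlzLMMOz6oVc78l05IOMiImCW_5CziZ7_98S8"  # token from the thread's log
    ka = key_authorization(token, SAMPLE_JWK)
    srv = start_responder(token, ka)
    port = srv.server_address[1]
    print("listener up:", validate("127.0.0.1", port, token, ka))
    srv.shutdown(); srv.server_close()
    print("nothing on the port:", validate("127.0.0.1", port, token, ka, timeout=2.0))
```

The second `validate()` call, made after the listener is gone, is the situation in this thread: the CA's fetch gets no answer and certbot reports `urn:acme:error:connection`. Only port 80 matters for HTTP-01, and only while the authenticator is running; a 443 forward to 8123 can stay in place throughout.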


#23

How do I see what ports are open whilst the Let’s Encrypt add-on docker container is running? When the LE add-on is waiting for cert confirmation there is no response on port 80 using a port scanner - should there be?

I don’t think it’s a router issue as 8123 is working, plus the duckdns add-on works - just not the stand-alone LE add-on which I want for my personal domain.


#24

If you’re on Hassio, when I renewed my certificate recently I had to delete the add-on and reinstall it before it would work. I’m running the stand-alone Let’s Encrypt add-on in Hassio.


#25

Thanks for responding. Yes I’ve tried reinstalling and even starting again from scratch, writing a new image to the SD card. Same error sadly.

Given everything I’ve tried I’m wondering if it could be something to do with the new ResinOS image which I’d updated to before my cert expired, so will try to find an older version and try it all again…


#26

Hello,

could you guys confirm I can achieve what I want before I start with this? All I want to accomplish is to limit the traffic to and from HA so that only encrypted traffic is allowed but I really don’t want to connect from outside my network to HA through a port forwarding because I’ve chosen the VPN route instead.

I tried the duckdns add-on to no avail, but I can’t really put my finger on what is wrong with what duckdns makes to the system. In a nutshell, when I had duckdns successfully set up I could connect to HA from the LAN and the Internet (which I don’t want), and if I enabled the firewall on port 443 (thus disabling remote access over https), then my PC could still connect with HA over https but my smartphones would stop accessing it.

Not sure if I explained myself correctly :frowning:


#27

So you don’t want it to communicate to the outside world but you want to communicate to your phone… which is in the outside world?


#28

Well yes it is, but my phone does connect back to my local network over VPN. My desired scenario would be to enable and restrict traffic to fully encrypted https traffic to and from HA, without needing to enable access to Internet. When my phone is away from my network, I VPN back into the local network through a VPN device that I own.