Let's Encrypt stopped, won't start

I keep getting e-mails saying:
“Your certificate (or certificates) for the names listed below will expire in
0 days (on 09 Nov 17 09:57 +0000). Please make sure to renew
your certificate before then, or visitors to your website will encounter errors.”

Description        Manage certificate from Let's Encrypt
Version            1.2
State              stopped
Boot               auto
Auto update        yes
Uses host network  no
Builds locally     no
Detached           no

Is the renewal problem related to the fact that my Let’s Encrypt addon won’t start in hass.io? Is there anything else I can do?

Thanks!

The Let’s Encrypt log shows this:

starting version 3.2.2
Saving debug log to /var/log/letsencrypt/letsencrypt.log
-------------------------------------------------------------------------------
Processing /data/letsencrypt/renewal/[mydomain].duckdns.org.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for [mydomain].duckdns.org
Waiting for verification...
Cleaning up challenges
Attempting to renew cert from /data/letsencrypt/renewal/[mydomain].duckdns.org.conf produced an unexpected error: Failed authorization procedure. [mydomain].duckdns.org (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested [lots of numbers and letters].acme.invalid from [IP address]:443. Received 2 certificate(s), first certificate had names "[mydomain].duckdns.org". Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /data/letsencrypt/live/[mydomain].duckdns.org/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)
IMPORTANT NOTES:
 - The following errors were reported by the server:
   Domain: [mydomain].duckdns.org
   Type:   unauthorized
   Detail: Incorrect validation certificate for tls-sni-01 challenge.
   Requested
   [lots of numbers and letters].acme.invalid
   from [IP address]:443. Received 2 certificate(s), first
   certificate had names "[mydomain].duckdns.org"
   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address.
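
A way to pull the failing challenge, certificate path and server-reported error out of renewal output like the log above, as an added example that is not part of the original posts or of the add-on. The names `triage_renewal_log` and `SAMPLE_LOG` are hypothetical, and the sample is constructed from the quoted log with its placeholders kept.

```python
import re

# Constructed sample: abridged from the renewal output quoted above, placeholders kept.
SAMPLE_LOG = """\
Performing the following challenges:
tls-sni-01 challenge for [mydomain].duckdns.org
All renewal attempts failed. The following certs could not be renewed:
  /data/letsencrypt/live/[mydomain].duckdns.org/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)
IMPORTANT NOTES:
 - The following errors were reported by the server:
   Domain: [mydomain].duckdns.org
   Type:   unauthorized
   Detail: Incorrect validation certificate for tls-sni-01 challenge.
   Requested
   [lots of numbers and letters].acme.invalid
   from [IP address]:443. Received 2 certificate(s), first
   certificate had names "[mydomain].duckdns.org"
   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address.
"""

def triage_renewal_log(text):
    """Return counts, failed cert paths, challenges and server-reported errors."""
    report = {"renew_failures": 0, "parse_failures": 0,
              "failed_certs": [], "challenges": [], "errors": []}
    m = re.search(r"(\d+) renew failure\(s\), (\d+) parse failure\(s\)", text)
    if m:
        report["renew_failures"], report["parse_failures"] = int(m[1]), int(m[2])
    report["failed_certs"] = re.findall(r"^\s+(\S+\.pem) \(failure\)$", text, re.M)
    report["challenges"] = re.findall(r"^(\S+) challenge for (\S+)$", text, re.M)
    current = None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("Domain:"):
            current = {"domain": s.split(":", 1)[1].strip(), "type": None, "detail": ""}
            report["errors"].append(current)
        elif current is None:
            continue  # not inside a server-reported error block
        elif s.startswith("Type:"):
            current["type"] = s.split(":", 1)[1].strip()
        elif s.startswith("Detail:"):
            current["detail"] = s.split(":", 1)[1].strip()
        elif s.startswith("To fix these errors") or not s:
            current = None  # generic advice or blank line ends the wrapped Detail
        elif current["detail"]:
            current["detail"] += " " + s  # re-join a wrapped Detail line
    return report
```

Here the joined `detail` field shows in one line that the server on port 443 answered the tls-sni-01 request with the certificate for the real domain name rather than the validation certificate.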

I had a similar problem. I checked the DuckDNS config in Hass.io and it had accept_terms set to false.

Changed that to true and restarted Home Assistant, and my certificate was successfully regenerated.

Maybe that helps.

  "lets_encrypt": {
    "accept_terms": true,
    "certfile": "fullchain.pem",
    "keyfile": "privkey.pem"
  },

Thanks @Chris_Lawton, I had already changed “accept_terms” to true in DuckDNS. Do you know if I need the Let’s Encrypt addon at all? It seems to be integrated in the DuckDNS addon somehow. I guess I will see tomorrow if this works or not, but the Let’s Encrypt addon cannot be started on my install anyway.

I do have the Let’s Encrypt addon installed. It’s set to auto boot and it has my email and duckDNS domain in its settings. It says ‘stopped’ but I presume it kicked in at boot up.

I also previously had tried uninstalling and reinstalling Let’s Encrypt. I read that somewhere. So maybe in the unprofessional random series of events I tried, something helped.

I am pretty new to this as you maybe can tell. 🙂

Ok, now I am presented with the fact that I can’t log back into HA with the probable cause that I haven’t been able to renew my Let’s Encrypt certificate.

I need help now!

Have you tried accessing from inside your network and using the local IP address of your HA instance? Use HTTP not HTTPS in the address and click through the notification that the connection isn’t secure.

Yes, and http:// just gives me “Connection failed”. I can still access my RPi hass.io through ssh though, so I guess I need a Docker command line way of renewing the cert.

With an invalid cert you should still be able to access your site. Alternatively use the direct IP with HTTPS.

Once you are back on the system remove your LE and DuckDNS addons (make a copy of the config first) and follow this guide: https://home-assistant.io/blog/2017/09/27/effortless-encryption-with-lets-encrypt-and-duckdns/

Ok, back in. Will try that now. Have made a backup of configuration.yaml.

Ok, I uninstalled both of the addons and reinstalled only DuckDNS and rebooted my RPi. When it came back up again, I could login again. However, the LE addon was still there. I thought I only needed the DuckDNS addon?

That’s right… My DuckDNS add-on settings look like this:

{
  "lets_encrypt": {
    "accept_terms": true,
    "certfile": "/ssl/fullchain.pem",
    "keyfile": "/ssl/privkey.pem"
  },
  "token": "put-your-duckdns-token-here",
  "domains": [
    "putyoursubdomainnamehere.duckdns.org"
  ],
  "seconds": 3600
}

Thanks, my config file looks the same, except that I don’t have the path “/ssl/” before the .pem files and I have seconds: 300 instead of 3600

I guess I should just go ahead and uninstall the LE addon once again then, and see if I can get rid of it.

I think I got it working correctly now. However, I think it needs to be stated more clearly that the new DuckDNS addon deprecates the need for the Let’s Encrypt addon.
