Letsencrypt certificate renewal failed

I very much doubt it! Something is seriously wrong if you can’t go to http://ip-address:8123

Chrome etc will pitch a fit about the certificate but you just click advanced and load the site anyway.

I get the following:

didn’t send any data.
ERR_EMPTY_RESPONSE

I tried hooking up the Raspberry to a monitor in order to access the web server locally from within the Raspberry, but I only get a Home Assistant logo.

What can I do? I checked and the Raspberry IP is OK.

Should I uninstall the Duck DNS and Letsencrypt from the config.yaml?

Which web browser?

I tried Chrome and Edge, none are working.

This hassio thing with the web page is great, until you need to do something manually. I miss the old installation method a lot.

OK.

I just got that as well.

Try HTTPS://ip-address:8123

must be https

or https://hassio.local:8123
click advanced and then load (unsafe)


it finally worked. Thanks a lot!

Like you said, I had to go to advanced and confirm I wanted to enter an unsafe site.

Thanks again, I hope I do not find any more issues.

Regards,

Maxi.

FWIW, to get auto-renewing Let’s Encrypt certs with the core_letsencrypt Hassio Addon, I am using this automation:

- id: letsencrypt-renewal
  alias: "Let's Encrypt Renewal"
  trigger:
  - platform: time
    at: '00:00:00'
  action:
  - service: hassio.addon_restart
    data:
      addon: core_letsencrypt

Edit: This has been added to the official docs now.

lol!!! I was thinking just today I should make that exact same automation to start the addon every day!

Just tried it and I’m seeing this error:

starting version 3.2.4
Saving debug log to /var/log/letsencrypt/letsencrypt.log
-------------------------------------------------------------------------------
Processing /data/letsencrypt/renewal/my-domain.duckdns.org.conf
-------------------------------------------------------------------------------
expected /data/letsencrypt/live/my-domain.duckdns.org/cert.pem to be a symlink
Renewal configuration file /data/letsencrypt/renewal/my-domain.duckdns.org.conf is broken. Skipping.
-------------------------------------------------------------------------------
0 renew failure(s), 1 parse failure(s)
No renewals were attempted.
Additionally, the following renewal configuration files were invalid: 
  /data/letsencrypt/renewal/my-domain.duckdns.org.conf (parsefail)
-------------------------------------------------------------------------------

What am I missing now?
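As an added example (not code from the thread or from certbot), here is a small Python check that reproduces the condition behind the "expected .../live/<domain>/cert.pem to be a symlink" message. certbot keeps the real files under archive/<domain>/ and expects live/<domain>/*.pem to be symlinks into that directory; when the live files have been copied or edited by hand, the renewal config is reported as a parse failure and skipped, which is what the log above shows. The directory tree and PEM contents the script builds are constructed placeholders, and the domain name is the one used in the thread.

```python
# Added example, not code from the thread: reproduces the check behind certbot's
# "expected .../live/<domain>/cert.pem to be a symlink" message. certbot keeps the
# real files under archive/<domain>/ and expects live/<domain>/*.pem to be symlinks
# into that directory; a lineage whose live/ files were copied or edited by hand is
# reported as a parse failure and skipped on renewal.
import os
import tempfile

LIVE_FILES = ("cert.pem", "chain.pem", "fullchain.pem", "privkey.pem")


def check_live_lineage(config_dir, domain):
    """Return a list of problems for one lineage; an empty list means it looks renewable."""
    problems = []
    live = os.path.join(config_dir, "live", domain)
    archive = os.path.realpath(os.path.join(config_dir, "archive", domain))
    renewal_conf = os.path.join(config_dir, "renewal", domain + ".conf")
    if not os.path.isfile(renewal_conf):
        problems.append("missing renewal config " + renewal_conf)
    for name in LIVE_FILES:
        path = os.path.join(live, name)
        if not os.path.lexists(path):
            problems.append("missing " + path)
        elif not os.path.islink(path):
            problems.append("expected " + path + " to be a symlink")
        else:
            target = os.path.realpath(path)
            if not os.path.isfile(target):
                problems.append(path + " is a dangling symlink -> " + os.readlink(path))
            elif os.path.dirname(target) != archive:
                problems.append(path + " points outside archive/: " + target)
    return problems


def make_lineage(config_dir, domain, broken):
    """Build a constructed certbot-style tree (placeholder PEM text, not real keys).

    broken=False: live/*.pem are relative symlinks into archive/, as certbot creates them.
    broken=True:  live/*.pem are plain files, the state that triggers the parse failure.
    """
    archive = os.path.join(config_dir, "archive", domain)
    live = os.path.join(config_dir, "live", domain)
    renewal = os.path.join(config_dir, "renewal")
    for d in (archive, live, renewal):
        os.makedirs(d, exist_ok=True)
    with open(os.path.join(renewal, domain + ".conf"), "w") as f:
        f.write("[renewalparams]\nauthenticator = standalone\n")  # constructed stub
    for name in LIVE_FILES:
        archived = name.replace(".pem", "1.pem")  # cert1.pem, chain1.pem, ...
        with open(os.path.join(archive, archived), "w") as f:
            f.write("-----BEGIN PLACEHOLDER-----\nconstructed, not a real " + name + "\n")
        live_path = os.path.join(live, name)
        if broken:
            with open(live_path, "w") as f:
                f.write("copied by hand\n")
        else:
            os.symlink(os.path.join("..", "..", "archive", domain, archived), live_path)


def demo(domain="my-domain.duckdns.org"):
    """Run the check against a healthy and a hand-copied lineage; returns both problem lists."""
    results = {}
    for label, broken in (("healthy", False), ("copied", True)):
        config_dir = tempfile.mkdtemp(prefix="letsencrypt-")
        make_lineage(config_dir, domain, broken)
        results[label] = check_live_lineage(config_dir, domain)
    return results


if __name__ == "__main__":
    for label, problems in demo().items():
        print(label + ":", problems or "OK")
```

Pointed at a real add-on data directory (the /data/letsencrypt path from the log), check_live_lineage() lists exactly which of the four live files certbot will refuse; the fix is to restore the symlinks into archive/ rather than to copy files around, which is why reinstalling the add-on (and letting it create a fresh lineage) made the error go away.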

Uninstalled addon and re-installed and now I get:

starting version 3.2.4
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for my-domain.duckdns.org
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. my-domain.duckdns.org (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://my-domain.duckdns.org/.well-known/acme-challenge/v9tBRzv3BEDt3d6_kCay-FpN3Mk_Bz8F4n423CDs2pI: Timeout during connect (likely firewall problem)
IMPORTANT NOTES:
 - The following errors were reported by the server:
   Domain: my-domain.duckdns.org
   Type:   connection
   Detail: Fetching
   http://my-domain.duckdns.org/.well-known/acme-challenge/v9tBRzv3BEDt3d6_kCay-FpN3Mk_Bz8F4n423CDs2pI:
   Timeout during connect (likely firewall problem)
   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.

I have port 80 forwarded in my router to port 80 on the Pi and it renewed fine last time…
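The "Timeout during connect (likely firewall problem)" line means the CA's validation server never completed a TCP connection to port 80 at the address your DNS name resolves to, which is a different failure from "nothing listening" (connection refused) or "wrong content" (404 or mismatched key authorization). As an added example, not code from the thread or from certbot, the Python script below runs a minimal challenge responder of the kind the standalone authenticator starts, then fetches the token the way the ACME server does and reports a verdict in certbot's own vocabulary. The host, port, token and key authorization are constructed values, and because it runs on loopback it cannot see an ISP block or a missing router rule; what it does is let you tell the three failure classes apart before asking the CA again and burning through the rate limit.

```python
# Added example, not code from the thread or from certbot: a loopback self-test of the
# http-01 path. It runs a minimal challenge responder like the one certbot's standalone
# authenticator starts, then fetches the token the way the ACME server would and reports
# a verdict in certbot's own vocabulary. Host, port, token and key authorization are
# constructed values. Being loopback-only it cannot see an ISP block or a router rule,
# but it tells the "nothing listening" and "wrong content" cases apart from a timeout.
import http.server
import socket
import threading
import urllib.error
import urllib.request

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


class ChallengeHandler(http.server.BaseHTTPRequestHandler):
    tokens = {}  # token -> key authorization, filled in by start_responder()

    def do_GET(self):
        if self.path.startswith(CHALLENGE_PREFIX):
            body = self.tokens.get(self.path[len(CHALLENGE_PREFIX):])
            if body is not None:
                data = body.encode()
                self.send_response(200)
                self.send_header("Content-Type", "application/octet-stream")
                self.send_header("Content-Length", str(len(data)))
                self.end_headers()
                self.wfile.write(data)
                return
        self.send_response(404)  # unknown token: the CA reports "unauthorized"
        self.end_headers()

    def log_message(self, fmt, *args):  # keep the responder quiet
        pass


def start_responder(tokens, host="127.0.0.1", port=0):
    """Serve the given token -> key-authorization map; port 0 picks a free port."""
    ChallengeHandler.tokens = tokens
    server = http.server.HTTPServer((host, port), ChallengeHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def probe(host, port, token, expected, timeout=2.0):
    """Fetch the challenge URL as the CA does and classify the outcome."""
    url = "http://%s:%d%s%s" % (host, port, CHALLENGE_PREFIX, token)
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode().strip()
    except urllib.error.HTTPError as err:  # server answered, but not with our token
        return "unauthorized: HTTP %d for %s" % (err.code, url)
    except urllib.error.URLError as err:  # no HTTP response at all
        if isinstance(err.reason, socket.timeout):
            return "connection: Timeout during connect (likely firewall problem)"
        if isinstance(err.reason, ConnectionRefusedError):
            return "connection: Connection refused (nothing listening on port %d)" % port
        return "connection: %s" % err.reason
    except socket.timeout:  # connected, then the response stalled
        return "connection: Timeout during connect (likely firewall problem)"
    if body != expected:
        return "unauthorized: key authorization mismatch"
    return "valid"


def demo():
    """Exercise the good, wrong-token and closed-port cases on loopback."""
    token = "constructed-token-1"
    keyauth = token + ".constructed-account-thumbprint"  # real format: token.JWK-thumbprint
    server = start_responder({token: keyauth})
    host, port = server.server_address
    results = {
        "good": probe(host, port, token, keyauth),
        "wrong_token": probe(host, port, "not-issued", keyauth),
    }
    # A port nobody listens on: bind to a free port, release it, then probe it.
    s = socket.socket()
    s.bind((host, 0))
    closed_port = s.getsockname()[1]
    s.close()
    results["closed_port"] = probe(host, closed_port, token, keyauth)
    server.shutdown()
    server.server_close()
    return results


if __name__ == "__main__":
    for label, verdict in demo().items():
        print("%-12s %s" % (label, verdict))
```

To test the real path, run probe() from a machine outside your network against your public name on port 80 while the add-on is up; a "Timeout during connect" verdict there, with the responder known to be listening, points at the router or the ISP rather than at Home Assistant.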

Looks like you’re using DuckDNS. In that case, I think you should uninstall the core_letsencrypt addon entirely and not use my automation—at least that’s what the docs say.

The DuckDNS add-on has its own ways of handling LE certificates. I am not sure if it renews automatically or not, as I was only looking into core_letsencrypt.

No, not using DuckDNS; my router handles that side of it. Just using the Letsencrypt add-on.

My ISP was blocking port 80 incoming (just changed ISP) Unblocked now but too many failures so I need to wait for an hour.

So it just renewed when I triggered the Automation. Weird - I still had 40 days left… have they changed that from 30 days?

Does Letsencrypt need to use port 80? I have a problem: when I set NAT on port 80 to Home Assistant, my Google Assistant stops working.

It will only work on port 80. You need to forward port 80 to port 80. Why is this going to break Google Assistant? You would need to use https:// for Google and normally that will be on port 443 or some other port forwarded to 443…

Well, I do not understand that. Port 443 is not redirected, but I just tested it: as soon as I redirect port 80 to HA, Google Assistant stops working; when I remove the port 80 forwarding again, Google Assistant works again.

Google Assistant needs a Https end point so how are you doing that without forwarding 443 or forwarding some other port to 443? Why are you forwarding port 80 to Home Assistant?

Feel free to provide more information about your setup but suffice to say letsencrypt will only work with port 80 unless you can setup dns validation.

Port 80 is redirected to the Letsencrypt add-on (i.e. the Home Assistant IP address), or is it not necessary? Sorry for my English.

No port 80 gets forwarded to port 80. With IPv4 you don’t forward a port to a specific IP address, you forward an external port to an internal port - effectively allowing a device listening on a port to be contacted from the Internet.

In a typical HA installation using LetsEncrypt you would forward port 80 to port 80 otherwise LetsEncrypt cannot renew or obtain an ssl certificate and you would also forward port 443 to port 8123 so that Home Assistant can be accessed over the internet via ssl. (That address, https://yourdomain.duckdns.org is also what you would give Google Assistant to connect to HA) If you don’t have your system setup like this then you might need to change the URL in Google Developer Console (three places it needs to be changed) and delink your app. (Assuming you’re not using Home Assistant cloud)
