Letsencrypt support for TSIG HMAC-MD5

The latest release of the letsencrypt add-on package does not include certbot_dns_rfc2136 nor does it seem to support hmac-md5.

The error log includes…
“rfc2136: unsupported TSIG algorithm: hmac-md5.”
which seems to come from lego_bridge.cpython-313-x86_64-linux-gnu.so

My DNS only supports hmac-md5. Does anyone have a fix for this?

Thx!

These are my thoughts on the issue in the event someone else encounters this problem.

() The Lego ACME client does not support hmac-md5 for DNS challenges. However, this is not a problem for Letsencrypt.

() certbot-dns-rfc2136 is a separate letsencrypt plugin that is no longer included in the home assistant addon. You can still install it into the overlay.

() I see two reasonable options to maintain these types of certificates
option 1: manage the certificates on another machine that has a more standard distribution of letsencrypt and copy the active certificates to haos.
option 2: manual renewal from within a docker image on haos with letsencrypt directly. Something like…
docker run --entrypoint /bin/bash -v /mnt/data/supervisor/addons/data/core_letsencrypt/letsencrypt:/data/letsencrypt -v /mnt/data/supervisor/addons/data/core_letsencrypt/dnsapikey:/data/dnsapikey -it homeassistant/amd64-addon-letsencrypt:6.2.0
ln -s /data/letsencrypt /etc/letsencrypt
certbot certificates
certbot renew
exit
(you may want to prune afterwards or add --rm)

I ran option 2 to renew my certificate, but plan to move to option 1.

HTH,
jsg
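
Option 1 above, sketched as a certbot deploy hook for the machine that does the renewals (an added example, not from the original posts or the add-on): it refuses to copy anything unless the renewed certificate and private key belong together. `RENEWED_LINEAGE` is the variable certbot sets for deploy hooks; `HAOS_DEST`, the function names and the `/ssl/` destination are assumptions.

```shell
#!/bin/sh
# Added example: certbot deploy hook for the machine that handles renewals.
# certbot exports RENEWED_LINEAGE (the live/<name> directory) to deploy hooks.
# HAOS_DEST is an assumed scp target, e.g. root@haos.example:/ssl/ (constructed).

# pair_matches CERT KEY: succeed only if KEY is the private key for CERT.
pair_matches() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# stage_lineage SRC DST: copy a checked cert/key pair from SRC into DST.
# The private key is created mode 0600; nothing is staged if a check fails.
stage_lineage() {
    src=$1; dst=$2
    for f in fullchain.pem privkey.pem; do
        [ -s "$src/$f" ] || { echo "missing or empty: $src/$f" >&2; return 1; }
    done
    pair_matches "$src/fullchain.pem" "$src/privkey.pem" ||
        { echo "certificate and key do not match in $src" >&2; return 1; }
    mkdir -p "$dst" || return 1
    (
        umask 077
        # -L: live/ holds symlinks into archive/; copy the files they point to
        cp -L "$src/fullchain.pem" "$src/privkey.pem" "$dst/"
    ) || return 1
    chmod 644 "$dst/fullchain.pem"
}

# Only runs when certbot invokes this file as a deploy hook.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    stage=$(mktemp -d) || exit 1
    trap 'rm -rf "$stage"' EXIT
    stage_lineage "$RENEWED_LINEAGE" "$stage" || exit 1
    # -p keeps the 0600 mode on the key at the destination
    scp -p "$stage/fullchain.pem" "$stage/privkey.pem" \
        "${HAOS_DEST:?set HAOS_DEST to the scp target}"
fi
```

It would be passed to certbot with `--deploy-hook`, or placed in `renewal-hooks/deploy/` under the certbot configuration directory.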