Migration to 2021.7 breaks Lets Encrypt

rajkedda · July 10, 2021, 12:10pm

I currently have 2021.6.6 installed and works fine with DuckDNS and LetsEncrypt. If I upgrade to .7 and nothing else is changed, LetsEncrypt AddOn does not start. Looked at the release notes to see if there are any breaking changes, did not see/notice. If anyone has encountered it and has a suggestion to remedy greatly appreciated.

tom_l · July 10, 2021, 12:34pm

LetsEncrypt still working here. There were no changes to it.

Do you use a reverse proxy like NGINX?

rajkedda · July 10, 2021, 1:37pm

Yes I do have that running, without that Google TTS does not work.

tom_l · July 10, 2021, 1:42pm

See the first breaking change in the list.

Screenshot 2021-07-10 at 23-44-04 2021 7 A new entity, trigger IDs and script debugging

rajkedda · July 10, 2021, 3:39pm

Got it. Thankyou, missed the proxy use.

rajkedda · July 11, 2021, 2:58am

I followed the above instructions and added the two lines under http. It is still not working. Any suggestions?

  use_x_forwarded_for: True
  trusted_proxies:'
    - 127.0.0.1'
    - ::1'
    - 192.168.1.0/24'

tom_l · July 11, 2021, 3:01am

What is the error message in your logs?

DavidFW1960 · July 11, 2021, 3:05am

What are those doing at the end of the lines?
Also use true not True

rajkedda · July 11, 2021, 3:09am

that was an typo on my part when I was typing in the post here.
Lets Encrypt service log:
[s6-init] making user provided files available at /var/run/s6/etc…exited 0.
[s6-init] ensuring user provided files have correct perms…exited 0.
[fix-attrs.d] applying ownership & permissions fixes…
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts…
[cont-init.d] file-structure.sh: executing…
[cont-init.d] file-structure.sh: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
[23:07:26] INFO: Selected http verification
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Cert not yet due for renewal
Keeping the existing certificate

Certificate not yet due for renewal; no action taken.

[cont-finish.d] executing container finish scripts…
[cont-finish.d] done.
[s6-finish] waiting for services.
[s6-finish] sending all processes the TERM signal.

rajkedda · July 11, 2021, 3:11am

My nginx ssl proxy config:

domain: RPI4.duckdns.org
certfile: fullchain.pem
keyfile: privkey.pem
hsts: max-age=31536000; includeSubDomains
cloudflare: false
customize:
  active: false
  default: nginx_proxy_default*.conf
  servers: nginx_proxy/*.conf

tom_l · July 11, 2021, 3:25am

Your home assistant logs. It should show what proxy IP address to add.

rajkedda · July 11, 2021, 3:36am

Got it working. Thank you. It was one line I missed adding to my http config. Once I added this line and rebooted, it works fine now

    - 172.30.33.0/24

Shermo · July 17, 2021, 6:06am

I had a similar problem after upgrading, as I’m using Cloudflare to redirect my hostname to an IPV6 address nothing was getting through.

I added use_x_forwarded_for and for trusted_proxies also had to add one of the IPV6 ranges from their list here https://www.cloudflare.com/en-gb/ips/ although its possible I might need to add more if I have more issues