I have tried for several days to get my hass.io install to renew the Let’s Encrypt certificate without succeeding. Now I can’t log back into HA because the cert has expired. I can access my RPi through ssh, but I don’t know how to renew the cert from the command line in Docker.
Then just tell the browser to accept the risk when it prompts you about an SSL cert it can’t validate.
Once logged in, I consistently get this error message, but can’t find any details online on how to fix it:
starting version 3.2.2
Saving debug log to /var/log/letsencrypt/letsencrypt.log
-------------------------------------------------------------------------------
Processing /data/letsencrypt/renewal/{MY_DOMAIN_NAME}.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for {MY_DOMAIN_NAME}
Waiting for verification...
Cleaning up challenges
Attempting to renew cert from /data/letsencrypt/renewal/{MY_DOMAIN_NAME}.conf produced an unexpected error: Failed authorization procedure. {MY_DOMAIN_NAME} (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested f7a306cb9373d337e4d2b93cac73f163.e62507ce1dccc24ef67e283178f89110.acme.invalid from {MY_IP_ADDRESS}:443. Received 2 certificate(s), first certificate had names "{MY_DOMAIN_NAME}". Skipping.
1 renew failure(s), 0 parse failure(s)
All renewal attempts failed. The following certs could not be renewed:
/data/letsencrypt/live/{MY_DOMAIN_NAME}/fullchain.pem (failure)
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: {MY_DOMAIN_NAME}
Type: unauthorized
Detail: Incorrect validation certificate for tls-sni-01 challenge.
Requested
f7a306cb9373d337e4d2b93cac73f163.e62507ce1dccc24ef67e283178f89110.acme.invalid
from {MY_IP_ADDRESS}:443. Received 2 certificate(s), first certificate
had names "{MY_DOMAIN_NAME}"
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address.
Just remove the http: portion in your config file to access it for the time being.
To update your cert, you need a port forward: raspberry_pi_ip:443 forwarded to 443 using TCP. Also, you should forward 80 to 80 as well; not sure if that’s needed, but it may help. Then just restart hass. If that doesn’t work, you can install the Let’s Encrypt add-on and set it up using the same port forwards.
Once the cert is removed, remove the port forwards. At that point you’ll have to forward raspberry_pi_ip:8123 to 443 using TCP.
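As an added example (not from the thread and not certbot's own code), this sketch parses the error detail in the log above and reports which service answered the tls-sni-01 validation request, which is what the port-forward advice addresses. The function name `triage`, the domain `ha.example.org` and the address 203.0.113.10 are constructed for illustration.

```python
import re

# Shape of the "Detail:" text in the log above (also matches when certbot wraps it).
DETAIL_RE = re.compile(
    r"Incorrect validation certificate for (?P<challenge>[\w-]+) challenge\.\s+"
    r"Requested\s+(?P<requested>\S+)\s+from\s+(?P<host>\S+):(?P<port>\d+)\.\s+"
    r"Received\s+(?P<count>\d+)\s+certificate\(s\),\s+first\s+certificate\s+"
    r'had\s+names\s+"(?P<names>[^"]*)"'
)

def triage(log_text, domain):
    """Return a dict describing who answered the validation request, or None."""
    m = DETAIL_RE.search(log_text)
    if m is None:
        return None
    # Assumption: multiple names inside the quotes are comma-separated.
    names = [n.strip() for n in m.group("names").split(",") if n.strip()]
    port = int(m.group("port"))
    if m.group("requested") in names:
        verdict = "validation_cert_served"
        hint = "The expected certificate was presented; look elsewhere in the log."
    elif domain in names:
        verdict = "regular_https_service_answered"
        hint = ("Port %d reached the service already using the domain's certificate, "
                "not the ACME client's temporary listener; check where the router "
                "forwards external port %d." % (port, port))
    else:
        verdict = "unrelated_host_answered"
        hint = "Check that the DNS A record and the port forward point at this host."
    return {"challenge": m.group("challenge"), "port": port,
            "served_names": names, "verdict": verdict, "hint": hint}

# Constructed sample: the page's error text with placeholder values filled in.
SAMPLE = (
    "Detail: Incorrect validation certificate for tls-sni-01 challenge.\n"
    "Requested\n"
    "f7a306cb9373d337e4d2b93cac73f163.e62507ce1dccc24ef67e283178f89110.acme.invalid\n"
    "from 203.0.113.10:443. Received 2 certificate(s), first certificate\n"
    'had names "ha.example.org"\n'
)

if __name__ == "__main__":
    result = triage(SAMPLE, "ha.example.org")
    print(result["verdict"])
    print(result["hint"])
```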
I had the same issue. The SSL cert had expired and a previous update had locked out the ssh connection.
The solution was simple.
I added a port forwarding rule in my router, forwarding port 443 to the hassio, which allowed the cert to renew.
Once up and running, I made sure to go into the ssh (/hassio/addon/core_ssh/config) to add port 22 as a host.
Panic over, as my Hassio controls the heating in my house!!