Suddenly can't access GUI, related to SSL error?

PuckStar · August 6, 2017, 10:14am

My certificate was up for renewal around this weekend so I renewed it last weekend which seemed to have worked fine:
End of the letsencrypt log:

2017-07-30 10:55:29,813:DEBUG:certbot.storage:Writing new private key to /etc/letsencrypt/archive/xxx.duckdns.org/privkey3.pem.
2017-07-30 10:55:29,814:DEBUG:certbot.storage:Writing certificate to /etc/letsencrypt/archive/xxx.duckdns.org/cert3.pem.
2017-07-30 10:55:29,815:DEBUG:certbot.storage:Writing chain to /etc/letsencrypt/archive/xxx.duckdns.org/chain3.pem.
2017-07-30 10:55:29,815:DEBUG:certbot.storage:Writing full chain to /etc/letsencrypt/archive/xxx.duckdns.org/fullchain3.pem.
2017-07-30 10:55:38,747:DEBUG:certbot.storage:Writing new config /etc/letsencrypt/renewal/xxx.duckdns.org.conf.new.
2017-07-30 10:55:38,757:DEBUG:certbot.renewal:no renewal failures

But since yesterday I suddenly can’t access the HASS url anymore!
Error that I keep seeing in the log and is probably related:

2017-08-06 12:06:40 ERROR (MainThread) [homeassistant.core] Error doing job: Fatal read error on SSL transport
Traceback (most recent call last):
  File "/usr/lib/python3.4/asyncio/selector_events.py", line 825, in _read_ready
    data = self._sock.recv(self.max_size)
  File "/usr/lib/python3.4/ssl.py", line 730, in recv
    return self.read(buflen)
  File "/usr/lib/python3.4/ssl.py", line 619, in read
    v = self._sslobj.read(len or 1024)
ssl.SSLError: [SSL: SSLV3_ALERT_BAD_CERTIFICATE] sslv3 alert bad certificate (_ssl.c:1769)

But how can I solve this?

When I just try to renew the certificate again I get the message it’s not up for renewal:

 ./certbot-auto renew --no-self-upgrade --standalone \
>                      --preferred-challenges http-01
Requesting root privileges to run certbot...
  /home/pi/.local/share/letsencrypt/bin/letsencrypt renew --no-self-upgrade --standalone --preferred-challenges http-01
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/xxx.duckdns.org.conf
-------------------------------------------------------------------------------
Cert not yet due for renewal

The following certs are not due for renewal yet:
  /etc/letsencrypt/live/xxx.duckdns.org/fullchain.pem (skipped)
No renewals were attempted.

Any help is appreciated as currently I can’t access HASS at all and triggers/actions based on the URL (like tasker) are not working!

treno · August 6, 2017, 11:25am

Make sure the cert file your config is pointing to is the one that got updated. You should be able to tell by the time stamp on the cert file.

PuckStar · August 6, 2017, 12:11pm

It does.
When I open the certificates with a certificate manager it also says expiry: zaterdag 28 oktober 2017 11:55:00.

PuckStar · August 6, 2017, 3:55pm

I have no idea why because I didn’t change anything, but now the errors are suddenly gone and everything is working again.
Very very strange.