Using Let's Encrypt with router's DyDNS (ERR_CONNECTION_TIMED_OUT)

I have given up using DuckDNS as I could not get it working, so I uninstalled it and am installing the Let's Encrypt add-on and using my router's (TP-Link) built-in DyDNS service.

I have the router's DyDNS set up and the Let's Encrypt add-on set up (the log file shows no errors).

s6-rc: info: service s6rc-oneshot-runner: starting
s6-rc: info: service s6rc-oneshot-runner successfully started
s6-rc: info: service fix-attrs: starting
s6-rc: info: service fix-attrs successfully started
s6-rc: info: service legacy-cont-init: starting
cont-init: info: running /etc/cont-init.d/file-structure.sh
cont-init: info: /etc/cont-init.d/file-structure.sh exited 0
s6-rc: info: service legacy-cont-init successfully started
s6-rc: info: service legacy-services: starting
services-up: info: copying legacy longrun lets-encrypt (no readiness notification)
s6-rc: info: service legacy-services successfully started
[19:25:03] INFO: Selected http verification
[19:25:03] INFO: Detecting existing certificate type for zerodog.tplinkdns.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
[19:25:06] INFO: No certificate found - using 'ecdsa' key type.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Account registered.
Requesting a certificate for XXXX.tplinkdns.com
Successfully received certificate.
Certificate is saved at: /data/letsencrypt/live/XXXX.tplinkdns.com/fullchain.pem
Key is saved at:         /data/letsencrypt/live/XXXX.tplinkdns.com/privkey.pem
This certificate expires on 2025-02-16.
These files will be updated when the certificate renews.
NEXT STEPS:
- The certificate will need to be renewed before it expires. Certbot can automatically renew the certificate in the background, but you may need to take steps to enable that functionality. See https://certbot.org/renewal-setup for instructions.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
s6-rc: info: service legacy-services: stopping
s6-rc: info: service legacy-services successfully stopped
s6-rc: info: service legacy-cont-init: stopping
s6-rc: info: service legacy-cont-init successfully stopped
s6-rc: info: service fix-attrs: stopping
s6-rc: info: service fix-attrs successfully stopped
s6-rc: info: service s6rc-oneshot-runner: stopping
s6-rc: info: service s6rc-oneshot-runner successfully stopped

I have also changed the domain in ‘NGINX Home Assistant SSL proxy’ and the log file looks good. I then restarted HA.

But the domain is timing out (ERR_CONNECTION_TIMED_OUT).

Hi @funkytwig,

It seems that Port 80 is Closed and Port 443 is Open.

$ curl -k -Ii http://zerodog.tplinkdns.com/.well-known/acme-challenge/sometestfile
curl: (7) Failed to connect to zerodog.tplinkdns.com port 80 after 242 ms: Connection refused
$ curl -k -Ii http://zerodog.tplinkdns.com:443/.well-known/acme-challenge/sometestfile
HTTP/1.1 400 Bad Request
Server: nginx
Date: Sat, 23 Nov 2024 18:44:54 GMT
Content-Type: text/html
Content-Length: 248
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains
$ curl -k -Ii https://zerodog.tplinkdns.com:443/.well-known/acme-challenge/sometestfile
HTTP/2 502
server: nginx
date: Sat, 23 Nov 2024 18:46:40 GMT
content-type: text/html
content-length: 150
strict-transport-security: max-age=31536000; includeSubDomains
$ nmap -Pn -p80,443 zerodog.tplinkdns.com
Starting Nmap 7.80 ( https://nmap.org ) at 2024-11-23 18:45 UTC
Nmap scan report for zerodog.tplinkdns.com (31.52.241.28)
Host is up (0.15s latency).
rDNS record for 31.52.241.28: host31-52-241-28.range31-52.btcentralplus.com

PORT    STATE  SERVICE
80/tcp  closed http
443/tcp open   https

Nmap done: 1 IP address (1 host up) scanned in 0.88 seconds

And to assist with debugging, a great place to start is Let’s Debug.

Very odd, port 80 should be open.

And I thought it only needed 80 to renew, and above it seemed to get the cert.

Also, it was working and I got it working briefly, and the subdomain worked fine for a while. I had a mobile app working for a bit on the new migration; I had migrated it to a new Pi and was using DuckDNS, but this did not work on the new Pi so I tried tplinkdns.

Will have a look at the debug link, thanks for your help.

True; for the HTTP-01 challenge, assuming that there is not a redirect to HTTPS (Port 443).

Does your ISP possibly block Port 80?
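A small Python pre-flight check for the HTTP-01 reachability questions raised in this thread: the curl/nmap probes above, and whether port 80 answers at all or redirects to HTTPS. This is an added example, not code from the forum posts, the Let's Encrypt add-on or Certbot; `classify_http01`, the `_DemoOrigin` stand-in server and its constructed responses are assumptions made for illustration, so the whole thing runs offline against 127.0.0.1.

```python
import socket, threading, http.client
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse

ACME_PATH = "/.well-known/acme-challenge/"

def classify_http01(host, port=80, path=ACME_PATH + "probe", timeout=5.0):
    """Probe the HTTP-01 URL like the curl/nmap checks in the thread. state is 'dns-failure',
    'refused' (nmap 'closed'), 'timeout' (ERR_CONNECTION_TIMED_OUT) or 'http' (+ status)."""
    try:  # bare TCP connect first, so a refused port is told apart from a filtered one
        socket.create_connection((host, port), timeout=timeout).close()
    except socket.gaierror:
        return {"state": "dns-failure"}  # the DDNS name does not resolve
    except ConnectionRefusedError:
        return {"state": "refused"}      # nothing listening / no port forward on the router
    except (socket.timeout, TimeoutError):
        return {"state": "timeout"}      # packets dropped, e.g. router firewall or ISP block
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    conn.request("GET", path)
    resp = conn.getresponse()
    conn.close()  # headers are already parsed; we only need status and Location
    result = {"state": "http", "status": resp.status}
    if 300 <= resp.status < 400:  # Let's Encrypt follows HTTP-01 redirects if the target answers
        loc = resp.getheader("Location", "")
        result.update(location=loc, redirect_to_https=urlparse(loc).scheme == "https")
    return result

class _DemoOrigin(BaseHTTPRequestHandler):
    """Constructed stand-in for a home web server: 200 on the ACME path, 301 to HTTPS elsewhere."""
    def do_GET(self):
        if self.path.startswith(ACME_PATH):
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"constructed-key-authorization")
        else:
            self.send_response(301)
            self.send_header("Location", "https://%s%s" % (self.headers["Host"], self.path))
            self.end_headers()
    def log_message(self, *args):
        pass  # keep the demo quiet

def start_demo_origin():  # serve _DemoOrigin on 127.0.0.1 at a free port; returns the port
    srv = HTTPServer(("127.0.0.1", 0), _DemoOrigin)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_address[1]

def free_closed_port():  # a port with nothing listening, to reproduce 'refused' locally
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]
```

Point `classify_http01` at your own DDNS name on port 80 from outside your LAN; only the `http` state with a 200 (or a redirect whose HTTPS target answers) means the HTTP-01 path is reachable.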