Cert not getting installed on homeassistant running on raspberry pi 3

I am trying to install security certificates, running Home Assistant on a Raspberry Pi 3 with Python 3.7.3. There is no public IP; I am using DuckDNS. I also created port forwards on the router for port 80 and for port 443. I run the command shown below and still get the error. Any pointers will be appreciated, thanks.

My domain is: bkraspberry.duckdns.org

I ran this command: ./certbot-auto certonly --standalone --preferred-challenges http-01 --email abc@hotmail.com -d bkraspberry.duckdns.org

It produced this output:
Requesting to rerun ./certbot-auto with root privileges…
Bootstrapping dependencies for Debian-based OSes… (you can skip this with --no-bootstrap)
Hit:1 http://archive.raspberrypi.org/debian buster InRelease
Hit:2 http://raspbian.raspberrypi.org/raspbian buster InRelease
Reading package lists… Done
Reading package lists… Done
Building dependency tree
Reading state information… Done
augeas-lenses is already the newest version (1.11.0-3).
ca-certificates is already the newest version (20190110).
gcc is already the newest version (4:8.3.0-1+rpi2).
libaugeas0 is already the newest version (1.11.0-3).
libffi-dev is already the newest version (3.2.1-9).
libssl-dev is already the newest version (1.1.1d-0+deb10u2).
openssl is already the newest version (1.1.1d-0+deb10u2).
python is already the newest version (2.7.16-1).
python-dev is already the newest version (2.7.16-1).
python-virtualenv is already the newest version (15.1.0+ds-2).
virtualenv is already the newest version (15.1.0+ds-2).
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Creating virtual environment…
Installing Python packages…
Had a problem while installing Python packages.

pip prints the following errors:

Collecting ConfigArgParse==0.14.0 (from -r /tmp/tmp.q6vEM95TxY/letsencrypt-auto-requirements.txt (line 12))
Downloading
https://files.pythonhosted.org/packages/69/cb/f5be453359271714c01b9bd06126eaf2e368f1fddfff30818754b5ac2328/funcsigs-1.0.2-py2.py3-none-any.whl
Collecting future==0.18.2 (from -r /tmp/tmp.q6vEM95TxY/letsencrypt-auto-requirements.txt (line 89))
Downloading https://files.pythonhosted.org/packages/63/e3/05b02057b56cd9c59d848b67aff1cc701e1d2237055ebd0d0c1f44331186/zope.deferredimport-4.3.1-py2.py3-none-any.whl
Collecting zope.deprecation==4.4.0 (from -r /tmp/tmp.q6vEM95TxY/letsencrypt-auto-requirements.txt (line 142))
Downloading https://files.pythonhosted.org/packages/c5/96/361edb421a077a4c208b4a5c212737d78ae03ce67fbbcd01621c49f332d1/zope.event-4.4-py2.py3-none-any.whl
Collecting zope.hookable==4.2.0 (from -r /tmp/tmp.q6vEM95TxY/letsencrypt-auto-requirements.txt (line 148))
Downloading https://files.pythonhosted.org/packages/41/b5/378175b959565de41f45c775cdfbf8897aaeaf29a258b94e40bd2661ce46/zope.hookable-4.2.0.tar.gz
Collecting zope.interface==4.6.0 (from -r /tmp/tmp.q6vEM95TxY/letsencrypt-auto-requirements.txt (line 159))
Downloading https://files.pythonhosted.org/packages/4e/d0/c9d16bd5b38de44a20c6dc5d5ed80a49626fafcb3db9f9efdc2a19026db6/zope.interface-4.6.0.tar.gz (150kB)
Collecting zope.proxy==4.3.3 (from -r /tmp/tmp.q6vEM95TxY/letsencrypt-auto-requirements.txt (line 189))
Downloading https://files.pythonhosted.org/packages/e2/44/bea546c55488c044351e51ebf23bf440b19876e0069a418cadc1bd5736f7/zope.proxy-4.3.3.tar.gz (44kB)
Collecting letsencrypt==0.7.0 (from -r /tmp/tmp.q6vEM95TxY/letsencrypt-auto-requirements.txt (line 237))
Downloading https://files.pythonhosted.org/packages/fd/21/0c6f33829fadec8aca0c1ebb4d6f8101c05899356a58d1b2e506cb77cf18/letsencrypt-0.7.0-py2-none-any.whl
Collecting certbot==1.0.0 (from -r /tmp/tmp.q6vEM95TxY/letsencrypt-auto-requirements.txt (line 241))
Downloading https://files.pythonhosted.org/packages/b7/1a/121fe6726b36a8517325f8cc66c834de4b4e1bd9dc28e896df8a7ab4f8d1/certbot-1.0.0-py2.py3-none-any.whl (227kB)
Collecting acme==1.0.0 (from -r /tmp/tmp.q6vEM95TxY/letsencrypt-auto-requirements.txt (line 244))
Downloading https://files.pythonhosted.org/packages/67/5f/31ef89f92e610213b4e8e5bf19348f5c20e79f67497709b2d862f18e1274/acme-1.0.0-py2.py3-none-any.whl
Collecting certbot-apache==1.0.0 (from -r /tmp/tmp.q6vEM95TxY/letsencrypt-auto-requirements.txt (line 247))
Downloading https://files.pythonhosted.org/packages/70/cb/cbae8fcccbf613fc65f817fccceefd5370d911e186d604c8657e2bab16df/certbot_apache-1.0.0-py2.py3-none-any.whl (68kB)
Collecting certbot-nginx==1.0.0 (from -r /tmp/tmp.q6vEM95TxY/letsencrypt-auto-requirements.txt (line 250))
Downloading https://files.pythonhosted.org/packages/f8/b2/5e79c2b8b4dbaa1dc060388cd47e710013e43578394cce5b727152752f54/certbot_nginx-1.0.0-py2.py3-none-any.whl (45kB)
Requirement already satisfied: setuptools>=1.0 in /opt/eff.org/certbot/venv/lib/python2.7/site-packages (from josepy==1.2.0->-r /tmp/tmp.q6vEM95TxY/letsencrypt-auto-requirements.txt (line 97))
THESE PACKAGES DO NOT MATCH THE HASHES FROM THE REQUIREMENTS FILE. If you have updated the package versions, please update the hashes. Otherwise, examine the package contents carefully; someone may have tampered with them.
pycparser==2.19 from https://www.piwheels.org/simple/pycparser/pycparser-2.19-py2.py3-none-any.whl#sha256=bc15573b7c6edd24407526dbbc7a0bd33d80d8af44231c37f58d73f56ff9cab6 (from -r /tmp/tmp.q6vEM95TxY/letsencrypt-auto-requirements.txt (line 115)):
Expected sha256 a988718abfad80b6b157acce7bf130a30876d27603738ac39f140993246b25b3
Got bc15573b7c6edd24407526dbbc7a0bd33d80d8af44231c37f58d73f56ff9cab6

zope.component==4.6 from https://www.piwheels.org/simple/zope-component/zope.component-4.6-py2.py3-none-any.whl#sha256=74f55521dec189c08d98341edce929eba6bb2404662d1878f1b289af46f6f6a5 (from -r /tmp/tmp.q6vEM95TxY/letsencrypt-auto-requirements.txt (line 137)):
    Expected sha256 ec2afc5bbe611dcace98bb39822c122d44743d635dafc7315b9aef25097db9e6
         Got        74f55521dec189c08d98341edce929eba6bb2404662d1878f1b289af46f6f6a5

=====================================================

Certbot has problem setting up the virtual environment.

We were not be able to guess the right solution from your pip
output.

Consult https://certbot.eff.org/docs/install.html#problems-with-python-virtual-environment
for possible solutions.

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is: duckdns.org

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

http://bkraspberry.duckdns.org:8123/

1 Like

Hi @bhavneshk

Please see this other thread: ./letsencrypt-auto failed due to hash problems

There’s a problem with Raspbian/pip and certbot-auto.

1 Like
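Added example (not part of the thread or of certbot-auto): a small triage script over the hash-mismatch block pip printed in the first post. It reports which index host served each rejected file and whether the download matched the hash that index itself advertised; `PINNED_HOST` and the verdict names are assumptions of this example.

```python
import re
from urllib.parse import urlparse

# Assumption: certbot-auto's pins were generated from PyPI's own file host,
# the host the successful downloads in the log above came from.
PINNED_HOST = "files.pythonhosted.org"

# The two mismatch entries from the pip output in this thread.
SAMPLE_PIP_OUTPUT = """\
THESE PACKAGES DO NOT MATCH THE HASHES FROM THE REQUIREMENTS FILE.
pycparser==2.19 from https://www.piwheels.org/simple/pycparser/pycparser-2.19-py2.py3-none-any.whl#sha256=bc15573b7c6edd24407526dbbc7a0bd33d80d8af44231c37f58d73f56ff9cab6 (from -r /tmp/tmp.q6vEM95TxY/letsencrypt-auto-requirements.txt (line 115)):
Expected sha256 a988718abfad80b6b157acce7bf130a30876d27603738ac39f140993246b25b3
Got bc15573b7c6edd24407526dbbc7a0bd33d80d8af44231c37f58d73f56ff9cab6
zope.component==4.6 from https://www.piwheels.org/simple/zope-component/zope.component-4.6-py2.py3-none-any.whl#sha256=74f55521dec189c08d98341edce929eba6bb2404662d1878f1b289af46f6f6a5 (from -r /tmp/tmp.q6vEM95TxY/letsencrypt-auto-requirements.txt (line 137)):
    Expected sha256 ec2afc5bbe611dcace98bb39822c122d44743d635dafc7315b9aef25097db9e6
         Got        74f55521dec189c08d98341edce929eba6bb2404662d1878f1b289af46f6f6a5
"""

ENTRY = re.compile(r"(?P<req>[\w.\-]+==[\w.\-]+) from (?P<url>\S+) \(from ")
EXPECTED = re.compile(r"Expected sha256 ([0-9a-f]+)")
GOT = re.compile(r"Got\s+([0-9a-f]+)")


def parse_hash_mismatches(text):
    """Return one record per requirement that failed pip's hash check."""
    records = []
    for line in (raw.strip() for raw in text.splitlines()):
        if (m := ENTRY.match(line)):
            url = urlparse(m["url"])
            records.append({"requirement": m["req"], "host": url.hostname,
                            # sha256 the index itself advertised in the link fragment
                            "advertised": url.fragment.partition("sha256=")[2],
                            "expected": [], "got": None})
        elif records and (m := EXPECTED.match(line)):
            records[-1]["expected"].append(m[1])
        elif records and (m := GOT.match(line)):
            records[-1]["got"] = m[1]
    return records


def classify(record):
    """Name the most likely cause of one mismatch, for triage only."""
    if record["got"] in record["expected"]:
        return "ok"
    if record["host"] != PINNED_HOST and record["got"] == record["advertised"]:
        # Arrived exactly as that index published it: a different build from a
        # different index, not damage in transit. The pin still rightly rejects it.
        return "different-index-build"
    if record["host"] != PINNED_HOST:
        return "different-index-and-altered"
    return "pinned-index-mismatch"


def triage(text):
    return {r["requirement"]: (r["host"], classify(r)) for r in parse_hash_mismatches(text)}
```

Both rejected wheels were served by www.piwheels.org rather than the host the other downloads used, and each matches the hash piwheels advertised, so the requirements-file pins did their job by refusing a build they were not generated for.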

Thanks for the prompt response. I followed the step and removed the pip.conf file; it helped me move ahead but resulted in another error, as shown below. I have also created port forwards on the router for port 80 and for port 443 (one at a time), but no luck.

Requesting to rerun ./certbot-auto with root privileges…
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for bkraspberry.duckdns.org
Waiting for verification…
Challenge failed for domain bkraspberry.duckdns.org
http-01 challenge for bkraspberry.duckdns.org
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

2 Likes

If I try to connect to that site over HTTP, it times out. If I try to use HTTPS, I get a “connection refused” error.

It seems like port 80 is blocked by a firewall. (And port 443 is probably unfiltered, but there’s no HTTPS web server set up yet.)

Are you sure you don’t have a firewall blocking it?

Does your ISP block port 80?

2 Likes

Over HTTP it was timing out because the server was not running; I just brought the server up and it can be reached at http://bkraspberry.duckdns.org:8123/

My ISP does block port 80; I just reconfirmed this by checking on my ISP's website.

I was under the impression that I am trying to get this certificate so I can secure my connection from HTTP to HTTPS. Are there any pre-steps that I need to take to enable it for HTTPS configuration (I have SSH enabled on the Raspberry Pi configuration)? Please suggest. Thanks!

1 Like

Unfortunately that means you won't be able to use the HTTP-01 challenge to prove you own the domain in question. You'll have to look at using DNS-01 or TLS-ALPN-01.

Presently Certbot doesn't have support for TLS-ALPN-01 so to use that challenge type you would have to switch to a different ACME client.

I believe DuckDNS allows setting TXT records but I'm not sure if there is an easy plugin to use with Certbot or another ACME client.
