Domoticz Raspberry

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: bandol.freeboxos.fr

I ran this command: sudo ./certbot-auto renew

It produced this output: Waiting for verification…
Challenge failed for domain bandol.freeboxos.fr
http-01 challenge for bandol.freeboxos.fr
Cleaning up challenges
Attempting to renew cert (bandol.freeboxos.fr) from /etc/letsencrypt/renewal/bandol.freeboxos.fr.conf produced an unexpected error: Some challenges have failed… Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/bandol.freeboxos.fr/fullchain.pem (failure)

My web server is (include version): Domoticz 4.10717

The operating system my web server runs on is (include version): Raspbian GNU/Linux 9.9 (stretch)

My hosting provider, if applicable, is: FREE

I can login to a root shell on my machine (yes or no, or I don’t know): I don’t know

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.40

Please show output of:
./certbot-auto certificates
and file:
/var/log/letsencrypt/letsencrypt.log

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Found the following certs:
Certificate Name: bandol.freeboxos.fr
Domains: bandol.freeboxos.fr
Expiry Date: 2019-11-21 16:35:49+00:00 (VALID: 3 days)
Certificate Path: /etc/letsencrypt/live/bandol.freeboxos.fr/fullchain.pem
Private Key Path: /etc/letsencrypt/live/bandol.freeboxos.fr/privkey.pem


This is good (simple: one name only)
and this is bad: VALID: 3 days
We need to get this fixed soon.

OK, I see the problem:

wget bandol.freeboxos.fr
--2019-11-17 19:18:04--  http://bandol.freeboxos.fr/
Resolving bandol.freeboxos.fr (bandol.freeboxos.fr)... 2a01:e35:2f45:8980::1, 82.244.88.152
Connecting to bandol.freeboxos.fr (bandol.freeboxos.fr)|2a01:e35:2f45:8980::1|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://bandol.freeboxos.fr:1969/index.php [following]
--2019-11-17 19:18:05--  https://bandol.freeboxos.fr:1969/index.php
Connecting to bandol.freeboxos.fr (bandol.freeboxos.fr)|2a01:e35:2f45:8980::1|:1969... ^C

No, nothing more...............

LE will only follow redirects to ports 80 or 443 (not 1969)
[and never to/through a .php file]

Please show your vhost config file for port 80
[the one that redirects to 1969]

Also:
IPv4 reaches your port 1969
but IPv6 fails to reach your port 1969

  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/client.py", line 348, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/client.py", line 396, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 91, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 180, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
AuthorizationError: Some challenges have failed.

2019-11-17 20:25:35,872:ERROR:certbot.renewal:All renewal attempts failed. The following certs could not be renewed:
2019-11-17 20:25:35,872:ERROR:certbot.renewal: /etc/letsencrypt/live/bandol.freeboxos.fr/fullchain.pem (failure)
2019-11-17 20:25:35,875:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/opt/eff.org/certbot/venv/bin/letsencrypt", line 11, in
    sys.exit(main())
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py", line 1378, in main
    return config.func(config, plugins)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py", line 1287, in renew
    renewal.handle_renewal_request(config)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/renewal.py", line 474, in handle_renewal_request
    len(renew_failures), len(parse_failures)))
Error: 1 renew failure(s), 0 parse failure(s)

The solution to the problem will be us making changes to this file:

My router redirects port 80 to 8080 from my server’s IP address and port 443 to 443

Please show the vhost config that is served when anyone tries:
http://bandol.freeboxos.fr/

The 1969 port is the secure port of my Freebox.

The problem is NOT there.
The problem is in the file that redirects you there.

Please show the file that is reached by:
http://bandol.freeboxos.fr/

OOOOOOOOOOOOOOOOOOOOOOOOH!!!
Well that will be a BIG problem to overcome.

Wait.
I checked the site and it has a valid cert that expires in 30 days:


How was that installed?

Until now it worked. Nothing has changed in the meantime except the certbot version.

This is the certificate of my Freebox; the problem is with the certificate of my Domoticz server.

This certificate is automatically renewed by my Freebox.

The cert that expires in 3 days is NOT the cert being used/seen from the Internet.
The Internet site seems to be renewing correctly.
So… I don’t understand the problem.

Please clarify this problem.

Does that system already have an LE cert?
If so, how did it get it?
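
The redirect rule raised earlier in the thread (only ports 80 or 443), as an added example that is not part of any post: a Python check of a redirect chain against the limits Let's Encrypt documents for HTTP-01 (http/https only, ports 80 or 443, no IP-address targets, at most 10 redirects). It covers more than the single port case discussed in the thread; `redirect_problems` and the example.com chain are constructed for illustration, while the first chain is the one shown in the wget output.

```python
from ipaddress import ip_address
from urllib.parse import urlsplit

ALLOWED_PORTS = {80, 443}
MAX_REDIRECTS = 10
DEFAULT_PORT = {"http": 80, "https": 443}

# Chain taken from the wget output in the thread.
PAGE_CHAIN = ["http://bandol.freeboxos.fr/",
              "https://bandol.freeboxos.fr:1969/index.php"]
# Constructed chain: a plain http -> https redirect on the default port.
OK_CHAIN = ["http://example.com/.well-known/acme-challenge/TOKEN",
            "https://example.com/.well-known/acme-challenge/TOKEN"]


def _is_ip(host):
    """True if host is an IPv4/IPv6 literal rather than a DNS name."""
    try:
        ip_address(host or "")
        return True
    except ValueError:
        return False


def redirect_problems(chain):
    """Return the reasons an HTTP-01 validator would refuse this chain.

    chain[0] is the URL first requested; each later entry is the Location
    target returned by the previous response.
    """
    problems = []
    if len(chain) - 1 > MAX_REDIRECTS:
        problems.append(f"{len(chain) - 1} redirects (limit {MAX_REDIRECTS})")
    for target in chain[1:]:
        url = urlsplit(target)
        if url.scheme not in DEFAULT_PORT:
            problems.append(f"{target}: scheme {url.scheme!r} not allowed")
            continue
        port = url.port if url.port is not None else DEFAULT_PORT[url.scheme]
        if port not in ALLOWED_PORTS:
            problems.append(f"{target}: port {port} not allowed")
        if _is_ip(url.hostname):
            problems.append(f"{target}: redirect to an IP address")
    return problems


if __name__ == "__main__":
    for name, chain in (("page", PAGE_CHAIN), ("ok", OK_CHAIN)):
        print(name, redirect_problems(chain) or "acceptable")
```
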