HomeAssistant & Cert Renew Issues

I came here 3 months ago when I had issues renewing my cert. After hours of troubleshooting, I figured out what I needed to do to renew my cert. These commands worked:

cd letsencrypt

./letsencrypt-auto certonly --email myemail@email.com -d mydomain.org

sudo chmod -R 777 /etc/letsencrypt 

I also used this line in an attempt to get this working automatically (which must have failed):

./letsencrypt-auto renew --quiet --no-self-upgrade --standalone --preferred-challenges http-01

Now when I attempt to follow the first section, I receive this error and I have no clue how to get past it, and I can no longer access my domain.

Failed authorization procedure. mydomain.org (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested f9573507d3129eee3919809c9428c328.2ad119f2b373ff8e2e22fc823ba87be6.acme.invalid from MYIP. Received 2 certificate(s), first certificate had names "mydomain.org"

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: mydomain.org
   Type:   unauthorized
   Detail: Incorrect validation certificate for tls-sni-01 challenge.
   Requested
   f9573507d3129eee3919809c9428c328.2ad119f2b373ff8e2e22fc823ba87be6.acme.invalid
   from MYIP. Received 2 certificate(s), first certificate
   had names "mydomain.org"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain

I’m not even sure where to look. I’m not very versed in this. I followed a video to get this far back in January and cobbled my way to the second cert renewal.

Does anyone know how I can fix this issue? Also, is there a way to get auto-renew to actually work?

Hi @petro,

--standalone means that you don't have another web server running. It looks like that's not the case for your system. However, it also seems like your --preferred-challenges option was ignored because the challenge was tried with TLS-SNI-01 instead of HTTP-01!

In general, you should not specify options to renew because renew would otherwise remember what worked before and then do that. :slight_smile: By contrast, if you specify things like --standalone, as arguments with renew, you might be changing the renewal method compared to the original issuance method.

What would happen if you just ran ./letsencrypt-auto renew? (optionally with --no-self-upgrade if it's important to you that Certbot not upgrade itself)

I’ll try that tonight.

Currently my cert is out of date. Is there a simple way for me to manually update the cert for the time being?

You can use ZeroSSL to generate a certificate manually to download, but as long as you’re not running up against rate limits, I’d recommend keeping that cert separate from Certbot’s files so that the certificate lineage doesn’t get confused when you fix automated renewal.

I tried the ./letsencrypt-auto renew and I received roughly the same error:

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/MyDomain/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: MyDomain
   Type:   unauthorized
   Detail: Incorrect validation certificate for tls-sni-01 challenge.
   Requested
   7672bd3a474694f57ef70c9fb64160ba.319859c00a6d22fd6eb9c997468d07a8.acme.invalid
   from MyIP. Received 2 certificate(s), first certificate
   had names "MyDomain"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

Can you post the renewal configuration file from /etc/letsencrypt/renewal/MyDomain.conf?

# renew_before_expiry = 30 days
version = 0.14.1
archive_dir = /etc/letsencrypt/archive/MyDomain
cert = /etc/letsencrypt/live/MyDomain/cert.pem
privkey = /etc/letsencrypt/live/MyDomain/privkey.pem
chain = /etc/letsencrypt/live/MyDomain/chain.pem
fullchain = /etc/letsencrypt/live/MyDomain/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = standalone
installer = None
account = 1ace441c7c6c3098eeb396642986a382

Can I just remove the authenticator=standalone?

In order to renew, there needs to be some authenticator.

The problem right now with standalone is that it needs to receive a connection on port 443, but your regular web server is now using that port. That’s the reason for the “Incorrect validation certificate” error that you see.

Are you using port 80? It would be possible to move the standalone authenticator over to port 443.

See also

I’m forwarding port 443 to 8123, which is required by the system that I am using. I’ll try removing that port forwarding and see where that gets me.

If you let port 443 come through to port 443 on your system, the standalone renewal might work as-is, but you’d also have to make that change every time you want to renew.

So port forwarding was the issue. I forwarded port 443 to 443 and the single renewal worked. I tried running the auto renew and it failed. I’m sure my parameters are incorrect. Is there any way to get around this manual process of switching the port forwards? Is it possible to change the port for the renew process only, say to port 9000?

If you take a look at the documentation that I linked to, this method requires port 443 (you can’t choose a different port), while there’s another method that requires port 80 (you can’t choose another port). If you can update DNS records from software, there’s a third method available that would use that as the basis for proving your control over the domain name.
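An added example, not from the thread or from Certbot itself: a small POSIX shell script that reads a renewal conf like the one posted above and reports which inbound port the standalone authenticator will need (443 for tls-sni-01, 80 for http-01, none for dns-01), so it can be checked against the router's port forwards before running renew. It assumes Certbot stores --preferred-challenges under the key pref_challs and, when no preference is set, that this Certbot version tries tls-sni-01 first, which is what the thread's error output shows.

```shell
#!/bin/sh
# Added example, not code from the thread. Reads a certbot renewal conf
# and reports which inbound port the standalone authenticator will need,
# so it can be compared with what the router actually forwards.
# Assumption: certbot stores --preferred-challenges under "pref_challs".

# Value of a key in the [renewalparams] section of a renewal conf.
renewal_param() {  # $1 = conf file, $2 = key
    sed -n '/^\[renewalparams\]/,$p' "$1" |
        sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" | head -n 1
}

# Port the CA's validation server connects to for a given challenge type.
challenge_port() {  # $1 = challenge type
    case "$1" in
        http-01)    echo 80 ;;
        tls-sni-01) echo 443 ;;
        dns-01)     echo 0 ;;        # proof goes via DNS, no inbound port
        *)          echo unknown; return 1 ;;
    esac
}

# Decide which external port must reach certbot for this conf to renew.
standalone_port_needed() {  # $1 = conf file
    auth=$(renewal_param "$1" authenticator)
    if [ "$auth" != "standalone" ]; then
        echo "none"; return 0           # other authenticators do not listen
    fi
    chall=$(renewal_param "$1" pref_challs)
    chall=${chall%%,*}                  # stored as "http-01," (trailing comma)
    # Assumption: with no preference set, this certbot version tried
    # tls-sni-01 first, which matches the error shown in the thread.
    [ -n "$chall" ] || chall=tls-sni-01
    challenge_port "$chall"
}

# Constructed sample conf mirroring the one posted in the thread.
conf=$(mktemp)
cat > "$conf" <<'EOF'
version = 0.14.1
archive_dir = /etc/letsencrypt/archive/MyDomain

[renewalparams]
authenticator = standalone
installer = None
EOF
echo "standalone needs inbound port: $(standalone_port_needed "$conf")"  # 443
rm -f "$conf"
```

If the reported port is 443 but the router forwards 443 elsewhere (here, to 8123), the standalone challenge will fail exactly as in the posted error.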
