Let's Encrypt plugin for Home Assistant failing with HTTP challenge

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: treffyes.asuscomm.com

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

With Home Assistant (Supervised) I tried to use a new DuckDNS. The issue I have (I think) is that I also have a DDNS for my router. When I perform NSLOOKUP, both the asuscomm.com and duckdns.org names return the same IP address. I assume this is my issue; I've read that there is only one cert per IP address.

So, instead, I abandoned the DuckDNS plugin and tried the Let's Encrypt plugin, but that always fails:

Requesting a certificate for treffyes.asuscomm.com
Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
  Domain: treffyes.asuscomm.com
  Type:   connection
  Detail: 24.251.4.120: Fetching http://treffyes.asuscomm.com/.well-known/acme-challenge/ujydrKMmPYSPjsonIV37jXS26X46Og-cFAE7tRH3-Ok: Timeout during connect (likely firewall problem)
Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

I am at a loss. I have port forwarded port 80 to my RPi. What else could be wrong?

thanks for your help
Steve

Hello @AZSteve, welcome to the Let's Encrypt community. :slightly_smiling_face:

From the public Internet, port 80 is not open:

$ nmap -Pn treffyes.asuscomm.com
Starting Nmap 7.80 ( https://nmap.org ) at 2023-04-12 22:13 UTC
Nmap scan report for treffyes.asuscomm.com (24.251.4.120)
Host is up (0.052s latency).
rDNS record for 24.251.4.120: ip24-251-4-120.ph.ph.cox.net
Not shown: 995 filtered ports
PORT     STATE SERVICE
84/tcp   open  ctf
85/tcp   open  mit-ml-dev
443/tcp  open  https
1723/tcp open  pptp
8443/tcp open  https-alt

Nmap done: 1 IP address (1 host up) scanned in 7.66 seconds
1 Like

Here is a list of issued certificates https://crt.sh/?q=treffyes.asuscomm.com, the latest being 2023-02-21.

Is it possible your ISP has started blocking Port 80?

1 Like

You do have plaintext HTTP listening on 443 that's successfully directing to your HA instance, so something's not set up properly. If you have some rule 443 -> 8123 (which I think is the default HA port), you need 80 -> 8123 instead.

You shouldn't have a problem using DuckDNS either. If you want to go that route, you don't need to open any ports.

3 Likes

With --standalone you must have a valid port 80 configured and it must not be in use by anything else. The standalone auth requires exclusive use of port 80 and it will appear to be open only while it is running.

If you need to port map 80 to something else to reach your certbot standalone then you also need to tell certbot you are using that alternate port (see the docs for http-01-port)

Your best approach may be as mcpherrinm suggests to use DuckDNS DNS Challenge instead of standalone.

3 Likes
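The two replies above describe what the CA actually does during HTTP-01: it connects to port 80 on the name being validated and expects certbot's temporary standalone listener, and nothing else, to answer at /.well-known/acme-challenge/<token>. The following self-check is an added example (not certbot's code and not part of this thread): it starts a stand-in for the standalone listener on localhost and then fetches the challenge URL the way the CA would, classifying the result as "ok", "unreachable" (the timeout/refused case seen in the error above) or "wrong-server" (some other service, such as a 443 -> 8123 forward to Home Assistant, owns the port). The token is the one from the error message; the key authorization suffix is a constructed placeholder.

```python
import http.server
import threading
import urllib.error
import urllib.request

# Constructed values (not from certbot): HTTP-01 serves "<token>.<account-key-thumbprint>"
# at /.well-known/acme-challenge/<token>; the CA compares the body with what it expects.
TOKEN = "ujydrKMmPYSPjsonIV37jXS26X46Og-cFAE7tRH3-Ok"   # token seen in the thread's error
KEY_AUTH = TOKEN + ".thumbprint-placeholder"             # stand-in for the real key authorization

class ChallengeHandler(http.server.BaseHTTPRequestHandler):
    """Stand-in for certbot's temporary standalone listener: one path, one body."""
    def do_GET(self):
        if self.path != "/.well-known/acme-challenge/" + TOKEN:
            self.send_error(404)
            return
        body = KEY_AUTH.encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/octet-stream")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # silence per-request logging
        pass

def serve_challenge():
    """Start the listener on an ephemeral localhost port; return (server, port)."""
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), ChallengeHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]

def probe_challenge(host, port, token=TOKEN, key_auth=KEY_AUTH, timeout=3.0):
    """Fetch the challenge URL the way the CA does and classify the result."""
    url = f"http://{host}:{port}/.well-known/acme-challenge/{token}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode(errors="replace").strip()
    except urllib.error.HTTPError as err:   # something answered, but not the ACME listener
        return "wrong-server", f"HTTP {err.code}: another service owns this port"
    except OSError as err:                  # refused, timeout, DNS: nothing reached the listener
        return "unreachable", f"{err}: check firewall and router port forward"
    if body == key_auth:
        return "ok", "CA would see the expected key authorization"
    return "wrong-server", "body differs: another web server answered on this port"

if __name__ == "__main__":
    server, port = serve_challenge()
    print(probe_challenge("127.0.0.1", port))
    server.shutdown()
    server.server_close()
```

To use it against a real setup you would point probe_challenge at the public name and port 80 from a host outside your LAN while the listener runs; from inside the LAN the router may answer differently than the CA sees.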

The certificate presently being served is this one crt.sh | 8082754416, which is not the latest issued certificate. SSL Checker and SSL Server Test (Powered by Qualys SSL Labs)

1 Like

Home Assistant's webserver and plugin do handle piping the request into the certbot container, so that's not going to be the problem here. It's probably just messed up router port forwarding.

5 Likes

Also of possible help: Home Assistant has its own community forum here https://community.home-assistant.io/

3 Likes

So, taking @mcpherrinm's advice, I went back to the DuckDNS plugin. I cleaned up everything, configured the plugin and started it... it did download the certificate. I copied the contents of the pem file and found a certificate parser online. It does appear to be correct, so I guess I was chasing ghosts.

My real issue was trying to link SmartThings with HA. That kept failing, saying invalid certificates or something. 25 years as a software Eng and I still don't know Jack (about networking)...

I'll go back to the beginning and troubleshoot the setup for SmartThings.

I've removed all the port forwarding except for 8123, required by HA.

Now…. It’s working!!! Thank you all for your help!!

3 Likes

Interestingly... I can connect SmartThings, but I cannot connect with the app :face_with_raised_eyebrow:

Thanks again all... I appreciate the help.

3 Likes

Are you talking about Samsung's SmartThings?
https://www.samsung.com/us/support/owners/app/smartthings

2 Likes
