Problem getting Home Assistant OS to update Certificate

Still learning Home Assistant and a bit confused on how certificates work with HA OS. I appreciate any help that you can provide and/or direct me to.

My certificate expired on the 5th of January. The Let's Encrypt addon log says that my certificate is not yet due for renewal. (Check the end of this message for this log file.)

My domain is: haos.koehn.us

I ran this command: N/A, I am not sure if I can run a command. Please advise.

It produced this output: N/A

My web server is (include version): Nginx Proxy Manager - Current version: 0.12.3

The operating system my web server runs on is (include version): Home Assistant OS

My hosting provider, if applicable, is: Local Internet Provider. I have a static IP for the HA

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No. I do all through the Home Assistant Web page.

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): I can't run this command when I ssh into the box. The Home Assistant Let's Encrypt addon says: Let's Encrypt Current version: 4.12.7

When I open the Home Assistant Nginx Proxy Manager Web UI and click on SSL Certificates, it shows that my domain expired on 5th January 2023, 4:39pm. When I click on the 3 vertical dots and select Renew Now, I get an error that says Internal Error. Reviewing the log file immediately after shows this:

(at the very top of the log)
The NGINX addon Log file shows this at the top:
[1/9/2023] [7:08:24 PM] [SSL ] › :heavy_multiplication_x: error Error: Command failed: certbot renew --non-interactive --quiet --config "/etc/letsencrypt.ini" --preferred-challenges "dns,http" --disable-hook-validation
Failed to renew certificate npm-6 with error: Some challenges have failed.
All renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/npm-6/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)
at ChildProcess.exithandler (node:child_process:400:12)
at ChildProcess.emit (node:events:513:28)
at maybeClose (node:internal/child_process:1093:16)
at Process.ChildProcess._handle.onexit (node:internal/child_process:302:5)

(There are a lot more lines in this log file between the top error and the last error; it appears to be mostly GETs from my web browser when I load up the page.)

At the very bottom of the file:
[1/9/2023] [8:09:56 PM] [SSL ] › :heavy_multiplication_x: error Error: Command failed: certbot renew --non-interactive --quiet --config "/etc/letsencrypt.ini" --preferred-challenges "dns,http" --disable-hook-validation
Failed to renew certificate npm-6 with error: Some challenges have failed.
All renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/npm-6/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)
at ChildProcess.exithandler (node:child_process:400:12)
at ChildProcess.emit (node:events:513:28)
at maybeClose (node:internal/child_process:1093:16)
at Process.ChildProcess._handle.onexit (node:internal/child_process:302:5)
[09/Jan/2023:20:10:44 -0600] - 101 101 - GET https haos.koehn.us "/api/websocket" [Client 192.168.100.1] [Length 92338] [Gzip -] [Sent-to 192.168.100.20] "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36" "-"
[1/9/2023] [8:12:25 PM] [SSL ] › :information_source: info Renewing Let'sEncrypt certificates for Cert #6: haos.koehn.us
[1/9/2023] [8:12:25 PM] [SSL ] › :information_source: info Command: certbot renew --force-renewal --config "/etc/letsencrypt.ini" --cert-name "npm-6" --preferred-challenges "dns,http" --no-random-sleep-on-renew --disable-hook-validation
[1/9/2023] [8:12:30 PM] [Express ] › :warning: warning Command failed: certbot renew --force-renewal --config "/etc/letsencrypt.ini" --cert-name "npm-6" --preferred-challenges "dns,http" --no-random-sleep-on-renew --disable-hook-validation
Saving debug log to /data/logs/letsencrypt/letsencrypt.log
Failed to renew certificate npm-6 with error: Some challenges have failed.
All renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/npm-6/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /data/logs/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

This is the log from the Let's Encrypt addon:
s6-rc: info: service s6rc-oneshot-runner: starting
s6-rc: info: service s6rc-oneshot-runner successfully started
s6-rc: info: service fix-attrs: starting
s6-rc: info: service fix-attrs successfully started
s6-rc: info: service legacy-cont-init: starting
cont-init: info: running /etc/cont-init.d/file-structure.sh
cont-init: info: /etc/cont-init.d/file-structure.sh exited 0
s6-rc: info: service legacy-cont-init successfully started
s6-rc: info: service legacy-services: starting
services-up: info: copying legacy longrun lets-encrypt (no readiness notification)
s6-rc: info: service legacy-services successfully started
[09:58:03] INFO: Selected http verification
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Certificate not yet due for renewal


Certificate not yet due for renewal; no action taken.


s6-rc: info: service legacy-services: stopping
s6-rc: info: service legacy-services successfully stopped
s6-rc: info: service legacy-cont-init: stopping
s6-rc: info: service legacy-cont-init successfully stopped
s6-rc: info: service fix-attrs: stopping
s6-rc: info: service fix-attrs successfully stopped
s6-rc: info: service s6rc-oneshot-runner: stopping
s6-rc: info: service s6rc-oneshot-runner successfully stopped

I think the official Let’s Encrypt addon works with the official Nginx addon, but not the unofficial Nginx Proxy Manager addon which has its own Let’s Encrypt client.

That’s why you’re seeing one place that says valid but another invalid.

Edit for clarification: "Official" here refers to the status of the Home Assistant OS integration.

4 Likes

Hello @tkoehn, welcome to the Let's Encrypt community. :slightly_smiling_face:

Here is a list of issued certificates crt.sh | haos.koehn.us, the latest being 2023-01-06.

1 Like

Used unnecessarily.

Do you really need that?

2 Likes

The problem might be as simple as you have blocked / closed port 80 (HTTP). An HTTP Challenge requires it be open. See Let's Debug test site (link here).

I can see your domain using HTTPS, but not HTTP

curl -Ik https://haos.koehn.us
(a 405 here is fine; it at least shows connections work)

HTTP/2 405
server: nginx
date: Tue, 10 Jan 2023 03:18:58 GMT
content-type: text/plain; charset=utf-8
content-length: 23
allow: GET

curl -Ik http://haos.koehn.us
(but "refused" is not ok)
curl: (7) Failed to connect to haos.koehn.us port 80 after 61 ms: Connection refused
3 Likes

Supplemental verification of what @MikeMcQ has already shown

$ nmap haos.koehn.us
Starting Nmap 7.91 ( https://nmap.org ) at 2023-01-09 19:56 PST
Nmap scan report for haos.koehn.us (64.39.221.12)
Host is up (0.083s latency).
rDNS record for 64.39.221.12: ip-64-39-221-12.kwikom.com
Not shown: 998 filtered ports
PORT    STATE  SERVICE
80/tcp  closed http
443/tcp open   https

Nmap done: 1 IP address (1 host up) scanned in 7.61 seconds

1 Like
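The two checks above (curl against port 80, nmap showing `80/tcp closed`) can be combined into one preflight to run before retrying a renewal. This is an added example, not part of the original thread or of any addon's code; the probe token and function names are constructed for illustration, and the redirect rule reflects how Let's Encrypt's HTTP-01 validation follows redirects.

```python
"""HTTP-01 preflight: is port 80 reachable, and does the web server answer there?"""
import http.client
import socket
import sys
from urllib.parse import urlsplit

# Any token works: a 404 for an unknown token still proves the path is reachable.
PROBE_PATH = "/.well-known/acme-challenge/preflight-test"  # constructed token


def probe_tcp(host, port, timeout=5.0):
    """Return 'open', 'closed' (connection refused) or 'filtered' (no reply)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except (socket.timeout, TimeoutError):
        return "filtered"
    except OSError as exc:          # DNS failure, unreachable network, ...
        return f"error: {exc}"


def http01_preflight(host, port=80, timeout=5.0):
    """Report whether an HTTP-01 validation request could reach this host."""
    result = {"port": probe_tcp(host, port, timeout), "status": None, "ok": False}
    if result["port"] != "open":
        return result               # the situation in this thread: port 80 closed
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", PROBE_PATH)
        resp = conn.getresponse()
        result["status"] = resp.status
        location = resp.getheader("Location", "")
    except (OSError, http.client.HTTPException) as exc:
        result["port"] = f"error: {exc}"
        return result
    finally:
        conn.close()
    if 300 <= resp.status < 400:
        # Redirects are followed only to http/https on ports 80 and 443.
        target = urlsplit(location)
        result["ok"] = target.scheme in ("", "http", "https") and target.port in (None, 80, 443)
    else:
        result["ok"] = resp.status < 500
    return result


if __name__ == "__main__":
    print(http01_preflight(sys.argv[1]))
```

Run it from outside the home network (for example from a phone hotspot), since a check from inside the LAN does not exercise the router's port forwarding.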

@mcpherrinm, Thank you. I do see that I am running the community version. I did not realize that. So my first question is why is there a community version and why would one use the community version over the official version?

What's the best course of action?

  1. Use the official version of Let's Encrypt and NGINX Proxy Manager
    or
  2. Use the Community version. If I understand correctly the community version handles both.

I installed the VM Home Assistant OS version because I wanted the system to just work without having to constantly tinker with it. So I would love to hear your opinion on this.

But at the end of the day it looks like I should remove the community version and run the official NGINX version. Do you agree?

2 Likes

Home assistant is very customizable, and I don’t think you’ll get the best advice on it here, even if there’s a few users. But personally: I’ve never had any trouble using the official nginx addon, along with the Let’s Encrypt addon.

5 Likes

@mcpherrinm, thanks for your help. Removing the community version and installing the official NGINX addon worked. I will watch it in April when it renews again to see how things go.

Again, Thank you.

5 Likes
