Renew certificates fails please help

Well, if you got it to work once, then we may be able to get it to work again, and better than once, by automating it (Check Mate).

So what all do we have to play with...let's review:

  1. Does your DNS service provider support updates via DNS?
  2. Do you have a static Internet IP (home ISP)?
  3. Can you spell DNS?
    OK ^that^ was a trick question [the question spelled it out for you] and can be skipped
  4. Does your ISP allow port 80 (HTTP)?
  5. Does your ISP allow port 53 (DNS)?
  6. Can your router port forward 80 (TCP)?
  7. Can your router port forward 53 (TCP and UDP)?
  8. Are you ready to have some fun?
1 Like

I would nominate you for being the first person to receive a third arm - so you can keep clicking without missing a single beat as you eat :slight_smile:
But seriously... You are almost single handedly keeping the fast-food small business franchises of America in business!
Keep up the good work.

~This has been a lame attempt at an unpaid non-political advertisement~
~Remember to Vote early and Vote often~
~Americans for American FFSBF US National Development Organization LLC is solely responsible for its' content and views or lack thereof~

We will now return you to our regularly scheduled topic...

1 Like
  1. Does your DNS service provider support updates via DNS? I got my certificates from Ionos. I have no idea what this question means or how I would find the answer. They provided the DNS as far as I am aware.
  2. Do you have a static Internet IP (home ISP)? I have BT Broadband and have nothing specifically assigned as an external static IP for anything at my home. Obviously I use static addresses in my home network.
  3. Can you spell DNS? Yep Doh
    OK ^that^ was a trick question [the question spelled it out for you] and can be skipped
  4. Does your ISP allow port 80 (HTTP)? No idea. How do I find out?
  5. Does your ISP allow port 53 (DNS)? No idea. How do I find out?
  6. Can your router port forward 80 (TCP)? It has pages for configuring port forwarding rules in its advanced settings. Smart Hub 2 from BT.
  7. Can your router port forward 53 (TCP and UDP)? I can set TCP, UDP or both.
  8. Are you ready to have some fun? Yes please
1 Like

And just so we are crystal clear:
Do you want to get a cert for a device that will be accessed only from your internal network, or also from the Internet?

Then these additional details:

  • Q1. Who is your DNS provider (for your domain: pjrawlings.co.uk)?
  • Q2. We can make it work with static or dynamic (static is just a lot simpler).
    More on that later...
  • Q3. DONE
  • Q4+Q6. We need to test this.
    You would need to port forward (TCP 80) into an internal device that listens (on any port) for HTTP type connections.
  • Q5+Q7. We also need to test this.
    You would need to port forward (TCP+UDP 53) into an internal device that "can" listen to DNS type requests.
    It would be helpful if your router has some logs to see if it gets these requests.
    Here "can" means it doesn't have to have a full time DNS server running. We can bring up the acme-dns when needed.
  • Q6. relates directly to Q4
  • Q7. relates directly to Q5
  • Q8. Excellent!
    Answer the additional question at the top of this post and then we can go from there.
2 Likes

If I have read your post correctly you need me to just answer Q1.

Q1. Who is your DNS provider (for your domain: pjrawlings.co.uk)?

IONOS i.e. www.ionos.co.uk

NAME SERVER TYPE
ns1033.ui-dns.com IONOS Nameserver
ns1074.ui-dns.org IONOS Nameserver
ns1090.ui-dns.biz IONOS Nameserver
ns1104.ui-dns.de IONOS Nameserver

Hope this is what you're looking for.

2 Likes

Can you ask IONOS "Do you support DNS updates via API?" ?

In the meantime, I need to know the final destination before setting off in any direction:

2 Likes

Internal network only

3 Likes

OK so that actually simplifies things a bit.

Now we need to know if IONOS supports DNS updates via API.
If yes, then we go that route.
If no, then we need to know if your ISP allows port 80 (HTTP) OR port 53 (DNS).
[either one will work (DNS may be simpler in the long run) - provided your router can port forward them]

1 Like

I will contact Ionos tomorrow. For some bizarre reason they don't supply email support and only use phone.

Can you expand a little on "does my ISP support port 80 or 53"? I assumed that all HTTP came through 80, so they must support it. So what do you mean by "does my ISP allow port 80"? Allow what, and can I test either of these? I really want to learn, so please don't assume I know anything.

1 Like

I wrote:

It is a simple question to ask them.
Or you can reverse the question and say to them "Which ports do you block inbound to my router/house?"

1 Like

Ionos do not support the setting of DNS in my account via an API.

1 Like

Is the question to my ISP now relevant? Can I presume you're saying can my ISP support outbound communications on ports 80 or 53? i.e. from me.

OK, then that still leaves us with inbound DNS & HTTP authentication.
[not as simple as outbound DNS via API - but still very possible]

Know that (OUTBOUND) should always be the case.
We now need 80 or 53 INBOUND.

1 Like

Apologies for the tardy reply. It's taken an age to get to talk with my ISP (BT). They say port 80 should be open.

2 Likes

OK
With port 80 we can do HTTP authentication :slight_smile:
Back to Q6:
Can your router port forward 80?

[&2* readers: Get involved; Be heard. It starts with: if you read something you like, then like it :heart:]

1 Like

My router has port forwarding rules capability, so should be fine.

Forwarding screen

1 Like

OK you need to make an entry there "HTTP" for port 80 external to port 80 internal for TCP.
Then repeat that for any other ports that you might want to secure (like "HTTPS" 443 TCP).


1 Like

OK, done that and still get the same issue initially reported. See screenshot of forwarding.

See new rule added

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx

Which names would you like to activate HTTPS for?


1: kodi.pjrawlings.co.uk


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for kodi.pjrawlings.co.uk
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. kodi.pjrawlings.co.uk (http-01): urn:ietf:params:acme:error:dns :: No valid IP addresses found for kodi.pjrawlings.co.uk

IMPORTANT NOTES:

1 Like

We're making progress.
The port forwarding looks good (the HTTP label for 443 could be HTTPS - but that's just a label).

The error:

Means there is no DNS entry found for that name.
Have you made an entry in your global domain DNS for it?
Nevermind, I see you did:

Name:    kodi.pjrawlings.co.uk
Address:  192.168.1.4

That IP will not work for HTTP validation.
You need to change that to your real (external) Internet IP.
That is the IP the world will go to to find your kodi device.


1 Like
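The failure above (a public name whose A record points at a LAN address) can be caught before running certbot. As an added example, not code from the thread, this Python pre-flight check classifies the addresses a name resolves to and flags any that the Let's Encrypt validator could never reach; the hostnames and addresses in it are constructed, and `resolve()` uses the local resolver, so for the offline case pass the addresses in directly.

```python
import ipaddress
import socket

# Added example (not from the thread): a pre-flight check for http-01 validation.
# The CA's validator connects to the PUBLIC address the name resolves to, so an
# A record such as 192.168.1.4 (a private range) can never pass http-01.

def routable_problems(addresses):
    """Return (address, reason) pairs for addresses a public validator cannot reach."""
    problems = []
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        if ip.is_loopback:
            problems.append((addr, "loopback"))
        elif ip.is_link_local:
            problems.append((addr, "link-local"))
        elif ip.is_private:
            problems.append((addr, "private range (RFC 1918 / ULA); unreachable from the Internet"))
        elif not ip.is_global:
            problems.append((addr, "not globally routable"))
    return problems

def resolve(name):
    """Resolve name to its A/AAAA addresses using the local resolver."""
    infos = socket.getaddrinfo(name, None, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def http01_precheck(name, addresses=None):
    """Return (ok, messages) saying whether http-01 could succeed for name."""
    if addresses is None:
        try:
            addresses = resolve(name)
        except socket.gaierror:
            addresses = []
    if not addresses:
        # This is the case certbot reports as "No valid IP addresses found".
        return False, [f"{name}: no DNS record found"]
    problems = routable_problems(addresses)
    msgs = [f"{name} -> {addr}: {why}" for addr, why in problems]
    if not problems:
        msgs.append(f"{name} -> {', '.join(addresses)}: public; now confirm TCP 80 "
                    "is forwarded to the host serving /.well-known/acme-challenge/")
    return not problems, msgs

if __name__ == "__main__":
    # Constructed input mirroring the thread: the name points at a LAN address.
    ok, msgs = http01_precheck("kodi.example.invalid", ["192.168.1.4"])
    print("OK" if ok else "NOT OK")
    print("\n".join(msgs))
```

Once the A record holds the external IP, re-run the check with no address list so it exercises real DNS.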

Sorry, I should have reread through the posts before moving in the most likely direction...

OK, so even though you only want this to be accessed from the Internal network we still need some way to authenticate the certificate request.
Let's use HTTP (port 80) for that.
Please remove the HTTPS port 443 forwarding entry in your router - the world doesn't need to access your kodi device.


1 Like