dietpi-LetsEncrypt

I am trying to get dietpi-LetsEncrypt working with Emby. I get the following:

 DietPi-LetsEncrypt
─────────────────────────────────────────────────────
 Mode: Running Certbot

[  OK  ] DietPi-LetsEncrypt | Apache webserver detected
[  OK  ] DietPi-LetsEncrypt | Desired setting in /etc/apache2/apache2.conf was already set: ServerName jony-skids.hopto.org
[  OK  ] DietPi-LetsEncrypt | systemctl restart apache2
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for jony-skids.hopto.org
Enabled Apache rewrite module
Cleaning up challenges
An unexpected error occurred:
ValueError: Unable to insert label!
Please see the logfiles in /var/log/letsencrypt for more details.
[FAILED] DietPi-LetsEncrypt | Certbot failed, please check its above terminal output. Aborting...

Press any key to return to the DietPi-LetsEncrypt menu ...

Any help would be appreciated.

Did you check the log file mentioned?

cat  /var/log/letsencrypt/letsencrypt.log
2022-01-24 13:18:46,801:DEBUG:certbot.main:certbot version: 0.31.0
2022-01-24 13:18:46,802:DEBUG:certbot.main:Arguments: ['--apache', '--redirect', '--staple-ocsp', '--agree-tos', '--no-eff-email', '--rsa-key-size', '4096', '-m', 'jonyskids@gmail.com', '-d', 'jony-skids.hopto.org:8096']
2022-01-24 13:18:46,802:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2022-01-24 13:18:46,845:DEBUG:certbot.log:Root logging level set at 20
2022-01-24 13:18:46,847:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2022-01-24 13:18:46,849:DEBUG:certbot.plugins.selection:Requested authenticator apache and installer apache
2022-01-24 13:18:47,069:DEBUG:certbot_apache.configurator:Apache version is 2.4.38
2022-01-24 13:18:47,701:DEBUG:certbot.plugins.selection:Single candidate plugin: * apache
Description: Apache Web Server plugin
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: apache = certbot_apache.entrypoint:ENTRYPOINT
Initialized: <certbot_apache.override_debian.DebianConfigurator object at 0x76214230>
Prep: True
2022-01-24 13:18:47,703:DEBUG:certbot.plugins.selection:Selected authenticator <certbot_apache.override_debian.DebianConfigurator object at 0x76214230> and installer <certbot_apache.override_debian.DebianConfigurator object at 0x76214230>
2022-01-24 13:18:47,703:INFO:certbot.plugins.selection:Plugins selected: Authenticator apache, Installer apache
2022-01-24 13:18:47,743:DEBUG:certbot.main:Picked account: <Account(RegistrationResource(body=Registration(key=None, contact=(), agreement=None, status=None, terms_of_service_agreed=None, only_return_existing=None, external_account_binding=None), uri='https://acme-v02.api.letsencrypt.org/acme/acct/334844840', new_authzr_uri=None, terms_of_service=None), dc16625c429eeb5f0e1b37a038d2e661, Meta(creation_dt=datetime.datetime(2021, 12, 24, 17, 48, 34, tzinfo=<UTC>), creation_host='DietPi'))>
2022-01-24 13:18:47,747:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2022-01-24 13:18:47,754:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org:443
2022-01-24 13:18:48,019:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 658
2022-01-24 13:18:48,023:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Mon, 24 Jan 2022 18:18:47 GMT
Content-Type: application/json
Content-Length: 658
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org"
  },
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert",
  "sIUfwDdqqrM": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417"
}
2022-01-24 13:18:48,027:INFO:certbot.main:Obtaining a new certificate
2022-01-24 13:19:04,762:DEBUG:certbot.crypto_util:Generating key (4096 bits): /etc/letsencrypt/keys/0027_key-certbot.pem
2022-01-24 13:19:04,943:DEBUG:certbot.crypto_util:Creating CSR: /etc/letsencrypt/csr/0027_csr-certbot.pem
2022-01-24 13:19:04,947:DEBUG:acme.client:Requesting fresh nonce
2022-01-24 13:19:04,947:DEBUG:acme.client:Sending HEAD request to https://acme-v02.api.letsencrypt.org/acme/new-nonce.
2022-01-24 13:19:05,023:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "HEAD /acme/new-nonce HTTP/1.1" 200 0
2022-01-24 13:19:05,025:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Mon, 24 Jan 2022 18:19:04 GMT
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0002moTKS2BDnSnBgiiWK7mZVVYcUWMYl3LnD9z_OawkBw4
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800


2022-01-24 13:19:05,025:DEBUG:acme.client:Storing nonce: 0002moTKS2BDnSnBgiiWK7mZVVYcUWMYl3LnD9z_OawkBw4
2022-01-24 13:19:05,026:DEBUG:acme.client:JWS payload:
b'{\n  "identifiers": [\n    {\n      "type": "dns",\n      "value": "jony-skids.hopto.org"\n    }\n  ]\n}'
2022-01-24 13:19:05,192:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/new-order:
2022-01-24 13:19:05,281:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/new-order HTTP/1.1" 201 343
2022-01-24 13:19:05,283:DEBUG:acme.client:Received response:
HTTP 201
Server: nginx
Date: Mon, 24 Jan 2022 18:19:05 GMT
Content-Type: application/json
Content-Length: 343
Connection: keep-alive
Boulder-Requester: 334844840
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Location: https://acme-v02.api.letsencrypt.org/acme/order/334844840/57938482970
Replay-Nonce: 000217F4ClPuaI7c6lTsre3f-wm2NZgVk1bGcaPyRhVfq3M
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "status": "pending",
  "expires": "2022-01-31T02:48:28Z",
  "identifiers": [
    {
      "type": "dns",
      "value": "my-url.org"
    }
  ],
  "authorizations": [
    "https://acme-v02.api.letsencrypt.org/acme/authz-v3/71300590640"
  ],
  "finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/334844840/57938482970"
}
2022-01-24 13:19:05,283:DEBUG:acme.client:Storing nonce: 000217F4ClPuaI7c6lTsre3f-wm2NZgVk1bGcaPyRhVfq3M
2022-01-24 13:19:05,284:DEBUG:acme.client:JWS payload:
b''
2022-01-24 13:19:05,450:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/71300590640:
2022-01-24 13:19:05,535:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/71300590640 HTTP/1.1" 200 801
2022-01-24 13:19:05,537:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Mon, 24 Jan 2022 18:19:05 GMT
Content-Type: application/json
Content-Length: 801
Connection: keep-alive
Boulder-Requester: 334844840
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0002eHgiN-ZfeckzYPVyKUqZu9REkBv-eoIzim27aXKF_wk
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "jony-skids.hopto.org"
  },
  "status": "pending",
  "expires": "2022-01-31T02:48:28Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/71300590640/XhihGA",
      "token": "mXYkv8tbDlgrfHmj1GBCocqgfXu_UN9qxaT0qEsDehU"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/71300590640/Ifg-jg",
      "token": "mXYkv8tbDlgrfHmj1GBCocqgfXu_UN9qxaT0qEsDehU"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/71300590640/Ug7JdQ",
      "token": "mXYkv8tbDlgrfHmj1GBCocqgfXu_UN9qxaT0qEsDehU"
    }
  ]
}
2022-01-24 13:19:05,538:DEBUG:acme.client:Storing nonce: 0002eHgiN-ZfeckzYPVyKUqZu9REkBv-eoIzim27aXKF_wk
2022-01-24 13:19:05,540:INFO:certbot.auth_handler:Performing the following challenges:
2022-01-24 13:19:05,540:INFO:certbot.auth_handler:http-01 challenge for jony-skids.hopto.org
2022-01-24 13:19:05,707:INFO:certbot_apache.override_debian:Enabled Apache rewrite module
2022-01-24 13:19:06,068:DEBUG:certbot_apache.http_01:Adding a temporary challenge validation Include for name: None in: /etc/apache2/sites-enabled/000-default.conf
2022-01-24 13:19:06,075:DEBUG:certbot.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 75, in handle_authorizations
    resp = self._solve_challenges(aauthzrs)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 139, in _solve_challenges
    resp = self.auth.perform(all_achalls)
  File "/usr/lib/python3/dist-packages/certbot_apache/configurator.py", line 2281, in perform
    http_response = http_doer.perform()
  File "/usr/lib/python3/dist-packages/certbot_apache/http_01.py", line 72, in perform
    self._mod_config()
  File "/usr/lib/python3/dist-packages/certbot_apache/http_01.py", line 112, in _mod_config
    self._set_up_include_directives(vh)
  File "/usr/lib/python3/dist-packages/certbot_apache/http_01.py", line 198, in _set_up_include_directives
    vhost.path, "Include", self.challenge_conf_pre)
  File "/usr/lib/python3/dist-packages/certbot_apache/parser.py", line 346, in add_dir_beginning
    self.aug.insert(first_dir, "directive", True)
  File "/usr/lib/python3/dist-packages/augeas.py", line 369, in insert
    raise ValueError("Unable to insert label!")
ValueError: Unable to insert label!

2022-01-24 13:19:06,075:DEBUG:certbot.error_handler:Calling registered functions
2022-01-24 13:19:06,076:INFO:certbot.auth_handler:Cleaning up challenges
2022-01-24 13:19:06,664:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in <module>
    load_entry_point('certbot==0.31.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1365, in main
    return config.func(config, plugins)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1119, in run
    certname, lineage)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 121, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 410, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 353, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 389, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 75, in handle_authorizations
    resp = self._solve_challenges(aauthzrs)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 139, in _solve_challenges
    resp = self.auth.perform(all_achalls)
  File "/usr/lib/python3/dist-packages/certbot_apache/configurator.py", line 2281, in perform
    http_response = http_doer.perform()
  File "/usr/lib/python3/dist-packages/certbot_apache/http_01.py", line 72, in perform
    self._mod_config()
  File "/usr/lib/python3/dist-packages/certbot_apache/http_01.py", line 112, in _mod_config
    self._set_up_include_directives(vh)
  File "/usr/lib/python3/dist-packages/certbot_apache/http_01.py", line 198, in _set_up_include_directives
    vhost.path, "Include", self.challenge_conf_pre)
  File "/usr/lib/python3/dist-packages/certbot_apache/parser.py", line 346, in add_dir_beginning
    self.aug.insert(first_dir, "directive", True)
  File "/usr/lib/python3/dist-packages/augeas.py", line 369, in insert
    raise ValueError("Unable to insert label!")
ValueError: Unable to insert label!
2022-01-24 13:19:06,669:ERROR:certbot.log:An unexpected error occurred:

Not sure what I am looking for?

Did you change anything in the Apache vHost configuration? Just asking, as I found a similar report on the Let's Encrypt forum:

https://community.letsencrypt.org/t/valueerror-unable-to-insert-label/54400/3

Basically you have the same error:

    raise ValueError("Unable to insert label!")
ValueError: Unable to insert label!

There the issue was with the vHost config.

That did it for my default apache2 server.

Thanks for that!

Still, my Emby server is not secure? mydomain.com:8096

Any suggestions?

Basically 2 options:

  1. Use Apache as a reverse proxy to connect to Emby
  2. Or activate SSL on Emby and configure Emby to use the certificates

OK, for option #2:

Do I need to have the apache server listen for Local https port number?

Do I need to forward the Local https port on the router?

Do I use the same certificate?

Appreciate the help!

SSL configuration on Apache has nothing to do with SSL setup on Emby. If you go for option #2, you would need to have a look into Emby on how to configure SSL. If I’m not mistaken it should be under Network options inside the Emby GUI. If you go this way, it doesn’t matter how Apache is configured, because Emby will create its own HTTPS server. In theory you could remove Apache, if it is not needed for other web apps.

Thank you for the clarification.

For anyone looking to SSL their Emby server, this is how I did it:

sudo su
cd /etc/letsencrypt/live/your_domain_name/

openssl pkcs12 -export -out your_domain_name.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -password pass:

cp your_domain_name.pfx /opt/emby-server/ssl/your_domain_name.ddns.net.pfx

I then went to my Emby Server settings, Network, and added the domain name and the path to the certificate, plus the password if you set one.

I then forwarded port 8920 on my router.

Finally, I followed this site to cron a renewal of my cert: https://devcoops.com/certbot-auto-renew-ssl-certificate-cron-job/
I am not sure how to test the cron job, so my fingers are crossed and the calendar noted.

Usually there is no need to set up a cron job to refresh certificates if you used dietpi-letsencrypt initially to generate the certs. This will automatically refresh your certs if needed. The only thing needed would be to create a hook script that will convert the certs again for Emby in /opt/emby-server/ssl/your_domain_name.ddns.net.pfx

Cool! Thanks for the tip! Can you point me to a tutorial to create hook script?

One question: how did you fix the issue with creating the cert?

    raise ValueError("Unable to insert label!")
ValueError: Unable to insert label!

I would like to make a note if someone else will have similar issue.

This issue is somewhat irrelevant to making Emby work. But if someone is trying to HTTPS the Apache server, they would need to modify 000-default-le-ssl.conf in /etc/apache2/sites-available to include your domain address and then forward 443 on the router.

I see, thx. We will have a look at why the certificate is not created correctly. Maybe a challenge on our side that popped up as a side issue. :sunglasses:
Looks like certbot is expecting a config value inside Apache 000-default.conf. Otherwise it will not work. It doesn’t matter what the value is.

GitHub issue up https://github.com/MichaIng/DietPi/issues/5212

jonyskids
Back to your question regarding the hook. You could create a script with the conversion command and place it inside the following directory:

/etc/letsencrypt/renewal-hooks/post

Usually it should be executed on the next cert renewal.

Solved with: https://github.com/MichaIng/DietPi/commit/bca964e

Sorry, Really new here.

Do I just need to add

openssl pkcs12 -export -out mydomain.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -password pass:

to script in: /etc/letsencrypt/renewal-hooks/post

?

You mean to enable HTTPS with Emby?

cat << '_EOF_' > /etc/letsencrypt/renewal-hooks/post/emby.sh
#!/bin/dash
# Rebuild the PKCS#12 bundle Emby needs from the freshly renewed Let's Encrypt files
domain='your_domain_name'
password='your_key_password'
cd "/etc/letsencrypt/live/$domain" || exit 1
# Bundle private key, leaf certificate and chain into one password-protected .pfx
openssl pkcs12 -export -out "$domain.pfx" -inkey privkey.pem -in cert.pem -certfile chain.pem -passout "pass:$password"
# Move it to the directory Emby's network settings point to
mv "$domain.pfx" /opt/emby-server/ssl/
_EOF_
chmod 0700 /etc/letsencrypt/renewal-hooks/post/emby.sh

should do it (run those as root).
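As an added example (not the script above, nor DietPi's or certbot's own code), a variant of the same hook meant for /etc/letsencrypt/renewal-hooks/deploy, which certbot runs only when a certificate was actually renewed, with RENEWED_LINEAGE pointing at the live directory; it verifies the new bundle before swapping it in. EMBY_SSL_DIR and PFX_PASS_FILE are assumed placeholder paths.

```shell
#!/bin/sh
# Added example, not MichaIng's hook or DietPi code: a certbot deploy hook that
# rebuilds Emby's PKCS#12 bundle only for the lineage that was actually renewed
# and verifies the bundle before replacing the old one.
# Assumptions: certbot exports RENEWED_LINEAGE (/etc/letsencrypt/live/<name>) to
# deploy hooks; EMBY_SSL_DIR and PFX_PASS_FILE below are placeholder paths.
set -eu

EMBY_SSL_DIR="${EMBY_SSL_DIR:-/opt/emby-server/ssl}"      # Emby's ssl dir, as used in the thread
PFX_PASS_FILE="${PFX_PASS_FILE:-/etc/emby/pfx-password}"  # hypothetical root-only file holding the export password

# build_pfx LINEAGE_DIR OUT_PFX PASSWORD
# Bundles privkey.pem, cert.pem and chain.pem into OUT_PFX (mode 0600) and only
# swaps it into place after the bundle has been opened successfully.
build_pfx() {
    lineage="$1"; out="$2"; pass="$3"
    tmp="$out.tmp.$$"
    umask 077
    openssl pkcs12 -export \
        -inkey "$lineage/privkey.pem" -in "$lineage/cert.pem" \
        -certfile "$lineage/chain.pem" \
        -out "$tmp" -passout "pass:$pass"
    # Refuse to replace a working bundle with one Emby could not open.
    if ! openssl pkcs12 -in "$tmp" -nokeys -passin "pass:$pass" -out /dev/null 2>/dev/null; then
        rm -f "$tmp"
        echo "build_pfx: verification of $tmp failed" >&2
        return 1
    fi
    mv -f "$tmp" "$out"
}

# pfx_subject OUT_PFX PASSWORD -> subject line of the leaf certificate in the bundle
pfx_subject() {
    openssl pkcs12 -in "$1" -nokeys -clcerts -passin "pass:$2" 2>/dev/null \
        | openssl x509 -noout -subject
}

main() {
    lineage="${RENEWED_LINEAGE:?must be run by certbot as a deploy hook}"
    domain="$(basename "$lineage")"
    pass="$(cat "$PFX_PASS_FILE")"
    mkdir -p "$EMBY_SSL_DIR"
    build_pfx "$lineage" "$EMBY_SSL_DIR/$domain.pfx" "$pass"
    echo "updated $EMBY_SSL_DIR/$domain.pfx for $domain"
}

# certbot sets RENEWED_LINEAGE when it invokes the hook; when sourced for a test it is unset.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    main
fi
```

Keep the password file root-only (the .pfx is written with mode 0600 by the umask) and point Emby's network settings at the .pfx path and that password.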

Thanks to MichaIng for providing the script.