Let's Encrypt Error

Required Information

  • DietPi version |
    G_DIETPI_VERSION_CORE=9
    G_DIETPI_VERSION_SUB=5
    G_DIETPI_VERSION_RC=0
    G_GITBRANCH='beta'
    G_GITOWNER='MichaIng'
  • Distro version | bookworm 0
  • Kernel version | 6.1.21-v8+ #1642 SMP PREEMPT Mon Apr 3 17:24:16 BST 2023 aarch64 GNU/Linux
  • Architecture | arm64
  • SBC model | RPi4
  • Power supply used | (EG: 5V 1A RAVpower)
  • SD card used | SSD

Steps to reproduce

Start Dietpi-Launcher
Use Letsencrypt

Expected behaviour

Certificate should be reinstalled

Actual behaviour

[  OK  ] DietPi-LetsEncrypt | Apache webserver detected
[  OK  ] DietPi-LetsEncrypt | Desired setting in /etc/apache2/sites-available/000-default.conf was already set: 	ServerName XXXX.duckdns.org
[  OK  ] DietPi-LetsEncrypt | a2enmod http2
[  OK  ] DietPi-LetsEncrypt | systemctl restart apache2
Saving debug log to /var/log/letsencrypt/letsencrypt.log
The apache plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('There has been an error in parsing the file /etc/apache2/sites-enabled/000-default-le-ssl.conf on line 17: Syntax error')
[FAILED] DietPi-LetsEncrypt | Certbot failed, please check its above terminal output. Aborting...Last login: Tue Jun  4 09:04:42 on ttys000

Config file
/etc/apache2/sites-available/000-default-le-ssl.conf

<IfModule mod_ssl.c>
<VirtualHost *:443>
<------>ServerName XXXXXX.duckdns.org
        
SSLCertificateFile /etc/letsencrypt/live/xxxxxx.duckdns.org/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/xxxxxxx.duckdns.org/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>

<IfModule mod_headers.c>
 Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains; strict-origin; preload"
 Redirect 301 /.well-known/carddav /nextcloud/remote.php/dav
 Redirect 301 /.well-known/caldav /nextcloud/remote.php/dav
 Redirect 301 /.well-known/webfinger /nextcloud/index.php/.well-known/webfinger
 Redirect 301 /.well-known/nodeinfo /nextcloud/index.php/.well-known/nodeinfo
</IfModule>

Obviously there is something wrong here because I always get the same error message. And I can’t find a syntax error in the file.

Tks
Henning

This config includes options-ssl-apache.conf. Maybe the syntax error is in there.
Did you modify any of these files?

Tks for correcting my first post 🙂

I need to check the conf file you mentioned, reverting

This <------> is not literally in your config, is it? If so, remove it. But it does not match the line number 17, hence I also guess it is in /etc/letsencrypt/options-ssl-apache.conf line 11 then. That file should normally not be touched, as it is provided by the python3-certbot-apache package directly. Better override its directives in 000-default-le-ssl.conf, if needed.

Tks, this file “options-ssl-apache.conf” is in original condition

Meantime I found that I had 2 open <IfModule> parts in the /etc/apache2/sites-available file and only 1 </IfModule>
I corrected this and now it looks like this

[  OK  ] DietPi-LetsEncrypt | Apache webserver detected
[  OK  ] DietPi-LetsEncrypt | Desired setting in /etc/apache2/sites-available/000-default.conf was already set: 	ServerName homer276.duckdns.org
[  OK  ] DietPi-LetsEncrypt | a2enmod http2
[  OK  ] DietPi-LetsEncrypt | systemctl restart apache2
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewing an existing certificate for homer276.duckdns.org

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
  Domain: homer276.duckdns.org
  Type:   dns
  Detail: DNS problem: SERVFAIL looking up CAA for duckdns.org - the domain's nameservers may be malfunctioning

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
[FAILED] DietPi-LetsEncrypt | Certbot failed, please check its above terminal output. Aborting...

Press any key to return to the DietPi-LetsEncrypt menu ...

Now it looks like the problem is on the receiving end

Brgds
Henning
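The unbalanced `<IfModule>` found in the post above can be located mechanically. This is an added example, not part of the thread and not DietPi or Certbot code; `unbalanced_sections` is a hypothetical name, and it checks section nesting only, while `apachectl configtest` does the full syntax check.

```python
import re

# The vhost file as posted in the thread (hostnames already redacted there).
POSTED_CONF = """\
<IfModule mod_ssl.c>
<VirtualHost *:443>
<------>ServerName XXXXXX.duckdns.org

SSLCertificateFile /etc/letsencrypt/live/xxxxxx.duckdns.org/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/xxxxxxx.duckdns.org/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>

<IfModule mod_headers.c>
 Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains; strict-origin; preload"
 Redirect 301 /.well-known/carddav /nextcloud/remote.php/dav
 Redirect 301 /.well-known/caldav /nextcloud/remote.php/dav
 Redirect 301 /.well-known/webfinger /nextcloud/index.php/.well-known/webfinger
 Redirect 301 /.well-known/nodeinfo /nextcloud/index.php/.well-known/nodeinfo
</IfModule>
"""

OPEN = re.compile(r"^\s*<([A-Za-z]\w*)\b[^>]*>\s*$")
CLOSE = re.compile(r"^\s*</([A-Za-z]\w*)\s*>\s*$")


def unbalanced_sections(text):
    """Return (line_no, message) for every <Section> that is not properly closed."""
    stack, problems = [], []
    for no, line in enumerate(text.splitlines(), 1):
        close, opened = CLOSE.match(line), OPEN.match(line)
        if close:
            name = close.group(1).lower()
            if stack and stack[-1][1] == name:
                stack.pop()  # matching close for the innermost open section
            else:
                problems.append((no, f"unexpected </{name}>"))
        elif opened:
            stack.append((no, opened.group(1).lower()))
    problems += [(no, f"<{name}> is never closed") for no, name in stack]
    return problems


if __name__ == "__main__":
    for no, msg in unbalanced_sections(POSTED_CONF):
        print(f"line {no}: {msg}")
```

The listing as posted is 16 lines long, so a parser error reported on line 17 is consistent with the parser reaching end of file with a section still open.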

Verify your DDNS provider has correct and up to date IP address information. Looks like some information within the DNS record is missing. Not sure if you can add them yourself or if you need to contact your DDNS provider.

This seems to happen at times with DuckDNS: DuckDos Challenge validation has failed - Configuration - Home Assistant Community

Does this work for you?

getent ahosts homer276.duckdns.org

If so, please simply retry dietpi-letsencrypt. If not, please try to change your DNS provider.

Certbot checks for CAA records, which define/limit the CAs which are permitted to generate certificates for a domain. E.g. dietpi.com has CAA records which permit only Let’s Encrypt and Cloudflare to generate TLS certificates, but not other CAs. So if Certbot finds a record which does not permit Let’s Encrypt to generate certs, it will respect it and stop. However, in this case, the lookup itself seems to have failed.
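Why a SERVFAIL for `duckdns.org` blocks issuance for `homer276.duckdns.org` although the subdomain has no CAA record of its own: the CAA lookup climbs from the full name toward the root (RFC 8659), and a failed lookup counts as a failure rather than as "no restriction". This is an added example, not code from the thread, Certbot or Let's Encrypt; the resolver answers are constructed and `caa_decision` is a hypothetical name.

```python
# Constructed resolver answers (no network): name -> list of (tag, value)
# CAA records, [] for "no CAA here", or "SERVFAIL" for a failed lookup.
DUCKDNS_HEALTHY = {"homer276.duckdns.org": [], "duckdns.org": [], "org": []}
DUCKDNS_BROKEN = {"homer276.duckdns.org": [], "duckdns.org": "SERVFAIL", "org": []}
OTHER_CA_ONLY = {"www.example.com": [], "example.com": [("issue", "other-ca.example")]}


def caa_decision(fqdn, answers, ca="letsencrypt.org"):
    """Walk from fqdn toward the root; return (verdict, reason)."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        rrset = answers.get(name, [])
        if rrset == "SERVFAIL":
            # A failed lookup is not "no restriction": issuance must stop.
            return ("fail", f"SERVFAIL looking up CAA for {name}")
        if rrset:
            # The first non-empty CAA set is the relevant one; stop climbing.
            issuers = [v.split(";")[0].strip() for tag, v in rrset if tag == "issue"]
            if not issuers or ca in issuers:
                return ("allow", f"CAA at {name} permits {ca}")
            return ("deny", f"CAA at {name} does not list {ca}")
    return ("allow", "no CAA records found")


if __name__ == "__main__":
    print(caa_decision("homer276.duckdns.org", DUCKDNS_BROKEN))
    print(caa_decision("homer276.duckdns.org", DUCKDNS_HEALTHY))
    print(caa_decision("www.example.com", OTHER_CA_ONLY))
```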

Good morning,
tks for the hints. This morning the renewal of the certificate worked as planned. But I guess that sooner or later I change back to “dyndns.org”

Have a nice day
