Problem with LetsEncrypt - Renew Topic is solved

Joulinar
Posts: 4823
Joined: Sat Nov 16, 2019 12:49 am

Re: Problem with LetsEncrypt - Renew

Post by Joulinar »

Hmm, quite strange. What web server are you using?

As well, can you post the following:

Code:

ss -tulpn | grep LISTEN

Pls let us know if a solution is working. This could help others if they are hit by a similar situation. Your DietPi Team
GreenGentleman
Posts: 47
Joined: Mon Nov 09, 2020 4:10 pm

Re: Problem with LetsEncrypt - Renew

Post by GreenGentleman »

Code:

root@DietPi:~# ss -tulpn | grep LISTEN
tcp     LISTEN   0        1024             0.0.0.0:443           0.0.0.0:*       users:(("lighttpd",pid=1110,fd=6))
tcp     LISTEN   0        5              127.0.0.1:4711          0.0.0.0:*       users:(("pihole-FTL",pid=465,fd=14))
tcp     LISTEN   0        80             127.0.0.1:3306          0.0.0.0:*       users:(("mysqld",pid=606,fd=23))
tcp     LISTEN   0        511            127.0.0.1:6379          0.0.0.0:*       users:(("redis-server",pid=539,fd=7))
tcp     LISTEN   0        1024             0.0.0.0:80            0.0.0.0:*       users:(("lighttpd",pid=1110,fd=4))
tcp     LISTEN   0        32               0.0.0.0:53            0.0.0.0:*       users:(("pihole-FTL",pid=465,fd=9))
tcp     LISTEN   0        1000             0.0.0.0:22            0.0.0.0:*       users:(("dropbear",pid=520,fd=3))
tcp     LISTEN   0        5                  [::1]:4711             [::]:*       users:(("pihole-FTL",pid=465,fd=16))
tcp     LISTEN   0        511                [::1]:6379             [::]:*       users:(("redis-server",pid=539,fd=8))
tcp     LISTEN   0        1024                [::]:80               [::]:*       users:(("lighttpd",pid=1110,fd=5))
tcp     LISTEN   0        32                  [::]:53               [::]:*       users:(("pihole-FTL",pid=465,fd=11))
tcp     LISTEN   0        1000                [::]:22               [::]:*       users:(("dropbear",pid=520,fd=4))

I'm running the basic owncloud + pihole installed via dietpi-software. Server is (as you can see) lighttpd.

Could the problem be that http requests get redirected to https by lighttpd?
Joulinar
Posts: 4823
Joined: Sat Nov 16, 2019 12:49 am

Re: Problem with LetsEncrypt - Renew

Post by Joulinar »

Still I can't replicate your issue.

Even if it is not related, let's clean your system and disable https + redirect:

Code:

lighty-disable-mod dietpi-https
lighty-disable-mod dietpi-https_redirect
service lighttpd force-reload
systemctl restart lighttpd.service

Let's clear certificates:

Code:

rm -r /etc/letsencrypt/*

OK, try to create a new cert:

Code:

dietpi-letsencrypt

Pls, if possible, post the output of dietpi-letsencrypt once done.
GreenGentleman
Posts: 47
Joined: Mon Nov 09, 2020 4:10 pm

Re: Problem with LetsEncrypt - Renew

Post by GreenGentleman »

Code:

root@DietPi:~# lighty-disable-mod dietpi-https
Disabling dietpi-https
Run "service lighttpd force-reload" to enable changes
root@DietPi:~# lighty-disable-mod dietpi-https_redirect
Disabling dietpi-https_redirect
Run "service lighttpd force-reload" to enable changes
root@DietPi:~# service lighttpd force-reload
root@DietPi:~# systemctl restart lighttpd.service
root@DietPi:~# rm -r /etc/letsencrypt/*
root@DietPi:~# dietpi-letsencrypt

 DietPi-LetsEncrypt
─────────────────────────────────────────────────────
 Mode: Running Certbot

[  OK  ] DietPi-LetsEncrypt | Lighttpd webserver detected
[  OK  ] DietPi-LetsEncrypt | systemctl start lighttpd
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for my_domain
Using the webroot path /var/www for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. my_domain (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://my_domain/.well-known/acme-challenge/_ZjLIczfWAqngGccJRNRvY-3UtoByEfE8j2CFrGT2os: Error getting validation data

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: my_domain
   Type:   connection
   Detail: Fetching
   http://my_domain/.well-known/acme-challenge/_ZjLIczfWAqngGccJRNRvY-3UtoByEfE8j2CFrGT2os:
   Error getting validation data

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
[FAILED] DietPi-LetsEncrypt | Certbot failed, please check its above terminal output. Aborting...

Press any key to return to the DietPi-LetsEncrypt menu ...

I also noticed that I still get redirected to the https version if I open http://my_domain, so I can't access my owncloud for now. Maybe that's the reason why certbot still doesn't work?
Joulinar
Posts: 4823
Joined: Sat Nov 16, 2019 12:49 am

Re: Problem with LetsEncrypt - Renew

Post by Joulinar »

Usually we disabled https before recreating the cert.

Probably it got reactivated by dietpi-letsencrypt even if the certificate could not be created.

Can you try to disable it again and check if you are able to reach your system on http? Because you still have issues resolving the domain correctly. Are you sure your DDNS is set correctly?

Code:

lighty-disable-mod dietpi-https
lighty-disable-mod dietpi-https_redirect
service lighttpd force-reload
systemctl restart lighttpd.service
GreenGentleman
Posts: 47
Joined: Mon Nov 09, 2020 4:10 pm

Re: Problem with LetsEncrypt - Renew

Post by GreenGentleman »

Looks like it was already disabled.

Code:

root@DietPi:~# lighty-disable-mod dietpi-https
Already disabled dietpi-https
Run "service lighttpd force-reload" to enable changes
root@DietPi:~# lighty-disable-mod dietpi-https_redirect
Already disabled dietpi-https_redirect
Run "service lighttpd force-reload" to enable changes
root@DietPi:~# service lighttpd force-reload
root@DietPi:~# systemctl restart lighttpd.service
root@DietPi:~#

Accessing http://my_domain still leads me to the https version (with no connection possible, because there's no valid certificate currently). Could there be another setting that forces that redirect?

> Are you sure your DDNS is set correctly?

I had no problems accessing the domain from the outside before (for about half a year, until now with the certificate problems), so I assume everything in those settings should be fine. The DDNS status is currently "updated", too.
Joulinar
Posts: 4823
Joined: Sat Nov 16, 2019 12:49 am

Re: Problem with LetsEncrypt - Renew

Post by Joulinar »

Let's check used ports:

Code:

ss -tulpn | grep LISTEN

and active configs:

Code:

ls -la /etc/lighttpd/conf-enabled/
GreenGentleman
Posts: 47
Joined: Mon Nov 09, 2020 4:10 pm

Re: Problem with LetsEncrypt - Renew

Post by GreenGentleman »

Code:

root@DietPi:~# ss -tulpn | grep LISTEN
tcp     LISTEN   0        5              127.0.0.1:4711          0.0.0.0:*       users:(("pihole-FTL",pid=468,fd=14))   
tcp     LISTEN   0        80             127.0.0.1:3306          0.0.0.0:*       users:(("mysqld",pid=608,fd=20))       
tcp     LISTEN   0        511            127.0.0.1:6379          0.0.0.0:*       users:(("redis-server",pid=541,fd=7))  
tcp     LISTEN   0        1024             0.0.0.0:80            0.0.0.0:*       users:(("lighttpd",pid=3040,fd=4))     
tcp     LISTEN   0        32               0.0.0.0:53            0.0.0.0:*       users:(("pihole-FTL",pid=468,fd=9))    
tcp     LISTEN   0        1000             0.0.0.0:22            0.0.0.0:*       users:(("dropbear",pid=522,fd=3))      
tcp     LISTEN   0        5                  [::1]:4711             [::]:*       users:(("pihole-FTL",pid=468,fd=18))   
tcp     LISTEN   0        511                [::1]:6379             [::]:*       users:(("redis-server",pid=541,fd=8))  
tcp     LISTEN   0        1024                [::]:80               [::]:*       users:(("lighttpd",pid=3040,fd=5))     
tcp     LISTEN   0        32                  [::]:53               [::]:*       users:(("pihole-FTL",pid=468,fd=11))   
tcp     LISTEN   0        1000                [::]:22               [::]:*       users:(("dropbear",pid=522,fd=4))      
root@DietPi:~# ls -la /etc/lighttpd/conf-enabled/
total 8
drwxr-xr-x 2 root root 4096 May 18 14:44 .
drwxr-xr-x 4 root root 4096 Feb 28 13:28 ..
lrwxrwxrwx 1 root root   33 Oct 29  2020 10-fastcgi.conf -> ../conf-available/10-fastcgi.conf
lrwxrwxrwx 1 root root   33 Oct 29  2020 10-rewrite.conf -> ../conf-available/10-rewrite.conf
lrwxrwxrwx 1 root root   37 Oct 29  2020 15-fastcgi-php.conf -> ../conf-available/15-fastcgi-php.conf
lrwxrwxrwx 1 root root   37 Oct 29  2020 98-dietpi-hsts.conf -> ../conf-available/98-dietpi-hsts.conf
lrwxrwxrwx 1 root root   45 Oct 29  2020 99-dietpi-dav_redirect.conf -> ../conf-available/99-dietpi-dav_redirect.conf
lrwxrwxrwx 1 root root   41 Oct 29  2020 99-dietpi-owncloud.conf -> ../conf-available/99-dietpi-owncloud.conf
lrwxrwxrwx 1 root root   58 Oct 29  2020 99-dietpi-pihole-block_public_admin.conf -> ../conf-available/99-dietpi-pihole-block_public_admin.conf
lrwxrwxrwx 1 root root   39 Oct 29  2020 99-dietpi-pihole.conf -> ../conf-available/99-dietpi-pihole.conf
lrwxrwxrwx 1 root root   38 Oct 29  2020 99-unconfigured.conf -> ../conf-available/99-unconfigured.conf
Joulinar
Posts: 4823
Joined: Sat Nov 16, 2019 12:49 am

Re: Problem with LetsEncrypt - Renew

Post by Joulinar »

HTTPS is not active anymore. As you can see, only port 80 is used by lighttpd. As well, the https redirect configuration is not present. This means your system should be reachable on http. Did you try to access the system using local IP instead of DDNS?
GreenGentleman
Posts: 47
Joined: Mon Nov 09, 2020 4:10 pm

Re: Problem with LetsEncrypt - Renew

Post by GreenGentleman »

Could /conf-available/98-dietpi-hsts.conf be a problem?

> Did you try to access the system using local IP instead of DDNS?
Accessing the domain via local IP works, via public IP I get a timeout. Via URL I get "Connection failed".
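
Added example, not part of any post in this thread: a small shell helper that classifies the response headers of a plain-HTTP request to the ACME challenge path, so a server-side redirect, a still-active HSTS header and an unreachable port 80 can be told apart. The function names, the `probe.txt` file name and the sample headers are constructed for illustration; `my_domain` is the placeholder already used in the thread.

```shell
#!/bin/sh
# Added example: classify the headers of a plain-HTTP probe of the ACME
# challenge path. Function names and probe.txt are illustrative.

# Reads response headers on stdin (as printed by `curl -sI`) and prints one of:
# redirect-to-https | redirect-other | served-over-http | error-<code> | no-response
classify_headers() {
    tr -d '\r' | awk '
        NR == 1 && /^HTTP\// { code = $2 }
        tolower($1) == "location:" { loc = tolower($2) }
        END {
            if (code == "") print "no-response"
            else if (code ~ /^3/ && loc ~ /^https:/) print "redirect-to-https"
            else if (code ~ /^3/) print "redirect-other"
            else if (code ~ /^2/) print "served-over-http"
            else print "error-" code
        }'
}

# Exit status 0 if the headers on stdin carry an HSTS policy.
has_hsts() {
    tr -d '\r' | grep -qi '^strict-transport-security:'
}

# Live probe, not called here: request headers without following redirects.
# A timeout or refused connection produces no headers, hence "no-response".
probe() {
    curl -sI -m 10 "http://$1/.well-known/acme-challenge/probe.txt" | classify_headers
}

# Constructed sample responses (not captured from the system in the thread).
SAMPLE_REDIRECT='HTTP/1.1 301 Moved Permanently
Location: https://my_domain/.well-known/acme-challenge/probe.txt
'
SAMPLE_PLAIN='HTTP/1.1 200 OK
Content-Type: text/plain
'
SAMPLE_HSTS='HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000
'

for sample in "$SAMPLE_REDIRECT" "$SAMPLE_PLAIN" "$SAMPLE_HSTS"; do
    result=$(printf '%s' "$sample" | classify_headers)
    if printf '%s' "$sample" | has_hsts; then hsts=yes; else hsts=no; fi
    echo "$result hsts=$hsts"
done
```

A browser that received an HSTS policy over HTTPS earlier keeps upgrading http:// requests on its own until the policy's max-age expires, regardless of the server's redirect configuration; curl keeps no such cache by default, so probe with curl rather than a browser.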