troykelly / hassio-addons-letsencrypt-lexicon

Home Assistant Addon that provides Let's Encrypt with Lexicon
Apache License 2.0

Certificate will not renew #7

Closed faridanthony closed 3 years ago

faridanthony commented 3 years ago

Hi,

I did not have the renew automation set up initially, but I have added it now. I tried to uninstall and reinstall the add-on but it will not renew my cert. I also tried uninstalling and clearing the /ssl dir, reinstalling, and setting up config. Everything starts correctly but it seems my cert is still not renewed. Any idea on what I can do to force a renew?

troykelly commented 3 years ago

Hi there @faridanthony. Does the log reveal anything as to why the renew is failing? Every time the add-on runs - it will generate a log - this is an example of it running, but not renewing because the certificates have not expired:

[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] done.
[services.d] starting services
[services.d] done.
[11:29:00] INFO: [ha001_automation_sy3_example_com]:    ha001.automation.sy3.example.com cp.example.com
[11:29:00] INFO: [__ha001_automation_sy3_example_com]:  *.ha001.automation.sy3.example.com
[11:29:00] INFO: Requesting domains from LetsEncrypt
# Home Assistant Domains
ha001.automation.sy3.example.com cp.example.com > ha001_automation_sy3_example_com
*.ha001.automation.sy3.example.com > __ha001_automation_sy3_example_com
# END Home Assistant Domains
# INFO: Using main config file /etc/dehydrated/config
Processing ha001.automation.sy3.example.com with alternative names: cp.example.com 
 + Checking domain name(s) of existing cert... unchanged.
 + Checking expire date of existing cert...
 + Valid till Oct 17 16:02:31 2021 GMT (Longer than 30 days). Skipping renew!
unchanged_cert called: ha001.automation.sy3.example.com, /ssl/ha001_automation_sy3_example_com/privkey.pem, /ssl/ha001_automation_sy3_example_com/cert.pem, /ssl/ha001_automation_sy3_example_com/fullchain.pem, /ssl/ha001_automation_sy3_example_com/chain.pem
Processing *.ha001.automation.sy3.example.com
 + Checking domain name(s) of existing cert... unchanged.
 + Checking expire date of existing cert...
 + Valid till Oct 17 16:03:44 2021 GMT (Longer than 30 days). Skipping renew!
unchanged_cert called: *.ha001.automation.sy3.example.com, /ssl/__ha001_automation_sy3_example_com/privkey.pem, /ssl/__ha001_automation_sy3_example_com/cert.pem, /ssl/__ha001_automation_sy3_example_com/fullchain.pem, /ssl/__ha001_automation_sy3_example_com/chain.pem
[11:29:02] INFO: Copying domains and keys
[11:29:02] INFO: Cleaning Up
# INFO: Using main config file /etc/dehydrated/config
[11:29:03] INFO: Finished
[cmd] /run.sh exited 0
[cont-finish.d] executing container finish scripts...
[cont-finish.d] done.
[s6-finish] waiting for services.
[s6-finish] sending all processes the TERM signal.

faridanthony commented 3 years ago

@troykelly

It shows skipping as the cert is valid until Nov 8, but when I browse the site it shows the cert expired Saturday, March 20, 2021. See below for logs (I replaced my domain name with a dummy):

[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] done.
[services.d] starting services
[services.d] done.
[10:33:09] INFO: [host_mydomain_com]:   host.mydomain.com
[10:33:09] INFO: Requesting domains from LetsEncrypt
# Home Assistant Domains
host.mydomain.com > host_mydomain_com
# END Home Assistant Domains
# INFO: Using main config file /etc/dehydrated/config
Processing host.mydomain.com
 + Checking domain name(s) of existing cert... unchanged.
 + Checking expire date of existing cert...
 + Valid till Nov  8 18:37:52 2021 GMT (Longer than 30 days). Skipping renew!
unchanged_cert called: host.mydomain.com, /ssl/host_mydomain_com/privkey.pem, /ssl/host_mydomain_com/cert.pem, /ssl/host_mydomain_com/fullchain.pem, /ssl/host_mydomain_com/chain.pem
[10:33:12] INFO: Copying domains and keys
[10:33:12] INFO: Cleaning Up
# INFO: Using main config file /etc/dehydrated/config
[10:33:13] INFO: Finished
[cmd] /run.sh exited 0
[cont-finish.d] executing container finish scripts...
[cont-finish.d] done.
[s6-finish] waiting for services.
[s6-finish] sending all processes the TERM signal.

faridanthony commented 3 years ago

@troykelly It seems I was able to resolve this by adding the domain path for certfile and keyfile to my NGINX Home Assistant SSL proxy config as follows:

domain: host.mydomain.com
certfile: host_mydomain_com/fullchain.pem
keyfile: host_mydomain_com/privkey.pem
hsts: max-age=31536000; includeSubDomains
cloudflare: false
customize:
  active: false
  default: nginx_proxy_default*.conf
  servers: nginx_proxy/*.conf
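
The mismatch this thread ends on (dehydrated reports a valid certificate while the proxy serves an expired one from another path) can be checked mechanically. The following is an added example, not part of the thread or of the add-on's code: the function names are hypothetical, the log is a constructed sample built from the lines quoted above, and the served expiry is supplied by the caller in the format `openssl x509 -noout -enddate` prints.

```python
import re
import ssl

# Constructed sample: the dehydrated lines from the log quoted in this thread.
SAMPLE_LOG = """\
Processing host.mydomain.com
 + Checking domain name(s) of existing cert... unchanged.
 + Checking expire date of existing cert...
 + Valid till Nov  8 18:37:52 2021 GMT (Longer than 30 days). Skipping renew!
unchanged_cert called: host.mydomain.com, /ssl/host_mydomain_com/privkey.pem, /ssl/host_mydomain_com/cert.pem, /ssl/host_mydomain_com/fullchain.pem, /ssl/host_mydomain_com/chain.pem
"""

PROCESSING = re.compile(r"^Processing (\S+)")
VALID_TILL = re.compile(r"^\s*\+ Valid till (.+? GMT)")
UNCHANGED = re.compile(r"^unchanged_cert called: (\S+), (\S+), (\S+), (\S+), (\S+)\s*$")


def managed_certs(log_text):
    """Map each domain dehydrated processed to its expiry (epoch) and fullchain path."""
    certs, current = {}, None
    for line in log_text.splitlines():
        if m := PROCESSING.match(line):
            current = m.group(1)
            certs[current] = {"not_after": None, "fullchain": None}
        elif (m := VALID_TILL.match(line)) and current:
            certs[current]["not_after"] = ssl.cert_time_to_seconds(m.group(1))
        elif (m := UNCHANGED.match(line)) and m.group(1) in certs:
            certs[m.group(1)]["fullchain"] = m.group(4)  # 4th path is fullchain.pem
    return certs


def check_served(log_text, domain, served_not_after):
    """Compare the expiry the server presents with the one dehydrated reported.

    served_not_after is read from the browser or from `openssl x509 -noout
    -enddate`, with or without the leading 'notAfter='.
    """
    managed = managed_certs(log_text).get(domain)
    if managed is None or managed["not_after"] is None:
        return "unknown: no expiry for %s in the log" % domain
    served = ssl.cert_time_to_seconds(served_not_after.split("=", 1)[-1].strip())
    if served == managed["not_after"]:
        return "ok: server presents the certificate dehydrated manages"
    return ("mismatch: server is not using %s; check certfile/keyfile in the proxy config"
            % managed["fullchain"])
```

Calling `check_served(SAMPLE_LOG, "host.mydomain.com", "notAfter=Mar 20 12:00:00 2021 GMT")` (time of day constructed; the thread gives only the date) returns the mismatch result and names the `fullchain.pem` path the proxy should point to.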