Cannot renew/issue lets-encrypt certificates

I did go through all previous discussions on this issue and could not find a valid solution

My YunoHost server

Hardware: Pi 4
YunoHost version: 4.1.x (currently upgraded to 4.2 wherein the issue still persists)
I have access to my server : SSH + Webmin
Are you in a special context or did you perform some particular tweaking on your YunoHost instance ? : no

I tried to create a new domain for zeronet and then tried to issue a lets encrypt certificate from the web interface wherein it failed. Then I tried to renew my main domain ( which happened successfully. So, I tried renewing my homeassistant domain but it failed, so I converted it into self-signed and trying creating a new one.

  force: false
  no_checks: false
  staging: false
ended_at: 2021-04-24 09:23:37.466222
error: 'Certificate installation for homeassistant.domain2.tld failed !

  Exception: Could not sign the new certificate'
interface: api
operation: letsencrypt_cert_install
parent: null
- - domain
  - homeassistant.domain2.tld
started_at: 2021-04-24 09:23:20.302254
success: false
yunohost_version: 4.1.8


2021-04-24 10:23:20,326: DEBUG - Making sure tmp folders exists...
2021-04-24 10:23:20,327: DEBUG - Reusing IPv4 from cache: xx.xx.xx.xx
2021-04-24 10:23:20,328: DEBUG - Reusing IPv6 from cache: None
2021-04-24 10:23:20,329: DEBUG - Prepare key and certificate signing request (CSR) for homeassistant.domain2.tld...
2021-04-24 10:23:22,794: DEBUG - Saving to /tmp/acme-challenge-private/homeassistant.domain2.tld.csr.
2021-04-24 10:23:22,795: DEBUG - Now using ACME Tiny to sign the certificate...
2021-04-24 10:23:22,796: INFO - Parsing account key...
2021-04-24 10:23:22,824: INFO - Parsing CSR...
2021-04-24 10:23:22,852: INFO - Found domains: homeassistant.domain2.tld
2021-04-24 10:23:22,854: INFO - Getting directory...
2021-04-24 10:23:24,280: INFO - Directory found!
2021-04-24 10:23:24,282: INFO - Registering account...
2021-04-24 10:23:31,947: INFO - Already registered!
2021-04-24 10:23:31,949: INFO - Creating new order...
2021-04-24 10:23:34,599: INFO - Order created!
2021-04-24 10:23:37,209: INFO - Verifying homeassistant.domain2.tld...
2021-04-24 10:23:37,461: ERROR - Wrote file to /tmp/acme-challenge-public/eVtpKzhWIpTVJ33_qQH23fvUbukMB_N7flhtdB-utBA, but couldn't download http://homeassistant.domain2.tld/.well-known/acme-challenge/eVtpKzhWIpTVJ33_qQH23fvUbukMB_N7flhtdB-utBA: Error:
Url: http://homeassistant.domain2.tld/.well-known/acme-challenge/eVtpKzhWIpTVJ33_qQH23fvUbukMB_N7flhtdB-utBA
Data: None
Response Code: None
Response: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:727)>
2021-04-24 10:23:37,464: ERROR - Certificate installation for homeassistant.domain2.tld failed !
Exception: Could not sign the new certificate

For some reason the folder is only accessible on the main domain:

root@pi4:/home/admin# echo "hello world!" >> /tmp/acme-challenge-public/hello
root@pi4:/home/admin# curl
hello world!
root@pi4:/home/admin# curl

respective, curl -v:

root@pi4:/home/admin# curl -v
* Expire in 0 ms for 6 (transfer 0x13778b0)
* Expire in 1 ms for 1 (transfer 0x13778b0)
*   Trying
* Expire in 200 ms for 4 (transfer 0x13778b0)
* Connected to ( port 80 (#0)
> GET /.well-known/acme-challenge/hello HTTP/1.1
> Host:
> User-Agent: curl/7.64.0
> Accept: */*
< HTTP/1.1 200 OK
< Server: nginx
< Date: Sat, 24 Apr 2021 10:33:34 GMT
< Content-Type: text/plain
< Content-Length: 13
< Last-Modified: Sat, 24 Apr 2021 10:31:09 GMT
< Connection: keep-alive
< X-SSO-WAT: You've just been SSOed
< ETag: "6083f36d-d"
< Accept-Ranges: bytes
hello world!
* Connection #0 to host left intact
root@pi4:/home/admin# curl -v
* Expire in 0 ms for 6 (transfer 0x176a8b0)
* Expire in 50 ms for 1 (transfer 0x176a8b0)
*   Trying
* Expire in 200 ms for 4 (transfer 0x176a8b0)
* Connected to ( port 80 (#0)
> GET /.well-known/acme-challenge/hello HTTP/1.1
> Host:
> User-Agent: curl/7.64.0
> Accept: */*
< HTTP/1.1 307 
< X-Download-Options: noopen
< X-Frame-Options: SAMEORIGIN
< X-XSS-Protection: 1; mode=block
< Content-Length: 0
* Connection #0 to host left intact

At this point, I tried pinging the domains and found that pi4 is redirected to whereas all the other are being redirected to the global IP. A quick fix was adding all the domains to /etc/hosts (pi4 was already there).

Is this patch of adding individually to the domain list needed or is there something else wrong?

Is there anything in the diagnosis that could be related ? Even in the ignored ones ? Maybe something with /etc/resolv.conf ?

Only the resolve.conf issue

The file /etc/resolv.conf should be a symlink to /etc/resolvconf/run/resolv.conf itself pointing to (dnsmasq). If you want to manually configure DNS resolvers, please edit /etc/resolv.dnsmasq.conf.

This has been there since day 0 on both my servers (I flashed the image on the pi in question, and installed via cURL on the other)

Then that’s probably the root cause of the issue, though the diagnosis doesn’t explain how to fix it.

You probably want to rm /etc/resolv.conf then ln -s /etc/resolvconf/run/resolv.conf /etc/resolv.conf

1 Like


Quick questtion while I try this fix, why is it happening on a clean installation?

hmm, this did not fix it. Same error as before after symlinking and restarting the server. Temporary fix is adding it into /etc/hosts

Because /etc/resolv.conf is a subject of a war between many programs for its control, between resolvconf (the service), networkmanager, dhcpclient, and probably many others. It’s difficult to design a reliable way to initialize this file correctly while still allowing people to customize it manually if they want/have to :confused:

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.