I did go through all previous discussions on this issue and could not find a valid solution.
My YunoHost server
Hardware: Pi 4
YunoHost version: 4.1.x (currently upgraded to 4.2 wherein the issue still persists)
I have access to my server : SSH + Webmin
Are you in a special context or did you perform some particular tweaking on your YunoHost instance ? : no
I tried to create a new domain for zeronet and then tried to issue a Let's Encrypt certificate from the web interface, wherein it failed. Then I tried to renew my main domain (pi4.navan.dev), which happened successfully. So I tried renewing my homeassistant domain, but it failed, so I converted it into self-signed and tried creating a new one.
args:
  force: false
  no_checks: false
  staging: false
ended_at: 2021-04-24 09:23:37.466222
error: 'Certificate installation for homeassistant.domain2.tld failed !
  Exception: Could not sign the new certificate'
interface: api
operation: letsencrypt_cert_install
parent: null
related_to:
- - domain
  - homeassistant.domain2.tld
started_at: 2021-04-24 09:23:20.302254
success: false
yunohost_version: 4.1.8
============
2021-04-24 10:23:20,326: DEBUG - Making sure tmp folders exists...
2021-04-24 10:23:20,327: DEBUG - Reusing IPv4 from cache: xx.xx.xx.xx
2021-04-24 10:23:20,328: DEBUG - Reusing IPv6 from cache: None
2021-04-24 10:23:20,329: DEBUG - Prepare key and certificate signing request (CSR) for homeassistant.domain2.tld...
2021-04-24 10:23:22,794: DEBUG - Saving to /tmp/acme-challenge-private/homeassistant.domain2.tld.csr.
2021-04-24 10:23:22,795: DEBUG - Now using ACME Tiny to sign the certificate...
2021-04-24 10:23:22,796: INFO - Parsing account key...
2021-04-24 10:23:22,824: INFO - Parsing CSR...
2021-04-24 10:23:22,852: INFO - Found domains: homeassistant.domain2.tld
2021-04-24 10:23:22,854: INFO - Getting directory...
2021-04-24 10:23:24,280: INFO - Directory found!
2021-04-24 10:23:24,282: INFO - Registering account...
2021-04-24 10:23:31,947: INFO - Already registered!
2021-04-24 10:23:31,949: INFO - Creating new order...
2021-04-24 10:23:34,599: INFO - Order created!
2021-04-24 10:23:37,209: INFO - Verifying homeassistant.domain2.tld...
2021-04-24 10:23:37,461: ERROR - Wrote file to /tmp/acme-challenge-public/eVtpKzhWIpTVJ33_qQH23fvUbukMB_N7flhtdB-utBA, but couldn't download http://homeassistant.domain2.tld/.well-known/acme-challenge/eVtpKzhWIpTVJ33_qQH23fvUbukMB_N7flhtdB-utBA: Error:
Url: http://homeassistant.domain2.tld/.well-known/acme-challenge/eVtpKzhWIpTVJ33_qQH23fvUbukMB_N7flhtdB-utBA
Data: None
Response Code: None
Response: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:727)>
2021-04-24 10:23:37,464: ERROR - Certificate installation for homeassistant.domain2.tld failed !
Exception: Could not sign the new certificate
For some reason the folder is only accessible on the main domain:
root@pi4:/home/admin# echo "hello world!" >> /tmp/acme-challenge-public/hello
root@pi4:/home/admin# curl pi4.navan.dev/.well-known/acme-challenge/hello
hello world!
root@pi4:/home/admin# curl homeassistant.navan.dev/.well-known/acme-challenge/hello
Respective curl -v:
root@pi4:/home/admin# curl -v pi4.navan.dev/.well-known/acme-challenge/hello
* Expire in 0 ms for 6 (transfer 0x13778b0)
...
* Expire in 1 ms for 1 (transfer 0x13778b0)
* Trying 127.0.0.1...
* TCP_NODELAY set
* Expire in 200 ms for 4 (transfer 0x13778b0)
* Connected to pi4.navan.dev (127.0.0.1) port 80 (#0)
> GET /.well-known/acme-challenge/hello HTTP/1.1
> Host: pi4.navan.dev
> User-Agent: curl/7.64.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: nginx
< Date: Sat, 24 Apr 2021 10:33:34 GMT
< Content-Type: text/plain
< Content-Length: 13
< Last-Modified: Sat, 24 Apr 2021 10:31:09 GMT
< Connection: keep-alive
< X-SSO-WAT: You've just been SSOed
< ETag: "6083f36d-d"
< Accept-Ranges: bytes
<
hello world!
* Connection #0 to host pi4.navan.dev left intact
root@pi4:/home/admin# curl -v homeassistant.navan.dev/.well-known/acme-challenge/hello
* Expire in 0 ms for 6 (transfer 0x176a8b0)
...
* Expire in 50 ms for 1 (transfer 0x176a8b0)
* Trying 122.160.47.68...
* TCP_NODELAY set
* Expire in 200 ms for 4 (transfer 0x176a8b0)
* Connected to homeassistant.navan.dev (122.160.47.68) port 80 (#0)
> GET /.well-known/acme-challenge/hello HTTP/1.1
> Host: homeassistant.navan.dev
> User-Agent: curl/7.64.0
> Accept: */*
>
< HTTP/1.1 307
< LOCATION: https://homeassistant.navan.dev/.well-known/acme-challenge/hello
< X-Download-Options: noopen
< X-Frame-Options: SAMEORIGIN
< X-XSS-Protection: 1; mode=block
< Content-Length: 0
<
* Connection #0 to host homeassistant.navan.dev left intact
root@pi4:/home/admin#
At this point, I tried pinging the domains and found that pi4 is redirected to 127.0.0.1 whereas all the others are being redirected to the global IP. A quick fix was adding all the domains to /etc/hosts (pi4 was already there).
Is this patch of adding individually to the domain list needed or is there something else wrong?
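
The difference observed above between pi4 and the other domains can be checked for every domain at once. The script below is an added example, not part of the original post and not YunoHost code: it parses a hosts file and lists the domains that have no loopback entry. The function names and the sample hosts content are constructed for illustration, and it assumes the resolver consults /etc/hosts before DNS.

```shell
#!/bin/sh
# Added example: report which domains have no loopback mapping in a hosts file.
# All function names here are hypothetical helpers, not YunoHost commands.

# hosts_addr FILE DOMAIN -> prints the first address mapped to DOMAIN (empty if none)
hosts_addr() {
    awk -v d="$2" '
        BEGIN { d = tolower(d) }
        { sub(/#.*/, "") }          # drop comments, which also re-splits the fields
        NF < 2 { next }             # blank line or address with no names
        { for (i = 2; i <= NF; i++) # a line may carry several aliases
              if (tolower($i) == d) { print $1; exit } }
    ' "$1"
}

# is_loopback ADDR -> exit status 0 for 127.0.0.0/8 or ::1
is_loopback() {
    case "$1" in
        127.*|::1) return 0 ;;
        *)         return 1 ;;
    esac
}

# missing_loopback FILE DOMAIN... -> prints each domain without a loopback entry
missing_loopback() {
    file=$1; shift
    for dom in "$@"; do
        addr=$(hosts_addr "$file" "$dom")
        is_loopback "$addr" || echo "$dom"
    done
}

# Constructed sample: only the main domain is mapped, as in the post.
sample_hosts() {
    cat <<'EOF'
127.0.0.1   localhost
::1         localhost ip6-localhost
127.0.0.1   pi4.navan.dev   # main domain
EOF
}

# Demo on the constructed sample; pass /etc/hosts instead on a real server.
tmp=$(mktemp)
sample_hosts > "$tmp"
missing_loopback "$tmp" pi4.navan.dev homeassistant.navan.dev
rm -f "$tmp"
```

Any domain it prints is fetched through the public IP during the local challenge check, which is the path that returned the 307 redirect to HTTPS in the curl output above.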