Issue with Let's Encrypt certificate

My YunoHost server

Hardware: Raspberry Pi 4 at home
YunoHost version: 11.2.9.1 (stable)
I have access to my server : Through SSH | through the webadmin | direct access via keyboard / screen | …
Are you in a special context or did you perform some particular tweaking on your YunoHost instance ? : no
My IT skill : Proto newbie comfortable with the command line

Description of my issues

Issue n°1: can't share logs with Yunohostpastelog

error message : Error: Something wrong happened while trying to paste data on paste.yunohost.org : HTTPSConnectionPool(host=‘paste.yunohost.org’, port=443): Read timed out. (read timeout=30)

Issue n°2: getting Let's Encrypt certificates, tried after a fresh YunoHost install

Error message with `sudo yunohost domain cert-install pi-scine.xyz`:

```
sudo yunohost domain cert-install pi-scine.xyz
Warning: 'yunohost domain cert-install' is deprecated and will be removed in the future
Warning: 'yunohost domain cert-install' is deprecated and will be removed in the future
Warning: 'yunohost domain cert-install' is deprecated and will be removed in the future
Info: Now attempting install of certificate for domain pi-scine.xyz!
Warning: The configuration file '/etc/resolv.dnsmasq.conf' has been manually modified and will not be updated
Info: Parsing account key...
Info: Parsing CSR...
Info: Found domains: muc.pi-scine.xyz, pi-scine.xyz, xmpp-upload.pi-scine.xyz
Info: Getting directory...
Info: Directory found!
Info: Registering account...
Error: Error registering:
Url: https://acme-v02.api.letsencrypt.org/acme/new-acct
Data: b'{"protected": "eyJ1cmwiOiAiaHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvbmV3LWFjY3QiLCAiYWxnIjogIlJTMjU2IiwgIm5vbmNlIjogIjJrc2gxS1VzRmttUHEzVjdlTTZKanR1MWlwWEdFaHl0UENpX2ZPZW4za0R0bGU5cFR1WSIsICJqd2siOiB7ImUiOiAiQVFBQiIsICJrdHkiOiAiUlNBIiwgIm4iOiAiLWhLNGlnOWZ6WmFIeTE1em82aHgwTEZPUzRsSWJiREo2c0o0and5SlgySzVkNVVyVHc2Sy1VZXBOdzBtQ0x6QlU2VzVGLWhWckZacUNfZGNlUjItSjZWQXo2SS1BelVkRlhiSU9uNFg1RzUta0FjNUp3RDI2VVlLRDRLeFQzZlhCLWVBcUpkclRUeWhlTlFKYnR5Qk93OUZ6bU9JcXNDU2d3S1IxOThWa2ZwR0hLUlZwdmN4MXVWUmwtZVdFbXdNaXV3dEdwSHhtdG9wRXRWcktHcERqc0xGNTJYTGE0YXVhbjlYNFRIVE1EN0JISVczSVpLTnRlRVZoaUwxUU5zRGpMNDJoVERNR1NYbnpROXUzUjllTGFCcENybzJHOTJETjdzV2U1TlNuc3NyVzcwTnliWlpSU1R0VndhQ184VEpUMmlWeENyZlVVMGstbHF2b1V4MHRiYkR6QUp2eU93cmVkbzEwU2t5TmhNaUEwTlhkYUJNSHpPYUY2dFVVX3p1aEhaZlVkWDMwTV9hVTlGLXFSWF9MdFhHSjBHSW1fd052ZC1QWmJ2Um5jQlNuX2VkZzMyMTNpaV8zWEhDa21kSExVcjFFckMybzJDQnRKeENqZFlfVXVLOWJlYi1pZm5NOG1kQ1NFMXF6MXo5aTZxOUVWU003aloyODlpRldPTloifX0", "payload": "eyJ0ZXJtc09mU2VydmljZUFncmVlZCI6IHRydWV9", "signature": "k05P33NKX_GRkseQlBQDlY8SQAtRj_pWONYrc4Nhw9ke78_ctetrKwKKU1Sn-xjU91PzkM9U0G9dTgME0Qv4mdWvRNSAkw8OjX5Q8MfpWs4j6XmASOxW3mtRBRjiklKNeksJkAbgQ6gTmRjmkeBV6tkMBp_f2KHFhj7nMDbRy0x6OsoM1xPT-5mf36KWjDu33RCJF2s8XGP1_hiHtqgKincV9aXlJOnnz3o2Bmk6x6P_y9HZC3wGeQrIlz5euTR5ZC84vdSDEp1va-czYwgrLO9_QuEY757TLgGslnsdsJxWntVhg0oCh5XRAiiFJvdG8o_XqG_MaQygXJ9_3ZybSB9eBbQ08RuzDbtfGAV1Cgdi3deC4cAn8KCuV7vVtXk_AsMolOm5kcPyk0mcwJDqo911IS3drRB25deNpVVkknEKYrZJ6DmA9qyH9XKXA1PcLUpo4VQTxzvRBHgpO_c36QXu53Oybk0cHsROR39h7PpziTfB5FqRv9KdMY5y3IHE"}'
Response Code: None
Response: Remote end closed connection without response
Error: Certificate installation for pi-scine.xyz failed !
Exception: Could not sign the new certificate
Info: The operation 'Install a Let's Encrypt certificate on 'pi-scine.xyz' domain' could not be completed. Please share the full log of this operation using the command 'yunohost log share 20240203-124347-letsencrypt_cert_install-pi-scine.xyz' to get help
Error: Please consider checking the 'DNS records' (basic) and 'Web' categories of the diagnosis to check for possible issues that may prevent installing a Let's Encrypt certificate on domain pi-scine.xyz.
Error: Let's Encrypt certificate install failed for pi-scine.xyz
```

I am using a VPN client configured with a .cube file from Aquilenet.

Everything is OK in the diagnosis except:

**1- Reverse DNS is not correctly configured for IPv4.** Some emails may not be delivered or may be flagged as spam.

* Current reverse DNS: `vpn-0-248.aquilenet.fr`
  Expected value: `pi-scine.xyz`

**2- No reverse DNS is defined for IPv6.** Some emails may not be delivered or may be flagged as spam.

**3- The configuration file `/etc/resolv.dnsmasq.conf` appears to have been modified manually.**

 *This is probably fine if you know what you are doing! YunoHost will stop updating this file automatically... But be careful, YunoHost updates may contain important recommended changes. If you wish, you can inspect the differences with `yunohost tools regen-conf dnsmasq --dry-run --with-diff` and force a reset to the recommended configuration with `yunohost tools regen-conf dnsmasq --force`*

About issue n°2
In the VPN client app I have this configured in the DNS & IPv6 tab:

### DNS

DNS resolvers: *Custom DNS resolvers*

185.233.100.100, 185.233.100.101

### IPv6

IPv6 prefix (I shouldn't share that, right?)

IPv6 (I shouldn't share that, right?)

I am not sure what is safe to share here from the output of `yunohost tools regen-conf dnsmasq --dry-run --with-diff`.

Should I just hide IPv4 and IPv6?

I hope I have been clear enough.
Thank you very much for the great work on YunoHost, really amazing and straightforward.

Thanks in advance for the help

My domain name is hosted on Gandi, where I also manage my DNS records. Could that be the problem? From what I understood, Gandi and certbot are not the best of friends …
Help please :smiley:

Hi! I have been using gandi and certbot without any problems. But mine is a VPS setup, not a local machine with VPN.

I can see in the second message that your reverse DNS is set to vpn-0-248.aquilenet.fr but YunoHost is supposed to be pi-scine.xyz. Maybe you can change it in your Gandi dashboard? But that mainly affects email delivery, not certificate encryption.

I am not sure why the Let’s Encrypt certificate renewal was failing. Did you try again?

Also, can you make sure your YunoHost is accessible from outside? To check that, use some other device that is ideally connected to a different Internet connection, enter the domain that you want to generate the certificate for, and make sure that the page loads. If there is a problem with the VPN setup and pages are not able to load from outside, that might be why it’s failing.

Is my YunoHost accessible from outside?
No it is not. I tried on a different device with a different internet connection and it's not accessible. The domain is pi-scine.xyz.
Where should I go and check the config? In `etc/openvpn/client.conf`? Or somewhere else? What should I look for or verify? Is there somewhere else I should look?

About Let's Encrypt
Yes, tried again from the admin interface AND GUI, still get the same message.

Could it be that it doesn't have access to my Gandi API?
While researching I realized that I didn't share any API from Gandi to YunoHost. Should I do that in order for the certificate to be generated?

I was about to try to go around and do it manually with certbot snap and gandi-plugin …
see → GitHub - obynio/certbot-plugin-gandi: Certbot plugin for authentication using Gandi LiveDNS

About the reverse DNS
I didn't configure anything on Gandi about that. I am still really new to this and DNS is something that is easy to get confused about (for me at least). So if I understood correctly, everywhere I find my domain name I replace it with vpn-0-248.aquilenet.fr and that will correct the mail error in the diagnosis.

Thanks for the guidance. I am still enjoying it so far :smiley:

Ok, for some reason the GUI app for certificates now works in YNH!

The only thing I did was creating an API key in my Gandi webadmin, I don't know if that did the trick. Anyway, everything fine!

I mark the subject as solved!

Thanks Badrhippo!


Okay that’s great to hear!

Sometimes the DNS takes time to propagate (get applied), even after you set it. It usually happens fast but it can take up to 24 hours I think. So maybe that’s why there was a problem, and it got resolved once the DNS got updated.

For future reference: if the device is not accessible from outside the certificates will always fail. That’s because Let’s Encrypt has to talk to the server to generate the certificates, and Let’s Encrypt is (obviously) outside your local network! :slightly_smiling_face:

So the main problem would have been your server wasn’t available from outside. Once that got fixed (my guess is because of DNS propagation), the certificate renewal would have gone through as expected.

Anyway, good to know it’s working now!
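The check Badrhippo suggests earlier in the thread (open the domain from a device on a different Internet connection) and the explanation above (Let's Encrypt's validators must reach the server from outside) can be scripted as a pre-flight test. This is an added example, not YunoHost's own code nor anything from the thread: it uses only the Python standard library, the domain pi-scine.xyz is taken from the thread as the default, and the names `preflight`, `resolve_ipv4` and `fetch_status` are my own. It must be run from a machine outside the home network, otherwise it tests the LAN rather than the path the certificate authority will take.

```python
"""Pre-flight check before requesting a Let's Encrypt certificate via HTTP-01.

Added example (not YunoHost code). Run it from a device that is outside the
home network: it resolves the domain, checks that the address is globally
routable (not a private or CGNAT address handed out behind a VPN), and then
fetches the ACME challenge path over plain HTTP on port 80, the port the
Let's Encrypt validation servers connect to. resolve/fetch can be replaced
by fakes so the decision logic can be exercised offline.
"""
import ipaddress
import socket
import urllib.error
import urllib.request

ACME_PATH = "/.well-known/acme-challenge/"


def resolve_ipv4(hostname):
    """IPv4 addresses published for hostname, via the system resolver."""
    infos = socket.getaddrinfo(hostname, 80, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def fetch_status(url, timeout=10):
    """HTTP status code for url, or None if nothing answered on the port."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code  # a 404 still proves a web server answered on port 80
    except (urllib.error.URLError, OSError):
        return None  # refused, timed out, unroutable


def preflight(domain, resolve=resolve_ipv4, fetch=fetch_status):
    """Return (ok, reason) describing whether HTTP-01 could reach domain."""
    try:
        addrs = resolve(domain)
    except OSError as exc:
        return False, f"DNS: {domain} does not resolve ({exc})"
    if not addrs:
        return False, f"DNS: no A record for {domain}"
    for addr in addrs:
        if not ipaddress.ip_address(addr).is_global:
            # 10/8, 192.168/16, 100.64/10 (CGNAT), ...: unreachable from the
            # public Internet, so the CA's validator can never connect.
            return False, f"DNS: {domain} points at non-public address {addr}"
    # Any HTTP status is acceptable here (the real token only exists during
    # validation); what matters is that port 80 of the server answers at all.
    status = fetch(f"http://{domain}{ACME_PATH}preflight-probe")
    if status is None:
        return False, f"HTTP: no answer on port 80 of {addrs[0]} (firewall, NAT or VPN not forwarding port 80?)"
    return True, f"HTTP: port 80 answered with {status}; HTTP-01 validation can reach the server"


if __name__ == "__main__":
    import sys
    domain = sys.argv[1] if len(sys.argv) > 1 else "pi-scine.xyz"  # domain from the thread
    ok, reason = preflight(domain)
    print(("OK   " if ok else "FAIL ") + reason)
```

The three outcomes map onto the thread's symptoms: a non-public address means the A record points at something behind the VPN or NAT rather than at the VPN's public endpoint; a public address with no answer on port 80 means the VPN provider or a firewall is not forwarding that port to the Pi; any HTTP status at all (even 404) means the validator can reach the web server, and a remaining failure is unlikely to be a reachability problem.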

Setting up rDNS

Actually you should do it the other way, set the rDNS for your server’s IP address to pi-scine.xyz. I just realised you can’t do it in Gandi, you have to do it at the server end. If it’s a VPS provider you can ask them to do it, but since you’re running your own Raspberry Pi I’m not sure how…maybe others on this forum can help. I’m hosting my VPS on RackNerd so when I contacted RackNerd customer support they added it for me.

Anyway, if you are not using your YunoHost to send emails you can ignore this issue for now…or work on it again when you come to it!

Explanation of rDNS

Reverse DNS is used to verify email providers. So if your server 123.4.5.67 sends an email “from” something@hotmail.com, the receiving server can look up in the reverse DNS for a record something like this:

`PTR 123.4.5.67.in-addr.arpa hotmail.com`

That will mean 123.4.5.67 is authorised to send email from the Hotmail domain. But instead it will find a record like this!

`PTR 123.4.5.67.in-addr.arpa pi-scine.xyz`

In which case (depending on the setup) it will probably reject the email as spam/impersonation since 123.4.5.67 is not authorised to send email as hotmail.com. On the other hand, if you send email as something@pi-scine.xyz from the same address it will work.


Apart from rDNS there are other verification methods like SPF, DKIM, and DMARC, which might help even if you do not manage to set up rDNS, as discussed here:
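The PTR lookup described in the explanation above, and the mismatch reported by the YunoHost diagnosis earlier in the thread (current reverse DNS `vpn-0-248.aquilenet.fr`, expected `pi-scine.xyz`), can be reproduced with a small script. This is an added example, not code from the thread or from YunoHost: it builds the `in-addr.arpa` / `ip6.arpa` name that a receiving mail server queries, fetches the PTR, and then does the forward-confirmed reverse DNS check (PTR name resolves back to the sending address) that receivers commonly apply alongside SPF, DKIM and DMARC. The address 123.4.5.67 is the placeholder from the explanation above, the sample zone is constructed, and the function names are my own.

```python
"""Reverse-DNS (PTR) and forward-confirmed rDNS check for a mail server address.

Added example, not from the thread or from YunoHost. Given the address a
server sends mail from, it builds the in-addr.arpa / ip6.arpa name that a
receiving mail server queries, fetches the PTR, then checks both that the
PTR name resolves back to the same address (forward-confirmed reverse DNS)
and whether it equals the domain the YunoHost diagnosis expects. Lookups are
injectable so the logic runs offline; by default the system resolver is used.
"""
import ipaddress
import socket

# Constructed sample zone mirroring the thread's diagnosis: the PTR names the
# VPN endpoint (vpn-0-248.aquilenet.fr) rather than the mail domain.
# 123.4.5.67 is the placeholder address used in the explanation above.
SAMPLE_PTR = {"67.5.4.123.in-addr.arpa": "vpn-0-248.aquilenet.fr"}
SAMPLE_FORWARD = {
    "vpn-0-248.aquilenet.fr": ["123.4.5.67"],
    "pi-scine.xyz": ["123.4.5.67"],
}


def reverse_name(addr):
    """Name whose PTR record carries the rDNS of addr (IPv4 or IPv6)."""
    return ipaddress.ip_address(addr).reverse_pointer


def system_ptr(addr):
    """PTR lookup through the system resolver; None when there is none."""
    try:
        return socket.gethostbyaddr(addr)[0].rstrip(".")
    except (socket.herror, socket.gaierror):
        return None


def system_forward(name):
    """A/AAAA lookup through the system resolver; [] when the name is unknown."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []


def sample_ptr(addr):
    """PTR lookup against the constructed zone (keyed by the arpa name)."""
    return SAMPLE_PTR.get(reverse_name(addr))


def sample_forward(name):
    """Forward lookup against the constructed zone."""
    return SAMPLE_FORWARD.get(name, [])


def check_rdns(addr, expected_domain, ptr=system_ptr, forward=system_forward):
    """Describe the rDNS state of addr.

    fcrdns:           the PTR name resolves back to addr (what receivers test)
    matches_expected: the PTR name equals expected_domain (YunoHost's check)
    """
    ptr_name = ptr(addr)
    result = {
        "reverse_name": reverse_name(addr),
        "ptr": ptr_name,
        "fcrdns": False,
        "matches_expected": False,
    }
    if ptr_name is None:
        return result  # no PTR at all: the IPv6 case in the diagnosis
    target = ipaddress.ip_address(addr)
    forward_addrs = {ipaddress.ip_address(a) for a in forward(ptr_name)}
    result["fcrdns"] = target in forward_addrs
    result["matches_expected"] = ptr_name.lower() == expected_domain.lower()
    return result


if __name__ == "__main__":
    # Offline run against the constructed zone; call check_rdns with the
    # default ptr/forward arguments to query the real resolver instead.
    print(check_rdns("123.4.5.67", "pi-scine.xyz", ptr=sample_ptr, forward=sample_forward))
```

Against the constructed zone the result is `fcrdns: True` but `matches_expected: False`: the VPN provider's PTR is internally consistent, so strict receivers will not reject on FCrDNS alone, but it does not name `pi-scine.xyz`, which is exactly what the diagnosis flags. Only the holder of the address block (here the VPN provider, as the thread later confirms) can change that PTR.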

Thanks for taking the time to answer and put forms :wink:.

I’ve had the same Let’s Encrypt problem again with a subdomain. I changed the DNS registration in Gandi, I will wait 24 hours and try again to see if it worked!
If it did I will close the subject.

About reverse DNS

I have contacted my VPN provider to configure the thing on their end. I want to manage sending mails from my address :smiley:.

Thanks a lot


Okay cool! Maybe the DNS takes time in your area for some reason. Also let me know how the rDNS works; it’ll be helpful for others to know how to set up rDNS when self-hosting :+1:

After waiting 24 hours the certificate was successfully signed!

Don’t forget to update the API key from your registrar in yunohost/admin → domains → main domain → DNS → API key.

Still waiting for an answer from my vpn provider about the reverse DNS .


Well I can’t really explain, it’s Aquilenet (my VPN provider) who did the configs.


Knowing that Aquilenet is the one who handles the configs and you have to contact them for it is also helpful information :slightly_smiling_face:

In my case I had to contact my webhost provider (RackNerd) because I’m renting a server. Thanks to your post, I now know that if you’re hosting at home behind a VPN then it’s the VPN provider that handles the configs.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.