Issue With lets encrypt certificate

Okay that’s great to hear!

Sometimes the DNS takes time to propagate (get applied), even after you set it. It usually happens fast but it can take up to 24 hours I think. So maybe that’s why there was a problem, and it got resolved once the DNS got updated.

For future reference: if the device is not accessible from outside the certificates will always fail. That’s because Let’s Encrypt has to talk to the server to generate the certificates, and Let’s Encrypt is (obviously) outside your local network! 🙂

So the main problem would have been your server wasn’t available from outside. Once that got fixed (my guess is because of DNS propagation), the certificate renewal would have gone through as expected.

Anyway, good to know it’s working now!

Setting up rDNS

Actually you should do it the other way, set the rDNS for your server’s IP address to pi-scine.xyz. I just realised you can’t do it in Gandi, you have to do it at the server end. If it’s a VPS provider you can ask them to do it, but since you’re running your own Raspberry Pi I’m not sure how… maybe others on this forum can help. I’m hosting my VPS on RackNerd, so when I contacted RackNerd customer support they added it for me.

Anyway, if you are not using your YunoHost to send emails you can ignore this issue for now…or work on it again when you come to it!

Explanation of rDNS

Reverse DNS is used to verify email providers. So if your server 123.4.5.67 sends an email “from” something@hotmail.com, the receiving server can look up in the reverse DNS for a record something like this:

PTR 123.4.5.67.in-addr.arpa hotmail.com

That will mean 123.4.5.67 is authorised to send email from the Hotmail domain. But instead it will find a record like this:

PTR 123.4.5.67.in-addr.arpa pi-scine.xyz

In which case (depending on the setup) it will probably reject the email as spam/impersonation since 123.4.5.67 is not authorised to send email as hotmail.com. On the other hand, if you send email as something@pi-scine.xyz from the same address it will work.


Apart from rDNS there are other verification methods like SPF, DKIM, and DMARC, which might help even if you do not manage to set up rDNS, as discussed here:
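As an added example (not part of the post above, and not YunoHost code), here is the forward-confirmed reverse DNS check a receiving mail server performs on a sending IP. It assumes a resolver callback; the DNS data is a constructed table built from the 123.4.5.67 / pi-scine.xyz pair in the post plus TEST-NET addresses, so it runs offline. The reverse names follow the real in-addr.arpa / ip6.arpa layout, where the address is written least-significant part first (123.4.5.67 is looked up as 67.5.4.123.in-addr.arpa).

```python
import ipaddress
from typing import Callable, Dict, List, Tuple

# Resolver callback: (query name, record type) -> list of answer strings.
Resolver = Callable[[str, str], List[str]]


def reverse_name(ip: str) -> str:
    """Build the reverse-lookup name for an IPv4 or IPv6 address."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        # Octets reversed: 123.4.5.67 -> 67.5.4.123.in-addr.arpa
        return ".".join(reversed(str(addr).split("."))) + ".in-addr.arpa"
    # IPv6: every hex digit of the fully expanded address becomes a label.
    nibbles = addr.exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


# Constructed sample DNS data, NOT live records (hotmail.com here is a stand-in
# with a TEST-NET address). Keys are (owner name, record type).
SAMPLE_ZONE: Dict[Tuple[str, str], List[str]] = {
    # The Raspberry Pi from the post: PTR and A agree, so it is forward-confirmed.
    ("67.5.4.123.in-addr.arpa", "PTR"): ["pi-scine.xyz"],
    ("pi-scine.xyz", "A"): ["123.4.5.67"],
    # An IPv6 mail host (2001:db8::1) with a matching AAAA record.
    ("1" + ".0" * 23 + ".8.b.d.0.1.0.0.2.ip6.arpa", "PTR"): ["mail.example.net"],
    ("mail.example.net", "AAAA"): ["2001:db8::1"],
    # A host whose PTR claims hotmail.com, but the (constructed) hotmail.com
    # A record points elsewhere, so the claim is not forward-confirmed.
    ("10.100.51.198.in-addr.arpa", "PTR"): ["hotmail.com"],
    ("hotmail.com", "A"): ["203.0.113.5"],
}


def sample_resolve(name: str, rtype: str) -> List[str]:
    """Offline resolver over SAMPLE_ZONE; unknown names answer empty."""
    return list(SAMPLE_ZONE.get((name.lower().rstrip("."), rtype.upper()), []))


def fcrdns(ip: str, resolve: Resolver = sample_resolve) -> List[str]:
    """Forward-confirmed reverse DNS.

    Return the PTR names of `ip` whose A/AAAA records resolve back to `ip`.
    A PTR alone proves nothing, because whoever controls the reverse zone can
    put any name there; the forward lookup is what ties the name to the IP.
    """
    addr = ipaddress.ip_address(ip)
    forward_type = "A" if addr.version == 4 else "AAAA"
    confirmed = []
    for name in resolve(reverse_name(ip), "PTR"):
        host = name.lower().rstrip(".")
        answers = {ipaddress.ip_address(a) for a in resolve(host, forward_type)}
        if addr in answers:
            confirmed.append(host)
    return confirmed


def sender_matches_rdns(ip: str, sender_domain: str,
                        resolve: Resolver = sample_resolve) -> bool:
    """True if a confirmed PTR name is `sender_domain` or a host under it."""
    domain = sender_domain.lower().rstrip(".")
    return any(host == domain or host.endswith("." + domain)
               for host in fcrdns(ip, resolve))


if __name__ == "__main__":
    scenarios = [("123.4.5.67", "pi-scine.xyz"),    # the Pi sending as itself
                 ("123.4.5.67", "hotmail.com"),     # the Pi sending as Hotmail
                 ("198.51.100.10", "hotmail.com"),  # PTR forged, not confirmed
                 ("2001:db8::1", "example.net")]    # IPv6 host, subdomain match
    for ip, domain in scenarios:
        verdict = "accept" if sender_matches_rdns(ip, domain) else "suspicious"
        print(f"{ip} sending as @{domain}: rDNS={fcrdns(ip)} -> {verdict}")
```

To run this against live DNS, pass a `resolve` callback that queries a real resolver (for example one wrapping dnspython's `dns.resolver.resolve(name, rtype)`) instead of `sample_resolve`; the check itself does not change. The third scenario is the point of the forward confirmation: a PTR that names hotmail.com is ignored unless hotmail.com also resolves back to the sending address.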