[Solved] Let's encrypt SSL cert renew hairpinning issue

Hi there,

I had some hairpinning issues originally which were solved by editing the /etc/hosts files to point my domain to the internal IP address. After that, my site has worked fine from both outside and inside my network.

This worked fine, until the automatic Let’s Encrypt SSL certificate renewal failed with:

Warning: Timed out when server tried to contact itself through HTTP using public IP address (domain mydomain.com with ip 70.48.195.01). You may be experiencing a hairpinning issue or the firewall/router ahead of your server is misconfigured.

What I don’t understand though, is why everything would work fine except the certificate renew command, and why that wouldn’t work when the /etc/hosts file had already been modified (and the server restarted)…

I see some possibly related posts on this forum, however they’re in French and Google Translate doesn’t seem to be much help.

I also saw references to removing IPv6 helping, but I’m not sure exactly where it would need to be removed from.

Any ideas? Thanks!

Hey,

well the whole thing is a tricky topic, since as you see, there are many technical stuff in this, related to DNS, hairpinning, the /etc/hosts, and Let’s Encrypt :wink:

Basically YunoHost attempts to self-diagnose itself to check if the setup is ready for a Let’s Encrypt certificate. Sometimes it ‘fails’ (incorrectly report that it’s not when ready, when it probably is). But you’re right, since if you really tweaked the /etc/hosts on the server, it should work.

Anyway, an easy way to bypass this is to run the install with --no-checks. (There’s no security risk involved with doing this, at worse you will just ‘burn’ a certificate fetch attempt on your Let’s Encrypt 7-days quota thing but whatever ;))

So :

yunohost domain cert-install --no-checks your.domain.tld

What does that tells you ?

Thanks @Aleks! Yep. Looks like it was just a false error. When I actually run it with --no-checks, it managed to update the ssl certificate just fine.

I wonder if there’s any value in reporting this on the tracker? Do we use the “Solved” plugin on this instance of Discourse? I ask as I don’t seem to be able to mark this thread as solved…

That’s okay, I flagged it as resolved :wink:

I had the same issue with my server. Is it possible to set cert-renew to include the flag --no-checks in yunohost when renewing automatically?

Thanks