TransIP method in letsencrypt doesn't support global keys
Describe the issue you are experiencing
Getting error: Error finding domain using the Transip API: 401: Remote IP is not authorized for this request; called from IP x.x.x.x
Reason: In TransIP you can generate public keys without an IP whitelist requirement. I have generated my keys without this requirement because my HA is on a dynamic IP.
However, when requesting an access token using this key (which is the second step in the authentication process), certbot by default requests an access token with a whitelist IP requirement, even when the key was generated without the whitelist requirement. Certbot can be told not to do this by setting the following in its ini file:
dns_transip_global_key = yes
But of course using this addon I can't influence the certbot ini file directly. Therefore it would be great to get a yaml configuration variable that can be used to add this setting to the generated certbot ini file.
PS: This config option was introduced in 2021: https://github.com/hsmade/certbot-dns-transip/pull/36 in order to fix this issue: https://github.com/roaldnefs/python-transip/issues/46
What type of installation are you running?
Home Assistant Supervised
Which operating system are you running on?
Other (e.g., Raspbian/Raspberry Pi OS/Fedora)
Which add-on are you reporting an issue with?
Let's Encrypt
What is the version of the add-on?
5.0.18
Steps to reproduce the issue
- Set up correctly.
- Get error ...
System Health information
System Information
version | core-2024.5.2 |
---|---|
installation_type | Home Assistant Supervised |
dev | false |
hassio | true |
docker | true |
user | root |
virtualenv | false |
python_version | 3.12.2 |
os_name | Linux |
os_version | 5.10.103-v7l+ |
arch | armv7l |
timezone | Europe/Madrid |
config_dir | /config |
Home Assistant Community Store
GitHub API | ok |
---|---|
GitHub Content | ok |
GitHub Web | ok |
GitHub API Calls Remaining | 4897 |
Installed Version | 1.34.0 |
Stage | running |
Available Repositories | 1393 |
Downloaded Repositories | 18 |
Home Assistant Cloud
logged_in | false |
---|---|
can_reach_cert_server | ok |
can_reach_cloud_auth | ok |
can_reach_cloud | ok |
Home Assistant Supervisor
host_os | Raspbian GNU/Linux 10 (buster) |
---|---|
update_channel | stable |
supervisor_version | supervisor-2024.05.1 |
agent_version | 1.4.1 |
docker_version | 20.10.21 |
disk_total | 252.2 GB |
disk_used | 32.2 GB |
healthy | true |
supported | failed to load: Unsupported |
supervisor_api | ok |
version_api | ok |
installed_addons | deCONZ (6.23.0), InfluxDB (5.0.0), ESPHome (2024.5.0), Mosquitto broker (6.4.0), Node-RED (17.0.12), File editor (5.8.0), Terminal & SSH (9.14.0), Ring-MQTT with Video Streaming (5.6.4), Let's Encrypt (5.0.18) |
Dashboards
dashboards | 2 |
---|---|
resources | 6 |
views | 11 |
mode | storage |
Recorder
oldest_recorder_run | May 8, 2024 at 8:12 AM |
---|---|
current_recorder_run | May 23, 2024 at 3:00 AM |
estimated_db_size | 1868.96 MiB |
database_engine | sqlite |
database_version | 3.44.2 |
Anything in the Supervisor logs that might be useful for us?
No response
Anything in the add-on logs that might be useful for us?
s6-rc: info: service s6rc-oneshot-runner: starting
s6-rc: info: service s6rc-oneshot-runner successfully started
s6-rc: info: service fix-attrs: starting
s6-rc: info: service fix-attrs successfully started
s6-rc: info: service legacy-cont-init: starting
cont-init: info: running /etc/cont-init.d/file-structure.sh
writing RSA key
cont-init: info: /etc/cont-init.d/file-structure.sh exited 0
s6-rc: info: service legacy-cont-init successfully started
s6-rc: info: service legacy-services: starting
services-up: info: copying legacy longrun lets-encrypt (no readiness notification)
s6-rc: info: service legacy-services successfully started
[02:53:09] INFO: Selected DNS Provider: dns-transip
[02:53:09] INFO: Use propagation seconds: 60
[02:53:10] INFO: Increasing DNS propagation limit for TransIP to at least 240 seconds.
[02:53:10] INFO: Detecting existing certificate type for domain.xyz
Saving debug log to /var/log/letsencrypt/letsencrypt.log
[02:53:13] INFO: No certificate found - using 'ecdsa' key type.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for domain1.xyz and domain2.xyz
Encountered exception during recovery: certbot.errors.PluginError: Error finding domain using the Transip API: 401: Remote IP is not authorized for this request; called from IP x.x.x.x
Error finding domain using the Transip API: 401: Remote IP is not authorized for this request; called from IP x.x.x.x
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
s6-rc: info: service legacy-services: stopping
s6-rc: info: service legacy-services successfully stopped
s6-rc: info: service legacy-cont-init: stopping
s6-rc: info: service legacy-cont-init successfully stopped
s6-rc: info: service fix-attrs: stopping
s6-rc: info: service fix-attrs successfully stopped
s6-rc: info: service s6rc-oneshot-runner: stopping
s6-rc: info: service s6rc-oneshot-runner successfully stopped
Additional information
I notice the Cloudflare letsencrypt module also does feature global keys, which is similar. TransIP's isn't implemented.
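
The request above amounts to rendering one extra line into the certbot credentials ini when an opt-in option is set. The sketch below is an added example, not code from the add-on or from the issue author: the function name, its arguments and the sample paths are hypothetical, and only the ini keys are settings of the certbot-dns-transip plugin. It keeps the IP-whitelisted default unless the flag is explicitly `true`, rejects values that would inject extra ini lines, and writes the file owner-only.

```shell
# Added example: render the dns-transip credentials ini from option values.
# render_transip_ini and its arguments are hypothetical names.
# Usage: render_transip_ini USERNAME KEY_FILE GLOBAL_KEY OUT_FILE
#   GLOBAL_KEY "true"  -> tokens are requested without the IP whitelist
#   GLOBAL_KEY "false" or empty -> plugin default (whitelisted IPs only)
render_transip_ini() {
    username=$1 key_file=$2 global_key=$3 out=$4
    nl='
'
    [ -n "$username" ] || { echo "username is required" >&2; return 1; }
    [ -n "$key_file" ] || { echo "key file path is required" >&2; return 1; }

    # A newline in a value would let it smuggle additional ini settings.
    case "$username$key_file" in
        *"$nl"*) echo "values must not contain newlines" >&2; return 1 ;;
    esac

    # Accept only an explicit boolean so a typo cannot silently widen access.
    case "$global_key" in
        true|false|"") ;;
        *) echo "global_key must be true or false" >&2; return 1 ;;
    esac

    # The ini points at an API private key: create it readable by owner only.
    (
        umask 077
        {
            printf 'dns_transip_username = %s\n' "$username"
            printf 'dns_transip_key_file = %s\n' "$key_file"
            if [ "$global_key" = "true" ]; then
                printf 'dns_transip_global_key = yes\n'
            fi
        } > "$out"
    ) || return 1
    chmod 600 "$out"
}
```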