Let's Encrypt Staging workflow is problematic
Describe the issue you are experiencing
If you test on Let's Encrypt staging, after you remove the server the addon will not issue a new certificate, even if you try to remove the certificates from /ssl.
What type of installation are you running?
Home Assistant OS
Which operating system are you running on?
Home Assistant Operating System
Which add-on are you reporting an issue with?
Let's Encrypt
What is the version of the add-on?
5.0.18
Steps to reproduce the issue
- Install the addon
- Test the configuration using acme_server: https://acme-staging-v02.api.letsencrypt.org/
- Check certs were issued on /ssl.
- Remove the acme_server config and certs from /ssl.
- Start the addon again, it will recreate the staging certificates.
System Health information
N/A.
Anything in the Supervisor logs that might be useful for us?
N/A.
Anything in the add-on logs that might be useful for us?
cont-init: info: running /etc/cont-init.d/file-structure.sh
cont-init: info: /etc/cont-init.d/file-structure.sh exited 0
s6-rc: info: service legacy-cont-init successfully started
s6-rc: info: service legacy-services: starting
services-up: info: copying legacy longrun lets-encrypt (no readiness notification)
s6-rc: info: service legacy-services successfully started
[21:04:37] INFO: Selected DNS Provider: dns-cloudflare
[21:04:37] INFO: Use propagation seconds: 60
[21:04:37] INFO: Use CloudFlare token
[21:04:37] INFO: Detecting existing certificate type for xxx
Saving debug log to /var/log/letsencrypt/letsencrypt.log
[21:04:38] INFO: Existing certificate using 'ecdsa' key type.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Certificate not yet due for renewal
Additional information
Originally reported at #1705, but incorrectly closed as stale.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
Not stale.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
Not stale.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
Not stale.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
Not stale.
Could you please verify with the update certbot version.
letsencrypt v5.3.3
If this is still the case I will look deeper into this.
@GoetzGoerisch My current configuration is using the production server (https://acme-v02.api.letsencrypt.org/). I changed it to the staging one, deleted all files from /ssl and restarted the addon. No new certs were issued.
This workflow is still problematic for anyone who wants to first test their setup using staging, and then move to the production server. Changing the acme server should issue a new cert. It currently does not do that.
@giggio Thank you for the update. I looked into the code and am preparing an update https://github.com/home-assistant/addons/pull/3943 This includes an easy switch for issuing test certificates.
Nevertheless, due to --keep-until-expiring, the default behavior is to never renew until it is expiring.
https://github.com/home-assistant/addons/blob/13c92fda8ef617b93bb89873ba2e32958c8a31c6/letsencrypt/rootfs/etc/services.d/lets-encrypt/run#L348
@agners my proposal would be to make this option configurable and have a sane default value and also add a "--force-renewal" switch
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
Not fixed. @agners and @frenck please advise if you would value looking into improving this as detailed above?
The reason for this behavior is that the add-on stores the certificate in its internal config directory (in /data). You could uninstall and reinstall the add-on to clear this data and hence work around, but it's more of a work around.
@agners my proposal would be to make this option configurable and have a sane default value and also add a "--force-renewal" switch
We could do this, but it does put the burden on the user. Also we definitely don't want this to be the default.
What we could do instead is simply store the certs in a per-acme server directory (essentially make CERT_DIR to be dependent on acme_server). This would resolve the problem immediately. What do you think?
This would resolve the problem with the staging workflow but would still need a workaround if one wants to renew the cert before it expires.
Therefore I still think that having a default --keep-until-expiring with a possibility to override with a switch to use --force-renewal would be beneficial for all occasions.
Please have a look on https://github.com/home-assistant/addons/pull/3976
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
Not stale.
Perhaps --keep-until-expiring could dynamically switch to --force-removal by comparing the CA of the live certificate at letsencrypt/live/domain.net against the --test-cert option and the server's CA. Specifically, for a given domain, if the target server is:
- Let's Encrypt production (https://acme.api.letsencrypt.org/directory) but the current CA is the fake staging CA;
- Let's Encrypt staging (https://acme-staging.api.letsencrypt.org/directory) but the current CA is the production CA (potentially also requiring --break-my-certs).
I can't test this now but might investigate in about a week if no one else does.
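The check this proposal describes, written out as an added example (this is not the add-on's run script and not code from the thread): read the issuer of the certificate on disk with openssl x509 -noout -issuer, classify it as staging or production by the "(STAGING)" marker that Let's Encrypt puts in all of its staging CA names, classify the configured acme_server URL the same way, and report a mismatch as the signal to switch from --keep-until-expiring to --force-renewal. The function names, the /ssl/fullchain.pem path in check_cert_file and the sample issuer lines are assumptions; the sample lines are constructed in openssl's output format.

```shell
#!/bin/sh
# Added example: decide whether the certificate on disk came from the same
# Let's Encrypt environment (staging or production) as the configured
# acme_server, so that switching between the two can trigger a forced renewal
# instead of certbot's default --keep-until-expiring behaviour.
# Illustrative code, not the add-on's own run script.

# Map an ACME directory URL to its environment. Let's Encrypt's staging
# endpoints all contain "acme-staging" in the hostname.
acme_env_for_server() {
  case "$1" in
    *acme-staging*) echo staging ;;
    *)              echo production ;;
  esac
}

# Map an issuer line (as printed by `openssl x509 -noout -issuer`) to its
# environment. Every staging CA name carries the "(STAGING)" marker, e.g.
# "(STAGING) Artificial Apricot R3"; production issuers (R3, R10, E5, ...) do not.
issuer_env() {
  case "$1" in
    *"(STAGING)"*) echo staging ;;
    *)             echo production ;;
  esac
}

# Exit status 0 when the certificate's CA does not match the target server,
# i.e. when --force-renewal should be passed instead of --keep-until-expiring.
needs_force_renewal() {
  issuer="$1"
  server="$2"
  [ "$(issuer_env "$issuer")" != "$(acme_env_for_server "$server")" ]
}

# Wrapper for a real certificate file (assumed path, e.g. /ssl/fullchain.pem).
# Prints the decision; exit 0 = force renewal needed, 1 = certificate matches
# the server, 2 = the certificate could not be read.
check_cert_file() {
  certfile="$1"
  server="$2"
  issuer=$(openssl x509 -in "$certfile" -noout -issuer 2>/dev/null) || return 2
  if needs_force_renewal "$issuer" "$server"; then
    echo "issuer '$issuer' does not match $server: use --force-renewal"
    return 0
  fi
  echo "issuer '$issuer' matches $server: keep --keep-until-expiring"
  return 1
}

# Constructed sample issuer lines in openssl's output format (not taken from
# the thread), used for the stand-alone demonstration below.
STAGING_ISSUER="issuer=C = US, O = (STAGING) Let's Encrypt, CN = (STAGING) Artificial Apricot R3"
PRODUCTION_ISSUER="issuer=C = US, O = Let's Encrypt, CN = R3"
PRODUCTION_SERVER="https://acme-v02.api.letsencrypt.org/directory"
STAGING_SERVER="https://acme-staging-v02.api.letsencrypt.org/directory"

# The scenario from the report: a staging certificate on disk and acme_server
# switched to production. Wrapped in if/else so the demo never aborts under set -e.
if needs_force_renewal "$STAGING_ISSUER" "$PRODUCTION_SERVER"; then
  echo "staging cert + production server: force renewal"
else
  echo "staging cert + production server: unexpected match"
fi
```

In the add-on this decision would sit where the run script currently always passes --keep-until-expiring; a mismatch, or an explicit user switch, would substitute --force-renewal for that one run. Note that the hostname and "(STAGING)" checks only distinguish Let's Encrypt's own two environments; a third-party acme_server would need its own rule.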
Feedback on draft PR #4027 welcome (which I haven’t fully tested yet), implementing the above suggestion.
Ran into a similar issue: first tested with the staging server to find out if my DNS setup is working. And then switched to the production server, only to find out that I have to wait 30 days to renew my certificate. I am currently on version 5.4.9. Had to uninstall the extension and delete all data in order to remove the certificates.
The proposal by @83noit in https://github.com/home-assistant/addons/issues/3781#issuecomment-2845719469 will likely work.
Perhaps --keep-until-expiring could dynamically switch to --force-removal by comparing the CA
Having a "force renew" option will also work.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
Not stale.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
Not stale
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
Definitely not stale.