Failed to obtain certificate

Hi, I just migrated/restored my Freedombox to another system and mostly everything is working, except it seems the Let’s Encrypt cert expired mid June and didn’t seem to want to renew, either on the old machine, or the new one. It appears to be complaining that it cannot decide which domain to use? I think that is the problem, but I don’t know how to fix it.

This is the error I am getting when attempting to renew the cert from the Let’s Encrypt section in the FB web menu:
*‘PLACEHOLDER’ in place of the actual domain name

Failed to obtain certificate for domain PLACEHOLDER.sds-ip.de: (“Error obtaining certificate: Saving debug log to /var/log/letsencrypt/letsencrypt.log\nPlugins selected: Authenticator webroot, Installer None\nMissing command line flag or config entry for this setting:\nPlease choose an account\nChoices: [‘freedombox.PLACEHOLDER.sds-ip.de@2022-07-22T03:01:50Z (f9ed)’, ‘Freedombox.freedombox.local@2023-07-25T05:33:44Z (a9ea)’]\n”, b’‘, b’\x1b[31m ERROR\x1b[0m \x1b[94m__main__ \x1b[0m

Problem Description
Trying to Renew Cert using Let’s Encrypt

Steps to Reproduce

  1. Select Re-obtain certificate

Expected Results
Renew expired cert

Actual results
Error obtaining certificate

Information

  • FreedomBox version: Debian GNU/Linux 11 (bullseye) and FreedomBox version 23.6.2
  • Hardware: PC
  • How did you install FreedomBox?: on Debian server

Is your domain name right in plinth/sys/config?
Hostname: PLACEHOLDER
Domain Name: PLACEHOLDER.SDS-IP.DE

Is your sds-ip.de account name PLACEHOLDER, or is it SOMETHING_ELSE? In this case you’d do:
Hostname: PLACEHOLDER
Domain Name: SOMETHING_ELSE.SDS-IP.DE

The domain name field needs the external FQDN for the host, not the DNS domain. I interpret the domain name field as, “what is the DNS record to use with the certificate?”

Thanks for the reply. That bit seems fine. Just trying to re-obtain the cert again from plinth/sys/letsencrypt/ and I notice the error shows:

Failed to obtain certificate for domain mydomain.sds-ip.de: ("Error obtaining certificate: Saving debug log to /var/log/letsencrypt/letsencrypt.log\nMissing command line flag or config entry for this setting:\nPlease choose an account\nChoices: [‘freedombox.mydomain.sds-ip.de@2022-07-22T03:01:50Z (f9ed)’, ‘Freedombox.freedombox.local@2023-07-25T05:33:44Z (a9ea)’

I don’t know if there is supposed to be 2 choices (one appears to be a local (freedombox.local) and one is my public facing domain (mydomain.sds-ip.de) which is a side issue perhaps? )

Both domains referenced in the error above have ‘freedombox.’ added to the beginning, which is obviously wrong. My domain is not and never was ‘freedombox.mydomain.sds-ip.de’.

My public facing domain should be: ‘mydomain.sds-ip.de’

I don’t know why it shows ‘freedombox.mydomain.sds-ip.de’, unless I did something wrong or the restoration did something?

Any idea where I can edit the hostname details to remove the ‘freedombox.’ prefix?
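
The two entries in the error above follow certbot's label for a registered ACME account, creation host@creation time (first four characters of the account id), so they identify accounts rather than certificate domains. An added example, not part of the original thread or of FreedomBox's code: it parses those labels and matches them against the `account` entry of a renewal config. The label format and the `[renewalparams]` layout are assumptions about certbot; the renewal excerpt and its account id are constructed.

```python
import re
from datetime import datetime, timezone

# Choices text as quoted in the thread (poster's placeholder domain, straight quotes).
SAMPLE_ERROR = (
    "Please choose an account\n"
    "Choices: ['freedombox.mydomain.sds-ip.de@2022-07-22T03:01:50Z (f9ed)', "
    "'Freedombox.freedombox.local@2023-07-25T05:33:44Z (a9ea)']\n"
)

# Constructed renewal-config excerpt; the account id is a made-up value.
SAMPLE_RENEWAL_CONF = """\
[renewalparams]
account = a9ea0123456789abcdef0123456789ab
authenticator = webroot
"""

# Assumed label format: <creation host>@<creation time> (<first 4 chars of account id>)
CHOICE_RE = re.compile(
    r"['\u2018]([^@'\u2018\u2019\s]+)@(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) \(([0-9a-f]{4})\)"
)

def parse_account_choices(error_text):
    """Return one dict per account label found in the error text."""
    accounts = []
    for host, created, prefix in CHOICE_RE.findall(error_text):
        when = datetime.strptime(created, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        accounts.append({"creation_host": host, "created": when, "id_prefix": prefix})
    return accounts

def renewal_account(conf_text):
    """Return the account id pinned in a renewal config, or None if absent."""
    match = re.search(r"^\s*account\s*=\s*([0-9a-f]+)\s*$", conf_text, re.MULTILINE)
    return match.group(1) if match else None

def pick_account(error_text, conf_text):
    """Return the offered account that the renewal config pins, if exactly one fits."""
    pinned = renewal_account(conf_text)
    choices = parse_account_choices(error_text)
    fits = [a for a in choices if pinned and pinned.startswith(a["id_prefix"])]
    return fits[0] if len(fits) == 1 else None

if __name__ == "__main__":
    for acct in parse_account_choices(SAMPLE_ERROR):
        print(acct["id_prefix"], acct["creation_host"], acct["created"].isoformat())
    chosen = pick_account(SAMPLE_ERROR, SAMPLE_RENEWAL_CONF)
    print("renewal config pins:", chosen["id_prefix"] if chosen else "no unique match")
```

When the renewal config carries no `account` entry, or the id matches none of the offered labels, `pick_account` returns `None`, which is the situation in which certbot has to ask which account to use.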

Still struggling with this. Been poking around without any change.

Running Diagnostics and everything is okay except for the Let’s Encrypt part. The domain I am using is correct, but it’s appearing twice. I don’t know if that is normal.

When I go to the domain it brings me to my FB login, which is what I expect.

Maybe just asking a dumb question here but if you do a dig command to see what the DNS servers return as an IP address, is it yours?

Indeed the dig command reveals the correct IP, as does sys/dynamicdns from the FB settings. All the same IP, so nothing strange there.

I gather from the Let’s Encrypt error that it cannot choose between two entries, which leads me to believe that is the source of the problem.

This FB was recently restored from a backup (all possible settings restored), so my guess is that either settings have been duplicated during the restore, or I just did something dumb (most likely) and so I’m just trying to figure out how best to undo that based on the error.

Having said that, it appears my cert is valid now until Oct and everything seems to be working, so maybe not a show stopper per se, but something still isn’t right.

Just a thought… is your FBX connected to a router/modem? If so, you may need to check that your ports 80 and 443 are forwarded to the same ports on your FBX.

Yes, Thanks. I appreciate your response. Initially that’s how I was able to get a valid cert. However, the problem is not with the connection, it’s with the choice of domains as there are two. Just tried it again and it’s the same message as before.

What a joke this is. Still wondering why I would even keep trying when I’m just going around in circles wasting my time. I tried running letsencrypt from the terminal in verbose mode and I’m getting permissions issues with an account that has admin rights to everything. Why is this so difficult? I thought this project was supposed to solve more problems than it seemingly creates. I realize I’m ranting and all that, but honestly wondering what the point is to this when I have to constantly try to figure out problems after updates break something. Not everyone wants to tinker with computer settings all day.

letsencrypt -v
The following error was encountered:
[Errno 13] Permission denied: ‘/var/log/letsencrypt/.certbot.lock’
Either run as root, or set --config-dir, --work-dir, and --logs-dir to writeable paths.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /tmp/certbot-log-l4or89z_/log or re-run Certbot with -v for more details.

The problem seems to be that my domain is set in Freedombox twice (must have happened after restoring my backup on a new instance), so Certbot can’t decide which one to use/renew since they are identical domains.

How can I take one of these out, and does it matter which one?

*I tried deleting the cert and then restoring from backup for lack of any other knowledge, but it’s the exact same message. Is there a reason why two identical entries would be showing up here?

On the Let’s encrypt app page, after clicking on the settings icon you can try to “rerun setup”. If that doesn’t help, try this workaround:

I appreciate the response. I don’t seem to have a ‘rerun setup’ option, if I am looking in the right place? From the Lets Encrypt app page:

Looking at the workaround, there seems to be some key details missing. I don’t know where to find this information. I presume I would need to use the terminal, but where do I go, what do I do exactly so I don’t break something? Thank You.

*Maybe I should just go back to Debian 11, install FB again, then restore?

Oh, I’m sorry. I forgot the Git link is geared towards the dev team; the config files are located under /etc/apache2/sites-available/.
You can try:

  1. sudo cp /etc/apache2/sites-available/example.com.conf /etc/apache2/sites-available/90-example.com.conf
  2. sudo a2ensite 90-example.com
  3. sudo systemctl reload apache2

To revert the changes, run sudo a2dissite 90-example.com && sudo systemctl reload apache2

Thanks for the response. I have 3 .conf files in /etc/apache2/sites-available/:

  1. 000-default.conf *contents seem default and not of importance on

  2. default-ssl.conf

  3. freedombox-default.conf

*I see for both the default-ssl.conf and the freedombox-default.conf files they contain:

SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

*Which one do I copy please?

You should leave those intact. Instead, you should see a conf file with the title of your domain name. Does it not exist?

This is what I have:

On the web interface, can you submit your domain name under https://example.com/plinth/sys/config/? It seems like the domain name wasn’t restored.

Yes the domain name is there already. Should I try to restore an older backup of my lets encrypt data then? Maybe the previous backup has a problem?

This has been resolved. For what it’s worth, here is what I had to do:

I installed a fresh instance of FB on top of Debian 11 server (ProxMox VM) and restored one of my full backups. Then purely from the web interface in the lets encrypt section, I deleted the cert that was there and obtained a new one.

I’m using Matrix and initially that wasn’t working, so I had to disable it, select ‘update setup’, then enable, and ‘update setup’ again, then it worked.

Hope this helps. I learned that upgrading FB from Debian 11 to 12 is generally not a good idea if you are going to be dumb like me and not have a way to revert back quickly.

Hello @Frankie,

Let’s hope the next FreedomBox full upgrade to Debian 13, codename “Trixie”, will go as it should!

If not, we are better prepared?

Regards: peter
