Controller letsencrypt cert won't renew

My letsencrypt cert expired and won’t renew - leaving my router disconnected. When I try to renew manually I get:

root@891cd3aaf0f1:/etc# su - alta -c 'cd /usr/share/access/be && ./uacme.sh'
uacme: version 1.7.1 starting on Fri, 04 Jul 2025 05:41:25 +0000
uacme: loading key from /var/lib/access/certs/serroqk1g7b/private/key.pem
uacme: loading key from /var/lib/access/certs/serroqk1g7b/private/serroqk1g7b.ddns.manage.alta.inc/key.pem
uacme: checking existence and expiration of /var/lib/access/certs/serroqk1g7b/serroqk1g7b.ddns.manage.alta.inc/cert.pem
uacme: /var/lib/access/certs/serroqk1g7b/serroqk1g7b.ddns.manage.alta.inc/cert.pem expires in -7 days
uacme: /var/lib/access/certs/serroqk1g7b/serroqk1g7b.ddns.manage.alta.inc/cert.pem is due for renewal
uacme: generating certificate request
uacme: fetching directory at https://acme-v02.api.letsencrypt.org/directory
uacme: retrieving account at https://acme-v02.api.letsencrypt.org/acme/new-acct
uacme: account location: https://acme-v02.api.letsencrypt.org/acme/acct/2062333427
uacme: creating new order at https://acme-v02.api.letsencrypt.org/acme/new-order
uacme: order location: https://acme-v02.api.letsencrypt.org/acme/order/2062333427/402392586291
uacme: retrieving authorization at https://acme-v02.api.letsencrypt.org/acme/authz/2062333427/546926029481
uacme: running /usr/share/access/be/uacme-hook.sh begin dns-01 serroqk1g7b.ddns.manage.alta.inc OTY64ZLEHFoiX08Imq7IYqE5bciwxXerj21rqMK5d_c S7RUhrI6c6O36tcJMZlp8JqE21MkMUa5qs5oXFaxQ6U
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   150  100    11  100   139      5     74  0:00:02  0:00:01  0:00:01    79
"No device"uacme: starting challenge at https://acme-v02.api.letsencrypt.org/acme/chall/2062333427/546926029481/mFmJuQ
uacme: polling challenge status at https://acme-v02.api.letsencrypt.org/acme/chall/2062333427/546926029481/mFmJuQ
uacme: polling challenge status at https://acme-v02.api.letsencrypt.org/acme/chall/2062333427/546926029481/mFmJuQ
uacme: challenge https://acme-v02.api.letsencrypt.org/acme/chall/2062333427/546926029481/mFmJuQ failed with status invalid
uacme: the server reported the following error:
{
    "type": "urn:ietf:params:acme:error:unauthorized",
    "detail": "Incorrect TXT record \"Of8WyJzD40LfYFkysLduT2ixuk_oPOXZ-OK6Rum4olA\" found at _acme-challenge.serroqk1g7b.ddns.manage.alta.inc",
    "status": 403
}
uacme: running /usr/share/access/be/uacme-hook.sh failed dns-01 serroqk1g7b.ddns.manage.alta.inc OTY64ZLEHFoiX08Imq7IYqE5bciwxXerj21rqMK5d_c S7RUhrI6c6O36tcJMZlp8JqE21MkMUa5qs5oXFaxQ6U
uacme: failed to authorize order at https://acme-v02.api.letsencrypt.org/acme/order/2062333427/402392586291

It seems you have forwarded Ports 80 and/or 443 to an internal host. Every time LE tries to validate the TXT record, the request will be forwarded to another web server instead of your local Alta controller.
I think you need to run your Alta controller on a dedicated public IP address, or alternatively run it on a VPS or similar.

I think it’s using the DNS API, not the web-based one. I’m guessing some mixup in Alta Labs’ database. Maybe when I tried to reinstall the controller, but went back to my old setup?

I tried also recreating a docker image, but after restoring a backup from my previous image, it wouldn’t recognize my user/password any more.

This was from my recreating my docker image - but going back to the old one. It was fixed by Jeff updating Alta’s database to match my older ID.

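Added example, not part of the thread and not Alta's or uacme's code: uacme calls its hook with the arguments method, type, identifier, token and auth, and for dns-01 the auth value is the content the `_acme-challenge` TXT record must have. Comparing that value with the one quoted in the ACME error, next to whatever the hook printed, shows whether the hook's DNS update ever took effect. The log is constructed with placeholder values, and `diagnose` is a hypothetical helper name.

```python
import json
import re

# Constructed sample in the shape of the uacme output above (placeholder values).
SAMPLE_LOG = """\
uacme: running /path/to/hook.sh begin dns-01 host.example.test TOKEN_PLACEHOLDER AUTH_EXPECTED
"No device"uacme: starting challenge at https://acme.example.test/chall/1
uacme: the server reported the following error:
{
    "type": "urn:ietf:params:acme:error:unauthorized",
    "detail": "Incorrect TXT record \\"AUTH_STALE\\" found at _acme-challenge.host.example.test",
    "status": 403
}
"""

HOOK_RE = re.compile(r"^uacme: running \S+ begin dns-01 (\S+) (\S+) (\S+)$", re.M)
TXT_RE = re.compile(r'Incorrect TXT record "([^"]+)" found at (\S+)')
ERR_MARK = "uacme: the server reported the following error:"


def diagnose(log):
    """Compare the TXT value the hook was given with the one the CA saw."""
    hook = HOOK_RE.search(log)
    if not hook:
        raise ValueError("no dns-01 'begin' hook invocation in log")
    ident, _token, auth = hook.groups()

    # Text between the hook call and uacme's next message is the hook's own
    # output; its last line is the DNS update API's response body.
    out = log[hook.end():].split("uacme:", 1)[0].strip().splitlines()
    result = {"ident": ident, "expected_txt": auth,
              "hook_reply": out[-1].strip() if out else "",
              "found_txt": None, "stale_record": False}

    mark = log.find(ERR_MARK)
    if mark != -1:
        # The ACME problem document is the JSON object after the marker.
        problem, _ = json.JSONDecoder().raw_decode(log, log.index("{", mark))
        seen = TXT_RE.search(problem.get("detail", ""))
        if seen:
            result["found_txt"] = seen.group(1)
            # A value other than auth means the record was not updated
            # for this order.
            result["stale_record"] = seen.group(1) != auth
    return result


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```

A `stale_record` of `True` together with a non-success `hook_reply` points at the DNS update call rather than at the ACME server or the local certificate files.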