
LetsEncrypt fails with internal ACME server and private CA #3170

Closed
Destarianon opened this issue Aug 8, 2023 · 2 comments
@Destarianon

Describe the issue you are experiencing

I am unable to get the LetsEncrypt addon to connect to an internal ACME server running with Step-CA due to SSL validation errors. No matter the value that is provided in the configuration to trust the ACME root CA, SSL validation fails with the following error:

An unexpected error occurred:
requests.exceptions.SSLError: HTTPSConnectionPool(host='10.20.0.230', port=443): Max retries exceeded with url: /acme/ACME/directory/ (Caused by SSLError(SSLError(136, '[X509: NO_CERTIFICATE_OR_CRL_FOUND] no certificate or crl found (_ssl.c:4293)')))

If this is a certbot error, I don't have the same behavior on any other certbot install used in my environment; they all work correctly besides Home Assistant.

This still occurs even after manually adding the private root CA to the Linux trust store and the certifi trust store.

My configuration is as follows (with sensitive values replaced):

domains:
  - homeassist.example.com
email: [email protected]
keyfile: privkey.pem
certfile: fullchain.pem
challenge: http
dns: {}
acme_server: https://10.20.0.230/acme/ACME/directory/
acme_root_ca_cert: >
  -----BEGIN CERTIFICATE-----
  MIIBkDCCATagAwIBAgIRA...euuzpq9I=
  -----END CERTIFICATE-----

What type of installation are you running?

Home Assistant OS

Which operating system are you running on?

Home Assistant Operating System

Which add-on are you reporting an issue with?

Let's Encrypt

What is the version of the add-on?

4.12.9

Steps to reproduce the issue

  1. Set up an internal ACME server with Step-CA, using a new self-signed root CA.
  2. Set up a new Home Assistant OS install and only install the Let's Encrypt Addon.
  3. Configure the LetsEncrypt addon as above, pointed to the internal ACME responder.
  4. View the error message under Addon logs.

System Health information

System Information

version core-2023.8.1
installation_type Home Assistant OS
dev false
hassio true
docker true
user root
virtualenv false
python_version 3.11.4
os_name Linux
os_version 6.1.21-v8
arch aarch64
timezone America/Chicago
config_dir /config
Home Assistant Cloud
logged_in false
can_reach_cert_server ok
can_reach_cloud_auth ok
can_reach_cloud ok
Home Assistant Supervisor
host_os Home Assistant OS 10.4
update_channel stable
supervisor_version supervisor-2023.08.1
agent_version 1.5.1
docker_version 23.0.6
disk_total 116.5 GB
disk_used 6.7 GB
healthy true
supported true
board rpi4-64
supervisor_api ok
version_api ok
installed_addons Z-Wave JS UI (1.15.5), Let's Encrypt (4.12.9), File editor (5.6.0), Advanced SSH & Web Terminal (15.0.6)
Dashboards
dashboards 1
resources 0
views 5
mode storage
Recorder
oldest_recorder_run August 6, 2023 at 7:01 PM
current_recorder_run August 6, 2023 at 2:01 PM
estimated_db_size 37.07 MiB
database_engine sqlite
database_version 3.41.2

Anything in the Supervisor logs that might be useful for us?

No response

Anything in the add-on logs that might be useful for us?

s6-rc: info: service s6rc-oneshot-runner: starting
s6-rc: info: service s6rc-oneshot-runner successfully started
s6-rc: info: service fix-attrs: starting
s6-rc: info: service fix-attrs successfully started
s6-rc: info: service legacy-cont-init: starting
cont-init: info: running /etc/cont-init.d/file-structure.sh
cont-init: info: /etc/cont-init.d/file-structure.sh exited 0
s6-rc: info: service legacy-cont-init successfully started
s6-rc: info: service legacy-services: starting
services-up: info: copying legacy longrun lets-encrypt (no readiness notification)
s6-rc: info: service legacy-services successfully started
[14:43:39] INFO: Selected http verification
Saving debug log to /var/log/letsencrypt/letsencrypt.log
An unexpected error occurred:
requests.exceptions.SSLError: HTTPSConnectionPool(host='10.20.0.230', port=443): Max retries exceeded with url: /acme/ACME/directory/ (Caused by SSLError(SSLError(136, '[X509: NO_CERTIFICATE_OR_CRL_FOUND] no certificate or crl found (_ssl.c:4293)')))
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
s6-rc: info: service legacy-services: stopping
s6-rc: info: service legacy-services successfully stopped
s6-rc: info: service legacy-cont-init: stopping
s6-rc: info: service legacy-cont-init successfully stopped
s6-rc: info: service fix-attrs: stopping
s6-rc: info: service fix-attrs successfully stopped
s6-rc: info: service s6rc-oneshot-runner: stopping
s6-rc: info: service s6rc-oneshot-runner successfully stopped

Additional information

No response

@github-actions

github-actions bot commented Sep 7, 2023

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@github-actions github-actions bot added the stale label Sep 7, 2023
@github-actions github-actions bot closed this as not planned Won't fix, can't repro, duplicate, stale Sep 14, 2023
@elexx

elexx commented Oct 7, 2023

I just had this exact same problem. Turns out YAML replaces newlines with spaces when using >. Just use | instead and it will work:

acme_root_ca_cert: |
  -----BEGIN CERTIFICATE-----
  MIIBkDCCATagAwIBAgIRA...euuzpq9I=
  -----END CERTIFICATE-----

The GUI configuration of this addon generates >- btw, which is definitely wrong.
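A worked illustration of the folded-vs-literal difference, added here and not part of the thread or of the add-on: it emulates how YAML assembles the >, >- and | block scalars for this simple case (uniform indentation, no blank lines) instead of calling a YAML library, then feeds the result to a strict PEM reader like the one behind the NO_CERTIFICATE_OR_CRL_FOUND error. The certificate bytes are constructed, not a real CA.

```python
import base64
import textwrap

# Constructed sample bytes standing in for a DER-encoded root certificate;
# this is not a real certificate.
SAMPLE_DER = b"constructed stand-in for a DER-encoded private root CA"

# The same bytes as they would be typed into the add-on configuration under
# acme_root_ca_cert: armour lines plus 64-column base64 body lines.
CONFIG_LINES = (
    ["-----BEGIN CERTIFICATE-----"]
    + textwrap.wrap(base64.b64encode(SAMPLE_DER).decode("ascii"), 64)
    + ["-----END CERTIFICATE-----"]
)


def block_scalar(lines, indicator):
    """Emulate a YAML block scalar for the simple case in this issue:
    '>' folds each line break into one space, '|' keeps the breaks.
    A trailing '-' (as in '>-') strips the final newline; else one is kept."""
    if indicator.startswith(">"):
        body = " ".join(lines)
    elif indicator.startswith("|"):
        body = "\n".join(lines)
    else:
        raise ValueError(f"unsupported block scalar indicator {indicator!r}")
    return body if indicator.endswith("-") else body + "\n"


def pem_certificates(text):
    """Extract DER blobs the way a strict PEM reader does: each armour marker
    must occupy a whole line and the lines between them must be base64.
    Returns [] when no block is found, i.e. 'no certificate or crl found'."""
    certs, body = [], None
    for line in text.splitlines():
        line = line.strip()
        if line == "-----BEGIN CERTIFICATE-----":
            body = []
        elif line == "-----END CERTIFICATE-----" and body is not None:
            certs.append(base64.b64decode("".join(body), validate=True))
            body = None
        elif body is not None:
            body.append(line)
    return certs


def certificates_loaded(indicator):
    """Certificates a PEM reader finds in acme_root_ca_cert for that indicator."""
    return len(pem_certificates(block_scalar(CONFIG_LINES, indicator)))
```

With | the reader recovers one certificate; with > or >- the whole block collapses onto a single line that matches neither armour marker, so nothing is loaded.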
