I have followed the above instructions but am receiving the error below and cannot start the add-on.
this is what is in my options:
{
  "lets_encrypt": {
    "accept_terms": true,
    "certfile": "fullchain.pem",
    "keyfile": "privkey.pem"
  },
  "token": null,
  "domains": [
    null
  ],
  "seconds": 300
}
And this is the error I get:
not a valid value for dictionary value @ data['options']. Got {'lets_encrypt': {'accept_terms': True, 'certfile': 'fullchain.pem', 'keyfile': 'privkey.pem'}, 'token': None, 'domains': [None], 'seconds': 300}
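The error above is the add-on's schema rejecting the null values in `token` and `domains`. As an added example (not the add-on's own code, and the exact rules are an assumption derived from the errors quoted in this thread, including the later remark that `seconds` has to be set), here is a small validator that reports those problems by name before you hit Start:

```python
"""Validator for the DuckDNS add-on options shown in this thread.

Added example, not code from the add-on. Field names mirror the options JSON
posted above; the checks are an assumption about what the add-on's schema
requires, derived from the errors quoted in the thread (null token / null
domain rejected, "seconds" required, domain given without scheme or port).
"""
import json
import re

# A DuckDNS subdomain is a single DNS label: letters, digits, hyphens.
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$", re.IGNORECASE)

# The options block posted above, as constructed sample input.
POSTED_OPTIONS = """{
  "lets_encrypt": {"accept_terms": true, "certfile": "fullchain.pem", "keyfile": "privkey.pem"},
  "token": null,
  "domains": [null],
  "seconds": 300
}"""


def validate_duckdns_options(options: dict) -> list:
    """Return a list of human-readable problems; an empty list means valid."""
    problems = []

    le = options.get("lets_encrypt")
    if not isinstance(le, dict):
        problems.append("lets_encrypt: must be an object")
    else:
        if le.get("accept_terms") is not True:
            problems.append("lets_encrypt.accept_terms: must be true")
        for key in ("certfile", "keyfile"):
            val = le.get(key)
            if not isinstance(val, str) or not val.endswith(".pem"):
                problems.append(f"lets_encrypt.{key}: must be a .pem filename")
            elif "/" in val:
                # The add-on writes into /ssl itself; the option is a bare filename.
                problems.append(f"lets_encrypt.{key}: give a filename, not a path")

    token = options.get("token")
    if not isinstance(token, str) or not token.strip():
        problems.append("token: must be a non-empty string (null is rejected)")

    domains = options.get("domains")
    if not isinstance(domains, list) or not domains:
        problems.append("domains: must be a non-empty list")
    else:
        for i, d in enumerate(domains):
            if not isinstance(d, str) or not d.strip():
                problems.append(f"domains[{i}]: must be a non-empty string (null is rejected)")
            elif any(c in d for c in ":/"):
                problems.append(f"domains[{i}]: use only the DuckDNS subdomain, no scheme, port or path")
            elif not _LABEL.match(d.split(".")[0]):
                problems.append(f"domains[{i}]: {d!r} is not a valid DNS label")

    seconds = options.get("seconds")
    if isinstance(seconds, bool) or not isinstance(seconds, int) or seconds <= 0:
        problems.append("seconds: must be a positive integer")

    return problems


if __name__ == "__main__":
    for problem in validate_duckdns_options(json.loads(POSTED_OPTIONS)) or ["options look valid"]:
        print(problem)
```

Paste your own options JSON into `POSTED_OPTIONS` and run it; the two lines it prints for the block above are the token and the domain entry, which is exactly what the add-on's one-line error is complaining about.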
I had duckdns set up and had configured letsencrypt. It worked, but I'm not a big fan of duckdns. No real control of my DNS name. So I looked for a better option: Google Domains. It's not free, only 12 dollars a year, but they support the dyndns protocol, so you can use your own domain name for accessing your network. You can create subsites and forwards. You can also use the DNS TXT records to get a letsencrypt SSL certificate as well. To me the 12 dollars is well worth it!
I actually used this article to set up SSL on my OMV NAS and then scripted utilities to convert & push the certificate to my LEDE router, Emby and a few other things I wanted to use with SSL.
Okay - thanks. I was just in doubt whether to do anything on duckdns first or whether that also was a part of the add-on. Reading only the blog suggested the latter.
Do I still need to do some port forwarding, or is it only opening ports that is not needed (or are those two the same)?
Yep, if you have ‘base_url:’ with the port number on the end you’ll need to forward 8123 to 8123 on your pi, if you have just the duckDNS address with no port it’s 443 to 8123.
Sure, just FYI... I'm not the best at explaining step by step, but here we go... it's really simple. First go to https://domains.google.com and set up the domain that you want. Then once you log in you will click on the DNS icon...
Then scroll down to synthetic records and choose the dynamic dns setting from the dropdown…
Once that is created you will get a generated username and password. These will be used to set up the dyndns service on your home router.
As long as your router supports the dyndns service you will choose that, and then for the server address you will enter domains.google.com, then use the username and password from your custom domain subsite...
After this is set up and working you then can use any of letsencrypt's online tools to verify the domain. I used https://www.sslforfree.com/. You want to add your main domain yourdomain.com and any subsite... homeassistant.yourdomain.com to the list of sites you want included in the SSL certificate. Then you can use the option to verify the domain by DNS TXT record. The site will pretty much walk you through what to do. Once you get the DNS TXT record you will add this to the custom resource records on your Google domain. Don't worry about the TTL; Google's default is 1h but it takes less than that to verify. After that you can copy the cert and key text into a separate text doc and save it as a pem file for home assistant. After you do that you just need to copy those files to the correct location and you should be able to get up and running. You can use the same cert for any other systems you have running on your network as long as the site and subsites are in there.
I have installed duckdns and configured it according to the instructions here and other places.
It basically works for me using ssl/https everywhere but on the iOS home assistant app. When using the app I get an invalid certificate message and the app refuses to connect. I have imported the fullchain.pem file to my iPhone and allowed it to be used for SSL, but the app still fails to connect and shows the same error.
Is there anyone else out there with this problem? Is there anyone out there with a working iOS app using duckdns and SSL? If so, did you do anything special to make it work?
Thanks for the above guide. I followed the steps and was able to get the cert files. You mentioned about the correct location of the file. Does it need to be in specific location?
Also there were 3 cert files, which one are we to use?
I get error that HA can’t access pem files in config folder.
My HA Pi is hard lined into my Google WiFi router, but I also have an ISP modem. Which external IP address am I supposed to use, my ISP's or the Google WiFi's?
I am hoping to find a pointer to why I can't get SSL to work.
I have a static IP and my own domain.
Installed the LetsEncrypt addon.
Set up NAT from MyStaticIP:447->hassio:8123 (that is not a typo, 443 is in use). https://hasio.local:8123 works correctly.
SSLChecker says the certificates are valid and tcpdump shows the cert being passed when a request comes in on https://MyDomain.com:447
But if I go to https://MyDomain.com:447 from outside my network, I always get:
Home Assistant had trouble
connecting to the server.
TRY AGAIN
Which must be coming from something running on the Pi. I’ve tried a number of things in the http section of the config file. Currently it looks like:
http:
  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem
  # server_port: 8123
  # Secrets are defined in the file secrets.yaml
  api_password: !secret http_password
  # Uncomment this if you are using SSL/TLS, running in Docker container, etc.
  # base_url: example.duckdns.org:8123
  base_url: https://MyDomain.com:447
I run my own DNS servers and have static IP addresses - No DuckDNS here.
The problem appears to be that Home Assistant is not quite correct in its HTML and this causes lynx to fail. I was using lynx to test so that I could see how things work from an out-of-state machine.
I’ll try to file a bug on this.
The whole objective was to get Google Assistant to work and it still fails.
I changed the default location of my cert files... the ones you need are the key and the chain file. As soon as I added those to the folder I specified in my configuration file it picked up and everything worked fine. You added the root and sub domain name when you created your cert, right? So prefix.domain.com and domain.com; that should allow the cert to work.
I'm afraid I still wouldn't describe this process as effortless. 1 hour with multiple restarts, HASSIO just presenting a blank screen, SSH to reboot over and over, still not working.
Take this the right way but, after the initial missing instructions from the article about port forwarding etc were cleared up, it really is effortless BUT heavily relies on first, you do everything exactly as instructed and second, your instance of HA, hardware and network are all exactly as the setup expects, the latter is where most people’s problems lie.
Hi @Bobby_Nobble if we can troubleshoot my issues then I am happy to help fine tune the docs?
I’m on a pi-zero with hassio running 0.67. I’ve got router port 8123 mapped to 8123 on the pi. I’ve documented my issues in this thread.
My issues are related to the .pem files which I recall previously could only be generated by opening ports temporarily. However the new process doesn’t require this, so my first question is:
how do I validate that the .pem files have been generated and stored correctly? Using the Samba share I browse the hassio folders but cannot find a folder /ssl. Should I be able to locate this, or is it hidden within the container?
It stated quite clearly in the default configuration.yaml you had when first installing HA to uncomment that line if you wanted to access HA externally!
For some reason I had to manually create the ssl folder to get it to work. I did find that when using duckdns, tts on Google home stops working I checked NAT loopback is turned on but it didn’t help.
I created the SSL folder in the config folder, I’m using Hassio. I did it because HA wouldn’t start up and it seemed to be because the SSL files were missing (sorry I can’t remember the exact error) … anyway I added an SSL folder and everything worked; I could connect using SSL via my duckdns address (after setting up some port forwarding on my router). The really strange thing is that when I look in my SSL folder there is nothing there!
Finally, I’ve also noticed that the default options from the docs page apparently aren’t actually valid - appear to require the seconds to be configured:
I’ve selected RESET TO DEFAULTS and edited to give the following valid config:
I am able to reach the HA front-end at https://192.168.0.28:8123/states. With hindsight it is obvious but I was not appending https. However my logs fill with the error:
2018-04-16 06:42:41 ERROR (MainThread) [homeassistant.core] Error doing job: Task was destroyed but it is pending!
Therefore there is an issue here, but the process does work. My PR to clarify the docs is here.
@robmarkcole OK so I tried again after deleting the /config/ssl/ folder I had added and by forwarding port 8123 on my router everything worked. I have since upgraded to hassio 0.67.0 so perhaps there was a bug before. I have confirmed that fullchain.pem and privkey.pem are in /ssl/ as @DavidFW1960 suggested.
I went through my search history and the error I originally got was: Got '/ssl/fullchain.pem' not a file for dictionary value @ data['http']['ssl_key']
Just another way to do that, with automatic renewal and without port forwarding.
There is a simpler way to configure it without caring about port forwarding or leaving HA exposed on the WAN just to do the automatic renewal.
Great tutorial. I may have missed something, how to get HASSio to update the Google Domain? It seems mine is pointed to my provider local office for some reason. This is what I have in my Config.yaml file
google_domains:
  domain: homeassistant.***************.com
  username: !secret google_domain_user
  password: !secret google_domain_pass
I had it all working properly. During my holidays I guess my certificate expired. I was only able to access my setup without https. I figured out that my duckdns add-on had stopped, but I'm not able to start it again. The log on the add-on page is empty. Can someone help me out?
I installed DuckDNS (and not let’s encrypt, because of the warning not to use them both).
I followed the instructions above for the configuration.yaml, but got this error when checking the config: invalid config for [http]: not a file for dictionary value @ data['http']['ssl_certificate']. Got '/ssl/fullchain.pem'
And the same for the ssl_key.
What did I do wrong?
Hi, Noob question: Does this process only work with *.duckdns.org addresses or can I use it to create certs for any domain I own? If so, is the process any different?
Hi all,
I am new to Home Assistant and still learning from the available documentation.
Trying to access hass.io from the internet, I have followed the same steps as described in @Bobby_Nobble's post from 15th April. The result is that now I can't access the UI, neither from my home network nor from outside.
Connection via ssh shows that HA is running. Also files fullchain.pem and privkey.pem are in /ssl folder.
Any hint or idea ? Thanks.
Yep, I’ve been spinning my wheels over the apparent same issue as Chewee. Now it’s a month and a half later than Chewie having the problem,so…
Hey, Chewie, did you get that solved?
Thanks to a blog post by Andreas Gohr I realized that DuckDNS supports setting TXT records, making it compatible with the DNS-01 challenge of Let’s Encrypt. The DNS-01 challenge is using the DNS record of the domain instead of interacting with the server. This means that it’s not needed for the user to open any ports!
But I DO have to forward a port on my router. What is meant by this passage?
One documentation I read guided you to first set up a test port forward (8123 → 8123) and later on advises you to delete that port forwarding and replace it with (443 → 8123).
Currently I can't find that doc.
What's the reason for this?
Is it more insecure to open port 8123 to the public than opening 443?
The advantage of forwarding 8123 to 8123 is that it will be the same URL either in the local or in the public network.
When I change it to 443 → 8123, then I have to open XXX.duckdns.org in a public network and XXX.duckdns.org:8123 in my local network. Or is there a workaround for that?
So if it makes no difference (that's my main question) whether you choose 443 or 8123, then why use different ports?
EDIT:
This is the doc I was talking about.
headlines 5 - CHECK THE INCOMING CONNECTION and 6 - CLEAN UP PORT FORWARDS
In step 2 we created a port forwarding rule called ha_test . This opens port 8123 to the world, and is no longer necessary.
Last passage before section 1 mentions why.
It’s because he aims to get the default behavior of writing https which runs on port 443 instead of having to specify port each and every time.
Personally I have also seen that if you want to run home Assistant as progressive web app (I.e. it shows up as a app on your drawer) on Android. You need to run it on port 443 alt port forward 443 to HA port of choice.
From a local network standpoint you can still run the same https://xxx.duckdns.org address as externally.
This is because the router knows that the endpoint of that address is internal so it will just turn the traffic back around.
But from a security point of view it's the same, whether you open 443 or some other port?
Or is it even more secure to have another port than 443 because it isn't that obvious for a potential attack from a hacker?
I don’t care if I have to specify the port every time, because I save the url as bookmark, so I don’t have to care about that.
I just want to know if I’m doing it right. So are both ways ok or is one better than the other?
Are you sure about that? I tried it with port 443 but I wasn't able to open it without the internal port at the end (locally).
My router doesn't support NAT loopback; maybe that's the issue?
Changing port would be classified as security by obscurity. I.e. Security wise it makes no difference. A bot will port scan you anyway.
What setting you need to change on your router, I'm unsure. Never had to tweak this on any of mine.
I would say that the router should be able to find the lookup address in its own DNS table.
I.e. it resolves the duckdns address to its own external address, and hence loops it back internally.
My duckdns works outside my local network - https://XXXXXX.duckdns.org/.... but when I use the same address at home on the local network it brings up the login page for my router, not home assistant. What am I missing? Any help would be greatly appreciated. Thanks!
Hi All
Can you help, please? I installed Hass.io a couple of days ago and am now setting up DuckDNS as distributed.
Hass doesn't start up anymore; this is my error message in the log file:
2019-02-26 11:11:09 ERROR (MainThread) [homeassistant.core] Error doing job: SSL error errno:1 reason: HTTP_REQUEST
Traceback (most recent call last):
File "uvloop/sslproto.pyx", line 504, in uvloop.loop.SSLProtocol.data_received
File "uvloop/sslproto.pyx", line 204, in uvloop.loop._SSLPipe.feed_ssldata
File "uvloop/sslproto.pyx", line 171, in uvloop.loop._SSLPipe.feed_ssldata
File "/usr/local/lib/python3.7/ssl.py", line 763, in do_handshake
self._sslobj.do_handshake()
ssl.SSLError: [SSL: HTTP_REQUEST] http request (_ssl.c:1056)
This is in my configuration file:
http:
  # base_url: https://secret.duckdns.org:8123
  # ssl_certificate: /ssl/fullchain.pem
  # ssl_key: /ssl/privkey.pem
And this is the setup in the DuckDNS add-on options:
{
  "lets_encrypt": {
    "accept_terms": true,
    "certfile": "fullchain.pem",
    "keyfile": "privkey.pem"
  },
  "token": "token from Duck DNS page",
  "domains": [
    "secret"
  ],
  "seconds": 300
}
I did not install the add-on Letsencrypt separately, as it was not in the instruction.
@Vennerberg thanks for the remark. Tried that but without success.
Config file error:
Invalid config for [http]: not a file for dictionary value @ data['http']['ssl_certificate']. Got 'fullchain.pem'
not a file for dictionary value @ data['http']['ssl_key']. Got 'privkey.pem'. (See /config/configuration.yaml, line 44). Please check the docs at https://home-assistant.io/components/http/
Wait, hold on... in configuration.yaml it's supposed to be as you stated, with https:// and /ssl/. In the hassio config for duckdns it's supposed to be as I said: no https, no ports and no /ssl/.
And my config file is
this is in my configuration file:
http:
  base_url: https://secret.duckdns.org:8123
  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem
@DavidFW1960
Because the DuckDNS add-on now supports LetsEncrypt. And as it uses that "add-on" / addition also, my reasoning was to also open that port.
Thanks, will try this tonight; from the office it is a bit tricky to forward ports at home and restart plugins. Will let you know what the result was.
With the duckdns addon it uses the DNS validation instead of HTTP - that is why it doesn’t require port 80.
Regarding other forwards… if you forward port 8123 to 8123 then you always need to specify the :8123 at the end of the HA URL. If you forward 443 to 8123 then you don’t need to specify any port.
If I do what you ask in the configuration.yaml file I get the following:
Configuration invalid
Invalid config for [http]: not a file for dictionary value @ data['http']['ssl_certificate']. Got 'fullchain.pem'
not a file for dictionary value @ data['http']['ssl_key']. Got 'privkey.pem'. (See /config/configuration.yaml, line 23). Please check the docs at https://home-assistant.io/components/http/
For the record:
My network consists of a cable modem with routing capabilities and a router. I thought I had disabled the routing capabilities, but that was not so.
That's what I was missing. In my previous attempts I only enabled port forwarding on the attached wireless hub. Now that I've enabled it on the router the duckdns URL communicates with my home assistant. Thnx!
Is anyone able and willing to help me troubleshoot my setup? I am NOT using duckdns, and I am NOT using hass.io.
I have a domain and successfully generated certs from letsencrypt, no matter what I add to my configuration.yaml file… I get the following error in the log
2019-05-03 12:32:25 ERROR (MainThread) [homeassistant.config] Invalid config for [http]: not a file for dictionary value @ data['http']['ssl_certificate']. Got 'ssl/fullchain.pem'
not a file for dictionary value @ data['http']['ssl_key']. Got 'ssl/privkey.pem'. (See /config/configuration.yaml, line 23). Please check the docs at https://home-assistant.io/components/http/
What I have tried:
different directories and different permissions for the cert files, including 777 wide open
different port forwarding rules, though this does not matter as these errors are on start up, and not when connecting.
adding and removing a bunch of different combinations of leading "/" and "" and '' to see... the error has always been the same
Because within my docker install the config folder is not where the homeassistant root folder is, there was no <>/ssl/ folder, nor a /ssl/ folder in the docker install. So I had to fully qualify the proper location, and everything worked perfectly.
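The "not a file" errors in this thread all come down to where Home Assistant ends up looking for the cert and key, and the 443-vs-8123 question comes down to what `base_url` says. As an added example (written for this thread, not Home Assistant's own validation code), here is a checker that resolves the two paths the way this example chooses to (absolute paths as-is, bare names relative to the config directory, an assumption about HA's behaviour), reports any missing file the same way HA's error does, flags an `http://` base_url combined with TLS (the mismatch that shows up as `SSL error ... HTTP_REQUEST` when a client speaks plaintext to the TLS port), and derives the router forward rule from base_url. The default listening port 8123 is assumed.

```python
"""Checker for Home Assistant's `http:` section: the "not a file" errors for
ssl_certificate / ssl_key seen throughout this thread, and the router
port-forward a given base_url implies.

Added example written for this thread, not Home Assistant's own validation.
Assumptions: the http section is passed in as a dict (already parsed from
configuration.yaml); relative paths are resolved against the config
directory, which is this checker's convention; HA listens on 8123 by default.
"""
import os
import tempfile
from urllib.parse import urlsplit

HA_DEFAULT_PORT = 8123


def resolve_cert_path(value: str, config_dir: str) -> str:
    """Absolute paths (e.g. /ssl/fullchain.pem) are used as-is; bare names are
    taken relative to the config directory. On Docker installs /ssl often does
    not exist at all, which is why fully qualifying the path fixes the error."""
    return value if os.path.isabs(value) else os.path.join(config_dir, value)


def check_http_section(http: dict, config_dir: str):
    """Return (problems, forward); forward is (external_port, ha_port) or None."""
    problems = []
    cert, key = http.get("ssl_certificate"), http.get("ssl_key")
    tls = cert is not None or key is not None
    for name, value in (("ssl_certificate", cert), ("ssl_key", key)):
        if tls and value is None:
            problems.append(f"{name}: missing; ssl_certificate and ssl_key go together")
        elif value is not None and not os.path.isfile(resolve_cert_path(value, config_dir)):
            # Same wording HA's validator uses, plus where this checker looked.
            problems.append(f"{name}: not a file. Got {value!r} "
                            f"(looked at {resolve_cert_path(value, config_dir)!r})")

    forward = None
    base_url = http.get("base_url")
    if base_url:
        # base_url may be written with or without a scheme; urlsplit needs '//'.
        parts = urlsplit(base_url if "://" in base_url else "//" + base_url)
        scheme = parts.scheme or ("https" if tls else "http")
        if tls and scheme == "http":
            problems.append("base_url: http:// but TLS is configured; clients sending "
                            "plaintext to the TLS port cause SSL HTTP_REQUEST errors in the log")
        if not tls and scheme == "https":
            problems.append("base_url: https:// but no certificate/key configured")
        external = parts.port or (443 if scheme == "https" else 80)
        forward = (external, int(http.get("server_port", HA_DEFAULT_PORT)))
    return problems, forward


def describe_forward(forward) -> str:
    """Human-readable router rule: external port -> port HA listens on."""
    if forward is None:
        return "no base_url set; nothing to derive"
    external, internal = forward
    return f"router: forward external TCP {external} -> HA host TCP {internal}"


def demo(create_files: bool):
    """Run the checker against a throwaway config dir, with or without the PEM files."""
    with tempfile.TemporaryDirectory() as config_dir:
        if create_files:
            os.mkdir(os.path.join(config_dir, "ssl"))
            for fname in ("fullchain.pem", "privkey.pem"):
                with open(os.path.join(config_dir, "ssl", fname), "w") as fh:
                    fh.write("placeholder, not a real PEM\n")  # constructed stand-in
        http = {  # the relative-path form that produced the error above
            "ssl_certificate": "ssl/fullchain.pem",
            "ssl_key": "ssl/privkey.pem",
            "base_url": "https://MyDomain.com:447",
        }
        return check_http_section(http, config_dir)


if __name__ == "__main__":
    for flag in (False, True):
        problems, forward = demo(flag)
        print("files present:", flag, "->", problems or "config ok", "|", describe_forward(forward))
```

Running it once without and once with the files in place shows both sides: the first run reproduces the `not a file` message and prints the absolute path that was actually checked, the second is clean, and both report that `https://MyDomain.com:447` means a 447 -> 8123 forward, while a plain `https://xxx.duckdns.org` means 443 -> 8123.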
Hi Petermj,
Did you ever get this fixed for the iOS app? I currently have the same issues.
Works perfectly through a web browser externally, but the HA iOS app fails: An SSL error has occurred and a secure connection to the server cannot be made. I set up a duckdns address.
I should give a try again sometime, but have no time right now. For now I have installed the HomeKit plugin and can control all my devices using the Home app on my iPhone, which I believe is secure.
Exactly the same problem here.
I got Duckdns + caddy and it works perfectly in the internal network as well as externally by browser (even Safari on iPhone). But the iOS app (2.0) fails with the same SSL error.
Already posted on IOS but no support so far. I guess the app cannot handle this configuration.
They will be referring to opening ports for LetsEncrypt validation which is not needed if you use the DuckDNS addon for Hass.io as it uses DNS validation instead of http validation.
You DO still need to forward say port 443 to 8123 to access home assistant from outside your network though. Before I used IPv6 I used a port in the high 30000’s range instead of forwarding port 443. You would then access by https://domain.duckdns.org:port
Yeah you and almost everyone else. You can use Nabu Casa the HA cloud with no open ports, or use zero tier one (which works really well) with no PF but other than that, if you want external access then you need to open/forward a port.
On my system I use only IPv6 (my duckdns address only has a IPv6 address updated) and I then have to open 443 (no PF) which is more obscure at the least…
I did not use duckdns for two reasons... I did not install HASS.io, so add-ons are not trivial for me to get up and running, and I also have a DDNS provided by noip.com.
EDIT: this is the configuration error I get when I add the ssl file path in the configuration.yaml:
Invalid config for [http]: not a file for dictionary value @ data['http']['ssl_certificate']. Got '/ssl/fullchain.pem'
not a file for dictionary value @ data['http']['ssl_key']. Got '/ssl/privkey.pem'. (See /config/configuration.yaml, line 55). Please check the docs at HTTP - Home Assistant
What I would like to do now is allow SSL access to my other services on the same folder: Transmission (port 9091), zoneminder - (port80). I note that @chrisw has used this to enable other things (Emby).
Do I "just" need to reference these cert and key files in apache2, or do I need to make changes to hool.sh also?
Many thanks if anyone has a minute to explain how I can use this as described!
ERROR: An error occurred while sending post-request to https://acme-v02.api.letsencrypt.org/acme/new-order (Status 400)
and at the bottom of the error
{
"type": "urn:ietf:params:acme:error:malformed",
"detail": "Malformed account ID in KeyID header URL: \"https://acme-v02.api.letsencrypt.org/acme/acct/\"",
"status": 400
}
I eventually just installed letsencrypt manually and it worked fine. I don't know what the issue is; this is a brand new install, so there is no chance of me really having messed something up.