A more lightweight Let's Encrypt + DuckDNS setup


#1

I wrote a quick tutorial on how to set up Let’s Encrypt and DuckDNS without needing to expose port 80 to the outside world, using the “dehydrated” script instead of the heavyweight certbot tool.

https://www.splitbrain.org/blog/2017-08/10-homeassistant_duckdns_letsencrypt

The advantage of using DNS challenges is that I do not need to worry about what runs on port 80 (in my case it’s emulated_hue for Google Home) when doing the certificate renewal.

I hope it’s useful for others.


#2

This works for me up until I get to generating the certificates. The script gets to “Requesting challenge for mydomain.duckdns.org”, then exits with the message “curl: (60) SSL certificate problem: self signed certificate in certificate chain”. The error is coming when the curl "https://www.duckdns.org/update?domains=$domain&token=$token&txt=$4" command is run in the hook.sh file, but I’m not sure why this is, and can’t find another instance of this online.

Any chance you know why this is happening?


#3

Hmm sounds very weird indeed. The certificate at duckdns seems to be perfectly fine to me. No idea what’s going wrong there for you. Maybe some proxy in between?


#4

I think the issue was the initial Raspbian setup - I was using Raspbian Stretch instead of Jessie. I installed Jessie and now it’s working.


#5

I’m only seeing this topic now and I love this approach @splitbrain! Would you want to work with me to see if we can get this added to Home Assistant as two new components: one for DuckDNS and one for Let’s Encrypt?

My vision would be that a configuration could look something like this:

# Open the port on the router to allow accessing it remotely (already exists)
upnp:

# Will keep IP up to date and allow setting TXT record
duckdns:
  domain: bla.duckdns.org
  token: ABCDEFGH

# Will check cert status on startup and every X days,
# if not exist or about to expire will set TXT record and do verification.
# Future: auto-configures certs in HTTP component ?!
letsencrypt:
  platform: duckdns

#6

That will be phenomenal!!


#7

PR for DuckDNS component: https://github.com/home-assistant/home-assistant/pull/9556

It includes services to update/clear TXT record too.


#8

Worked with Pascal to integrate dehydrated in the DuckDNS add-on. Automatic creation and renewal is now available: https://home-assistant.io/blog/2017/09/27/effortless-encryption-with-lets-encrypt-and-duckdns/


#9

Hey, sorry for not replying earlier - I was on vacation. Awesome work on the hass.io component. I’m glad my post turned out to be useful.


#10

I like the idea of a ‘letsencrypt’ component that can support multiple DDNS providers – I, for instance, am using http://freedns.afraid.org and would love to accomplish a similar setup (hass.io-centered or not).


#11

dehydrated uses a custom hook file to interface with whatever DNS provider you’re working with. Check their wiki for examples. Shouldn’t be too hard to support afraid.org if they have an API.


#12

Already on it, @splitbrain! They don’t have a TXT API, per se, but I’ve got a good solution cooking!


#13

@balloob Will this be limited to Hassio?


#14

I too am wondering if this is only for hass.io? I’m new to home assistant and still trying to figure things out but I don’t see how or where to install the duckdns addon?


#15

@splitbrain, thanks for putting this together. I got this set up last night and it’s nice to finally have an https: connection for my HA instance.

Would you mind if I created a guide for less experienced users on how to implement your setup? I will give you all the credit for development and link to your site. I think your guide is good, however, I think a step by step option may lower the bar for less experienced users.

I found I had to add my home assistant user as a sudo user temporarily, for example; that is an error that a number of people would run into and likely get stuck at. Even something as simple as changing the current directory can be a hurdle for basic users.


#16

Sure, go ahead. I realize that my description needs some familiarity with Unix/Linux systems to fill in the blanks. A more beginner-friendly guide is probably welcome.


#17

Hi funbobby,

This is already implemented in Hass.io through the add-on.


#18

Hello silvrr,

I think I ran into one of the issues. When following the guide from splitbrain I have successfully created the Let’s Encrypt certificates, but get an error message from Home Assistant saying the files do not exist (they do).

In the tutorial they mention that the key files are located in

ssl_certificate: /home/homeassistant/dehydrated/certs/myhome.duckdns.org/fullchain.pem
ssl_key: /home/homeassistant/dehydrated/certs/myhome.duckdns.org/privkey.pem

I am on hassbian and tried the following as well:

ssl_certificate: /home/pi/dehydrated/certs/myhome.duckdns.org/fullchain.pem
ssl_key: /home/pi/dehydrated/certs/myhome.duckdns.org/privkey.pem

and

ssl_certificate: ./dehydrated/certs/myhome.duckdns.org/fullchain.pem
ssl_key: ./dehydrated/certs/myhome.duckdns.org/privkey.pem

Without success.

I also tried chmod 777 on the folders and can successfully open the file with the cat command.

I suppose it is a rights issue, but would need a hint to help me out.

Thanks


#19

If you are on hassbian, did you switch users and enter the virtual environment first? This is where I got tripped up. I am not sure that the homeassistant user (what HA runs commands as) can access the files if they are not within the home assistant virtual environment.


#20

Hello silvrr,

Many thanks for your quick reply - we are on the right track to find the solution.

Once in the virtual environment I see the “dehydrated” folder but cannot access the “certs” folder. The right config would therefore be:

ssl_certificate: /home/pi/dehydrated/certs/myhome.duckdns.org/fullchain.pem
ssl_key: /home/pi/dehydrated/certs/myhome.duckdns.org/privkey.pem

But I need to search how to give access to the homeassistant user now.

Best

EDIT: found

I needed to give permission to homeassistant to access the two files (not done in the virtual environment):

$ sudo chown homeassistant:homeassistant ./dehydrated/certs/example.duckdns.org/fullchain.pem
$ sudo chown homeassistant:homeassistant ./dehydrated/certs/example.duckdns.org/privkey.pem

However, this will prevent crontab from running. I therefore chmodded both files with

$ sudo chmod 777 ./dehydrated/certs/example.duckdns.org/fullchain.pem ./dehydrated/certs/example.duckdns.org/privkey.pem

Not ideal but waiting for a better solution
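As an added example that is not part of the original thread, and not code from splitbrain's tutorial, dehydrated or the Home Assistant add-on, here is one hook script that serves both loose ends above: post #2's curl call against the DuckDNS update URL (the dns-01 challenge), and post #20's permission problem, solved with a deploy_cert hook that copies the issued files out of the dehydrated tree with group-only permissions instead of chmod 777. Everything named here is an assumption to adapt to your own system: the DEPLOY_DIR path, a group called ssl-cert that both the cron user and homeassistant belong to (sudo groupadd ssl-cert; sudo usermod -aG ssl-cert homeassistant), a DUCKDNS_TOKEN environment variable, and DuckDNS's documented clear=true parameter for removing the TXT record, which the thread itself does not show.

```shell
#!/bin/sh
# Added example (not from the thread, dehydrated, or Home Assistant): a dehydrated
# hook that answers the DuckDNS dns-01 challenge and deploys certificates without
# making the private key world-readable.
#
# Assumed setup (hypothetical names): dehydrated runs from cron as e.g. "pi",
# Home Assistant runs as "homeassistant", both are members of CERT_GROUP, and
# configuration.yaml points ssl_certificate/ssl_key at $DEPLOY_DIR/fullchain.pem
# and $DEPLOY_DIR/privkey.pem. DUCKDNS_TOKEN comes from the environment.
set -eu

DEPLOY_DIR="${DEPLOY_DIR:-/etc/homeassistant/ssl}"
CERT_GROUP="${CERT_GROUP:-ssl-cert}"
DNS_WAIT="${DNS_WAIT:-30}"   # seconds to let the TXT record propagate before validation

# URL that sets the _acme-challenge TXT value (same endpoint post #2 quotes).
duckdns_set_txt_url() {
    printf 'https://www.duckdns.org/update?domains=%s&token=%s&txt=%s' "$1" "$2" "$3"
}

# URL that clears the TXT value again (assumes DuckDNS's documented clear=true).
duckdns_clear_txt_url() {
    printf 'https://www.duckdns.org/update?domains=%s&token=%s&txt=&clear=true' "$1" "$2"
}

# dehydrated calls: hook.sh deploy_challenge DOMAIN TOKEN_FILENAME TOKEN_VALUE
# (in a flat hook without functions those are $2 $3 $4, hence "txt=$4" in post #2)
deploy_challenge() {
    domain="$1"; txt="$3"
    resp=$(curl -fsS "$(duckdns_set_txt_url "$domain" "$DUCKDNS_TOKEN" "$txt")")
    # DuckDNS answers with a plain "OK" or "KO" body; an HTTP 200 "KO" must still fail
    if [ "$resp" != "OK" ]; then
        echo "DuckDNS rejected the TXT update for $domain: $resp" >&2
        exit 1
    fi
    sleep "$DNS_WAIT"
}

# dehydrated calls: hook.sh clean_challenge DOMAIN TOKEN_FILENAME TOKEN_VALUE
clean_challenge() {
    curl -fsS "$(duckdns_clear_txt_url "$1" "$DUCKDNS_TOKEN")" >/dev/null
}

# dehydrated calls: hook.sh deploy_cert DOMAIN KEYFILE CERTFILE FULLCHAINFILE CHAINFILE TIMESTAMP
deploy_cert() {
    keyfile="$2"; fullchainfile="$4"
    install -d -m 0750 "$DEPLOY_DIR"
    # 0640: owner read/write, group read, nothing for "other". The chmod 777 in
    # post #20 handed the private key to every local account and process.
    install -m 0640 "$keyfile" "$DEPLOY_DIR/privkey.pem"
    install -m 0640 "$fullchainfile" "$DEPLOY_DIR/fullchain.pem"
    # Give the group to CERT_GROUP so homeassistant reads via membership; skipped
    # when the group does not exist (e.g. when exercising this script unprivileged).
    if getent group "$CERT_GROUP" >/dev/null 2>&1; then
        chgrp "$CERT_GROUP" "$DEPLOY_DIR" "$DEPLOY_DIR/privkey.pem" "$DEPLOY_DIR/fullchain.pem" \
            || echo "chgrp failed: add the invoking user to $CERT_GROUP" >&2
    fi
}

# audit_other_bits FILE...: return 0 when no file grants any permission to
# "other", 1 otherwise. Reads columns 8-10 of ls -l, which is portable, instead
# of GNU-only stat flags. Run it over the deployed files after each renewal.
audit_other_bits() {
    rc=0
    for f in "$@"; do
        other=$(ls -ld "$f" | cut -c8-10)
        if [ "$other" != "---" ]; then
            echo "world-accessible: $f (other=$other)" >&2
            rc=1
        fi
    done
    return $rc
}

# dehydrated passes the handler name first; handlers this script does not
# implement (startup_hook, exit_hook, unchanged_cert, ...) are ignored.
handler="${1:-}"
if [ -n "$handler" ]; then
    shift
    case "$handler" in
        deploy_challenge|clean_challenge|deploy_cert) "$handler" "$@" ;;
    esac
fi
```

With this in place the cron job keeps running dehydrated as the user that owns ~/dehydrated, so nothing there needs to be chowned to homeassistant; only the copies under DEPLOY_DIR are shared, and only through the group. Point ssl_certificate and ssl_key at those copies and restart Home Assistant after a renewal (or do it from deploy_cert) so it loads the new files.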