A more lightweight Let's Encrypt + DuckDNS setup


#22

I renewed the certificates and it seems to have worked. However when I attempt to access my HASS I get an invalid certificate error. Any Ideas?


#23

Did you ever make the guide? It would be good to have a version 2.0 of this guide as reading by the comments a lot of us have got stuck.


#24

No, sorry.

I was going to make it when I switched my HA instance over to my virtual machine instance (which I did yesterday actually), but I didn’t run into the same issues do to the new configuration.


#25

I’m guessing the homeassistant user no longer can see the certs (premission)


#26

So I found that I installed dehydrated as homeassistant and as pi. So when I would run the renew as pi it would not work. Switched over to homeassistant and worked like a charm.


#27

@splitbrain

I initially installed the full Letsencrypt version from the docs.

I just installed the dehydrated version from your (splitbrain) website.

Everything seems to be working but I have one question…

I installed ssl-cert-check to keep track of my cert expiration.

will that also check for the expiration of the cert using the dehydrated method? if not then how do I fix it?

Right now the sensor is still showing 39 days remaining. but I don’t remember when that updates. So it may be good an I’m just being a nervous nelly…

And do I need to do anything to uninstall the full version of letsencrypt?

Thanks for this!


#28

Anyone have "this script require openssl on hassio?

‘This script requires an openssl binary’


#29

Well, OK.

I guess everything doesn’t seem to be working OK.

I forgot to save my config yaml. when I did save it & reload then HA wouldn’t load the frontend.

checking the log I get the following errors:

2018-01-12 23:57:56 ERROR (MainThread) [homeassistant.config] Invalid config for [http]: not a file for dictionary value @ data['http']['ssl_certificate']. Got '/home/pi/dehydrated/certs/bussnet.duckdns.org/fullchain.pem'
not a file for dictionary value @ data['http']['ssl_key']. Got '/home/pi/dehydrated/certs/bussnet.duckdns.org/privkey.pem'. (See /home/homeassistant/.homeassistant/configuration.yaml, line 43). Please check the docs at https://home-assistant.io/components/http/

I ran the installation as the pi user.

the certs actually do exist in the above locations as far as I can see.

Everything looked as if it installed properly.


#30

@finity Looks like the user running homeassistant does not have permissions to cert files.

I’ve made an PR to hassbian-scripts #81, using the dehydrated methode, if included hassbian install will be just as east as the hassio install for this :slight_smile:


#31

@ludeeus

Thanks. I must have skimmed past that part of the discussion above.

I’ll switch permissions and see if that fixes it.


#32

I tried to change permissions (as per @digieurope example above) and I still get the same error.

If I switch my config yaml back to pointing to the original cert files then everything is fine.

looks like i’m continuing the investigation…

EDIT:

my other SSL files were owned by root. i changed the new files to root ownership and still get the same error.

is there some place the SSL files are specified other than in the config yaml that might be causing an issue?


#33

I have exact same issues… tried root ownership and admin ownership in synology… also tried different paths… same error… do i need any plugin like duckdns or letsencrypt?

I simply generated the cert with dehyrdate as per guide… no plugins installed


#34

For reference, this blog post doesn’t work on Hassbian, as the homeassistant user isn’t allowed to restart Hass via systemctl

[email protected]:~/dehydrated $ ./dehydrated -c
# INFO: Using main config file /home/homeassistant/dehydrated/config
Unknown hook this_hookscript_is_broken__dehydrated_is_working_fine__please_ignore_unknown_hooks_in_your_script
Processing ajha.duckdns.org
Unknown hook this_hookscript_is_broken__dehydrated_is_working_fine__please_ignore_unknown_hooks_in_your_script
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting new certificate order from CA...
 + Received 1 authorizations URLs from the CA
 + Handling authorization for ajha.duckdns.org
 + 1 pending challenge(s)
 + Deploying challenge tokens...
OK
 + Responding to challenge for ajha.duckdns.org authorization...
OK
 + Challenge is valid!
 + Requesting certificate...
 + Checking certificate...
 + Done!
 + Creating fullchain.pem...

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for homeassistant:
Sorry, try again.
[sudo] password for homeassistant:
sudo: 1 incorrect password attempt
[email protected]:~/dehydrated $ 

But I could fix it by setting the sudo rights like that :

[email protected]:~ $ sudo su -
SSH is enabled and the default password for the 'pi' user has not been changed.
This is a security risk - please login as the 'pi' user and type 'passwd' to set a new password.
[email protected]:~# echo 'homeassistant ALL=(ALL) NOPASSWD:  /bin/systemctl restart [email protected]' > /etc/sudoers.d/hass_restart
[email protected]:~#

This will allow the script to run properly.


#35

That is partaly correct, it works, but try to restart the service.
That part fails…

For hassbian this is included in sudo hassbian-config install duckdns
https://github.com/home-assistant/hassbian-scripts/blob/dev/docs/duckdns.md


#36

… and the script stops running, and I think not completing all the tasks.

I had to kill the script (ctrl+c), then delete all the files generated by the script, then fix sudo, then re-run the script.

I didn’t know that hassbian had it included in hassbian-config duckdns - cheers for the tip !
This could be added to the blog page :smile:


#37

Ok, I had to run this tonight as I have switched back to a hassbian based Pi install. Obviously all credit for this goes to splitbrain. I have just added some of the basic linux commands incase someone doesn’t know their way around. I strongly reccomend you copy and paste the commands from Splitbrains post, I have had issues when copy and pasting text from this forum. All the commands I added are simple enough that you should be able to copy and paste them into your terminal/ssh window.

The below assumes you have a domain with duckdns and know how to SSH into your Pi (or have native terminal access)

https://www.splitbrain.org/blog/2017-08/10-homeassistant_duckdns_letsencrypt

ssh into your pi

Switch to the home assistant user

sudo su -s /bin/bash homeassistant

I activated the vitrual enviroment (not sure if this is needed)

source /srv/homeassistant/bin/activate

Move to /home/homeassistant directory

cd /home/homeassistant

Copy the dehydrated script

git clone https://github.com/lukas2511/dehydrated.git

Change into the new dehydrated directory

cd /home/homeassistant/dehydrated

create a new domains.txt file containing your duckdns domain name

nano domains.txt

In the window that opens (should be blank) enter your domain from duck dns (eg. myhome.duckdns.org) then hit ctrl + x to exit and Y to confirm the file change and save.

(Note: nano is a text editor that can be used to create and/or edit files in linux. If you misspell/typo anything (ie. domain.txt not domains.txt) it will still create it and this will cause you issues in the future. )

Now create a config file

nano config

Paste the following into the blank file and hit ctrl x and y to exit and save the changes.

# Which challenge should be used? Currently http-01 and dns-01 are supported
CHALLENGETYPE="dns-01"

# Script to execute the DNS challenge and run after cert generation
HOOK="${BASEDIR}/hook.sh"

Create the hook.sh file

nano hook.sh

Copy the hook.sh file from splitbrains blog post (I don’t want it to copy and paste here incorrectly, get it straight from the source).
https://www.splitbrain.org/blog/2017-08/10-homeassistant_duckdns_letsencrypt
Be sure to change the token and domain at the top of the script.
Then ctrl x and y to exit and save.

Also make the hook script executable:

chmod 755 hook.sh

Time to run dehydrated.

First, register a new private key with letsencrypt:

./dehydrated --register  --accept-terms

Then generate the certificate:

./dehydrated -c

Note: this didn’t complete for me, it stopped and asked for my hassbian password. However, it created the files needed and everything is working fine. Hit ctrl+c to exit the running command. You can run ./dehydrated -c again and it should report that the cert is more than 30 days from expiry so its not going to renew. This shows everything is setup correctly.

From here you should be able to follow splitbrain’s post with no issue. So click on over to there and scroll down to “Automate Renewing”

After you finish this setup you can check that the files are available.

Switch to the home assistant user

sudo su -s /bin/bash homeassistant

I activated the virtual environment

source /srv/homeassistant/bin/activate

Then navigate to the certs directory.

cd /home/homeassistant/dehydrated/certs/myhome.duckdns.org

(Note that you will need to change the “myhome.duckdns.org” to your domain)

Then check the contents of that directory using the ls command

ls

You should see the fullchain.pem and privkey.pem files listed.


#38

This should (at least in theory) also work for virtualenv installation?


#39

yes. i used it in a straight debian install in a venv on a NUC. works perfectly.


#40

The base method should work on most installs (HassIO excluded as I don’t fully understand how docker works)

The user and folder structure could change depending on how and where HA was installed. To use this method for lets encrypt you would need to be able to compensate for any user/location changes when executing the commands and putting the config into your HA yaml file.


#41

Update: It work now, wrong key.
I could not set it up. It show:

  • Challenge validation has failed :frowning:
    ERROR: Challenge is invalid! (returned: invalid) (result: {
    “type”: “dns-01”,
    “status”: “invalid”,
    “error”: {
    “type”: “urn:ietf:params:acme:error:unauthorized”,