A more lightweight Let's Encrypt + DuckDNS setup

Where did this occur? What command were you on?

Are you running hassbian or did you use another install method?

Ok wow, thanks for your hard work; I’ve read through the thread. This seems pretty intense, but just to confirm: one cannot use the pre-made script from the Hassbian script page? I mean, I tried using it, but when I looked it hadn’t created the cron job etc. Also, to confirm: the duckdns component in Hassbian doesn’t have built-in Let’s Encrypt as it seems to for hass.io (I tried this too, but when I added the suggested markup to my YAML it didn’t work). So I did get it working with that Bruh video tutorial and have encrypted access to my DNS domain, but it appears that I have to renew the certificate manually as I have it set up now. Can somebody confirm what I’m writing here? Should I follow this method here to get self-renewing certificates in Hassbian? I’m just learning Hassbian but have been playing around with Linux-based distros for a long time.

Thanks so much to anybody who can help me out.

Can you provide a link? I was not aware of a ‘pre-made script’.

No, the duckdns component just keeps your IP up to date with duckdns.

Be careful mixing methods. I’m not sure how the method you used is set up, but some of the methods out there follow different methodologies to accomplish the same task. Mixing these is likely to result in failure.

Hassbian is just Raspbian with some scripts built in; almost anything you search for related to Raspbian will work for Hassbian (just be aware that HA runs in a Python virtual environment). Raspbian is based on Debian, so if you are used to Debian, Ubuntu or other variants of Debian, a lot of the same commands work.

That script can be found here: https://github.com/home-assistant/hassbian-scripts/blob/dev/docs/duckdns.md. It is called with sudo hassbian-config install duckdns. On running the script, it asks whether or not you would like to generate SSL certs. It generated a folder called dehydrated, but I didn’t see the cron job listed that it was supposed to generate, so I figured it wasn’t going to work. In hindsight I can see it tells you to run as user homeassistant, and since I ssh’d in as user pi I guess that may have caused issues.

I ended up using the built-in Hassbian duckdns component that doesn’t include Let’s Encrypt. For Let’s Encrypt I used Bruh’s video here https://www.youtube.com/watch?v=BIvQ8x_iTNE but it is dated, and I believe you have to manually generate your SSL certificates monthly now by rerunning the script. I will forget for sure.

I’ve used various distros but have probably used Ubuntu the most, which is based on Debian, back since Edgy Eft and Feisty Fawn. I am having a bit of trouble understanding the file structure here and how the users are set up along with su in this distro. I’m struggling with custom components now, but that is just gravy, and this is security and important. I hope I can get it squared away.

Thanks a lot for answering.

To not screw up permissions, the cron job is added to the homeassistant user’s crontab.
You can see that by running:
sudo su -s /bin/bash homeassistant
crontab -e

Since I’m posting here, users that do not run hassio or Hassbian might find this script useful:
https://gitlab.com/ludeeus/toolbox/blob/master/homeassistant/auto_duckdns_and_le-cert.sh

You can use the cert expiry sensor.
https://github.com/SilvrrGIT/HomeAssistant/blob/master/sensors.yaml#L299

And create a notification when it gets below a certain threshold.
https://github.com/SilvrrGIT/HomeAssistant/blob/master/automation/certupdate.yaml#L1
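The same early warning can also be produced outside Home Assistant. The following is an added example, not code from the linked repositories or from anyone in this thread: it walks a dehydrated certs directory (one sub-directory per domain, each holding cert.pem) and classifies every certificate with the openssl command-line tool. The function names and the 21-day default threshold are assumptions.

```sh
#!/bin/sh
# Added example: expiry check for a dehydrated certs directory.
# Layout assumed: <certs_dir>/<domain>/cert.pem, as shown in this thread.

# cert_status FILE [WARN_DAYS]
# Prints ok | expiring | expired | invalid and returns 0 | 1 | 2 | 3.
cert_status() {
    cert=$1
    warn_days=${2:-21}   # assumed default threshold, in days
    # A missing or unparseable file must not be reported as "expired".
    if ! openssl x509 -in "$cert" -noout >/dev/null 2>&1; then
        echo invalid; return 3
    fi
    # -checkend N exits non-zero if the certificate expires within N seconds.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo expired; return 2
    fi
    if ! openssl x509 -in "$cert" -noout \
            -checkend "$((warn_days * 86400))" >/dev/null 2>&1; then
        echo expiring; return 1
    fi
    echo ok; return 0
}

# scan_certs CERTS_DIR [WARN_DAYS]
# Prints "<domain> <status>" per domain; returns the worst status seen.
scan_certs() {
    certs_dir=$1
    days=${2:-21}
    worst=0
    for d in "$certs_dir"/*/; do
        [ -d "$d" ] || continue            # glob matched nothing
        domain=$(basename "$d")
        status=$(cert_status "$d/cert.pem" "$days") && rc=0 || rc=$?
        echo "$domain $status"
        if [ "$rc" -gt "$worst" ]; then worst=$rc; fi
    done
    return "$worst"
}
```

Run from the homeassistant user's crontab as `scan_certs /home/homeassistant/dehydrated/certs 21`, a non-zero exit status means at least one certificate needs attention.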

I really appreciate these sorts of scripts. So this script, if run correctly, should help the user who has set up duckdns properly to also set up Let’s Encrypt properly with their duckdns account. Furthermore, your script sets up cron jobs to renew your SSL certificates. I think this covers most of the problems that novice users face here.

I noticed there were some errors/warnings when I ran this script, but I ran it as pi, oops, sorry. Are some of the warnings ignorable? How can I tell if your script is installed properly?

Thanks again for the script; I wish it could be incorporated into the duckdns component.

Thanks but probably better to have it set up to renew the ssl certs automatically

If you have not used the crontab for the user running homeassistant before, it will give you a warning; ignore that.

Both the hassbian-config script and the generic one I posted will write this to the console if it was successful:
“Installation done…”
and “Installation failed…” if there was an error.

Thanks for the guide.
I’ve just spent a good few hours trying to follow it through for my particular setup which is HA running via Docker on OSMC on a RPi3.

After adding the http config to configuration.yaml I was having issues with HA not starting and this error appearing in the log file
Invalid config for [http]: not a file for dictionary value @ data['http']['ssl_certificate']. Got '/home/homeassistant/dehydrated/certs/<removed>.duckdns.org/fullchain.pem'

I spent a while changing permissions of the .pem files, moving them etc but nothing worked.
Then I realised my stupid mistake… the path in OSMC is /home/homeassistant/, but this gets mapped to /config/ within the docker container.
After I changed my yaml file to use the /config/ path it worked - hopefully this saves someone some time!

Now that I have this up and running, is it correct that the only way to access HA now is via https?

I can’t access it via http://.duckdns.org or via the local IP address; I just want to check if that is correct.

That is correct :+1:

Thanks a lot, works great!

Sorry, I have a problem.

I renew certificates with:

sudo su -s /bin/bash homeassistant
source /srv/homeassistant/bin/activate
cd /home/homeassistant/dehydrated/
/home/homeassistant/dehydrated/dehydrated -c

I go to /home/homeassistant/dehydrated/certs/[myhost].duckdns.org and see:

-rwxrwxrwx 1 homeassistant homeassistant 1675 jun 1 2018 cert-1527832445.csr
-rwxrwxrwx 1 homeassistant homeassistant 2520 jun 1 2018 cert-1527832445.pem
-rwxrwxrwx 1 homeassistant homeassistant 1675 ago 30 12:58 cert-1535626661.csr
-rwxrwxrwx 1 homeassistant homeassistant 2520 ago 30 12:58 cert-1535626661.pem
-rw------- 1 homeassistant homeassistant 1675 dic 3 14:11 cert-1543842646.csr
-rw------- 1 homeassistant homeassistant 2277 dic 3 14:11 cert-1543842646.pem
lrwxrwxrwx 1 homeassistant homeassistant 19 dic 3 14:11 cert.csr -> cert-1543842646.csr
lrwxrwxrwx 1 homeassistant homeassistant 19 dic 3 14:11 cert.pem -> cert-1543842646.pem
-rwxrwxrwx 1 homeassistant homeassistant 1648 jun 1 2018 chain-1527832445.pem
-rwxrwxrwx 1 homeassistant homeassistant 1648 ago 30 12:58 chain-1535626661.pem
-rw------- 1 homeassistant homeassistant 1648 dic 3 14:11 chain-1543842646.pem
lrwxrwxrwx 1 homeassistant homeassistant 20 dic 3 14:11 chain.pem -> chain-1543842646.pem
-rwxrwxrwx 1 homeassistant homeassistant 4168 jun 1 2018 fullchain-1527832445.pem
-rwxrwxrwx 1 homeassistant homeassistant 4168 ago 30 12:58 fullchain-1535626661.pem
-rw------- 1 homeassistant homeassistant 3925 dic 3 14:11 fullchain-1543842646.pem
lrwxrwxrwx 1 homeassistant homeassistant 24 dic 3 14:11 fullchain.pem -> fullchain-1543842646.pem
-rwxrwxrwx 1 homeassistant homeassistant 3243 jun 1 2018 privkey-1527832445.pem
-rwxrwxrwx 1 homeassistant homeassistant 3243 ago 30 12:57 privkey-1535626661.pem
-rw------- 1 homeassistant homeassistant 3243 dic 3 14:11 privkey-1543842646.pem
lrwxrwxrwx 1 homeassistant homeassistant 22 dic 3 14:11 privkey.pem -> privkey-1543842646.pem

I think it is correct; I generated the certificates on 3 Dec.

In configuration.yaml I wrote:

ssl_certificate: /home/homeassistant/dehydrated/certs/myhost.duckdns.org/fullchain.pem
ssl_key: /home/homeassistant/dehydrated/certs/myhost.duckdns.org/privkey.pem
base_url: !secret base_url

Then I restarted hass and restarted the Raspberry.

When I access https://myhost.duckdns.org I see “loading data…” and “Unable to connect to Home Assistant.”

And when I look at the certificate of https://myhost.duckdns.org I see that it uses the old HTTPS certificate generated on 30 Aug, not the new certificate generated on 3 Dec.

Why does hass use the old certificate??

What am I doing wrong??

Sorry for my English.
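The listing in the post above shows that privkey.pem and fullchain.pem are symlinks to timestamped files, and that the older privkey-*.pem files carry mode -rwxrwxrwx. The following added example (not code from this thread or from dehydrated; the function name and the LIVE/MISSING/LOOSE labels are assumptions) reports which files the configured paths currently resolve to and flags private keys that group or other users can access.

```sh
#!/bin/sh
# Added example: audit one dehydrated per-domain directory, e.g.
# /home/homeassistant/dehydrated/certs/<domain>/ (path from the thread).

# audit_cert_dir DIR
# Prints: LIVE <link> -> <target>   file the configured path resolves to
#         MISSING <link>            expected symlink is absent
#         LOOSE <mode> <file>       private key accessible to group/other
# Returns 0 when there are no MISSING or LOOSE findings, 1 otherwise.
audit_cert_dir() {
    dir=$1
    findings=0
    for link in privkey.pem fullchain.pem; do
        if [ -L "$dir/$link" ]; then
            echo "LIVE $link -> $(readlink "$dir/$link")"
        else
            echo "MISSING $link"
            findings=$((findings + 1))
        fi
    done
    for key in "$dir"/privkey-*.pem; do
        [ -f "$key" ] || continue            # glob matched nothing
        mode=$(ls -ld "$key" | cut -c1-10)   # e.g. -rwxrwxrwx
        # Characters 5-10 of the mode string are the group and other bits.
        if [ "$(printf '%s' "$mode" | cut -c5-10)" != "------" ]; then
            echo "LOOSE $mode $(basename "$key")"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}
```

A LOOSE file can be tightened with `chmod 600`, which matches the -rw------- mode on the newest files in the listing.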

Please help! I get an error:

INFO: Using main config file /home/pi/dehydrated/config

Unknown hook this_hookscript_is_broken__dehydrated_is_working_fine__please_ignore_unknown_hooks_in_your_script

  • Creating chain cache directory /home/pi/dehydrated/chains
    Processing xxxx.duckdns.org
  • Creating new directory /home/pi/dehydrated/certs/xxx.duckdns.org
    Unknown hook this_hookscript_is_broken__dehydrated_is_working_fine__please_ignore_unknown_hooks_in_your_script
  • Signing domains…
  • Generating private key…
  • Generating signing request…
  • Requesting new certificate order from CA…
  • Received 1 authorizations URLs from the CA
  • Handling authorization for xxx.duckdns.org
  • 1 pending challenge(s)
  • Deploying challenge tokens…
    OK
  • Responding to challenge for xxx.duckdns.org authorization…
  • Challenge is valid!
  • Cleaning challenge tokens…
    OK
  • Requesting certificate…
  • Checking certificate…
  • Done!
  • Creating fullchain.pem…
    Unknown hook sync_cert
  • Done!

Error: Unknown hook this_hookscript_is_broken__dehydrated_is_working_fine__please_ignore_unknown_hooks_in_your_script

I saw that error and ignored it like it says. I seem to be working fine with the certificates.

What is “Unknown hook this_hookscript_is_broken__dehydrated_is_working_fine__please_ignore_unknown_hooks_in_your_script”?
Please help, thanks so much!

I think it is someone’s way of saying there is an error you can ignore but they were unable to fix the error.
In other words, they expect you to get that error but things work right anyway.

I am port forwarding port 2304 to port 8123 on my Pi, but I cannot load the page xxx.duckdns.org:2304.
In 12/2018 I followed this guide and was successful. But now my SD card is bad, so I had to flash a new Hassbian to a new SD card and then follow this guide again, but without success. Could you help me?

I helped somebody else who thought they had a bad SD card. I have followed Raspberry Pi’s recommendations and had no issues. I use SD formatter to format the card.

Do you want to install Hassio directly on the card or install Hassio on an OS like Raspbian, for example?