A more lightweight Let's Encrypt + DuckDNS setup


Where did this occur? What command were you on?

Are you running hassbian or did you use another install method?


Ok wow thanks for your hard work, I’ve read through the thread. This seems pretty intense but just to confirm that one cannot use the pre made script from the hassbian script page. I mean I tried using but when I looked it didn’t create the Cron job etc. Also to confirm that the duckdns component in hassbian doesn’t have built let’s encrypt as it seems to for hass.io(I tried this to but when i added the suggested mark up to my yaml) it didn’t work. So I did get it working with that bruh video tutorial and have encrypted access to my dns domain but it appears that I have to renew certificate manually as I have it set up now. Can somebody confirm what I’m writing here. Should I follow this method here to get self renewing certificates in hassbian. I’m just learning Hassbian but have been playing around with Linux based distros for a long time.

Thanks so much anybody help me out


Can you provide a link, I was not aware of a ‘pre-made script’

No, the duckdns component just keeps your IP up to date with duckdns.

Be careful mixing methods, not sure how the method you used is setup, but some of the methods out there follow different methodologies on how to accomplish the same task. Mixing these is likely to result in failure.

Hassbian is just rasbian with some scripts built in, most anything you search for related to rasbian will work for hassbian (just be aware that HA runs in a python virtual environment). Rasbian is based on debian so if you are used to debian, ubuntu or other variants of debian alot of the same commands work.


That script can be found here https://github.com/home-assistant/hassbian-scripts/blob/dev/docs/duckdns.md it is called with sudo hassbian-config install duckdns . On running the script it queries whether or not you would like to generate ssl certs. It generated a folder called dehydrated but I didnt see the cron job listed that it was supposed to generate so figured it wasnt going to work. In hindsight I can see it tells you to run as user homeassistant and since i ssh’d as user pi I guess that may have caused issues.

I ended up using the built in hassbian duckdns component that doesnt include letsencrypt. For letsencrypt I used bruhs video here https://www.youtube.com/watch?v=BIvQ8x_iTNE but it is dated and I believe you have to manually generate your ssl certificates monthly now by rerunning the script. I will forget for sure

I’ve used various distros but have probably used ubuntu the most which is based on debian back since Edgy Eft and Feisty Fawn. I am having trouble understanding the file structure here a bit and how the users are setup along with Su in this distro. Struggling with custom components now but that is just gravy and this is security and important. I hope I can get it squared away.

Thanks for answering alot


to not screw up premissions the cronjob are added to the homeassistant user’s crontab.
you can see that by running:
sudo su -s /bin/bash homeassistant
crontab -e

Since Im posting here, users that do not run hassio or hassbian might find this script useful:


You can use the cert expiry sensor.

And create a notification when it gets below a certain threshold.


I really appreciate these sorts of scripts. So this script if run correctly should help the user if they have set up duckdns properly to have properly set up letsencrypt with there duckdns account. Furthermore your script sets up Cron jobs to renew your ssl certificates. I think this is most of what problems that novice users face here.

I noticed there was some errors/warnings when I ran this script but I ran it as pi, oops sorry. Are some of the warnings ignorable. How can I tell if your script is installed properly?

Thanks again for the script I wish it could be incorporated into the duckdns component


Thanks but probably better to have it set up to renew the ssl certs automatically


If you have not used the crontab for the user running homeassistant before it will give you an warning, ignore that.

Both the hassbian-config script and the generic one I posted will write this to the console if it where successful:
“Installation done…”
and “Installation failed…” if there was an error.


Thanks for the guide.
I’ve just spent a good few hours trying to follow it through for my particular setup which is HA running via Docker on OSMC on a RPi3.

After adding the http config to configuration.yaml I was having issues with HA not starting and this error appearing in the log file
Invalid config for [http]: not a file for dictionary value @ data['http']['ssl_certificate']. Got '/home/homeassistant/dehydrated/certs/<removed>.duckdns.org/fullchain.pem'

I spent a while changing permissions of the .pem files, moving them etc but nothing worked.
Then I realised my stupid mistake… the path in OSMC is /home/homeassistant/, but this gets mapped to /config/ within the docker container.
After I changed my yaml file to use the /config/ path it worked - hopefully this saves someone some time!


Now I have this up and running is it correct that the only way to access HA now is via https?

I cant access via http://.duckdns.org or via the local IP address, just want to check if that is correct.


That is correct :+1:


Thanks a lot, works great!


Sorry, i have a problem

I renew certificates with:

sudo su -s /bin/bash homeassistant
source /srv/homeassistant/bin/activate
cd /home/homeassistant/dehydrated/
/home/homeassistant/dehydrated/dehydrated -c

i go to /home/homeassistant/dehydrated/certs/[myhost].duckdns.org and see

-rwxrwxrwx 1 homeassistant homeassistant 1675 jun 1 2018 cert-1527832445.csr
-rwxrwxrwx 1 homeassistant homeassistant 2520 jun 1 2018 cert-1527832445.pem
-rwxrwxrwx 1 homeassistant homeassistant 1675 ago 30 12:58 cert-1535626661.csr
-rwxrwxrwx 1 homeassistant homeassistant 2520 ago 30 12:58 cert-1535626661.pem
-rw------- 1 homeassistant homeassistant 1675 dic 3 14:11 cert-1543842646.csr
-rw------- 1 homeassistant homeassistant 2277 dic 3 14:11 cert-1543842646.pem
lrwxrwxrwx 1 homeassistant homeassistant 19 dic 3 14:11 cert.csr -> cert-1543842646.csr
lrwxrwxrwx 1 homeassistant homeassistant 19 dic 3 14:11 cert.pem -> cert-1543842646.pem
-rwxrwxrwx 1 homeassistant homeassistant 1648 jun 1 2018 chain-1527832445.pem
-rwxrwxrwx 1 homeassistant homeassistant 1648 ago 30 12:58 chain-1535626661.pem
-rw------- 1 homeassistant homeassistant 1648 dic 3 14:11 chain-1543842646.pem
lrwxrwxrwx 1 homeassistant homeassistant 20 dic 3 14:11 chain.pem -> chain-1543842646.pem
-rwxrwxrwx 1 homeassistant homeassistant 4168 jun 1 2018 fullchain-1527832445.pem
-rwxrwxrwx 1 homeassistant homeassistant 4168 ago 30 12:58 fullchain-1535626661.pem
-rw------- 1 homeassistant homeassistant 3925 dic 3 14:11 fullchain-1543842646.pem
lrwxrwxrwx 1 homeassistant homeassistant 24 dic 3 14:11 fullchain.pem -> fullchain-1543842646.pem
-rwxrwxrwx 1 homeassistant homeassistant 3243 jun 1 2018 privkey-1527832445.pem
-rwxrwxrwx 1 homeassistant homeassistant 3243 ago 30 12:57 privkey-1535626661.pem
-rw------- 1 homeassistant homeassistant 3243 dic 3 14:11 privkey-1543842646.pem
lrwxrwxrwx 1 homeassistant homeassistant 22 dic 3 14:11 privkey.pem -> privkey-1543842646.pem

I think it is correct, i generate certificates 3 dic.

In confirguration.yaml i write:

ssl_certificate: /home/homeassistant/dehydrated/certs/myhost.duckdns.org/fullchain.pem
ssl_key: /home/homeassistant/dehydrated/certs/myhost.duckdns.org/privkey.pem
base_url: !secret base_url

And restart hass and restart raspberry

When i access https://myhost.duckdns.org i see “loading data…” and “Unable to connect to Home Assistant.”

And when I see certificate of https://myhost.duckdns.org i see that use old https certificate generated 30 ago, no refresh for new certificate generated 3 dic

Why hass use old certificate??

What i do wrong??

Sorry for my english