Hi there,

I tried setting up in (logged in via ssh, as root, executed the instructions as per How issue a certificate from Let's Encrypt NOT Using HTTPS or HTTP - ACME.SH). Result: all needed .cer and .key files are generated in /root/ So far so good. Then:

I tried to change the http: part of configuration.yaml like this:

  api_password: mypassword
  ssl_certificate: /root/
  ssl_key: /root/

But the configuration check says:

Invalid config for [http]: not a file for dictionary value @ data['http']['ssl_certificate']. Got '/root/' not a file for dictionary value @ data['http']['ssl_key']. Got '/root/'. (See /config/configuration.yaml, line 104). Please check the docs at

A chmod 755 to the directory /root/ did not help, nor did renaming the .cer and .key to .pem.

What am I missing ?


Not sure how you got that far on Hassio, but try this addon instead
It uses the same logic for that progress :slight_smile:

Thanks for the suggestion. Of course I have seen that addon, but I wanted to use the dns txt challenge to get arround having to open up port 80. Will that addon do the dns txt challenge too ? I did not see it mentioned.

It does, it is based on dehydrated (which are based of

Just enable it in the add-on config :wink:

I’ll try that.

Now my router (fritzbox) is already doing the dyndns updating at duckdns (both IPv4 and IPv6). The reason for this is, that I think my router knows best when it changes IPs and I do not rely on to update the domain.

Can/should I disable the regular duckdns updating in the addon somehow ? If not, I suppose the addon is polling some external service to detect IP changes. How much delay will that introduce ?

AFAIK you can not disable the DuckDNS updater part of it, you can set how frequent it is "seconds": 300 are default.

It did work exactly as you told. Thanks !

1 Like

Addon for Let’s Encrypt with (without DuckDNS)


1 Like

Amazin work! I am gonna try it today! Please add an example in your README to faciliate the configuration!

ahh ok was in eventually, in any case good job again!

So how do you install this addon for HAOS?


There is literally an official add-on to do acme/Let’s Encrypt certs…

Maybe so but it only supports a limited number of dns providers. I use and they are not supported with that addon hence why I am working on this. I did get it installed as an addon finally and the log shows everything works fine. The only problem now is that is shows to be copying the certs to /ssl/ but nothing is actually showing up there.

I got it installed. The part I was not familiar with is how to add the repository (your git page) and install the addon. It’s not in the file and I guess is assumed that one would know how to do that. I had never done that before and that had me stumped. I do have it now and the log looks good but no files are showing up in the /ssl/ folder.

hard to say what could be wrong with no info.

any errors in the logs? with DEBUG 3?

I figured it out. In the configuration.yaml file I needed to add the domain name to the path.

I had:
ssl_certificate: /ssl/fullchain.pem
ssl_key: /ssl/privkey.pem

Needed to be:
ssl_certificate: /ssl/
ssl_key: /ssl/mydomain/privkey.pem

Nothing in the default log said that I just noticed that that is how it was stored on my linux PC also using I really don’t see how to do the DEBUG 3 setting, where do you set that?



So the files did show up in the /ssl folder?

Debug stuff is in See Troubleshooting and Config. You add it to the config under dns > env. Maybe things will make more sense if you edit the config in YAML.


What would be awesome is if you could pay it forward by updating the docs where they were lacking, so the next person has it a bit easier.

@chriskuhl could you please post your full configuration.yaml segment, and the full add-on YAML configuration? Obfuscating whatever needs obfuscating, of course.

I am also trying this with Dynu but I am a bit ignorant of all these things and I am must admit I am probably messing things up. It really helps to see the full picture from a working configuration.



I think I got it working :crossed_fingers:

configuration.yaml segment:

  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem

ACME add-on full settings for Dynu (Settings / Add-ons / ACME / Configuration tab / menu / Edit in YAML):

account: [email protected]
certfile: fullchain.pem
keyfile: privkey.pem
  provider: dns_dynu
    - Dynu_ClientId=aaaaaaaa-bbbb-cccc-dddd-aaaaaaaaaaaa
    - DEBUG=3

That debug level is just useful to troubleshoot.

After it runs successfully, you can check for the certificate files in /ssl

Hi everyone! Does anybody know where the debug logs go? From the UI I can see the logs of the latest run, but I am looking for older stuff. Is there a bit log somewhere with everything appended?

Context: ZeroSSL is spamming me with daily warnings of my certificate expiring. But the certificates are being renewed and are far from expired. I try logging in to ZeroSSL Dashboard to see what is going on and I see this:

Those numbers don’t make much sense to me, I only have 3 sites, started a couple of months ago. But then the UI is totally useless, whatever I click I only get this message:

Note: Your account is holding more than 100 ACME certificates. For using the Dashboard or API with this amount of ACME certificates you have to upgrade at least to the ZeroSSL basic plan.

Thanks, ZeroSSL. But that’s not helpful. I sent multiple emails to their support, I got no reply :frowning:

So I am trying to figure out if I can find the certificate hex code somewhere in a log two months ago and figure out why it is creating different certificates daily (if it is, in fact…).