All-in-one LetsEncrypt

I’ve got HA running on a Raspberry Pi 2; all is well with that. I want to access my frontend remotely so I’ve set up port forwarding on my router. All good there too. I got LetsEncrypt certs successfully installed however HASS can’t seem to access them. I’m thinking a permissions issue. I was able to change permissions on the letsencrypt folders so I (pi) can see them but does the hass user for the virtualenv have to be given permissions too?

Yes. The certs need to be accessible to Home Assistant. If “hass” runs that, then they need to be avail to hass.

Any suggestions on the best way to do that? Right now the directory is owned by root. Should I create a group, say “sslgroup”, change the owner to that and add root and hass to that group? Or could I add hass to sudoers group? It would be nice not to have to manually change permissions every time I renew certs. Thanks for your help.

So. It appears that you don’t need to do that. Changing permissions to 755 seemed to do the trick. Not sure if that introduces any security issues though.

Not sure if that introduces any security issues though.

It does, but the risk is low. If hass is the only consumer of these certs, then easiest is to chown everything-Let’s-Encrypt to hass and do all LE functions as hass.

If more than one user account on your machine will use these certs, you can either accept the (very) low risk (that any compromised account will let an attacker get your private key) or create an ssl group and add hass + the other users to it. The latter is what I did.

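As an added example (not code from anyone in this thread), here is the ssl-group approach from the reply above as a POSIX shell script, written so it can also be dropped into certbot’s deploy-hook directory and re-applied on every renewal instead of fixing permissions by hand. The group name ssl-cert, the hass account and the /etc/letsencrypt live/ and archive/ layout are assumptions about this setup.

```shell
#!/bin/sh
# Added example: give a dedicated group read access to the Let's Encrypt tree
# instead of making it world-readable with 755.
#
# One-time setup as root (assumed names):
#   groupadd ssl-cert
#   usermod -aG ssl-cert hass
# Then run this as "le-perms.sh /etc/letsencrypt ssl-cert", or copy it to
# /etc/letsencrypt/renewal-hooks/deploy/ so certbot runs it (with no
# arguments, RENEWED_LINEAGE set) after every successful renewal.

# Apply group-readable permissions to a letsencrypt tree.
# $1 = root of the tree (e.g. /etc/letsencrypt), $2 = group name.
le_group_perms() {
    le_root=$1
    le_group=$2
    # Group owns the tree; the owner (normally root) keeps full control.
    chgrp -R "$le_group" "$le_root" || return 1
    # Directories: traversable by owner and group, nothing for others.
    find "$le_root" -type d -exec chmod 750 {} + || return 1
    # Regular files (archive/ holds the real privkeyN.pem files; live/ only
    # symlinks to them): readable by group, never by "other".
    find "$le_root" -type f -exec chmod 640 {} + || return 1
}

# Verify that nothing under the tree is readable by "other".
# Symlinks are skipped because their own mode bits are always 777.
# Returns 0 when the tree is clean, 1 if any world-readable entry remains.
le_check_no_world_read() {
    [ -z "$(find "$1" ! -type l -perm -o=r)" ]
}

# Entry point: only act when called by hand with a path or by certbot as a
# deploy hook, so sourcing this file does nothing by itself.
if [ "$#" -ge 1 ] || [ -n "${RENEWED_LINEAGE:-}" ]; then
    le_root_arg=${1:-/etc/letsencrypt}
    le_group_perms "$le_root_arg" "${2:-ssl-cert}" || exit 1
    le_check_no_world_read "$le_root_arg" || exit 1
fi
```

Running it against a tree that was previously opened up with 755 leaves the private keys at 640 and directories at 750, which is what the check at the end confirms.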

Good info. Thanks. This is a single purpose built rig only for HASS. The only other user is pi. Still I may take your suggestion. If not for any other reason than to try something else. I appreciate both of your inputs. Cheers.

Hi, just curious. I’m not able to get the certs when I run certbot. I keep getting Failure to authenticate 404. How did you go about this part? (I’m running the same setup, btw: RPi 2, All In One Installer)

Are you using the virtual server option in the certbot script to get the certs?

It seems that I wasn’t. However, I don’t see that option in the documentation…am I missing it?

Sorry, I’m trying to think back but is it the standalone option:

https://letsencrypt.readthedocs.io/en/latest/using.html#standalone

Ahh yeah, I did try that but no luck. Here’s what I ran:

pi@raspberrypi:~/certbot $ ./certbot-auto certonly --standalone --standalone-supported-challenges http-01 --email REDACTED -d REDACTED
Creating virtual environment...
Installing Python packages...
Installation succeeded.
Requesting root privileges to run certbot...
  /home/pi/.local/share/letsencrypt/bin/letsencrypt certonly --standalone --standalone-supported-challenges http-01 --email REDACTED -d REDACTED
Failed authorization procedure. REDACTED (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://REDACTED/.well-known/acme-challenge/Z7uxHdzZ--bK1tWz98U061HEN8Lz3kWYWp1OJIatu9w [REDACTED]: 404

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: REDACTED
   Type:   unauthorized
   Detail: Invalid response from
   http://REDACTED/.well-known/acme-challenge/Z7uxHdzZ--bK1tWz98U061HEN8Lz3kWYWp1OJIatu9w
   [REDACTED]: 404

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address.

Have you set up a domain name and port forwarded port 80 on your router to the host of hass?

Yeah, I have everything working over 80 with a personal domain setup. It’s just not secured with SSL.

Just to be clear, I mean:
You should have external port 80 to internal port 80 on host machine, forwarded.
Not external port 80 to internal port 8123 or whatever port you’re using for hass.


The domain you’re using, is it anything other than a duckdns one? I don’t think certbot will authenticate for a dynamic DNS other than duckdns. I even had issues with that one. I ended up using a subdomain of one I already own. I point the record to my router’s IP and all worked fine. Unfortunately when my ISP rotates IPs I have to manually update. Eventually I’m gonna switch to Tor to be done with this anyway.


ohh, gotcha, let me try that out.

I’m not using duckdns. I own a domain through Namecheap and I’m using the dynamic dns that they offer.

First off, let me apologize for the weird replying I was just doing…totally lost using the comment / reply system.
Second, thank you @kevince52 and @martinhjelmare for the help. I was able to generate the certs once I started forwarding 80 to 80 as @martinhjelmare suggested.

Thanks again for the help!


Glad you got it working. 🙂