Can't get Let's Encrypt working with Hassio

Hi All,

I’m new to all this and way out of my depth. I installed Hassio on a new Raspberry Pi 3. Followed the prompts (Mainly through Bruh Automation videos and HA instructions) to do the configuration.

DuckDNS installed and working.

Followed the instructions for Let’s Encrypt but I can’t seem to get it working.
I’ve forwarded ports 80 & 443.
Disabled add ons (at this stage samba, duckdns and mosquito [which I haven’t set up yet]).
Installed Let’s Encrypt> checked the log to see if it got the ssl certs> added the additional text to config> restarted all the add ons (tried several times not starting them first but I was running into the problem of not being able to access the config and not being able to access HA)> Rebooted the Raspberry Pi by switching it off and on from the power cable (could not restart through HA as it would become unresponsive once I started let’s encrypt).
Delete port forwarding for 80 & 443 - change 8123>8123 to 443>8123.
Can’t access HA at all, not through http://xxx.duckdns.org:8123 or https://xxx.duckdns.org or hassio.local:8123

The only thing I can do is delete all info about ssl from the config, reboot the pi from the power cable and restart my PC, then I’m back to square one. I have been researching and playing around with it for 24 hours with no luck.

Sorry if I haven’t explained it right, I’m seriously way over my head with all this. Config below. Thanks in advance for any help you can give, really appreciate it.

homeassistant:
  # Name of the location where Home Assistant is running
  name: Home
  # Location required to calculate the time the sun rises and sets
  latitude: -33.73
  longitude: 150
  # Impacts weather/sunrise data (altitude above sea level in meters)
  elevation: 0
  # metric for Metric, imperial for Imperial
  unit_system: metric
  # Pick yours from here: http://en.wikipedia.org/wiki/List_of_tz_database_time_zones
  time_zone: Australia/Sydney

# Show links to resources in log and frontend
introduction:

# Enables the frontend
frontend:

# Enables configuration UI
config:

http:
  api_password: _securepassword_
  server_port: 443
  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem
  login_attempts_threshold: 50

# Checks for available updates
# Note: This component will send some information about your system to
# the developers to assist with development of Home Assistant.
# For more information, please see:
# https://home-assistant.io/blog/2016/10/25/explaining-the-updater/

updater:
  # Optional, allows Home Assistant developers to focus on popular components.
  # include_used_components: true

# Discover some devices automatically
discovery:

# Allows you to issue voice commands from the frontend in enabled browsers
conversation:

# Enables support for tracking state changes over time
history:

# View all events in a logbook
logbook:

# Track the sun
sun:

# Weather prediction

ifttt:
  key: xxxxxxxx

sensor:
  - platform: yr

# Text to speech
tts:
  - platform: google

group: !include groups.yaml
automation: !include automations.yaml
1 Like

@davidp1984,

Forward port 8123 to 443 on your router, don't forward anything else.

Try removing this from your config:
server_port: 443
In the same place, please try inserting:
base_url: xxx.duckdns.org

Without any ports forwarded, the line would look like this, which should also give you something to play with if the above doesn’t work:
base_url: xxx.duckdns.org:8123

Also please make sure the additional text for Let’s Encrypt addon is setup somewhat like this:

{
  "challenge": "https",
  "email": "[email protected]",
  "domains": [
    "xxx.duckdns.org"
  ],
  "certfile": "fullchain.pem",
  "keyfile": "privkey.pem"
}

And that the DuckDNS additional text looks like this:

{
  "token": "xxxxxxxxxx",
  "domains": [
    "xxx.duckdns.org"
  ],
  "seconds": 300
}

Let me know what happens.

1 Like
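The advice above only works when four things agree: the port HA listens on (server_port, default 8123), the router forward's internal port, the certfile/keyfile the add-on writes into /ssl versus the ssl_certificate/ssl_key paths, and the base_url host and port. This added checker (not Home Assistant or add-on code; sample inputs are constructed from the configs posted in this thread) cross-checks them and reports each mismatch:

```python
"""Cross-check HA's http: section, the Let's Encrypt add-on options and the
router port forwards. Added example for this thread, not Home Assistant code."""
from urllib.parse import urlsplit

SSL_DIR = "/ssl"  # the add-on writes certfile/keyfile here on Hass.io


def check_setup(http_cfg, addon_opts, forwards):
    """Return a list of findings (empty list = consistent).
    forwards: list of (external_port, internal_port) router rules."""
    findings = []
    listen = int(http_cfg.get("server_port", 8123))  # HA default port
    seen = {}
    for ext, internal in forwards:
        # 1. a forward must land on the port HA actually listens on
        if internal != listen:
            findings.append(f"forward {ext}>{internal} targets {internal}, HA listens on {listen}")
        # 2. one external port cannot go to two destinations (443>443 left over from issuance next to 443>8123)
        if ext in seen and seen[ext] != internal:
            findings.append(f"external port {ext} forwarded twice ({seen[ext]}, {internal})")
        seen.setdefault(ext, internal)
    # 3. ssl_certificate/ssl_key must be the files the add-on writes into /ssl
    for ha_key, addon_key in (("ssl_certificate", "certfile"), ("ssl_key", "keyfile")):
        expected = f"{SSL_DIR}/{addon_opts.get(addon_key, '')}"
        if http_cfg.get(ha_key) != expected:
            findings.append(f"{ha_key} is {http_cfg.get(ha_key)!r}, expected {expected!r}")
    # 4. base_url host must be a certificate domain; its port (https default 443) must be forwarded
    base = http_cfg.get("base_url")
    if base:
        parts = urlsplit(base if "//" in base else f"https://{base}")
        if parts.hostname not in addon_opts.get("domains", []):
            findings.append(f"base_url host {parts.hostname} not in add-on domains")
        if (parts.port or 443) not in seen:
            findings.append(f"base_url port {parts.port or 443} is not forwarded")
    return findings


# Constructed from the thread: the add-on options and the OP's http: section.
ADDON_OPTS = {"challenge": "https", "domains": ["xxx.duckdns.org"],
              "certfile": "fullchain.pem", "keyfile": "privkey.pem"}
OP_HTTP = {"server_port": 443, "ssl_certificate": "/ssl/fullchain.pem",
           "ssl_key": "/ssl/privkey.pem"}
FIXED_HTTP = {"base_url": "xxx.duckdns.org", "ssl_certificate": "/ssl/fullchain.pem",
              "ssl_key": "/ssl/privkey.pem"}

if __name__ == "__main__":
    for name, cfg in (("original", OP_HTTP), ("fixed", FIXED_HTTP)):
        print(name, check_setup(cfg, ADDON_OPTS, [(443, 8123)]) or "OK")
```

With the OP's config the only finding is that 443>8123 lands on 8123 while server_port: 443 makes HA listen on 443; dropping server_port and adding base_url clears it.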

Thanks for your help Vilreen, about one hour after posting last night it started working with the config from my original post (I could only access it from my https address, it would not access it using hassio.local:8123). It was up for about two hours before I couldn’t start it back up again (I was adding sensors to my config), it was saying that it couldn’t connect to the server.

After some research I found that that typically means that the HASS server is down and to just wait it out. That was about 24 hours ago and it still can’t connect to the server. If I remove all the ssl certs etc from my config it lets me access it through hassio.local:8123 but as soon as I add those details it can’t connect to the server. It is doing my head in.

I made the changes you recommended, thanks again.

Any help would be appreciated as I am at a total loss. The only thing I can think of is that when I created the certificates I had three port forwardings on - 8123>8123, 80>80 and 443>443. Would having 8123>8123 cause any issues?

I set up Let’s Encrypt the other day on my Hassio.
As a prerequisite DuckDNS needs to be set up, I presume because the certificates generated by Let’s Encrypt need to have the correct domain.

When running the Let’s Encrypt add-on, port 80>80 and port 443>443 need to be open in your router config. The add-on deals with the ACME challenge and the cert files should be generated successfully.

After that remove the port forwardings in your router and add only 443>8123. Setup the certificates in your configuration.yaml and you should be good to go.

Remember after setting up Let’s Encrypt/Duckdns the hassio.local:8123 should stop working, that’s expected.
:slight_smile:

1 Like

Thanks mate, pretty much what I did.

Everything looks right to my knowledge, unless having port 8123 open along with 80 & 443 while setting up the certificates has caused the problem. Right now I only have 443>8123 open.

I’m thinking that the issue may not be with my setup or my config and has to do with my router or firewall blocking me for some reason.

I have been trying for a week, since switching over to Hassio, with no luck… this is what I keep getting in the Let’s Encrypt log:

 starting version 3.2.2
 Saving debug log to /var/log/letsencrypt/letsencrypt.log
 -------------------------------------------------------------------------------
 Processing /data/letsencrypt/renewal/redacted.duckdns.org.conf
 -------------------------------------------------------------------------------
 renewal config file {} is missing a required file reference
 Renewal configuration file /data/letsencrypt/renewal/redacted.duckdns.org.conf is broken. Skipping.
 0 renew failure(s), 1 parse failure(s)
 No renewals were attempted.
 Additionally, the following renewal configuration files were invalid: 
   /data/letsencrypt/renewal/redacted.duckdns.org.conf (parsefail)

My Options:

{
  "challenge": "https",
  "email": "[email protected]",
  "domains": [
    "reacted.duckdns.org"
  ],
  "certfile": "fullchain.pem",
  "keyfile": "privkey.pem"
}

My router is forwarding ports 80->80, 443->443, and 8123->443 (that last one was just added per this thread, but it had no effect.)
What am I doing wrong?

@dpicts Renewal, Maybe your certificates have already been created? If you run below… Are they there? Then you just need to setup http component in configuration.yaml.

core-ssh:/ssl# ls -ltr /ssl/
total 8
-rw-r--r-- 1 root root 1704 Aug 25 21:42 privkey.pem
-rw-r--r-- 1 root root 3461 Aug 25 21:42 fullchain.pem

I get:

total 0

I got mine working, I had to include the following in my config:

server_port: 443
trusted_networks:
  - Your PC IP address

This is on top of base_url etc. Reboot and wait about 30 or so minutes and you should be able to log in (hopefully).

Before doing that you need to have port forwarding done - 80>80 and 443>443. Download your certificates, Remove all port forwarding and add 443>8123 (not 8123>443 as indicated in your post).

I know that with my Let’s Encrypt log it said something along the lines of didn’t renew as valid certificate is already downloaded, I have no idea why yours isn’t working.

Please note that I have no IT background whatsoever, I’m just saying what worked for me.

I’m at work so can’t give much more details than that at the moment, sorry.

3 Likes

hi all,

trying to follow this video’s instructions to install ssh, duckdns and letsencrypt, I’m confused…
ssh is working fine, and I shell into hassio.local.
the vid wants us to shell into pi@raspberry though. How do I proceed from the hassio prompt core-ssh to the pi@raspberry login? it returns the following:

ssh: Could not resolve hostname raspberrypi: nodename nor servname provided, or not known

thanks,
Marius

if you’re doing it from inside your network, you might need to enter:

“ex: https://192.168.1.20:8123” (enter your rpi ip)

from outside your network:

“ex: https://your.dns.com” no need for port.

port forwarding for most routers is

443 > 8123 - for outside connections (only forward 443 > 443 when you need to set up or update letsencrypt)
8123 > 8123 - for local network connections - you might need to accept the insecure connection warning.
1883 > 1883 - MQTT
don’t forward port 80 (only when setting up or updating LetsEncrypt), it will mess with other devices (ex: google home, Plex, etc)

1 Like

thanks, making progress…

the thing is that my Hass.io password won’t log me in as [email protected] obviously, but neither will the default pw raspberry.
I don’t think I’ve set another pw on the Hassio install than the [email protected], which works fine. it’s just that all instructions in the video rely on shelling in as pi@raspberry.

so, the question remains: how to ssh login as [email protected] on a Hassio installation…

Hope you can assist
Cheers,
Marius

I think the only SSH option with Hassio is that [email protected] ([email protected]) :frowning:

why are you using ssh with hassio?
the whole thing with hassio is to get rid of all the “$ sudo” crap and install things straight from the ios.

1 Like

there are several things not included in Hassio that I’d like to install. ssh is opening the Raspberry to that. On a Raspbian system that is, not on the Hassio apparently.

@veggie is right, only ssh as root@hassio

or?

cheers,
Marius

Sounds like you shouldn’t use Hass.io if your goal is to hack the system. Hass.io is a locked down OS image and HA system. You manage most of it from the GUI where you install the available add-ons (including DuckDNS add-on which has a built in Let’s Encrypt component). If you’re wanting things that are not on Hass.io, you’re probably better off going with something else.

Hi,
Thanks, after a week or so of trial and error things are getting clearer…:wink:
I understand the Hassio setup isn’t ‘hackable’, and one has to configure it through the internal options. I’ve already deleted (## ) most of the options I had put in the configuration files, as instructed per the Home Assistant available components pages.
It might be a thought that, where applicable, these pages state that in case of a Hassio setup different options apply, or one just shouldn’t apply them at all.

In my wanderings, DuckDNS, Let’s Encrypt and certificates have been the most complicated, or should I say confusing.

That being said, with several external services one is in need of these certificates, and since they’re not browsable in the Hassio configuration, even though ssh’ing, we’re out of luck there?

Also, instead of using the embedded Mqtt broker, one should be able to use an external one? if that is to be encrypted, it further complicates things…

So it’s a bit of a trial and error situation, which external services work in the Hassio setup and which don’t.

Anyways, thanks for your feedback, hope you can confirm or point to solutions on the above.

Cheerio,
Marius

I’m in the same boat with you trying to figure it all out. I look at Hass.io as having a more limited scope, but one that is expanding. I prefer it because it removes some of the drudgery of maintaining the OS, but the trade off as you noted is less freedom to add just any other services, that is unless you want to learn how to create and publish add ons (I know I don’t).
I totally agree with you that documentation around Hass.io is not where it should be, but I recently discovered that Hass.io is still very new (this last spring), so we’re all learning as we go and trying to share gems.
I was only trying to clarify Hass.io limitations that I’m learning with you, in case you weren’t aware, so you could decide if it was right for you in the near term.

Happy coding…

appreciated!

it’s a bit silly though, cause no matter what I do and try to change, the only thing that’s working is a duckdns domain for my IP. I’ve added all port forwards, and neither nginx nor letsencrypt allow me to https to my Home Assistant.

They are able to load correctly in the Hass.io side bar.

MQTT gives all kinds of startup errors in the log. If I check that in the Hass.io, all seems well :-(((

hope it develops quickly, glad to help in every possible way of course.
Cheers,
Marius

1 Like

I’m having problems with let’s encrypt as well. I can access my HA remotely now, but it’s broken my ability to SSH or Samba to my Pi so I’m unable to make any additional changes. I locked myself out and I don’t know how to get back in.

Not sure what you mean that the DuckDNS domain works but you can’t https to your setup. Isn’t that what you’re doing via duckdns? I only have one port forward set on my router and so far that part is working well. Amazing that my little Pi serves all this up to my phone over the internet.