Can't get Let's Encrypt working with Hassio

Dear All,

I am having the same issue, can’t start home assistant with Let’s Encrypt. I am actually able to get the certificate.

The following in my Let’s Encrypt log,

"starting version 3.2.4

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /data/letsencrypt/renewal/1234qwer.duckdns.org.conf

Cert not yet due for renewal

The following certs are not due for renewal yet:
/data/letsencrypt/live/1234qwer.duckdns.org/fullchain.pem (skipped)
No renewals were attempted."

I read through the entire thread, tried different combinations of port forwarding, whether it is 433->8123 or 8123->433, cancelled the 80 -> 80, tried with and without https or 8123 in the configuration file, no luck.

http:
  api_password: "1234qwer"
  base_url: https://1234qwer.duckdns.org:8123
  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem

I can restart Home Assistant only if I delete the bottom 2 lines, the ssl lines. Any help would be appreciated. Thanks.

Try removing https:// from the base_url? You use “https://” when accessing your site, but not in the config file (at least I don’t). At this point you’re just trying to get it to boot up, later you can work on the port forwarding questions, but I just forwarded 8123 to 8123.

Thanks VdkaShaker, tried that before already…

I actually don’t mind not encrypting, but I gathered I must have an SSL certificate and put it in the configuration file to use Google Home (I got the SSL certificate, I just can’t put it in the config file and run). Using Google Home voice commands as triggers is my aim.

I also took on the suggestion to remove all port forwarding rules and run on the local network, just to try to get Home Assistant to start with SSL, and then work on the port forwarding after. But no… as long as I don’t remove or hashtag out the ssl lines in the config file, Home Assistant will not start.

What do we think?? Thanks all in advance.


I saw somewhere that I had to turn off all other add-ons before using Let’s Encrypt, so I re-did my Let’s Encrypt, turning off all add-ons including DuckDNS. I got a new cert:

starting version 3.2.4
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for 1234qwer.duckdns.org
Waiting for verification…
Cleaning up challenges
Non-standard path(s), might not work with crontab installed by your operating system package manager
IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /data/letsencrypt/live/1234qwer.duckdns.org/fullchain.pem
    Your key file has been saved at:
    /data/letsencrypt/live/1234qwer.duckdns.org/privkey.pem
    Your cert will expire on 2018-04-22. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot
    again. To non-interactively renew all of your certificates, run
    “certbot renew”
  • If you like Certbot, please consider supporting our work by:
    Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
    Donating to EFF: https://eff.org/donate-le

I noticed there is a line about non-standard path(s); is that affecting my Home Assistant? I still can’t start it unless I remove the SSL lines.

Should I completely remove my certificate and start over again? I read somewhere that removing a certificate is not wise either… any suggestions what I should do?

Thanks all.

Which one?

Hi

I have a question… my DuckDNS runs but my Let’s Encrypt is stopped.

I do everything until I have to do this: “run crontab -e. Copy the following text and paste it into the bottom of the crontab file. */5 * * * * ~/duckdns/duck.sh >/dev/null 2>&1”

I tried this : https://community.home-assistant.io/t/guide-how-to-set-up-duckdns-ssl-and-chrome-push-notifications/9722 and I also tried it on the duckdns website…

I cannot save it with Ctrl+X or Ctrl+O… any hints/help?

Is anyone seeing the below in the log when they start the DuckDNS add-on (log at the bottom of the add-on)? I’m doing this for the first time and it looks as though “error occurred while sending get-request to http://cert.int-x3.letsencrypt.org/” means I can’t get anywhere.

Please Help!!!

starting version 3.2.2
# INFO: Using main config file /data/workdir/config
+ Account already registered!
Mon Feb  5 00:01:49 AEDT 2018: OK
110.22.26.43
NOCHANGE
# INFO: Using main config file /data/workdir/config
Processing sebhassio.duckdns.org
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting challenge for sebhassio.duckdns.org...
 + Already validated!
 + Requesting certificate...
 + Checking certificate...
 + Done!
 + Creating fullchain.pem...
  + ERROR: An error occurred while sending get-request to http://cert.int-x3.letsencrypt.org/ (Status 301)
Details:
<html>
<head><title>301 Moved Permanently</title></head>
<body bgcolor="white">
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx</center>
</body>
</html>

Yes, I’m encountering that now (first time trying DuckDNS add-on with Let’s encrypt). I believe it is due to the following: https://github.com/lukas2511/dehydrated/commit/7a0e71c6c2ccc6e98abca5ea1c7de28053e90c02 (as mentioned here: https://community.letsencrypt.org/t/dehydrated-caused-rate-limits-to-be-reached/52477).

I’m trying to build the addon myself, with updated URL, to see if that helps.

Update: it seems to be related to dehydrated. I’ve submitted a pull request (https://github.com/home-assistant/hassio-addons/pull/250) which should solve this.

Hi,

I seem to be getting this now on a new install, any way around this?

Same here, and it seems strange to me that no one else has this error.

I’m also having problems with connecting externally. The DuckDNS/LetsEncrypt process appeared to have run correctly but I cannot connect outside my network.

I get a “ERR_CONNECTION_TIMED_OUT” message.

My configuration:
rpi 3 (not B)
Xfinity modem
Linksys router
HASSIO 0.68.1
DuckDNS 3.2.4 (with embedded LetsEncrypt)
Mosquitto 3.2.2
SSH server 3.2.4
Samba share

DuckDNS config:
{
  "lets_encrypt": {
    "accept_terms": true,
    "certfile": "fullchain.pem",
    "keyfile": "privkey.pem"
  },
  "token": "xxxx-xxxx-xxxx-xxxx",
  "domains": [
    "xxxxx.duckdns.org"
  ],
  "seconds": 300
}

I started the DuckDNS service with the above config. Waited until the process appeared to finish. I don’t remember what I had for port forwarding, if any.

configuration.yaml:
http:
  # Uncomment this if you are using SSL/TLS, running in Docker container, etc.
  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem
  base_url: xxxxx.duckdns.org
  # Secrets are defined in the file secrets.yaml
  api_password: !secret http_password

Updated the configuration.yaml file and restarted HASSIO.

modem port forwarding:
443 -> 443 at router ip

router port forwarding:
443 -> 8123 at rpi ip

I can connect internally using https://hassio.local:8123; SSH and Samba also still work (with no changes).

When I tried connecting using https://xxxxx.duckdns.org, I got the error message:
This site can’t be reached
xxxxx.duckdns.org took too long to respond.
ERR_CONNECTION_TIMED_OUT

To verify this was not a certificate error, I used the site:
https://www.geocerts.com/check-ssl-certificate

The site verified my SSL certificates. NOTE: The port forwarding above was necessary to verify the certificates.

I cannot connect using the external URL, nor can I connect using the iOS Home Assistant app. It also gives me a “request timed out” error.

Any ideas anyone???


Any luck or update with this? I’m having the same problem. Reinstalled duckdns, all messages look encouraging, but cannot connect externally.

I’ve concluded the problem is my ISP, Comcast. They won’t let me make that “loop”, go out and come back on the same IP address. I tried doing it without hassio and had the same problem. Giving up for now.

Hi,

I am having the same problem here. Is there anybody out there who got DuckDNS to work? I am very confused with varying instructions.
How do I access the modem settings? I have ports 80 and 443 forwarded to themselves until a certificate is created, and that never works. If I forward both these ports to 8123, DuckDNS starts but fails before creating the certificate. I do not have SSH installed. Wondering if I need it!
Also, my ISP is Comcast too. Any tips?

Did you ever get this fixed? I have the same issues. Worked for a year, now I can’t fix this issue no matter what I try…

Hi,

Has anyone fixed this issue? I just installed the SSL services, everything is configured correctly but still I can’t make the Configurator work.

Correctly means:
Port forwarding in my router for:

  1. Hassio: from 443 to 8123
  2. Configurator: from 3218 to 3218
  3. IDE: from 8321 to 8321
  4. SQL Lite: from 6210 to 6210
  5. Configurator settings to:

Configurator config:

{
  "username": "xxxx",
  "password": "xxxx",
  "ssl": true,
  "certfile": "fullchain.pem",
  "keyfile": "privkey.pem",
  "allowed_networks": [
    "192.168.0.0/16",
    "MyExternalIPAddress"
  ],
  "banned_ips": [
    "8.8.8.8"
  ],
  "banlimit": 0,
  "ignore_pattern": [
    "__pycache__"
  ],
  "dirsfirst": false,
  "enforce_basepath": false,
  "notify_service": "persistent_notification.create"
}

  6. In configuration.yaml:

    http:
      api_password: !secret api_password
      base_url: https://domainname.net:8123
      ssl_certificate: /ssl/fullchain.pem
      ssl_key: /ssl/privkey.pem

The only way I can open it is by adding 0.0.0.0/0 OR my external IP in allowed_networks (even when I’m connected on the same LAN using WiFi, where my IP is in the 192.168.1.X range).
But the rest of the add-ons, like IDE, SQL, etc., won’t open using SSL (https). The only way they work is without the SSL (http).
Is this expected behavior?

The message in the browser when I try to open any add-on says:

This site can’t provide a secure connection
domainname.com sent an invalid response.
ERR_SSL_PROTOCOL_ERROR

I hope someone can help.
Thanks!

You don’t want to use ssl in the configurator options. That is where you are coming unstuck. I’d also suggest using a banlimit and also a ‘sesame’ (You could also make sure you have /36 at the end of the internal ip address in allowed networks in configurator.) I had the same issue when I tried to get this working and did use 0.0.0.0 as the allowed as you did.
You might want to think about using Caddy as a reverse proxy

David, sorry if I didn’t understand, but what did you mean by:

You don’t want to use ssl in the configurator options

I will add ban limit. Thanks for the heads-up. On the other hand, I don’t know what sesame is, I need to read a little bit more about it.

I have /16 instead, “out of the box”. Should I change it to /36?
I will check about Caddy also.

sesame should be a default option in configurator unless you are using an old version… It’s an extra ‘key’ that whitelists the ip address you are using.

My configurator options look like this:

{
  "username": "user-secret",
  "password": "user-password",
  "ssl": false,
  "certfile": "fullchain.pem",
  "keyfile": "privkey.pem",
  "allowed_networks": [
    "172.30.0.0/16"
  ],
  "banned_ips": [
    ""
  ],
  "banlimit": 5,
  "ignore_pattern": [
    "__pycache__"
  ],
  "dirsfirst": true,
  "enforce_basepath": false,
  "notify_service": "persistent_notification.create",
  "sesame": "secret-sesame"
}

I did switch to Caddy and did a step-by-step configuration blog post here if you are interested.

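To see which allowed_networks entry a given client address actually matches, what an invalid prefix such as /36 does, and why 0.0.0.0/0 "works" (it admits every address), here is an added Python check using only the standard-library ipaddress module. It is not the configurator add-on's own code; it only models the allow-list/ban-list matching implied by the options quoted in this thread, and assumes a client is admitted when it is inside some allowed network and is not in banned_ips.

```python
import ipaddress

# Constructed sample mirroring the configurator options quoted above:
# the original poster's LAN range plus the 172.30.0.0/16 entry from the
# later reply. These values are examples, not anyone's live config.
ALLOWED_NETWORKS = ["192.168.0.0/16", "172.30.0.0/16"]
BANNED_IPS = ["8.8.8.8"]


def parse_networks(entries):
    """Parse CIDR strings strictly: a bad prefix such as 192.168.0.0/36
    raises ValueError instead of silently matching nothing."""
    networks = []
    for entry in entries:
        if not entry:  # tolerate the empty "" entry seen in banned_ips above
            continue
        networks.append(ipaddress.ip_network(entry, strict=False))
    return networks


def client_allowed(client_ip, allowed_networks, banned_ips):
    """True if client_ip lies inside an allowed network and is not banned.
    Bans are checked first, so a ban still applies under 0.0.0.0/0."""
    ip = ipaddress.ip_address(client_ip)
    if any(ip == ipaddress.ip_address(b) for b in banned_ips if b):
        return False
    return any(ip in net for net in parse_networks(allowed_networks))


def matching_networks(client_ip, allowed_networks):
    """List the configured networks that contain client_ip; an empty list
    is the case where the add-on would refuse the connection."""
    ip = ipaddress.ip_address(client_ip)
    return [str(net) for net in parse_networks(allowed_networks) if ip in net]


if __name__ == "__main__":
    for client in ("192.168.1.20", "172.30.32.1", "203.0.113.5"):
        print(client, matching_networks(client, ALLOWED_NETWORKS),
              client_allowed(client, ALLOWED_NETWORKS, BANNED_IPS))
    try:
        parse_networks(["192.168.0.0/36"])
    except ValueError as exc:
        print("invalid prefix rejected:", exc)
```

A client whose address matches no entry (for example a request that reaches the add-on from the router's public address rather than a LAN address) returns an empty list here, which is the situation where widening the list is tempting; prefer adding the exact address or range that appears, not 0.0.0.0/0.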