Can't get Let's Encrypt working with Hassio

The sesame thing did the trick. It’s kind of insecure because the “sesame-password” is being sent through the query string, but it’s a cool solution.
I will research about sending a push notification when the sesame querystring is being used in order to alert myself.
I’m reading about Caddy. It seems even better.

Thank you very much for your guidance. I have lost 4 hours for not asking before, but reading the forum also helps to find out other important things that I didn’t know.

Best,


I fixed my issue with the steps below:

SSH to your Pi.

Go to this directory:
cd /usr/share/hassio/addons/data/core_duckdns/workdir

Remove the lock file:
rm lock

Nope, I have 443 forwarded to 443.
It’s the only port I have open

If 443 is forwarded to 443, how is it supposed to be connecting to port 8123 for hassio?

I thought we’d been through this before.
I use http://local:8123 for local access and
https://remote.duckdns.org for remote

I use nginx

Well that explains it!

Don’t have the 443 port open at all anymore…
I only have a redirect for the 3 HA instances I have via duckdns, to the local port 8123 now.

Okay so you have a secure https (default port 443) redirected to a non-secure http 8123 port.
That’s fine if you are using a http: entry in your config as ALL ports are then under SSL (with the standard DuckDNS configuration).
It’s absolutely your choice and a lot of people run it that way too.

Mmm not really I fear.

Some time ago we had to open 443 to have letsencrypt create the secure connection/certificate.

After that the duckdns addon took care of that too, so opening 443 wasn’t necessary for that anymore.

Right now I use all ssl and https, are you saying that doing so I am risking my secure connection?

Note I have 3 ha instances with their own external duckdns port which is then redirected to the local port of choice

Not at all, Sorry if I implied that. Your security seems nailed down. :+1:
I’m just a traditionalist on the https front, I also know these are merely ‘conventions’ rather than hard standards.

I was just responding to your post:

I can use my duckdns address from inside my LAN but it does average about 90ms behind the straight 8123 internal one.
I would be intrigued to know if you have seen any differences?

Just to stress: I would love to hear if I am compromising security, don’t get me wrong. What would Nginx add to my setup?
Of course I could also use HaCloud connection which supposedly is even better…

About the 443 post: it is quite old… from before the Addon change to take over completely. That should explain my stance there…

I’ve just pinged both addresses (100 pings each)
The average on local said <1ms each time (ave 1ms)
The average on remote (presumably now just to loopback) was ave 3ms

I have changed both ISP and Router since the last tests though too.

So I’d have to say the difference is negligible.
You probably won’t be able to test as you don’t have the option.

The only other conceivable benefit I can see is if your internet goes down you (probably) won’t be able to access your HA as the address is via dhcp on duckdns. You could go in locally on local ip:8123 but it might complain about the certificates not matching as they are written for https://myfortressofsolitude.duckdns.org (don’t click it, it’s not real)
Dunno, you tell me
Can you access it via local ip:8123?
What happens if you remove the DSL cable from the modem/router?

That’s the magic of a reverse proxy - with that you can.

Errrr ?
Marius asked what the benefits were (of the nginx approach).
I said that I was a traditionalist and liked my numbers in the traditional ranges, so he may not accrue any benefits.
The major one I could think of is that I can address my instance when the Internet is down, could he?
He was going to check if and how he could do that.
I was just giving him an example instance.
I’m not sure I understand your point ???

Only pointing out you can use a local IP address as well as duckdns/domain if you use a reverse proxy. Without a reverse proxy, if you use duckdns you can’t.
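
The reverse-proxy arrangement discussed in this thread, sketched as an nginx server block. This is an added example, not any poster's configuration: the hostname is the placeholder used earlier in the thread, and the certificate paths and the proxy address are assumptions.

```nginx
# TLS terminates at nginx on 443; Home Assistant keeps serving plain HTTP on 8123.
server {
    listen 443 ssl;
    server_name remote.duckdns.org;          # placeholder hostname from the thread

    # Assumed paths: wherever the Let's Encrypt client writes the certificate.
    ssl_certificate     /ssl/fullchain.pem;
    ssl_certificate_key /ssl/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        proxy_pass http://127.0.0.1:8123;    # assumes nginx runs on the HA host
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # The HA frontend uses WebSockets, so pass the upgrade handshake through.
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
```

Because the certificate lives in nginx rather than in Home Assistant's `http:` section, the instance still answers on the local IP at port 8123 over plain HTTP with no certificate-name mismatch, and only 443 needs forwarding on the router. Home Assistant has to be told to trust the proxy (`use_x_forwarded_for: true` and a `trusted_proxies` entry under `http:`), otherwise it rejects the forwarded requests.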

Yes, I understand that, that’s why I do it.
The issue for Marius is “would he get any benefit from moving to nginx”.
i.e., given that certs are for the duckdns site and that is where the duckdns address is resolved.
Is there any way to reach the local HA instance without Internet (for the above two reasons)?
I thought you ‘might’ be able to, but that it threw up warnings in your browser or some such (I’ve slept since) but now I can’t remember (if they can) just how they do it.

Not really sure I fully grasp what you’re saying here, but using duckdns for outside connection, I can use that from inside my network too. Killing the internet, I can still use my HA instance locally without issue, and browse it using either hassio.local (and -2, -3) and the IP address with the instructed port.

Of course things that rely on the outside internet are useless, but I can control everything locally.

(most of the time that is, have to look into some finer details)

Didn’t I see you using Nabu Casa in another thread about cast?
Anyway, when I was using duckdns, I couldn’t connect using the IP address until I installed a reverse proxy.

Yes, I do use that too, mainly for connecting to Google Assistant :wink: I am a bit daunted by the handle we need to enter, and, since I also use 127.0.01, still getting the error the cast devs haven’t found a solution for yet.

I’ll check nginx for the added functionality for sure.