Helped med through. Thanks for the eye opener
For SSL (Lets Encrypt) you’ll need to have external port 443 point to internal port 8123 on the IP address of your Pi. Have you tried that?
Another thing you should test is sending a ping to your duckdns domain. On windows you can do this by starting the cmd program, typing ping [duckdns domain] (without the brackets). See if it points at your home IP address, which you can check at https://www.whatsmyip.org/. If those two IP’s are the same, you know it’s something in your router (can only be the portforwarding configuration) or in the addon configuration.
I myself eventually got the LetsEncrypt addon working with my own domain, making a new A-record in the DNS for a subdomain, pointing to my home IP address. An automation renewed the SSL files every night. I’ve never used NGINX.
thanks a lot!
I had the same issue on hassio 0.84.1
and my fix was to run the commands
`chmod 755 /ssl/fullchain.pem`
`chmod 755 /ssl/privkey.pem`
Restarted hassio and it was all good from there.
It is possible to run this command from windows?
i try this solution but the problem remain the same, i have let’s encrypt and a hosting pointing directly to 443 and this is my ha docker system data:
System Health
arch armv7l
dev false
docker true
hassio true
os_name Linux
python_version 3.7.2
timezone Europe/Rome
version 0.91.4
virtualenv false
Lovelace
mode storage
resources 0
views 1
and this is the error:
2019-04-21 10:26:48 ERROR (MainThread) [homeassistant.core] Error doing job: SSL handshake failed
Traceback (most recent call last):
File “uvloop/sslproto.pyx”, line 500, in uvloop.loop.SSLProtocol._on_handshake_complete
File “uvloop/sslproto.pyx”, line 484, in uvloop.loop.SSLProtocol._do_handshake
File “/usr/local/lib/python3.7/ssl.py”, line 763, in do_handshake
self._sslobj.do_handshake()
ssl.SSLError: [SSL: SSLV3_ALERT_CERTIFICATE_UNKNOWN] sslv3 alert certificate unknown (_ssl.c:1056)
I have no solution but I found that accessing the HA GUI with Edge doesn’t give me the error in the logs only when using Chrome. I’m thinking that Chrome might be trying a harder SSL setting than HA can handle at first?
And there is! I tried with Yandex browser and there were no errors too.
In my case it is definitely when I browse using my local IP, as my router wont do reverse NAT.
As I cannot access using duckdns name and proper SSL common name, I guess thats my problem.
Signed up just to reply to this. I got around it by adding my Duck DNS URL to my hosts file, so that my browser reports the certificate as valid (since the URL in the cert matches the one being accessed). For those who don’t know how, edit ‘%windir%\system32\drivers\etc\hosts’ as administrator, add the line:
(internal IP address without port) (duck dns url)
No brackets, tab in between.
Access your HA instance internally by going to the Duck DNS URL, port 8123. Certificate should show as valid and hopefully no more SSL errors being logged.
Sure! I am away from sysadmin for less than 10 yrs… How fast we can forget… Thanks a lot! I will do that as soon as I get home.
Solved for the PC! I would appreciate any suggestions for android.
Wow, this thread is epic indeed…
I also just stumbled upon these weird ssl handshake errors seemingly coming out of the blue.
So here are my two cents:
In my case the root cause was some strange caching issue with Chrome on my Android phone. When I opened the certificate details for the site, I noticed that the browser obviously still used an old LE certificate from May, which I renewed on Monday and which other browsers used as expected.
To verify this, I opened the HA instance in an incognito tab and voila: Chrome got the current SSL certificate and trusted the connection again.
After clearing the browser cache, the connection was again trusted in a regular browser tab as well.
I don’t know if this helps anybody, because browser caching problems are my personal all time favorites for otherwise inexplicable ssl certificate issues. But as nobody mentioned caching issues so far in this thread according to the thread search, maybe this is a helpful tip for some of you searching for solutions…
PS: TBH I have no clue, why Chrome didn’t trust the old certificate anymore. Despite the fact, it was my “old” LE certificate from May, it should have still been valid until August. As far as I know, LE doesn’t automatically revoke old certificates for a domain if they are renewed. And the error message also didn’t mention anything regarding revocation.
I get this SSL error "ssl.SSLError: [SSL: SSLV3_ALERT_CERTIFICATE_UNKNOWN] sslv3 alert certificate unknown (_ssl.c:1056)"
when connecting to my HA with the internal IP.
I configured HA with https://my-xxxxxx.duckdns.org/ and router has Port Forward 443=>8123.
I can access HA correctly from outside my network. However from inside network https://my-xxxxxx.duckdns.org/ nor https://my-xxxxxx.duckdns.org:8123/ is not working.
I then connected using the ip address. Browsing to https://192.168.x.y:8123/ works, but with browser SSL warnings. And exactly at that moment the TTL errors came along.
Small fix for me was to add an entry to hosts file C:\Windows\System32\drivers\etc (Windows):
192.168.x.y my-xxxxxx.duckdns.org
Closed all open browser. I can now connect to https://my-xxxxxx.duckdns.org:8123/, this time without browser SSL warning and without the SSLV3 errors.
Maybe this helps a bit in solving the problems.
Perfect, this was the same solution SSHell gave. This solved my problem for windows connections as I stated above. I still have the messages when connecting from android/mobile. Did you get to solve those?
@derandiunddasbo I never got connections problems, just those awkward messages filling up logs and taking SD card life away. My problem has to do with HA SSL handshake complaining when a browser uses internal IP instead of its configured SSL Server Address. On my later days I would solve it quickly with Apache Server Alias and doing the trust thing on the devices side (as it is internal anyway). But I have not a clue as not-so-open-nor-standard HA configures it…
Yeah!
After closing the Chrome and Firefox browsers (that were constantly pooling information from the Home Assistant site), the error messages dissappear!
After a power cut, I’ve been experiencing some of the issues mentioned on this thread. I found that I could access HA with my duckdns url from outside of my local network i.e. if I turn my WiFi off and connect using mobile data, I could view my Lovelace UI. I could also view Lovelace UI using hassio.local:8123. I’ve just found a solution and so I’m posting here in case it applies to others.
My external IP had been added to the banned list, held in ip_bans.yaml. I don’t fully understand how that caused this unique situation but deleting that entry from the ip_bans.yaml and then restarting HA solved the problem. You can check your external IP by asking Google “what’s my IP” and then have a look in ip_bans.yaml to see if it is there.
I know this may not be the solution to a lot of the posts here but a few of the issues seemed similar to mine, so it’s worth a look.