DuckDNS and SSL Certificates

OK, after spending a whole day reading every similar thread, I’m hesitantly starting a new one out of desperation…

Summary;
I was using DuckDNS on an RPi3 for a year, then I switched to a NUC-Proxmox-WM setup and used the QCOW2 image to set up my fresh HA.

All is OK except I can’t get a secure connection from outside. I have a static IP and my ports are already routed to the same IP from the previous RPi setup: 8123-8123 and 443-8123. (I used 443-443 and 80-80 while generating certs and have deleted them now.)

Problem;
I can access my HA by using http://mydomain.duckdns.org but when I try to use https I get errors like:

“This site can’t provide a secure connection”
ERR_SSL_PROTOCOL_ERROR

“Safari cannot open the page because it could not establish a secure connection to the server.”

I checked my DuckDNS logs and they say the certs are valid till “Nov 4”, but I can’t find any way to refresh my certs to test. I even installed the Let’s Encrypt addon and issued certs again, but the DuckDNS logs are still using the same ones expiring “Nov 4”.

My main question is: where are the certificate files that DuckDNS uses actually located?

I even deleted the ones in the /ssl directory and DuckDNS still re-starts fine.

[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] done.
[services.d] starting services
[services.d] done.
# INFO: Using main config file /data/workdir/config
+ Account already registered!
[11:40:55] INFO: OK
91.93.135.154
NOCHANGE
# INFO: Using main config file /data/workdir/config
Processing xxxxxxxx.duckdns.org
 + Checking domain name(s) of existing cert... unchanged.
 + Checking expire date of existing cert...
 + Valid till Nov  4 14:47:28 2020 GMT Certificate will not expire
(Longer than 30 days). Skipping renew!

Are those certs not on my machine? Or is there another folder with certs since I use a WM?

Hope someone can hold my hand here :slight_smile:

Cheers,

Are you using the addon?

Hi Nick, yes, the DuckDNS addon is installed and started, or are you referring to another addon?

By the way, when DuckDNS is restarted the logs are:

# INFO: Using main config file /data/workdir/config
+ Account already registered!
[13:05:20] INFO: OK
XX.93.XX.154
NOCHANGE
# INFO: Using main config file /data/workdir/config
Processing mydomain.duckdns.org
 + Checking domain name(s) of existing cert... unchanged.
 + Checking expire date of existing cert...
 + Valid till Nov  4 14:47:28 2020 GMT Certificate will not expire
(Longer than 30 days). Skipping renew!

It says “/data/workdir/config” but there is no such folder…

This must be a joke :roll_eyes:

DuckDNS is still working after deleting the certificate .pem files from the /ssl folder, and it’s using nonexistent folders for config…

That log looks fine.

You do realise that duckdns.org supplies a DNS entry for your public ip address.

letsencrypt supplies a certificate for your domain.

The duckdns ADDON leverages both services.

Tell us what joke you are seeing?

The part that puzzles me is not knowing where my certificates are located. I deleted the ones in /ssl but that didn’t disturb anything.

I just want to renew my certificates to make sure they are not part of the problem.

Were they in /ssl/ or $CONFIG/ssl/?

The ones I deleted are in the root /ssl directory; the config folder contains no ssl folder:

They appear to still be there.

Should they not be in /config/ssl? Mine are in /usr/share/hassio/homeassistant/ssl which maps to /config/ssl as I’m running hassio docker.

I was mistaken, within the docker image, they were under /ssl which maps to /usr/share/hassio/ssl

Hey @khouse75, thanks for the replies, but since my installation is not docker I don’t have those ssl folders you mentioned.

I still tried to copy the ssl folder from root to the /config folder but it didn’t make any difference.

Do you have the entries in your configuration.yaml telling it to use the certs?

Here’s what I have in my configuration.yaml.

http:
    ssl_certificate: /ssl/fullchain.pem
    ssl_key: /ssl/privkey.pem
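
A check that separates this failure from a certificate problem, as an added example that is not part of any post in this thread: a browser typically reports ERR_SSL_PROTOCOL_ERROR when the port it reaches (here 443 forwarded to 8123) answers in plain HTTP instead of TLS, which is what happens until the `http:` block above loads the certificate. The function name `probe`, its return labels and the `ADVICE` texts are assumptions made here.

```python
import socket
import ssl
import sys

# Hypothetical advice strings tied to this thread's setup (not from any tool).
ADVICE = {
    "tls": "Port speaks TLS; inspect the served certificate next.",
    "plain-http": "Port speaks plain HTTP; ssl_certificate/ssl_key under "
                  "http: in configuration.yaml are missing or not loaded.",
    "closed": "Nothing is listening; check the port forward and the service.",
    "unknown": "No recognisable TLS or HTTP answer (filtered port or other protocol).",
}


def probe(host, port, timeout=3.0):
    """Classify what answers on host:port: tls, plain-http, closed or unknown."""
    # Step 1: attempt a TLS handshake. Validation is switched off on purpose:
    # the only question here is whether the port speaks TLS at all.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "tls"
    except ConnectionRefusedError:
        return "closed"
    except OSError:
        pass  # handshake failed (ssl.SSLError is an OSError); try plaintext

    # Step 2: send a minimal plaintext request and look for an HTTP status line.
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            raw.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            banner = raw.recv(16)
    except OSError:
        return "unknown"
    return "plain-http" if banner.startswith(b"HTTP/") else "unknown"


if __name__ == "__main__":
    # Usage: python3 probe.py mydomain.duckdns.org 443
    result = probe(sys.argv[1], int(sys.argv[2]))
    print(result, "-", ADVICE[result])
```

Run it against both the internal address on 8123 and the external name on 443; a `tls` result means the next step is checking which certificate is served, not the protocol.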

Omg that solved the issue! Thanks :slight_smile:

But I was thinking that using http: in conf.yaml is deprecated and shouldn’t be used anymore. Seems not.

New here, so didn’t know if bumping was appropriate or not, but I’ve tried adding the SSL configs to my yaml file and it causes HA to not launch at all. I have added the http block as described in the DuckDNS Docs and the post from khouse75 and it doesn’t work. I found that the ssl folder that gets created by the addon is located at /mnt/data/supervisor/ssl in my installation on my raspberry pi. I created a hard link to the files in there to /mnt/data/supervisor/homeassistant/ssl so the config can pick them up. That didn’t work and after trying the absolute path, that doesn’t work either. I did a sanity check to see if there was a problem with the http block and could add it with just the server_port option and HASSIO loads fine with that.