This obviously isn’t good and it broke all my integrations. I couldn’t load the Home Assistant UI and Node-Red wasn’t able to connect (breaking all of my integrations). To fix this, I had to disable ssl in configuration.yaml and then once able to connect to Supervisor, I had to go into node-red configuration and disable ssl there as well.
One of the main goals of having Home Assistant is to not be reliant on third party cloud systems, that may not be reachable. If the ssl cert renewal process can fail, due to third parties being down, and it results in locking up my entire system, then I haven’t achieved that goal.
Does anyone have any suggestions on how to make this more resilient?
Get a static IP address from your ISP and connect via VPN instead.
Having said that, I use DuckDNS and can only remember one instance of an outage affecting me in the last three years, and it was resolved within an hour or two.
Thanks for the suggestion. I do like the convenience of not having to connect to a VPN to be able to access Home Assistant when away from home. I don’t mind if my remote access occasionally goes down as this could happen for a variety of reasons, including my own ISP having issues. The bigger problem is that my current configuration is reliant on DuckDNS and LetsEncrypt to connect locally as well, which isn’t good. I have Inovelli Red switches which control the smart lights throughout the house which don’t work if node-red can’t connect to home assistant. The WAP goes down pretty hard if she can’t use the switch to turn on the lights.
Somehow my ssl certificate was modified to be a zero byte file. I assume this was because of the DuckDNS outage and it somehow happened while trying to renew the certificate, however, it’s entirely possible that the two events were unrelated. I was able to fix the issue by restoring the certs from a backup and then reinstalling the DuckDNS addon, after that it was able to renew the certificates successfully now that DuckDNS is back up.
To avoid this ssl dependency for local network access, I’m going to try setting up HTTP only locally and then using Nginx to serve the HTTPS binding for remote access. For anyone having this same issue, there is a good post about the process here: Home Assistant internal URL without HTTPS?
I switched to NGINX Proxy Manager (there is an add-on) with a custom domain name (already had a few domains lying around) and Let’s Encrypt for SSL (built in the add-on). Got a Dynamic DNS server (NO-IP, paid sub) and created a Node-RED automation to keep my IP address updated with the subdomain (in case my ISP changes it for some reason). There is a NO-IP integration btw, but that one is broken. The Node-RED flow works great anyway and allows me to update other subdomains I now use in my home.
Gotta say: haven’t had a single issue and it’s just cool to have your own domain to point at, instead of username.duckdns.org:8123. One major benefit: I can now also access my IP locally with http. If for some reason my internet (or DNS) is down, I can just access using http. With DuckDNS, I couldn’t use http://localip:8123 anymore. Had to use https and then ignore the SSL warning. Could be I did something wrong.
Extra story: I noticed last week my younger brother (I manage his installation as well) had a lot of dropped connections. I kept getting ‘Couldn’t connect to HA’ when I was logged in remotely and worked on his system. This was during a span of 3-4 days. After reloading 5-6x I would get in, but after a few minutes (sometimes an hour) I would get the error again. Tried using mobile network and also gave issues. I switched his DuckDNS to one of my subdomains (same way using NGINX) and zero issues since the moment I switched. Not sure what the issue was, but it went away as soon as I switched to my own domain with a different Dynamic DNS server.
I also get this error. I also cannot access Home Assistant using the Android App.
If I use Incognito, I can successfully login.
I can see that the certificate is expired.
I can also verify it is truly expired by accessing the certificate file.
I am using the DuckDNS with Let’s Encrypt built-in add-on.
Any suggestion on how to force certificate renewal?
I don’t believe that is the case, because even though I can login using Incognito, it still uses an expired certificate.
And when not using Incognito, after clearing the cache it still shows that error after providing credentials.
My certificate expired yesterday causing loss of access from wan. When I stopped and started duckdns addon I saw a renew message in logs with a new expiration date. But the error persisted, so I think the certificate hadn’t been renewed.
Stopping duckdns and nginx, starting duckdns first and then starting nginx solved my problem.
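
The two failure modes reported in this thread (a certificate file truncated to zero bytes, and a certificate that expired without being renewed) can both be caught on disk before the HTTPS listener or proxy is restarted. The script below is an added example, not part of any post above; it assumes `openssl` is installed, and the certificate path and the 14-day warning window are placeholders passed as arguments.

```shell
#!/bin/sh
# Added example: pre-flight check of a PEM certificate file.
# Usage: ./check_cert.sh <path-to-fullchain.pem> [warn-days]

# check_cert FILE [DAYS]
# Return codes:
#   0 = certificate parses and is valid for more than DAYS days
#   1 = certificate is expired or expires within DAYS days
#   2 = file is missing or zero bytes (restore from backup, do not reload)
#   3 = file is not a readable PEM certificate
check_cert() {
    cert=$1
    days=${2:-14}   # assumed default warning window

    # -s is true only when the file exists and has a size greater than zero
    if [ ! -s "$cert" ]; then
        echo "FAIL: $cert is missing or empty" >&2
        return 2
    fi

    # Parsing the end date doubles as a format check
    if ! end=$(openssl x509 -in "$cert" -noout -enddate 2>/dev/null); then
        echo "FAIL: $cert is not a readable PEM certificate" >&2
        return 3
    fi

    # -checkend exits non-zero if the cert expires within the given seconds
    if ! openssl x509 -in "$cert" -noout \
            -checkend $((days * 86400)) >/dev/null; then
        echo "WARN: $cert expires within $days days (${end#notAfter=})" >&2
        return 1
    fi

    echo "OK: $cert valid until ${end#notAfter=}"
    return 0
}

# Run the check only when a path was given on the command line
if [ $# -gt 0 ]; then
    check_cert "$@"
fi
```

Running this after each renewal attempt, and keeping the previous certificate until it returns 0, avoids swapping a broken file into place.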