DuckDNS, LetsEncrypt and failing to renew certificate

I have DuckDNS installed with the following config

  "lets_encrypt": {
    "accept_terms": true,
    "certfile": "fullchain.pem",
    "keyfile": "privkey.pem"
  "token": "684842a7-53ba-49d2-86cc-fda07c239a14",
  "domains": [
    "[not telling]"
  "seconds": 300

and have http support like this in config

  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem
  base_url: !secret base_url 

And the base url is prepended with protocol https and followed by the hassio port number. December 22 my certificate expired and did not renew itself. After fiddling with the config it finally discovered it was outdated and claimed to renew (or so the log entries tell me). However the files in /ssl/ are untouched. I grepped to find any other generated keypairs but found nothing. Any browser pointing at my instance tells me the cert is expired (also incognito/unprimed ones).

When trying to use the duckdns domain the GUI tells me “Unable to connect to Home Assistant.”. This is presumably caused by the invalid SSL certificate as I can circumvent this message on an unprimed browser. I can use HA using hassio.local but of course only on local desktop and not on mobile, tablet, or remote. What could be causing this and how would I solve it? Thanks in advance.

In order to try and break the installation to test it: I moved the keyfiles out of the ssl folder. I then restarted DuckDNS to see what it would produce:

# INFO: Using main config file /data/workdir/config
+ Account already registered!
Tue Jan  1 19:25:32 CET 2019: OK
<IP address removed>
# INFO: Using main config file /data/workdir/config
Processing [domain removed]
 + Checking domain name(s) of existing cert... unchanged.
 + Checking expire date of existing cert...
 + Valid till Mar 30 08:11:50 2019 GMT (Longer than 30 days). Skipping renew!
Tue Jan  1 19:30:35 CET 2019: OK
<IP address removed>

So apparently there are keyfiles somewhere, just not where they are needed by the system. The mentioned path does not exist on my system - so I’m a bit clueless as to what to look for. I also tried installing the addon logger to evaluate what was happening, but starting that failed as well.

I am trying to keep spirits up but I must say I am running into some severe issues pretty quickly…

1 Like

Ok, so I uninstalled, reinstalled, reconfigured and restarted.

# INFO: Using main config file /data/workdir/config
+ Generating account key...
+ Registering account key with ACME server...
+ Done!
Tue Jan  1 19:43:11 CET 2019: OK
# INFO: Using main config file /data/workdir/config
 + Creating chain cache directory /data/workdir/chains
Processing [omitted]
 + Creating new directory /data/letsencrypt/[omitted] ...
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting new certificate order from CA...
 + Received 1 authorizations URLs from the CA
 + Handling authorization for [omitted]
 + 1 pending challenge(s)
 + Deploying challenge tokens...
OK + Responding to challenge for [omitted] authorization...
 + Challenge is valid!
 + Cleaning challenge tokens...
OK + Requesting certificate...
 + Checking certificate...
 + Done!
 + Creating fullchain.pem...
 + Done!

The keys are generated and visible in /ssl/. However, on trying to access the domain it still uses the old certificate and thus is unable to access the installation. One might want to remove ‘effortless’ from the documentation as I found countless topics mentioning issues with this kind of setup. The search for a solution continues.

1 Like

I noticed this issue but got the new certificate in incognito mode which you say you have tried. Was this after reinstalling?

I am awaiting the cached certificate in chrome to expire where it should pick up the new one.

Tried both Inprivate Edge, as well as Incognito Chrome but the browsers insist on getting the (non-existent?) outdated certificate.

What is the datestamp on the files in your SSL folder. If it is today then it will probably be ok?

PM me your URL and I can check with my browser if you want?

Datestamp is yesterday (Jan 1): I made sure the files were properly generated as I emptied the ssl folder before reinstalling DuckDNS. Today, I tried with another machine from another location, but still the browser pulls up the expired certificate. Where on earth does it gets these files from?

Try the checker here

This resolved the duckdns domain, but fails to connect as port 443 should be open. But hassio is running at 8123, so it shouldn’t need 443. Correct?

It gave me certificate info and I don’t use port 443. Just put your port at the end in the URL box as you do in the browser.

Apparently it takes over a week for browsers to recognize a renewed certificate. I don’t think this is according to the SSL spec. Thus, the problem solved itseld. Will reopen the topic in 3 months when the certificate expires, if need be. Fingers crossed. Thanks so far.

Reopening the topic as Hass does not update port mapping in my router after a restart. Please advise, thanks

And we’re back, cert expired and fails to update itself. This combo still fails to work even though config is correct. Any clues?

1 Like

For the record I’d like to note the following statement/documentation is false : " This add-on includes support for Let’s Encrypt and will automatically create and renew your certificates". Judging by my own experience and that of countless others this nothing like the effortless endeavour it’s made out to be. The fact that documentation lacks or contradicts itself proves unhelpful to day the least.

1 Like


I have the same problem today and I had this problem a few times in the past. Please help.

Hey guys,

I ran into a similar problem where I could no longer log into my home assistant app on my iphone or browse to my site externally and I was receiving an error stating my certificate was out of date. After trying a bunch of different things I noticed that I had duckdns in home assistant set to auto update but I didn’t have auto update on for NGINX for the SSL proxy and that it was out of date. I updated NGINX and then restarted the add-on and then it worked!

Hopefully this will help you guys out.


Same here. Looks like the new certificate is picked up only at restart of my system .

Thanks. This was the issue in my case. The certificate is valid. NGINX caches it for some reason. Updated NGINX, restarted and everything is good now.

Just had the same problem. Annoying. Anyone working on fix for the DuckDNS Add-on?

I have this issue too… my cert expired 9 days ago and DuckDns addon is saying that I am good until Feb’20. However, my certificate manager of IE and Chrome do not have the updated cert. I am running Hass.IO