DuckDNS not generating certificates from Let's Encrypt

I want to secure Home Assistant internally so that browsers will let me use the microphone on my iPhone to give commands to Assist. Sure, it’s inconvenient to go to Assist and press the microphone button in the text box then speak a command, but I want to be able to do it anyway.

So I installed the DuckDNS Add-on thinking it would make the necessary calls to Let’s Encrypt to generate the certs, but it just won’t create the ssl folder with the privkey.pem and fullchain.pem files when I start it, nor do the pem files appear in the config or root folder. Here is my config for the add-on (domain name and token redacted):

domains:
  - xxxxxxxx.duckdns.org
token: "f9d8e5ad-dbc3-40e0-8616-exxxxxxxxxxx"
aliases: []
lets_encrypt:
  accept_terms: true
  algo: secp384r1
  certfile: fullchain.pem
  keyfile: privkey.pem
seconds: 300

I set up my internal router to send clients to the HA IP address, so that I can access HA by typing http://ha.mallonee.org (my domain) only inside my network.

Is there something I am missing? From what I have read, as long as accept_terms is set to true, it should just create the certs in the config folder or make an ssl subfolder with the certs there. Any idea why it won’t create the certs?

DuckDNS is not generating certificates. For that you need the Letsencrypt add-on in addition. And since the certificates are only valid for 90 days you also need an automation that renews your certificates automatically. There are blueprints you can use for renewing certs.

Or you subscribe to Nabu Casa which takes care of all of this. This is the easiest way.

The DuckDNS add-on can do it too.

What do the add-on logs tell you?

I did not know that. Is this a new feature or did I just miss this?
Does it also do the certification renewal?

That’s been a feature for years now, probably since the beginning.

And yes, it handles the renewal too as far as I know.

I do actually subscribe to Nabu Casa. This might be a stupid question (I am an IT guy, but my knowledge of tls/ssl/https is admittedly a little fuzzy). I have a purchased wildcard cert from Comodo and applied it to my other subdomains/websites using a reverse proxy on a Kemp LoadMaster virtual appliance (but I can’t find my private key!).

But how does subscribing to Nabu Casa get you the certs generated?

Thanks for any help you may be able to provide.

Should it just generate the certs in a particular folder? That was my understanding too! I’m just not seeing the certs being created.

@starob Kindly explain to the rest of the class how nabu casa will accomplish his goals of providing secure INTERNAL access. Did you even read the post?

Op - nabu casa doesn’t get you certs.

Why are you looking for the cert? You should simply specify their use in the config file. Then HA will respond to https requests instead of http. There is no need to actually worry about the file locations. This information is in the documentation for the duckdns add on.

As far as I know they’re generated in /ssl, but I don’t use add-ons and can only go by the docs.

Sorry for the confusion. I suggested Nabu Casa because it provides you with encrypted access to HA. That would allow @ScottCLT to use a browser for voice commands. For internal only SSL access you don’t need Nabu Casa and it will not solve this problem either.
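
A shell check for the question raised in this thread, added here as an example and not part of any post above: it confirms that the `fullchain.pem` and `privkey.pem` named in the add-on config exist in a directory such as `/ssl`, that the key belongs to the certificate, and that the certificate has not expired. The function name `check_cert_pair` and its return codes are made up for this example, and it assumes `openssl` is available in the shell where it is run.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the DuckDNS add-on).
# Usage: check_cert_pair /ssl [certfile] [keyfile]
# Return codes (chosen for this example):
#   0 = files present, key matches certificate, certificate not expired
#   2 = a file is missing or empty
#   3 = private key does not match the certificate
#   4 = certificate has expired
check_cert_pair() {
    dir=$1
    cert="$dir/${2:-fullchain.pem}"   # default names taken from the add-on config
    key="$dir/${3:-privkey.pem}"

    # 1. Were the files written at all?
    for f in "$cert" "$key"; do
        [ -s "$f" ] || { echo "missing or empty: $f"; return 2; }
    done

    # 2. Derive the public key from each file and compare them.
    #    With a full chain, openssl x509 reads the first (leaf) certificate.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "private key does not match certificate"
        return 3
    fi

    # 3. -checkend 0 exits non-zero if the certificate is already expired.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo "certificate has expired"
        return 4
    fi

    # 4. Show who the certificate was issued to and when it runs out.
    openssl x509 -in "$cert" -noout -subject -enddate
    return 0
}
```

The subject line it prints shows the name the certificate was issued for, which is the name the browser has to be pointed at for the certificate to validate.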