DuckDNS receives Let's Encrypt certificate but site still insecure

Hi,

I want to have a Let’s Encrypt SSL certificate through the addon DuckDNS.
It looks like it receives the certificate but it doesn’t work.

My setup:
Home Assistant 2022.10.5
Raspberry PI
DuckDNS addon 1.15.0

My DuckDNS config:
domains:
  - xxxxx.duckdns.org
token: 00000000-0000-0000-0000-000000000000
aliases: []
lets_encrypt:
  accept_terms: true
  algo: secp384r1
  certfile: fullchain.pem
  keyfile: privkey.pem
http:
  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem
seconds: 300

The log shows then:
# INFO: Using main config file /data/workdir/config
Processing xxxxx.duckdns.org
+ Creating new directory /data/letsencrypt/xxxxx.duckdns.org ...
+ Signing domains...
+ Generating private key...
+ Generating signing request...
+ Requesting new certificate order from CA...
+ Received 1 authorizations URLs from the CA
+ Handling authorization for xxxxx.duckdns.org
+ 1 pending challenge(s)
+ Deploying challenge tokens...
OK + Responding to challenge for xxxxx.duckdns.org authorization...
+ Challenge is valid!
+ Cleaning challenge tokens...
OK + Requesting certificate...
+ Checking certificate...
+ Done!
+ Creating fullchain.pem...
+ Done!

But still there is no certificate when accessing https://xxxxx.duckdns.org:8123

After removing the DuckDNS addon, restarting HA, reinstalling the addon and retrying several times, I need some help :).

Kind regards,

Arjan

My basic understanding of SSLs;

  • Let’s Encrypt allows you freely to generate your certificate as long as the challenge is accepted
  • Home Assistant web browser is pointing the certificate with the content to the browser
  • The browser checks if the certificate aligns with the owner, domain and authority

If you are getting an insecure certificate error, check the certificate error in the browser; it will tell you more.

Hi Fuatakgun,

I know how the SSL process works and all settings in the DuckDNS addon seem OK, otherwise I couldn’t get an accepted message.

The browser tells me there isn’t a certificate.

But in the /SSL folder there are the 2 files placed which were created by the DuckDNS plugin.
Also the logs don’t show any error.

Kind regards,

Arjan

Let’s Encrypt only generates the certificate files.
You also need to point the programs that need to use the certificate files to where they are.
And some programs load the certificate files on startup, so adding the files later means you need to restart the programs. (Remember, restarting HA does not mean the addons get restarted.)

Did you fulfill the last part of Effortless encryption with Let's Encrypt and DuckDNS - Home Assistant
and uncomment parts of your configuration.yaml?

# Uncomment this if you are using SSL/TLS, running in Docker container, etc.
#http:
#    ssl_certificate: /ssl/fullchain.pem
#    ssl_key: /ssl/privkey.pem

Hi WallyR,

That makes sense that it only generates and stores the certificate.

The restarting I did every time under “Settings > System > Restart” instead of a whole restart.
Unfortunately it makes no difference.

Hi Aceindy,

Hmm, I pasted the http rules in the configuration.yaml in the DuckDNS addon.
What is the right place to put these lines?

I am not sure how much that restart actually does.
If I want to be sure, then I go to Settings → System → Hardware → 3 dots in upper right corner → Restart system.
This will restart the entire host with all addons.

I found out already :slight_smile: Learning every day :slight_smile:

Doesn’t really matter as long as they are in the http section…

http:
    ssl_certificate: /ssl/fullchain.pem
    ssl_key: /ssl/privkey.pem

It is already in my DuckDNS configuration:
domains:
  - xxxxx.duckdns.org
token: 00000000-0000-0000-0000-0000000000000
aliases: []
lets_encrypt:
  accept_terms: true
  algo: xxxxx
  certfile: fullchain.pem
  keyfile: privkey.pem
http:
  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem
seconds: 300

That was what I understood from the documentation in the addon.

Yes, you told the DuckDNS addon where to save the certificates.

But…you also need to tell HA where it can load it from…

So the DuckDNS configuration is for…well…DuckDNS
and the HA configuration is…as you might have guessed …for HA :wink:


Okay, that seems logical…
Feeling dumb :frowning:

Found it at:
https://www.home-assistant.io/docs/configuration/

It fixed my problem. It is working now!

Thank you very much.
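
The misconfiguration resolved above, as an added example that is not part of the original posts: a small Python check that reports when `configuration.yaml` has no active `http:` TLS settings and when they were placed in the add-on options instead. The function names and sample texts are constructed for illustration, and the line scanner is a simplification rather than a full YAML parser.

```python
import re

def top_level_block(yaml_text, key):
    """Return {child: value} for an uncommented top-level `key:` mapping.
    Line scanner only: HA files may use tags such as !include that a
    generic YAML loader rejects."""
    block, inside = {}, False
    for line in yaml_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue                      # blank line or commented-out setting
        if not line[0].isspace():         # a new top-level key starts here
            inside = line.split("#")[0].strip() == f"{key}:"
            continue
        m = re.match(r"\s+([\w-]+):\s*(\S.*)?$", line)
        if inside and m:
            block[m.group(1)] = (m.group(2) or "").strip()
    return block

def diagnose(ha_config, addon_config):
    """List reasons why Home Assistant would still serve plain HTTP."""
    findings = []
    http = top_level_block(ha_config, "http")
    for option in ("ssl_certificate", "ssl_key"):
        if not http.get(option):
            findings.append(f"configuration.yaml: http.{option} is not set")
    if top_level_block(addon_config, "http"):
        findings.append("add-on options: http block here is not read by Home Assistant")
    return findings

# Constructed inputs modelled on the thread: configuration.yaml before the fix
HA_BEFORE = """\
default_config:
# Uncomment this if you are using SSL/TLS, running in Docker container, etc.
#http:
#    ssl_certificate: /ssl/fullchain.pem
#    ssl_key: /ssl/privkey.pem
"""
# Constructed add-on options with the misplaced http block
ADDON_OPTIONS = """\
lets_encrypt:
  certfile: fullchain.pem
  keyfile: privkey.pem
http:
  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem
"""
# configuration.yaml after uncommenting the http section
HA_AFTER = HA_BEFORE.replace("#http:", "http:").replace("#    ssl", "    ssl")

if __name__ == "__main__":
    print("\n".join(diagnose(HA_BEFORE, ADDON_OPTIONS)))
```

After editing `configuration.yaml`, Home Assistant has to be restarted before it loads the certificate, as noted earlier in the thread.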

Don’t feel dumb, there is no such thing as dumb questions…not asking something you don’t know is dumb :thinking:
Please mark as solution :wink:

Hehe, I know there are no dumb questions, only dumb answers :slight_smile: .

I will mark this as the solution.

Regards Arjan

Again, DuckDNS doesn’t confirm if SSL is correct, it just gives an approval to the Let’s Encrypt program that you are the owner and you can generate the certificate locally.

The certificate is not generated locally. It is generated on the Let’s Encrypt servers and the client program then downloads this into the files that are configured in the DuckDNS configuration.

Let’s Encrypt itself has nothing to do with DuckDNS…
For example, I use Let’s Encrypt for my own domain.

True, Let’s Encrypt is just a CA (Certification Authority) and the addon is just a third-party program to automate the process of getting a certificate from that CA.