Effortless encryption with Let's Encrypt and DuckDNS

They will be referring to opening ports for Let's Encrypt validation, which is not needed if you use the DuckDNS add-on for Hass.io, as it uses DNS validation instead of HTTP validation.

You DO still need to forward, say, port 443 to 8123 to access Home Assistant from outside your network though. Before I used IPv6 I used a port in the high 30000s range instead of forwarding port 443. You would then access it by https://domain.duckdns.org:port

David,

LOL. okay that is what I figured but I thought that maybe there was some magic going on that I didn’t understand.

Okay, back to opening the port (which I really don't like). Since I recently rebuilt my HA, I will go back to installing NGINX.

Thank you

Yeah, you and almost everyone else. You can use Nabu Casa, the HA cloud, with no open ports, or use ZeroTier One (which works really well) with no PF, but other than that, if you want external access then you need to open/forward a port.

On my system I use only IPv6 (my DuckDNS address only has an IPv6 address updated) and I then have to open 443 (no PF), which is more obscure at the least…

Hello bcarter,

Can you tell me what your DuckDNS add-on configuration is? Did you also use the /config/ssl/ path there?
I tried that and it is NOT working for me.

Thanks in advance

Hello @mr_white,

I did not use DuckDNS for two reasons… I did not install HASS.io, so add-ons are not trivial for me to get up and running, and I also have a DDNS provided by noip.com.

What is your setup? I can try to help.

Hello!

Please have a look here:

I don't want to double post.

EDIT: this is the configuration error I get when I am adding the SSL file path in the configuration.yaml:

Invalid config for [http]: not a file for dictionary value @ data['http']['ssl_certificate']. Got '/ssl/fullchain.pem'
not a file for dictionary value @ data['http']['ssl_key']. Got '/ssl/privkey.pem'. (See /config/configuration.yaml, line 55). Please check the docs at HTTP - Home Assistant

Thanks in advance

Everything is working great for me using this guide:

https://www.splitbrain.org/blog/2017-08/10-homeassistant_duckdns_letsencrypt

What I would like to do now is allow SSL access to my other services on the same folder: Transmission (port 9091) and ZoneMinder (port 80). I note that @chrisw has used this to enable other things (Emby).

Do I "just" need to reference these cert and key files in apache2, or do I need to make changes to hool.sh as well?

Many thanks if anyone has a minute to explain how I can use this as described!

Trux

So I was using DuckDNS with Let's Encrypt; after several attempts using this

{
  "lets_encrypt": {
    "accept_terms": true,
    "certfile": "fullchain.pem",
    "keyfile": "privkey.pem"
  },
  "token": "my generated token",
  "domains": [
    "xxxxxxxx.duckdns.org "
  ],
  "seconds": 300
}

I kept getting this error

ERROR: An error occurred while sending post-request to https://acme-v02.api.letsencrypt.org/acme/new-order (Status 400)

and at the bottom of the error

{
  "type": "urn:ietf:params:acme:error:malformed",
  "detail": "Malformed account ID in KeyID header URL: \"https://acme-v02.api.letsencrypt.org/acme/acct/\"",
  "status": 400
}

I eventually just installed Let's Encrypt manually and it worked fine. I don't know what the issue is; this is a brand new install, so no chance of me really messing something up.
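The add-on options posted above are a good candidate for a quick sanity check before the add-on ever talks to the ACME server. The checker below is an added example for this thread, not the DuckDNS add-on's own validation: it assumes only the option names shown in the post (lets_encrypt.accept_terms/certfile/keyfile, token, domains, seconds), expects domain entries to be bare *.duckdns.org hostnames, and flags surrounding whitespace such as the trailing space visible in the posted domain entry (flagged as a config smell, not claimed to be the cause of the 400 above).

```python
"""Sanity-check DuckDNS add-on options JSON before starting the add-on.

Added checker for this thread, not the add-on's own validation. Option names
are the ones shown in the posted config; everything else is an assumption.
"""
import json
import re
from typing import List

# RFC 1123 hostname label: letters, digits, hyphen; no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def check_duckdns_options(raw: str) -> List[str]:
    """Return a list of problems found in the options JSON; empty means it looks fine."""
    problems: List[str] = []
    try:
        opts = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]

    le = opts.get("lets_encrypt", {})
    if le.get("accept_terms") is not True:
        problems.append("lets_encrypt.accept_terms must be true, otherwise no certificate is requested")
    for key in ("certfile", "keyfile"):
        name = le.get(key, "")
        if not name:
            problems.append(f"lets_encrypt.{key} is missing")
        elif "/" in name:
            problems.append(f"lets_encrypt.{key} should be a bare file name, not a path: {name!r}")

    token = opts.get("token", "")
    if not isinstance(token, str) or not token.strip() or token.strip() != token:
        problems.append("token is empty or has surrounding whitespace")

    domains = opts.get("domains")
    if not isinstance(domains, list) or not domains:
        problems.append("domains must be a non-empty list")
    else:
        for entry in domains:
            if not isinstance(entry, str):
                problems.append(f"domain entry is not a string: {entry!r}")
                continue
            if entry != entry.strip():
                # A stray space makes the entry a different (invalid) name.
                problems.append(f"domain has surrounding whitespace: {entry!r}")
            host = entry.strip()
            if host.startswith(("http://", "https://")):
                problems.append(f"domain should be a bare hostname, not a URL: {host!r}")
            elif not host.endswith(".duckdns.org") or not all(
                _LABEL.match(label) for label in host.split(".")
            ):
                problems.append(f"domain is not a valid *.duckdns.org hostname: {host!r}")

    seconds = opts.get("seconds")
    if not isinstance(seconds, int) or isinstance(seconds, bool) or seconds <= 0:
        problems.append("seconds must be a positive integer")
    return problems


# Constructed copy of the options posted in the thread, trailing space included.
POSTED_OPTIONS = """{
  "lets_encrypt": {
    "accept_terms": true,
    "certfile": "fullchain.pem",
    "keyfile": "privkey.pem"
  },
  "token": "my generated token",
  "domains": [
    "xxxxxxxx.duckdns.org "
  ],
  "seconds": 300
}"""

if __name__ == "__main__":
    for problem in check_duckdns_options(POSTED_OPTIONS) or ["no problems found"]:
        print(problem)
```

Run it against the add-on's options before saving them; the only finding on the posted config is the whitespace in the domain entry, and the same text with the space removed passes cleanly.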

Hi all, can anyone add some clarity around adding additional domains to a working Let's Encrypt SSL certificate?

I have the DuckDNS/Let's Encrypt setup working fine (through the hass.io plugin), and I have my personal domain name (through VentraIP) pointing to the xxxxx.duckdns.org domain using the DNS CNAME settings.

I can access HA at xxxx.duckdns.org (and SSL works fine). I can also access HA at my personal domain, but I get the "Your connection is not secure" message (i.e. SSL not working).

I presume this is because the certificate is only for the xxxx.duckdns.org address, so can I add my personal domain as well?

Thanks!

Why don't you point the VentraIP domain to your HA instance? Makes no sense going through DuckDNS. You get free SSL with VentraIP anyway. I don't understand why you are doing this.

I initially set it up before I had a domain, but figured it'd be best to keep using it for the dynamic DNS (I don't have a fixed IP address).

As for SSL through VentraIP, all I can see are paid COMODO options. I saw a bunch of articles about VentraIP support for Let's Encrypt, but that only seems to be through cPanel and/or if you were hosting through VentraIP as well. Happy to be corrected though!

Oh yeah, you're right… through cPanel. So you should be able to get a Let's Encrypt certificate hosting your domain on your own server (same as you do now for DuckDNS). You need the CNAME to point to HA, not DuckDNS, and use the Let's Encrypt add-on.

My HA is running in Docker on an OpenMediaVault server (Debian based), so I should be fine to set up Let's Encrypt on there (I saw a few guides around for that).

However, I believe I'd still have dynamic IP issues (I'm not on a fixed IP, just a standard Telstra HFC-based residential plan, not NBN yet (and it'll be HFC anyway :frowning:)). This was one of the main reasons for just having the CNAME point to the DuckDNS instance.

One of the earlier posters seemed to be able to do what I was asking about when hosting through Google Domains, so I was hoping I could manage something similar.

Yeah, you will. That's bloody annoying lol. I'm on ABB and have a sticky IPv4 address, but I block IPv4 on my HA anyway and I only update the IPv6 address at DuckDNS (but it's static). Even with T$ I believe you will have a fixed IPv6 address, so perhaps you could be using that. It does not look like you are gaining anything by using your own domain anyway.

I actually have a few domains and was thinking about using one for this with Cloudflare, but I haven't looked into that in detail yet and meh… don't really see the point TBH.

Part of the reason for using my own domain is that my work (QLD public service) seems to block domains that are specifically DDNS sites (like DuckDNS). Hence trying to see if I could (a) get it working properly on my own domain and (b) check if work still blocks it. Haven't had a chance to test at work with SSL not working, as I only just got the domain set up.

I haven't really played with IPv6 yet; my ISP before moving back to Brisbane didn't support it. Might have to look into that.

If you're with Telstra you def have a static /56 prefix, and HA works great with IPv6. So you could use that + Let's Encrypt + your own domain with the CNAME pointing to HA.


Thanks! Any pointers to guides around using IPv6 (especially with Telstra equipment, though I'm only using the Telstra router for 4G failover on my Asus-Merlin router)?

I am using some older Dell and Cisco managed switches though, so that may be an issue.

Much appreciated!

You'll need to set the AAAA record with your IPv6 address, and yes… your router needs to support IPv6 (might need a firmware upgrade), but with one that does it should just work. I do use the Caddy reverse proxy, which means I only need to open ports 443 and 80 for LE certificates.


Check out this thread as well: Free SSL Certificates through Cloudflare (15y Expiry)

Doesn't work. I've tried every permutation I've found. I get no errors when getting the certs at all; I can see them and they are valid. I added the ssl lines and base_url lines with https://|breaking url|stuff.duckdns.org:8123. Port forwarded 443 to 8123.

I do not have SSL locally or externally. I keep getting ERR_SSL_PROTOCOL_ERROR.
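Several posts in this thread come down to the same question: when 443 is forwarded to 8123, is the listener behind that port actually speaking TLS, or is it still plain HTTP (which is what a browser reports as ERR_SSL_PROTOCOL_ERROR)? The probe below is an added diagnostic for this thread, not code from Home Assistant or from any poster. It uses only the Python standard library; the plaintext listener in it is a constructed stand-in for an HA instance whose http section has no usable ssl_certificate/ssl_key, so the example runs offline. Point probe_tls at your own host and port to use it for real.

```python
"""Check whether the listener behind host:port actually speaks TLS.

Added diagnostic example (not code from this thread or from Home Assistant).
Standard library only; plaintext_listener() is a constructed stand-in for an
HA instance that still answers plain HTTP on the forwarded port.
"""
import socket
import ssl
import threading
from typing import Optional


def probe_tls(host: str, port: int, server_hostname: Optional[str] = None,
              timeout: float = 5.0) -> dict:
    """Send a TLS ClientHello to host:port and report what came back.

    'tls' is True only if a handshake completed. Certificate verification is
    switched off on purpose: the goal is to learn what the listener does,
    not to trust it; verify the chain separately once TLS is confirmed.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    report = {"host": host, "port": port, "tls": False,
              "protocol": None, "diagnosis": None}
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            # server_hostname sets SNI, which matters when a proxy serves several names.
            with ctx.wrap_socket(raw, server_hostname=server_hostname or host) as tls:
                report["tls"] = True
                report["protocol"] = tls.version()
                report["diagnosis"] = "TLS handshake completed"
    except ssl.SSLError as exc:
        # The peer answered, but not with a TLS record: typically a plain-HTTP
        # listener, i.e. the forward reaches HA but HA is not configured for SSL.
        report["diagnosis"] = (f"listener answered without TLS ({exc.reason}); "
                               "check ssl_certificate/ssl_key or the port-forward target")
    except socket.timeout:
        report["diagnosis"] = ("no answer before timeout (firewall, wrong port "
                               "forward, or listener waiting for more plaintext)")
    except OSError as exc:
        report["diagnosis"] = f"connection failed: {exc}"
    return report


def plaintext_listener(host: str = "127.0.0.1") -> int:
    """Constructed stand-in for a non-TLS HTTP listener.

    Serves exactly one connection in a background thread, answering any bytes
    it receives with an HTTP 400, and returns the port it is bound to.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve_once() -> None:
        conn, _ = srv.accept()
        with conn:
            conn.recv(4096)  # swallow the ClientHello as if it were a request line
            conn.sendall(b"HTTP/1.1 400 Bad Request\r\nConnection: close\r\n\r\n")
        srv.close()

    threading.Thread(target=serve_once, daemon=True).start()
    return port


if __name__ == "__main__":
    local_port = plaintext_listener()
    print(probe_tls("127.0.0.1", local_port, server_hostname="example.duckdns.org"))
```

Against the constructed plaintext listener the report says the peer answered without TLS; against a correctly configured HA (or a reverse proxy in front of it) it reports the negotiated protocol version instead, at which point a browser's "not secure" warning is a certificate-name problem rather than a protocol one.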