Effortless encryption with Let's Encrypt and DuckDNS

By being outside your lan and checking it from there.

Well I get a 404 Not Found on port 80. So I guess the request is getting through.

I finally solved this by completely changing how I do it.
I used this excellent guide - https://help.konnected.io/support/solutions/articles/32000023964-set-up-hass-io-with-secure-remote-access-using-duckdns-and-nginx-proxy
Port forwarding is just 80 -> 80 and 443 -> 443. No messing with 8123.
Just followed all the steps and it worked like a charm. We’ll see what happens at renewal time!

1 Like

Not sure if this applies in your case, as I use duckdns and nginx but I only forward port 443 to 443.
No other ports exposed. And it renews certs seemlessly.

@Mutt, care to explain step by step how you did it ?

Already done, see : -

I disabled port 80 shortly after doing this and haven’t needed it for any renewals since so I’m pretty sure it wasn’t needed in the first place.

Thanks for linking this, this is a much easier way to handle this!

I followed the official guide to install DuckDNS on a fresh install of Home Assistant 4.11 32-bit on my Raspberry Pi 4 Model B 4GB.

It does not appear to place (possibly not create) the fullchain.pem and privkey.pem files into the /SSL directory… so it does not enable SSL and causes issues if I try to input the http: section in the configuration.yaml file.

DuckDNS Configuration:

  accept_terms: true
  certfile: /ssl/fullchain.pem
  keyfile: /ssl/privkey.pem
token: MY TOKEN
  - MYDOMAIN.duckdns.org
aliases: []
seconds: 300


  base_url: MYDOMAIN.duckdns.org
  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem

DuckDNS Log:

[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] done.
[services.d] starting services
[services.d] done.
# INFO: Using main config file /data/workdir/config
+ Account already registered!
[16:29:47] INFO: OK
# INFO: Using main config file /data/workdir/config
Processing MYDOMAIN.duckdns.org
 + Checking domain name(s) of existing cert... unchanged.
 + Checking expire date of existing cert...
 + Valid till Oct 19 15:43:43 2020 GMT Certificate will not expire
(Longer than 30 days). Skipping renew!

Does anyone have an idea of what I am doing wrong? I am new to Home Assistant and have spent hours trying different combinations of settings trying to get this to generate the certificates without success.

1 Like

base_url: https://mydomain.duckdns.org

and forward port 443 to 8123 in router or try base_url: https://mydomain.duckdns.org:8123

1 Like

Thanks for the info. I ended up starting fresh and had no issues for about a day until the SD card failed. I think some files were corrupt on the SD card. I have a new one installed now and all is working as it should.

Hello, I have the domain working at duckdns, I forwarded 8123 and I can access HA just with user and password.
I changed the letencrypt to true, and added the api_password and base_url in configuration.yaml but it doesn’t work.

The logs from the DuckDNS addon says that the certificate retrieval is ok.

Do I need to do some additional port forwarding or what did I do wrong?
I tried to access it both with https://mydomain.duckdns.org both without and with :8123 but still it doesn’t work.

My ISP has both ports 80 and 443 blocked. I asked to release but no possibility. So I was able to forward 8123 to 8123.

Although I can access HA through http with my duckdns subdomain, it does not work with https.

Do I have any possibility having the mentioned ports blocked?

It doesn’t matter what port you use, so long as it is directed (forwarded) to your HA instance port 8123.

ssl will work if you have certificates installed properly.

1 Like

Duckdns supports DNS validation so no ports need to be forwarded to get ssl cents issued. The DNS addon supports that.

1 Like

Thanks for all yor help, great community! I have resolved it. I am a very happy newbie!

If helps to other newbies, this worked:

  • forward port 8123 to external 8123
  • DuckDNS addon as mentioned many times above. Make sure there is not any error log.
  • yaml:

external_url: https://YOUR_DOMAIN.duckdns.org:EXTERNAL_PORT
internal_url: http://INTERNAL_IP:EXTERNAL:PORT

ssl_certificate: /ssl/fullchain.pem
ssl_key: /ssl/privkey.pem

Do not put any “api pasword” or any url at http node, just as simple as above.


Just spent an hour or two to get this to work. Scrolled to the end of the comments to write an entry about how I solved it, only to see that you had come to the exact same conclusion and already written about it. :grin:
Next time I will check the latest comments before following a guide…

I am progressing a lot but also investing plenty of time (that I am in fact enjoying)…
So next issue you likely will find out is that accessing from your network will need always https, and it not going to be an issue with the right browser but App will only work out your network with duckdns. Besides some of integrations will need a http address instead of https.
So next step is combining it with a reverse proxy. So NGINX addon has been my solution.
My ISP has 443 and 80 port blocked and no possibility to make an exception. So I still oponed them at my router (probably without any affect) but proxy is working as expected…
Now I can access internally with http://local-IP:8123 and from outside with just https://subdomain.duckdns.org (without adding 8123 that I closed forwarding. Besides if I add 443 or 80 ports it is redirected perfectly as well but no need now to add any port).
I hope this helps and many other nice people helped me before in my, until now, 2 weeks journey.

1 Like

Thanks a lot!
I tried to move my Unifi controller to Home Assistant, but it was impossible to get the devices to show up. NGINX solved that problem.

I am going crazy… I am a newbie with HASS but am not very new to open source and customising. I have got everything up and running, my entire network devices controlled and am absolutely loving it. Great thanks to this entire community!!

Just this encryption bit drives me nuts. I have read every post and guide on how to set this up but somehow nothing works. As far as I understand it in the current version of HASS and addons it should all be easy. I basically took these steps:

  • Install HASS
  • Install DuckDNS and register
  • Config from DuckDNS:
  accept_terms: true
  certfile: fullchain.pem
  keyfile: privkey.pem
token: xxxxxxxx
  - xxxx.duckdns.org
aliases: []
seconds: 300

Logfile looks good, it fetches the certificates without any issues.

But then…it doesn’t seem to work. I read multiple posts about adding lines to the yaml file, but whenever I add a “http” section, HASS doesn’t start up anymore. I have tried all different combinations of port forwardings etc, but somehow…no chance.

So currently only port 8123 is forwarded to 8123 on HASS and the DuckDNS addon installed…Am I missing anything or is there anyone which can explain what else I should be doing?

Well, your configuration should include an http section as that’s where the location of the cert files is defined. Being YAML you may need to look for a formatting issue. Patience is something you need a lot of as you learn how to manage HA.