Effortless encryption with Let's Encrypt and DuckDNS

You’ve only got one external IP address, but you don’t need it to set this up; that’s what DuckDNS looks after for you.

I run my own DNS servers and have static IP addresses - No DuckDNS here.

The problem appears to be that Home Assistant is not quite correct in its HTML and this causes lynx to fail. I was using lynx to test so that I could see how things work from an out-of-state machine.

I’ll try to file a bug on this.

The whole objective was to get Google Assistant to work and it still fails.

I changed the default location of my cert files… the ones you need are the key and the chain file. As soon as I added those to the folder I specified in my configuration file it picked up and everything worked fine. You added the root and sub domain name when you created your cert, right? So prefix.domain.com and domain.com; that should allow the cert to work.

I’m afraid I still wouldn’t describe this process as effortless. 1 hour with multiple restarts, HASSIO just presenting a blank screen, SSH to reboot over and over, still not working. :sweat_smile:

Take this the right way, but after the initial missing instructions from the article about port forwarding etc. were cleared up, it really is effortless, BUT it heavily relies on, first, you doing everything exactly as instructed and, second, your instance of HA, hardware and network all being exactly as the setup expects; the latter is where most people’s problems lie.

Hi @Bobby_Nobble if we can troubleshoot my issues then I am happy to help fine tune the docs?

I’m on a pi-zero with hassio running 0.67. I’ve got router port 8123 mapped to 8123 on the pi. I’ve documented my issues in this thread.

My issues are related to the .pem files which I recall previously could only be generated by opening ports temporarily. However the new process doesn’t require this, so my first question is:

  • how do I validate that the .pem files have been generated and stored correctly? Using the Samba share I browse the hassio folders but cannot find a folder /ssl; should I be able to locate this, or is it hidden within the container?

cheers

Hi @robmarkcole, just had a look at your linked thread and it looks like you’re in the first camp :slight_smile: …you have no base_url in your config!

Given you’ve forwarded 8123 to 8123, your config should be like this…

http:
  base_url: https://your_chosen_name.duckdns.org:8123
  api_password: !secret http_password
  login_attempts_threshold: 5
  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem 

…and you’d access HA externally at https://your_chosen_name.duckdns.org:8123

Hi bobby, I tried that (there’s a discrepancy between the docs and the blog post about whether it’s required), without success

It stated quite clearly in the default configuration.yaml you had when first installing HA to uncomment that line if you wanted to access HA externally!

Literally all I did was put this in my config…

http:
  base_url: https://my_chosen_name.duckdns.org:8123
  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem
  api_password: my_HA_password

installed the DuckDNS addon, set it like this…

{
  "lets_encrypt": {
    "accept_terms": true,
    "certfile": "fullchain.pem",
    "keyfile": "privkey.pem"
  },
  "token": "my_token_from_duckdns",
  "domains": [
    "my_chosen_name.duckdns.org"
  ],
  "seconds": 300
}

and I forwarded 8123 to 8123 on my router, nothing else whatsoever and it works perfectly.

I consider that fairly effortless :slight_smile:


For some reason I had to manually create the ssl folder to get it to work. I did find that when using duckdns, tts on Google home stops working :frowning: I checked NAT loopback is turned on but it didn’t help.

Where did you create the ssl folder?

I created the SSL folder in the config folder, I’m using Hassio. I did it because HA wouldn’t start up and it seemed to be because the SSL files were missing (sorry I can’t remember the exact error) … anyway I added an SSL folder and everything worked; I could connect using SSL via my duckdns address (after setting up some port forwarding on my router). The really strange thing is that when I look in my SSL folder there is nothing there!

That’s strange. If you’re prepared to try it out, does deleting the ssl folder have any effect?

I’ll have a go!

mine are in /ssl/

If you use WinSCP, navigate to root and you will see an ssl folder. That’s where my certificates live.


OK so I’ve confirmed that the ssl directory exists and the keys are present:

core-ssh:~# pwd
/root
core-ssh:~# cd /ssl
core-ssh:/ssl# ls
fullchain.pem  privkey.pem

My config is as per the docs:

http:
  api_password: !secret http_password
  base_url: https://my_domain.duckdns.org:8123
  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem

Finally, I’ve also noticed that the default options from the docs page apparently aren’t actually valid; they appear to require the seconds field to be configured:

I’ve selected RESET TO DEFAULTS and edited to give the following valid config:

{
  "lets_encrypt": {
    "accept_terms": true,
    "certfile": "fullchain.pem",
    "keyfile": "privkey.pem"
  },
  "token": "my_token",
  "domains": [
    "my_domain.duckdns.org"
  ],
  "seconds": 300
}

I am able to reach the HA front-end at https://192.168.0.28:8123/states. With hindsight it is obvious but I was not appending https. However my logs fill with the error:

2018-04-16 06:42:41 ERROR (MainThread) [homeassistant.core] Error doing job: Task was destroyed but it is pending!

Therefore there is an issue here, but the process does work. My PR to clarify the docs is here.
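For the "have the .pem files been generated and are they actually being served" question, here is a check added by the editor (not from this thread, not part of Home Assistant or the DuckDNS add-on) that can be run from any outside machine: it opens a TLS connection to the DuckDNS name on the forwarded port, validates the chain against the system trust store, and reports the issuer, whether the certificate covers the name, and how many days remain on the 90-day Let's Encrypt certificate. The hostname and port are assumptions; the only network call is in `probe()`, the two helpers work on the dictionary that `getpeercert()` returns.

```python
import socket
import ssl
from datetime import datetime, timezone


def cert_matches(cert: dict, hostname: str) -> bool:
    """True if a DNS subjectAltName entry covers hostname (exact, or a one-label wildcard)."""
    host = hostname.lower()
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        san = value.lower()
        if san == host:
            return True
        # "*.example.org" covers exactly one label to the left of example.org
        if san.startswith("*.") and host.split(".", 1)[1:] == [san[2:]]:
            return True
    return False


def days_until_expiry(cert: dict, now_seconds=None) -> float:
    """Days left on the certificate (negative once expired); now_seconds defaults to the current time."""
    if now_seconds is None:
        now_seconds = datetime.now(timezone.utc).timestamp()
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])  # parses the 'notAfter' GMT string
    return (not_after - now_seconds) / 86400.0


def probe(hostname: str, port: int = 8123, timeout: float = 5.0) -> dict:
    """Connect over TLS, verify the chain, and summarise the served leaf certificate.
    Hostname matching is reported by cert_matches() instead of raising, so a cert that
    is trusted but issued for the wrong name still produces a readable result."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED against the system root store
    ctx.check_hostname = False           # mismatch is reported below, not raised here
    with socket.create_connection((hostname, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:  # SNI is still sent
            cert = tls.getpeercert()
    issuer = {k: v for rdn in cert.get("issuer", ()) for k, v in rdn}
    return {
        "issuer": issuer.get("organizationName"),
        "covers_hostname": cert_matches(cert, hostname),
        "days_left": round(days_until_expiry(cert), 1),
    }


if __name__ == "__main__":
    import sys
    # Assumed hostname; pass your own DuckDNS name as the first argument.
    print(probe(sys.argv[1] if len(sys.argv) > 1 else "your_chosen_name.duckdns.org"))
```

A handshake failure (no forwarding, plain HTTP on the port, untrusted chain) raises from `probe()`, which is itself the diagnostic: the add-on has not produced a certificate that the outside world can see.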

@robmarkcole OK so I tried again after deleting the /config/ssl/ folder I had added and by forwarding port 8123 on my router everything worked. I have since upgraded to hassio 0.67.0 so perhaps there was a bug before. I have confirmed that fullchain.pem and privkey.pem are in /ssl/ as @DavidFW1960 suggested.

I went through my search history and the error I originally got was Got '/ssl/fullchain.pem' not a file for dictionary value @ data['http']['ssl_key']


So exactly what I said then :rofl:

Just another way to do that, with automatic renewal and without port forwarding.
There is a simpler way to configure it without caring about port forwarding or leaving HA exposed on the WAN just to do the automatic renewal.

Just to say thank you.

I couldn’t forward external port 443 to internal port 8123 as my router (Netgear D6200) doesn’t have that capability strangely…

Using https://mydomain.duckdns.org:8123 and forwarding external port 8123 to ip.of.my.pi worked for me to access the HA externally.

I am also able to access the HA frontend by adding https:// and :8123 to my internal ip.

I have base url with https://mydomain.duckdns.org:8123 in my configuration.yaml file without the quotes.

I am using HASSIO with DuckDNS addon.

Just one small issue. I have the below error in my log files popping up every 10 seconds or so.

Error doing job: <uvloop.loop.SSLProtocol object at 0x6fe09c50>: SSL error errno:1 reason: HTTP_REQUEST
Traceback (most recent call last):
  File "uvloop/sslproto.pyx", line 496, in uvloop.loop.SSLProtocol.data_received
  File "uvloop/sslproto.pyx", line 204, in uvloop.loop._SSLPipe.feed_ssldata
  File "uvloop/sslproto.pyx", line 171, in uvloop.loop._SSLPipe.feed_ssldata
  File "/usr/lib/python3.6/ssl.py", line 689, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: HTTP_REQUEST] http request (_ssl.c:777)

I haven’t found any other issues yet.

Does anyone know if i need to be concerned? Thanks in advance.
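An added triage script (editor's example, not from the thread) for the two log errors quoted above. The OpenSSL reason HTTP_REQUEST means the peer sent a plaintext HTTP request where a TLS ClientHello was expected, i.e. something is talking http:// to the https port; it is not a certificate problem. The script groups "Error doing job" lines by reason, counts them and estimates how often they recur, which is the first thing to look at before deciding whether the source is a misconfigured client on the LAN or unsolicited traffic on the forwarded port. The log lines are constructed, modelled on the ones posted here.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample, modelled on the errors quoted in this thread (timestamps invented).
SAMPLE_LOG = """\
2018-04-16 06:42:41 ERROR (MainThread) [homeassistant.core] Error doing job: Task was destroyed but it is pending!
2018-04-16 06:43:02 ERROR (MainThread) [homeassistant.core] Error doing job: <uvloop.loop.SSLProtocol object at 0x6fe09c50>: SSL error errno:1 reason: HTTP_REQUEST
2018-04-16 06:43:12 ERROR (MainThread) [homeassistant.core] Error doing job: <uvloop.loop.SSLProtocol object at 0x6fe09c60>: SSL error errno:1 reason: HTTP_REQUEST
2018-04-16 06:43:22 ERROR (MainThread) [homeassistant.core] Error doing job: <uvloop.loop.SSLProtocol object at 0x6fe09c70>: SSL error errno:1 reason: HTTP_REQUEST
2018-04-16 06:45:00 ERROR (MainThread) [homeassistant.core] Error doing job: <uvloop.loop.SSLProtocol object at 0x6fe09c80>: SSL error errno:1 reason: SSLV3_ALERT_CERTIFICATE_UNKNOWN
"""

TS = "%Y-%m-%d %H:%M:%S"
SSL_ERR = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) .*SSL error errno:(\d+) reason: (\w+)")
JOB_ERR = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) .*Error doing job: (.*)$")

# What the OpenSSL reason codes mean for the operator of an HTTPS-only port.
MEANING = {
    "HTTP_REQUEST": "peer sent plaintext HTTP to the TLS port: a client using http://, not a broken cert",
    "SSLV3_ALERT_CERTIFICATE_UNKNOWN": "peer rejected the served certificate: check chain and covered name",
}


def _avg_interval(first: str, last: str, count: int):
    """Mean seconds between occurrences, or None when there is only one."""
    if count < 2:
        return None
    return (datetime.strptime(last, TS) - datetime.strptime(first, TS)).total_seconds() / (count - 1)


def triage(log_text: str) -> dict:
    """Group 'Error doing job' lines: TLS handshake failures by reason, everything else by message."""
    counts, spans, other = Counter(), {}, Counter()
    for line in log_text.splitlines():
        m = SSL_ERR.match(line)
        if m:
            ts, _errno, reason = m.groups()
            counts[reason] += 1
            spans[reason] = (spans.get(reason, (ts, ts))[0], ts)  # keep first, update last
            continue
        m = JOB_ERR.match(line)
        if m:
            other[m.group(2)] += 1
    return {
        "ssl": {r: {"count": n, "first": spans[r][0], "last": spans[r][1],
                    "avg_interval_s": _avg_interval(spans[r][0], spans[r][1], n),
                    "meaning": MEANING.get(r, "unclassified, inspect manually")}
                for r, n in counts.items()},
        "other": dict(other),
    }
```

Run it over `/config/home-assistant.log`; a steady HTTP_REQUEST rate with no matching client on the LAN usually means the forwarded port is being probed from outside, which the handshake failure already rejects.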