Effortless encryption with Let's Encrypt and DuckDNS


I’m afraid I still wouldn’t describe this process as effortless. 1 hour with multiple restart, HASSIO just presenting a blank screen, SSH to reboot over and over, still not working. :sweat_smile:


Take this the right way but, after the initial missing instructions from the article about port forwarding etc were cleared up, it really is effortless BUT heavily relies on first, you do everything exactly as instructed and second, your instance of HA, hardware and network are all exactly as the setup expects, the latter is where most people’s problems lie.


Hi @Bobby_Nobble if we can troubleshoot my issues then I am happy to help fine tune the docs?

I’m on a pi-zero with hassio running 0.67. I’ve got router port 8123 mapped to 8123 on the pi. I’ve documented my issues in this thread.

My issues are related to the .pem files which I recall previously could only be generated by opening ports temporarily. However the new process doesn’t require this, so my first question is:

  • how do I validate that the .pem files have been generated and stored correctly? Using samba share I browse the hassio folders but cannot fined a folder /ssl, should I be able to locate this, or is it hidden within the container?



Hi @robmarkcole, just had a look at your linked thread and it looks like you’re in the first camp :slight_smile: …you have no base_url in your config!

Given you’ve forwarded 8123 to 8123, your config should be like this…

  base_url: https://your_chosen_name.duckdns.org:8123
  api_password: !secret http_password
  login_attempts_threshold: 5
  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem 

…and you’d access HA externally at https://your_chosen_name.duckdns.org:8123


Hi bobby, I tried that (there’s a discrepancy between the docs and the blog post about whether it’s required), without success


It stated quite clearly in the default configuration.yaml you had when first installing HA to uncomment that line if you wanted to access HA externally!

Literally all I did was put this in my config…

  base_url: https://my_chosen_name.duckdns.org:8123
  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem
  api_password: my_HA_password

installed the DuckDNS addon, set it like this…

  "lets_encrypt": {
    "accept_terms": true,
    "certfile": "fullchain.pem",
    "keyfile": "privkey.pem"
  "token": "my_token_from_duckdns",
  "domains": [
  "seconds": 300

and I forwarded 8123 to 8123 on my router, nothing else whatsoever and it works perfectly.

I consider that fairly effortless :slight_smile:


For some reason I had to manually create the ssl folder to get it to work. I did find that when using duckdns, tts on Google home stops working :frowning: I checked NAT loopback is turned on but it didn’t help.


Where did you create the ssl folder?


I created the SSL folder in the config folder, I’m using Hassio. I did it because HA wouldn’t start up and it seemed to be because the SSL files were missing (sorry I can’t remember the exact error) … anyway I added an SSL folder and everything worked; I could connect using SSL via my duckdns address (after setting up some port forwarding on my router). The really strange thing is that when I look in my SSL folder there is nothing there!


That’s strange. If you’re prepared to try it out, does deleting the ssl folder have any effect?


I’ll have a go!


mine are in /ssl/

if you use winscp, navigate to root and you will see a ssl folder. Thats where my certificates live.


OK so I’ve confirmed that the ssl directory exists and the keys are present:

core-ssh:~# pwd
core-ssh:~# cd /ssl
core-ssh:/ssl# ls
fullchain.pem  privkey.pem

My config is as per the docs:

  api_password: !secret http_password
  base_url: https://my_domain.duckdns.org:8123
  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem

Finally, I’ve also noticed that the default options from the docs page apparently aren’t actually valid - appear to require the seconds to be configured:

I’ve selected RESET TO DEFAULTS and edited to give the following valid config:

  "lets_encrypt": {
    "accept_terms": true,
    "certfile": "fullchain.pem",
    "keyfile": "privkey.pem"
  "token": "my_token",
  "domains": [
  "seconds": 300

I am able to reach the HA front-end at With hindsight it is obvious but I was not appending https. However my logs fill with the error:

2018-04-16 06:42:41 ERROR (MainThread) [homeassistant.core] Error doing job: Task was destroyed but it is pending!

Therefore there is an issue here, but the process does work. My PR to clarify the docs is here.


@robmarkcole OK so I tried again after deleting the /config/ssl/ folder I had added and by forwarding port 8123 on my router everything worked. I have since upgraded to hassio 0.67.0 so perhaps there was a bug before. I have confirmed that fullchain.pem and privkey.pem are in /ssl/ as @DavidFW1960 suggested.

I went through my search history and the error I originally got was Got ‘/ssl/fullchain.pem’ not a file for dictionary value @ data[‘http’][‘ssl_key’]


So exactly what I said then :rofl:


Just a another way to do that with automatic renew without port fowarding.
There is a simplest way to configure it without care about port forwarding or leave HAS on exposed on WAN just to do automatic renew.


Just to say thank you.

I couldn’t forward external port 443 to internal port 8123 as my router (Netgear D6200) doesn’t have that capability strangely…

Using https://mydomain.duckdns.org:8123 and forwarding external port 8123 to ip.of.my.pi worked for me to access the HA externally.

I am also able to access the HA frontend by adding https:// and :8123 to my internal ip.

I have base url with https://mydomain.duckdns.org:8123 in my configuration.yaml file without the quotes.

I am using HASSIO with DuckDNS addon.

Just one small issue. I have the below error in my log files popping up every 10 seconds or so.

Error doing job: <uvloop.loop.SSLProtocol object at 0x6fe09c50>: SSL error errno:1 reason: HTTP_REQUEST
Traceback (most recent call last):
File “uvloop/sslproto.pyx”, line 496, in uvloop.loop.SSLProtocol.data_received
File “uvloop/sslproto.pyx”, line 204, in uvloop.loop._SSLPipe.feed_ssldata
File “uvloop/sslproto.pyx”, line 171, in uvloop.loop._SSLPipe.feed_ssldata
File “/usr/lib/python3.6/ssl.py”, line 689, in do_handshake
ssl.SSLError: [SSL: HTTP_REQUEST] http request (_ssl.c:777)

I haven’t found any other issues yet.

Does anyone know if i need to be concerned? Thanks in advance.


Great tutorial. I may have missed something, how to get HASSio to update the Google Domain? It seems mine is pointed to my provider local office for some reason. This is what I have in my Config.yaml file
domain: homeassistant.***************.com
username: !secret google_domain_user
password: !secret google_domain_pass

Any suggestions?


Hi all,

I had all working properly. During my holidays i guess my certificate expired. I was only able to access my setup without https. I figured ot that my duckdns add-on had stopped, but i’m not able to start it again. My logs on the add-on page is empty. Can someone help me out?




I installed DuckDNS (and not let’s encrypt, because of the warning not to use them both).
I followed the instructions above for the configuration.yaml, but got this error when checking the config: invalid config for [http]: not a file for dictionary value @ data[‘http’] [‘ssl_certificate’] Got ‘/ssl/fullchain.pem’
And the same for the ssl_key.
What did I do wrong