Effortless encryption with Let's Encrypt and DuckDNS


Not sure about that. I'm not using Home Assistant to update my DDNS IP. I use my router to do this using its built-in DDNS features.


Did you set accept_terms:true in the Let's Encrypt settings?


Not sure what has happened but since upgrading to 78.X I can’t get SSL to work

      api_password: !secret http_password
      base_url: https://xyz.duckdns.org:8123
      ssl_certificate: /ssl/fullchain.pem
      ssl_key: /ssl/privkey.pem

duckdns config:
  "lets_encrypt": {
    "accept_terms": true,
    "certfile": "fullchain.pem",
    "keyfile": "privkey.pem"
  "token": "e001dbdd-333e-4ee9-a7b7-7239de099325",
  "domains": [
  "seconds": 600

and this is the error in the log

2018-09-20 19:15:05 ERROR (MainThread) [homeassistant.core] Error doing job: SSL error errno:1 reason: HTTP_REQUEST
Traceback (most recent call last):
  File "uvloop/sslproto.pyx", line 504, in uvloop.loop.SSLProtocol.data_received
  File "uvloop/sslproto.pyx", line 204, in uvloop.loop._SSLPipe.feed_ssldata
  File "uvloop/sslproto.pyx", line 171, in uvloop.loop._SSLPipe.feed_ssldata
  File "/usr/local/lib/python3.6/ssl.py", line 689, in do_handshake
ssl.SSLError: [SSL: HTTP_REQUEST] http request (_ssl.c:841)

umm… any ideas anyone?


Hi, Noob question: Does this process only work with *.duckdns.org addresses or can I use it to create certs for any domain I own? If so, is the process any different?


I believe I have followed it right, but I can't get https to work; http works fine.

This is the only error I can see…

Traceback (most recent call last):
  File "/usr/local/lib/python3.6/site-packages/aiohttp/web_protocol.py", line 242, in data_received
messages, upgraded, tail = self._request_parser.feed_data(data)
  File "aiohttp\_http_parser.pyx", line 519, in aiohttp._http_parser.HttpParser.feed_data
aiohttp.http_exceptions.BadStatusLine: invalid HTTP method

any ideas? Thanks!
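
Added example, not part of any post in this thread: the two tracebacks above are what a listener logs when the client opens with the other protocol. `[SSL: HTTP_REQUEST]` is OpenSSL's reason code for a TLS listener that received plain HTTP, and aiohttp's `invalid HTTP method` is consistent with a plain-HTTP parser receiving a TLS ClientHello. The helper names and the sample request are constructed for illustration, and everything runs in memory.

```python
import ssl

# Constructed sample: the opening bytes of a plain-HTTP request.
HTTP_SAMPLE = b"GET / HTTP/1.1\r\nHost: xyz.duckdns.org:8123\r\n\r\n"
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


def classify_first_bytes(data: bytes) -> str:
    """Guess which protocol a client opened with from its first bytes."""
    # A TLS record starts with content type 0x16 (handshake) and major version 0x03.
    if len(data) >= 2 and data[0] == 0x16 and data[1] == 0x03:
        return "tls"
    if data.startswith(HTTP_METHODS):
        return "http"
    return "unknown"


def client_hello(hostname: str = "xyz.duckdns.org") -> bytes:
    """Build a real TLS ClientHello in memory; nothing is sent on the network."""
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ssl.create_default_context().wrap_bio(incoming, outgoing, server_hostname=hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the client now waits for a ServerHello
    return outgoing.read()


def tls_listener_reaction(first_bytes: bytes) -> str:
    """Feed bytes to a server-side TLS engine and return OpenSSL's failure reason."""
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)  # no certificate needed to get this far
    tls = ctx.wrap_bio(incoming, outgoing, server_side=True)
    incoming.write(first_bytes)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        return "WANT_READ"
    except ssl.SSLError as exc:
        return exc.reason or "UNKNOWN"
    return "OK"


if __name__ == "__main__":
    print("HTTP sent to a TLS listener ->", tls_listener_reaction(HTTP_SAMPLE))
    hello = client_hello()
    print("TLS client opens with", hello[:3].hex(), "->", classify_first_bytes(hello))
```

Comparing the scheme in the URL being opened (`http://` or `https://`) with whether `ssl_certificate` and `ssl_key` are actually loaded by the listener shows which side of the mismatch a given log line comes from.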


I'm having the exact same issue.


Hi all,
I am new to Home Assistant and still learning from the available documentation.
Trying to access hass.io from the internet, I have followed the same steps as described in @Bobby_Nobble's post from 15th April. The result is that now I can't access the UI either from my home network or from outside.
Connection via ssh shows that HA is running. Also, the files fullchain.pem and privkey.pem are in the /ssl folder.
Any hint or idea? Thanks.


Yep, I’ve been spinning my wheels over apparently the same issue as Chewee. Now it’s a month and a half later than Chewie having the problem, so…
Hey, Chewie, did you get that solved?


Thanks to a blog post by Andreas Gohr I realized that DuckDNS supports setting TXT records, making it compatible with the DNS-01 challenge of Let’s Encrypt. The DNS-01 challenge is using the DNS record of the domain instead of interacting with the server. This means that it’s not needed for the user to open any ports!

But I DO have to forward a port on my router. What is meant by this passage?
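
Added example, not part of the quoted post or of the add-on's code: what the DNS-01 challenge described in the quoted passage amounts to, following RFC 8555 §8.4 and RFC 7638. The CA only performs a TXT lookup of the derived value, so issuance involves no inbound connection to Home Assistant. The account key, tokens and helper names are constructed placeholders; `txt` is the DuckDNS update parameter for TXT records.

```python
import base64
import hashlib
import json
from urllib.parse import urlencode


def b64url(raw: bytes) -> str:
    """Base64url without padding, as ACME uses everywhere."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over only the required members, sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_record(domain: str, challenge_token: str, account_jwk: dict) -> tuple:
    """Return (record name, TXT value) that the CA will query for this challenge."""
    key_authorization = f"{challenge_token}.{jwk_thumbprint(account_jwk)}"
    txt = b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())
    # A wildcard order is validated at the base name.
    name = "_acme-challenge." + domain.removeprefix("*.")
    return name, txt


def duckdns_txt_update_url(subdomain: str, duckdns_token: str, txt: str) -> str:
    """Build (but do not send) the DuckDNS request that publishes the TXT value."""
    query = urlencode({"domains": subdomain, "token": duckdns_token, "txt": txt})
    return "https://www.duckdns.org/update?" + query


if __name__ == "__main__":
    # Constructed placeholders: not a real account key or real tokens.
    account_jwk = {"kty": "RSA", "e": "AQAB", "n": "constructed-modulus", "alg": "RS256"}
    name, txt = dns01_record("xyz.duckdns.org", "constructed-challenge-token", account_jwk)
    print(name, "TXT", txt)
    print(duckdns_txt_update_url("xyz", "DUCKDNS-TOKEN-PLACEHOLDER", txt))
```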


One piece of documentation I read guided you to first set up a test port forward (8123 --> 8123) and later on advises you to delete that port forward and replace it with (443 --> 8123).
Currently I can’t find that doc.

What's the reason for this?

Is it more insecure to open port 8123 to the public than to open 443?

The advantage of forwarding 8123 to 8123 is that it will be the same URL in both the local and the public network.

When I change it to 443 --> 8123, then I have to open XXX.duckdns.org in a public network and XXX.duckdns.org:8123 in my local network. Or is there a workaround for that?

So it makes no difference (that's my main question) if you choose 443 or 8123? Then why use different ports?

This is the doc I was talking about.


In step 2 we created a port forwarding rule called ha_test. This opens port 8123 to the world, and is no longer necessary.

Hass.io static ip and other network regarding questions

Last passage before section 1 mentions why.
It’s because he aims to get the default behavior of writing https which runs on port 443 instead of having to specify port each and every time.

Personally, I have also seen that if you want to run Home Assistant as a progressive web app (i.e. it shows up as an app in your drawer) on Android, you need to run it on port 443 or, alternatively, port forward 443 to the HA port of your choice.

From a local network standpoint you can still run the same https://xxx.duckdns.org address as externally.
This is because the router knows that the endpoint of that address is internal so it will just turn the traffic back around.


But from a security point of view it’s the same, whether you open 443 or some other port?
Or is it even more secure to have a port other than 443 because it isn’t that obvious for a potential attack from a hacker?

I don’t care if I have to specify the port every time, because I save the URL as a bookmark, so I don’t have to care about that.
I just want to know if I’m doing it right. So are both ways OK or is one better than the other?

Are you sure about that? I tried it with port 443 but I wasn’t able to open it without the internal port at the end (local).
My router doesn’t support NAT loopback; maybe that's the issue?


Changing the port would be classified as security by obscurity, i.e. security-wise it makes no difference. A bot will port scan you anyway.

What setting you need to change on your router, I'm unsure. I never had to tweak this on any of mine.
I would say that the router should be able to find the lookup address in its own DNS table.

I.e. it resolves the DuckDNS address to its own external address and hence loops it back internally.

So should not be any nat-loopback involved.


My DuckDNS works outside my local network - https://XXXXXX.duckdns.org/… but when I use the same address at home on the local network it brings up the login page for my router, not Home Assistant. What am I missing? Any help would be greatly appreciated. Thanks!


You haven’t forwarded 443 to 8123.


I do have 443 to 8123 set up. I have a Ubiquiti EdgeRouter… I think this may be the issue.

I thought this might help but it didn’t… https://loganmarchione.com/2017/04/duckdns-on-edgerouter/


Figured it out… I removed the LAN interfaces from the port forwarding and put switch0.