Effortless encryption with Let's Encrypt and DuckDNS

keep the leading / so /privkey.pem etc

had to uninstall and reinstall duckdns addon.
the /ssl/ folder was empty so it had to recreate the files. that was the error.

back to square 1 that the url didnt work.

for the record:
my network consists of a cablemodem with routing capabilities and a router. I thought i had disabled the routing capabilities, but that was not so.


1 Like

If i have a wireless hub attached to a google fiber modem, do i need to port forward on both of them?

You only portforward on the router

that’s what i was missing. in my previous attempts I only enabled port forwarding on the attached wireless hub. now that i’ve enabled it on the router the duckdns URL communicates with my home assistant. thnx!

1 Like

Is anyone able and willing to help me troubleshoot my setup? I am NOT using duckdns, and I am NOT using hass.io.

I have a domain and successfully generated certs from letsencrypt, no matter what I add to my configuration.yaml file… I get the following error in the log

2019-05-03 12:32:25 ERROR (MainThread) [homeassistant.config] Invalid config for [http]: not a file for dictionary value @ data['http']['ssl_certificate']. Got 'ssl/fullchain.pem'
not a file for dictionary value @ data['http']['ssl_key']. Got 'ssl/privkey.pem'. (See /config/configuration.yaml, line 23). Please check the docs at https://home-assistant.io/components/http/

what I have tried:
different directories and different permissions for the cert files, including 777 wide open
different port forwarding rules, though this does not matter as these errors are on start up, and not when connecting.
adding and removing a bunch of different compinations of leading “/” and “” and ‘’ to see… the error has always been the same

Thanks for any help!

hello all… I have fixed it!

my issue was a docker issue… and so I was not actually placing the certs where I thought I was. I changed

  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem
  base_url: mysubdomain.no-ip.biz:8123


  ssl_certificate: /config/ssl/fullchain.pem
  ssl_key: /config/ssl/privkey.pem
  base_url: mysubdomain.no-ip.biz:8123

because within my docker install the config folder is not where the homeassistant root folder is, and so there was no <>/ssl/ folder, nor a /ssl/ folder in the docker install. so I had to fully qualify the proper location, and everything worked perfect.

Interesting! I’ll try it.

Hi Petermj,
Did you ever got this fixed for the ios app. I currently have the same issues.

Works perfectly trough webbrowser externally, but the HA ios app fails :
An SSL error has occured and a secure connection to the server cannot be made.
I setup an duckdns address.

Hi, I never tried again :roll_eyes:

I should give a try again sometime, but have no time right now. For now I have installed the HomeKit plugin and can control all my devices using the Home app on my iPhone, which I believe is secure.

Exactly the same problem here.
I got Duckdns + caddy and works perfectly in internal network as well as externally by browser (even safari on iphone). But with the IOS app (2.0) fail with the same SSL error.
Already posted on IOS but no support so far. I guess the app cannot handle this configuration.

Greeting everyone,

I just noticed this thread and have a question.

I have HassIO setup with DucksDNS and LetsEncrypt.

My question is.
The main comment on the steps described in thr beginning of the thread state that we do not need to open any ports.

This means that it’s not needed for the user to open any ports!

However, I see many responses that say you still need to open and forward a port.

Can someone please clarify?.

I was able to access HA from outside and after closing the port I can’t access HA from outside.

Thank you


They will be referring to opening ports for LetsEncrypt validation which is not needed if you use the DuckDNS addon for Hass.io as it uses DNS validation instead of http validation.

You DO still need to forward say port 443 to 8123 to access home assistant from outside your network though. Before I used IPv6 I used a port in the high 30000’s range instead of forwarding port 443. You would then access by https://domain.duckdns.org:port


LOL. okay that is what I figured but I thought that maybe there was some magic going on that I didn’t understand.

Okay, back to opening the port (which I really don’t like). Since I recently re-build my HA, I will go back to installing NGINX.

Thank you

Yeah you and almost everyone else. You can use Nabu Casa the HA cloud with no open ports, or use zero tier one (which works really well) with no PF but other than that, if you want external access then you need to open/forward a port.

On my system I use only IPv6 (my duckdns address only has a IPv6 address updated) and I then have to open 443 (no PF) which is more obscure at the least…

Hallo bcarter

can you tell me what is your duckdns add-on configuration? did you also use the /config/ssl/ path there?
I tried that and is NOT working for me.

thanks in advance

hello @mr_white ,

I did not use duckdns for two reasons… I did not install HASS.io and so add-ons are not trival for me to get up and running, and I also have a DDNS provided by noip.com.

What is your set up and I can try to help.


please have a look here:

don´t want to double post.

EDIT: this is the configuration error i get when i am adding the ssl file path in the configuration.yaml:

Invalid config for [http]: not a file for dictionary value @ data[‘http’][‘ssl_certificate’]. Got ‘/ssl/fullchain.pem’
not a file for dictionary value @ data[‘http’][‘ssl_key’]. Got ‘/ssl/privkey.pem’. (See /config/configuration.yaml, line 55). Please check the docs at https://home-assistant.io/components/http/

thanks in advance

Everything is working great for me using this guide:


What I would like to do now is allow SSL access to my other services on the same folder: Transmission (port 9091), zoneminder - (port80). I note that @chrisw has used this to enable other things (Emby).

Do I “just” need to reference these cert and key files in apache2 or do I need to make changes to hool.sh also?

Many thanks if anyone has a minute to explain how I can use this as described!