Effortless encryption with Let's Encrypt and DuckDNS

Not sure if this applies in your case, as I use duckdns and nginx but I only forward port 443 to 443.
No other ports exposed. And it renews certs seamlessly.

@Mutt, care to explain step by step how you did it?

Already done, see : -

I disabled port 80 shortly after doing this and haven’t needed it for any renewals since so I’m pretty sure it wasn’t needed in the first place.

Thanks for linking this, this is a much easier way to handle this!

I followed the official guide to install DuckDNS on a fresh install of Home Assistant 4.11 32-bit on my Raspberry Pi 4 Model B 4GB.

It does not appear to place (possibly not create) the fullchain.pem and privkey.pem files into the /SSL directory… so it does not enable SSL and causes issues if I try to input the http: section in the configuration.yaml file.

DuckDNS Configuration:

lets_encrypt:
  accept_terms: true
  certfile: /ssl/fullchain.pem
  keyfile: /ssl/privkey.pem
token: MY TOKEN
domains:
  - MYDOMAIN.duckdns.org
aliases: []
seconds: 300

Configuration.yaml:

http:
  base_url: MYDOMAIN.duckdns.org
  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem

DuckDNS Log:

[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] done.
[services.d] starting services
[services.d] done.
# INFO: Using main config file /data/workdir/config
+ Account already registered!
[16:29:47] INFO: OK
MYIP
NOCHANGE
# INFO: Using main config file /data/workdir/config
Processing MYDOMAIN.duckdns.org
 + Checking domain name(s) of existing cert... unchanged.
 + Checking expire date of existing cert...
 + Valid till Oct 19 15:43:43 2020 GMT Certificate will not expire
(Longer than 30 days). Skipping renew!

Does anyone have an idea of what I am doing wrong? I am new to Home Assistant and have spent hours trying different combinations of settings trying to get this to generate the certificates without success.

1 Like

base_url: https://mydomain.duckdns.org

and forward port 443 to 8123 in router or try base_url: https://mydomain.duckdns.org:8123

1 Like

Thanks for the info. I ended up starting fresh and had no issues for about a day until the SD card failed. I think some files were corrupt on the SD card. I have a new one installed now and all is working as it should.

Hello, I have the domain working at duckdns, I forwarded 8123 and I can access HA just with user and password.
I changed letsencrypt to true, and added the api_password and base_url in configuration.yaml but it doesn’t work.

The logs from the DuckDNS addon says that the certificate retrieval is ok.

Do I need to do some additional port forwarding or what did I do wrong?
I tried to access it with https://mydomain.duckdns.org, both without and with :8123, but still it doesn’t work.

My ISP has both ports 80 and 443 blocked. I asked to release but no possibility. So I was able to forward 8123 to 8123.

Although I can access HA through http with my duckdns subdomain, it does not work with https.

Do I have any possibility having the mentioned ports blocked?

It doesn’t matter what port you use, so long as it is directed (forwarded) to your HA instance port 8123.

ssl will work if you have certificates installed properly.

1 Like

Duckdns supports DNS validation so no ports need to be forwarded to get ssl certs issued. The DNS addon supports that.

1 Like

Thanks for all your help, great community! I have resolved it. I am a very happy newbie!

If it helps other newbies, this worked:

  • forward port 8123 to external 8123
  • DuckDNS addon as mentioned many times above. Make sure there is not any error log.
  • yaml:

homeassistant:
  external_url: https://YOUR_DOMAIN.duckdns.org:EXTERNAL_PORT
  internal_url: http://INTERNAL_IP:EXTERNAL_PORT

http:
  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem

Do not put any “api password” or any url at the http node, just as simple as above.

2 Likes

Just spent an hour or two to get this to work. Scrolled to the end of the comments to write an entry about how I solved it, only to see that you had come to the exact same conclusion and already written about it. :grin:
Next time I will check the latest comments before following a guide…

I am progressing a lot but also investing plenty of time (that I am in fact enjoying)…
So the next issue you will likely find is that accessing from your own network will always need https; it is not going to be an issue with the right browser, but the App will only work outside your network with duckdns. Besides, some integrations will need an http address instead of https.
So next step is combining it with a reverse proxy. So NGINX addon has been my solution.
My ISP has ports 443 and 80 blocked and there is no possibility to make an exception. So I still opened them at my router (probably without any effect) but the proxy is working as expected…
Now I can access internally with http://local-IP:8123 and from outside with just https://subdomain.duckdns.org (without adding 8123, whose forwarding I closed. Besides, if I add port 443 or 80 it is redirected perfectly as well, but there is no need now to add any port).
I hope this helps, just as many other nice people helped me during my journey, two weeks so far.

1 Like

Thanks a lot!
I tried to move my Unifi controller to Home Assistant, but it was impossible to get the devices to show up. NGINX solved that problem.

I am going crazy… I am a newbie with HASS but am not very new to open source and customising. I have got everything up and running, my entire network devices controlled and am absolutely loving it. Great thanks to this entire community!!

Just this encryption bit drives me nuts. I have read every post and guide on how to set this up but somehow nothing works. As far as I understand it in the current version of HASS and addons it should all be easy. I basically took these steps:

  • Install HASS
  • Install DuckDNS and register
  • Config from DuckDNS:
lets_encrypt:
  accept_terms: true
  certfile: fullchain.pem
  keyfile: privkey.pem
token: xxxxxxxx
domains:
  - xxxx.duckdns.org
aliases: []
seconds: 300

Logfile looks good, it fetches the certificates without any issues.

But then…it doesn’t seem to work. I read multiple posts about adding lines to the yaml file, but whenever I add a “http” section, HASS doesn’t start up anymore. I have tried all different combinations of port forwardings etc, but somehow…no chance.

So currently only port 8123 is forwarded to 8123 on HASS and the DuckDNS addon installed…Am I missing anything or is there anyone who can explain what else I should be doing?

Well, your configuration should include an http section as that’s where the location of the cert files is defined. Being YAML you may need to look for a formatting issue. Patience is something you need a lot of as you learn how to manage HA.

Thanks for the quick answer…and yes…the patience part I already learned. Believe me…I restarted this about 100 times over the weekend and after each time HA didn’t boot, reset the virtual machine and started again…

As soon as I add an http statement it doesn’t start. Formatting should be ok (I think). What I add to the yaml is this:

http:
  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem

Maybe also a noob question, but how can I verify if the files are there? Telnet doesn’t seem to work…

Figured that last one out…files are there.
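An added pre-flight check (my own code, not from the DuckDNS add-on or any poster in this thread) for three things that keep coming up here: what the "Valid till ... Skipping renew!" log lines mean for renewal, whether the files named in the http: section actually exist on disk, and whether that section has been flattened to column 0 (the YAML mistake that stops Home Assistant from starting). SAMPLE_LOG is a constructed excerpt modelled on the add-on log quoted earlier; the 30-day window is the one the log itself prints.

```python
import os
import re
from datetime import datetime, timezone

# Renewal window the add-on's ACME client prints in its log ("Longer than 30 days").
RENEW_WITHIN_DAYS = 30
HTTP_KEYS = ("ssl_certificate", "ssl_key")
# Constructed log excerpt modelled on the DuckDNS add-on log quoted in the thread.
SAMPLE_LOG = """Processing MYDOMAIN.duckdns.org
 + Checking expire date of existing cert...
 + Valid till Oct 19 15:43:43 2020 GMT Certificate will not expire
(Longer than 30 days). Skipping renew!
"""
VALID_TILL = re.compile(r"Valid till (\w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) GMT")

def days_until_expiry(log_text, today=None):
    """Parse the 'Valid till' line; return whole days left (None if the line is absent).
    `today` is an ISO date string (constructed test input) or None for the current time."""
    m = VALID_TILL.search(log_text)
    if not m:
        return None
    expiry = datetime.strptime(m.group(1), "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)
    now = datetime.fromisoformat(today).replace(tzinfo=timezone.utc) if today else datetime.now(timezone.utc)
    return (expiry - now).days

def missing_cert_files(http_cfg, exists=os.path.isfile):
    """Return the http: keys whose file is absent (answers 'are the files there?').
    `exists` is injectable so the check can run without a real /ssl directory."""
    return [k for k in HTTP_KEYS if not http_cfg.get(k) or not exists(http_cfg[k])]

def flattened_http_keys(yaml_text):
    """Flag ssl_certificate/ssl_key lines sitting at column 0 right after 'http:'.
    YAML reads them as separate top-level keys, so Home Assistant refuses to start."""
    lines = yaml_text.splitlines()
    flagged = []
    for i, line in enumerate(lines):
        if line.rstrip() != "http:":
            continue
        for nxt in lines[i + 1:]:
            if not nxt.strip():
                break
            if nxt[0].isspace():
                continue
            key = nxt.split(":", 1)[0]
            if key in HTTP_KEYS:
                flagged.append(key)
            else:
                break
    return flagged
```

Run `days_until_expiry(SAMPLE_LOG)` against your own add-on log to see whether the client will skip or attempt renewal; a result at or above RENEW_WITHIN_DAYS is the "Skipping renew!" case and is not an error.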

I’ve also installed NGINX so my configuration is a bit different than yours. Your ssl entries look correct to me. Without errors in your log, it’s hard to determine why http isn’t being accepted. There are several related topics discussing DuckDNS configuration on the forum. Perhaps a search will turn up your issue.

I am now still running a VM, but my Raspberry should arrive today. I will just start experimenting with an entirely empty setup and first try to get this working before I do anything else. It should work…it must work…it will work…

Unfortunately I already did a lot of searching and reading and somehow…haven’t been able to find the answer. What would be the easiest way to extract a log file if I can’t login to the application? It does seem to be running and does respond to ping signals. Maybe a log file could point me (or someone) in the right direction…