General issues with SSL certificates of DuckDNS

I discovered HomeAssistant recently and I instantly loved it. I got a Raspberry Pi 5 to run it on, and I'm slowly working my way up to creating a fully configured system.

A few days ago I tried to set up HTTP SSL access, using the duckdns plugin, which ran completely fine and generated the two .pem files.

However when I added the

http:
  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem

and restarted, I was introduced to the Recovery Mode, and the logs showed this:

2024-02-22 17:15:00.803 ERROR (MainThread) [homeassistant.setup] Error during setup of component http
Traceback (most recent call last):
File "/usr/src/homeassistant/homeassistant/components/http/__init__.py", line 425, in _create_ssl_context
context.load_cert_chain(self.ssl_certificate, self.ssl_key)
ssl.SSLError: [SSL: NO_CERTIFICATE_ASSIGNED] no certificate assigned (_ssl.c:3925)
The above exception was the direct cause of the following exception:
Traceback (most recent call last):
File "/usr/src/homeassistant/homeassistant/setup.py", line 333, in _async_setup_component
result = await task
^^^^^^^^^^
File "/usr/src/homeassistant/homeassistant/components/http/__init__.py", line 202, in async_setup
await server.async_initialize(
File "/usr/src/homeassistant/homeassistant/components/http/__init__.py", line 342, in async_initialize
self.context = await self.hass.async_add_executor_job(
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/local/lib/python3.12/concurrent/futures/thread.py", line 58, in run
result = self.fn(*self.args, **self.kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/src/homeassistant/homeassistant/components/http/__init__.py", line 428, in _create_ssl_context
raise HomeAssistantError(
homeassistant.exceptions.HomeAssistantError: Could not use SSL certificate from /ssl/fullchain.pem: [SSL: NO_CERTIFICATE_ASSIGNED] no certificate assigned (_ssl.c:3925)

I removed lines from configuration.yaml and postponed configuring SSL until I had better understanding of the whole HAss system.

Some days later, while trying to set up Mosquitto, it tried taking those .pem files, and it too halted, the logs showing a very similar error:

2024-02-22 17:22:52: Error: Server certificate/key are inconsistent.
2024-02-22 17:22:52: OpenSSL Error[0]: error:140A80B1:SSL routines:SSL_CTX_check_private_key:no certificate assigned
[15:22:52] WARNING: Halt add-on

I went to try and debug the issue. I started by moving the /ssl/*.pem files elsewhere to try and generate them again.
Curiously, the DuckDNS plugin could still locate them just fine!

[17:27:24] INFO: Renew certificate for domains: xxx.duckdns.org and aliases: 
# INFO: Using main config file /data/workdir/config
Processing xxx.duckdns.org
 + Checking domain name(s) of existing cert... unchanged.
 + Checking expire date of existing cert...
 + Valid till May  8 13:36:14 2024 GMT (Longer than 30 days). Skipping renew!

However, Mosquitto did not, and neither did http; I wasn't even allowed to restart, since:

The system cannot restart because the configuration is not valid: Invalid config for 'http' at configuration.yaml, line 18: not a file for dictionary value 'http->ssl_certificate', got '/ssl/fullchain.pem' Invalid config for 'http' at configuration.yaml, line 19: not a file for dictionary value 'http->ssl_key', got '/ssl/privkey.pem'

So, my observation is that DuckDNS does not look into that /ssl/ folder, and perhaps never even created those two .pem files, even though it claims that in its documentation, quoting "The file is stored in /ssl/, which is the default for Home Assistant".

Prior to finding this, I ended up installing ‘openssl’, through apk, although it obviously didn’t change a thing.

I searched and searched and found nothing, except someone having the same SSL error with an apache installation and solving it by changing his apache configuration (thus indicating that it's not OpenSSL that is having the problem).

I would be glad if someone could point me in the right direction. I am able to provide any other information if necessary, and I have a solid understanding of Linux and IT in general, but I am totally new to HAss…

Thank you in advance :slight_smile:
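A pre-flight check for the http ssl_certificate/ssl_key pair, added here as an example that is not from the original post or from Home Assistant itself: it reproduces the failure modes seen in this thread (path that is not a file, zero-byte certificate, unloadable PEM) using the same ssl.SSLContext.load_cert_chain call the traceback shows. The file paths and PEM contents in demo() are constructed samples.

```python
import os
import ssl
import tempfile
from pathlib import Path

PEM_CERT_HDR = "-----BEGIN CERTIFICATE-----"
PEM_KEY_HDRS = (
    "-----BEGIN PRIVATE KEY-----",
    "-----BEGIN EC PRIVATE KEY-----",
    "-----BEGIN RSA PRIVATE KEY-----",
)


def check_ssl_pair(cert_path, key_path):
    """Return a short status string saying why the http component would reject the pair."""
    # Stage 1: the same precondition HA's config validation enforces ("not a file").
    for label, path in (("ssl_certificate", cert_path), ("ssl_key", key_path)):
        if not os.path.isfile(path):
            return f"{label}: not a file: {path}"
    # Stage 2: cheap structural check, catches empty files and copied-wrong files
    # before OpenSSL reports the less helpful "no certificate assigned".
    cert_text = Path(cert_path).read_text(errors="replace")
    key_text = Path(key_path).read_text(errors="replace")
    if PEM_CERT_HDR not in cert_text:
        return "ssl_certificate: no PEM CERTIFICATE block (empty or wrong file)"
    if not any(hdr in key_text for hdr in PEM_KEY_HDRS):
        return "ssl_key: no PEM private key block"
    # Stage 3: the exact call from _create_ssl_context in the traceback.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.load_cert_chain(cert_path, key_path)
    except ssl.SSLError as exc:
        return f"load_cert_chain failed: {exc.reason}"
    return "ok"


def demo():
    """Rebuild the thread's failure cases with constructed files in a temp dir."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        cert, key = os.path.join(d, "fullchain.pem"), os.path.join(d, "privkey.pem")
        results["missing"] = check_ssl_pair(cert, key)  # add-on never copied to /ssl/
        Path(cert).write_text("")  # zero-byte fullchain.pem
        Path(key).write_text("-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n")
        results["empty_cert"] = check_ssl_pair(cert, key)
        Path(cert).write_text("-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n")
        results["bad_pem"] = check_ssl_pair(cert, key)  # header present, body not a cert
    return results
```

Run check_ssl_pair("/ssl/fullchain.pem", "/ssl/privkey.pem") from a shell with access to /ssl/ to see which stage a real installation fails at.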

I managed to resolve the issue. Apparently, DuckDNS did not copy the generated keys to /ssl/; I found its certificates hidden in /mnt/data/supervisor/addons/data/core_duckdns/letencrypt/xxx.duckdns.org/

This was a bit of an inconvenience because I needed to get physical access, connect a monitor and a keyboard to the RPi itself, and then issue the commands from there, as that folder was visible from neither the Terminal add-on nor SSH.

So the question now is why DuckDNS was unable to copy the files to the right place. Looking into it a little bit better, I found the exact same issue being reported on GitHub and nothing was being done about it. It is weird because it only seems to affect very few installations, as the vast majority of DuckDNS users didn't have to take these actions.