HA won't use DuckDNS / LetsEncrypt current certificate and uses expired one

HA core 2022.8.4 installed on Rpi 4
DuckDNS 1.15.0

For a long time I’ve ignored the messages about security and gone ahead anyway. It's time to look into it, and I see now that DuckDNS reports in the log that the certificate is fine, but Chrome tells me the certificate expired over a year ago.

DuckDNS is installed using the standard approach, configured like this:

domains:
  - xxxxxxx.duckdns.org
token: xxxxxxxxxxxxxxxxxxxxxx
aliases: []
lets_encrypt:
  accept_terms: true
  algo: secp384r1
  certfile: /ssl/fullchain.pem
  keyfile: /ssl/privkey.pem
seconds: 300

DuckDNS Log shows:

Processing xxxxxxxx.duckdns.org
 + Checking domain name(s) of existing cert... unchanged.
 + Checking expire date of existing cert...
 + Valid till Feb 12 20:33:29 2023 GMT (Longer than 30 days). Skipping renew!

HA config file includes this:

http:
  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem

Router shows port 443 forwarded

BUT

Chrome shows site is not secure, certificate is not valid

Issued To
Common Name (CN) xxxxxxxxxx.duckdns.org
Organisation (O) <Not part of certificate>
Organisational Unit (OU) <Not part of certificate>

Issued By
Common Name (CN) R3
Organisation (O) Let’s Encrypt
Organisational Unit (OU)

Validity Period
Issued On Friday, 1 October 2021 at 21:41:41
Expires On Thursday, 30 December 2021 at 20:41:40

Fingerprints
blah

There seem to be two certificates here, and I don't know how to sort this out?

I found a thread suggesting that removing the /ssl from the duckdns config lines may help - it didn’t! No change to the message shown by Chrome.

I used ssh and listed the files in /ssl, and it shows just fullchain and privkey

I’ve tried to load the certificate expiry integration, but it fails when I try the host as both xxxxxx.duckdns.org and the internal 192.168.1.200

I’m sure I’ve done something wrong, but can't figure out what.

A little more information -

I've removed and reinstalled duckdns. The log shows a new certificate downloaded. Chrome still shows the expired certificate and date.
There are two files (fullchain and privkey) in the ssl folder.

The instructions for duckdns don’t show the two files with the ssl directory in front of them, and the ssl directory is empty. I added the ssl/ in front of each file in the duckdns config as shown in some guides, and restarted duckdns. No change to the Chrome message.

I deleted the two files from the ssl directory, and there’s no change. I assumed that DuckDNS would recognise that these files were not present on a restart and grab a new certificate?

I tried installing the certificate expiry integration, and it reports that the connection was refused. Not sure what this all means?

Anybody got ideas about where the expired certificate is hiding?

I’ve located a menu item under settings>system>network and entered the home assistant url as https://XXXX.duckdns.org and the local ip as http://192.168.1.200.

There is a warning about the certificate : You have configured an HTTPS certificate in Home Assistant. This means that your internal URL needs to be set to a domain covered by the certficate.

I’m not sure if this is important, and I don't think the internal IP address would be covered by the certificate. It's not relevant as at the moment the certificate is expired, but I don't want to be locked out if I manage to get a good cert in there!

It's possible that this was related to a complete refusal to connect that I’ve experienced recently. That appears to be a result of having api-password and base url defined in the configuration file. Deleting those and restarting has cleared a few things up.

Hi Tim
I have also just started having this problem!
The certificate HA is offering up was issued in October, and expired yesterday, but when I restart DuckDNS, it says the cert is good until March - a couple of months from now.
I don’t have a base url entry or api-password entry in my config.yaml file. Did you find anything else to fix this?

EDIT:
I manually restarted NGINX, then manually restarted HA, and it seems to be working again. Strange, hopefully it won’t happen again, but I’ll post back here if it does.

I just had the same problem, took me a while to figure out something cached the old certs.
I couldn’t connect from a remote PC or the phone app.
Strangely, even restarting HA didn’t help. Meanwhile the DuckDNS addon reported a different certificate.
I had to restart NGINX specifically, this resolved it instantly.
Can addons run uninterrupted while HA restarts? That would explain why it didn’t fix it.
How should I make sure this doesn’t happen in the future?
I guess I’ll just make an automation to restart NGINX every 20 days for now.


I have the same issue, happened already once, solved by rebooting the whole hardware and forcing the addon to restart a few times. Now it happened again and I can't access the system from remote.
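
The replies above trace the symptom to a listener that keeps presenting the old certificate after DuckDNS has renewed the files on disk. As an added example (not code from the thread or from any add-on), this Python script compares the leaf certificate in the fullchain file with the one actually presented on the port; the function names and command-line usage are assumptions, and the default path is the `/ssl/fullchain.pem` from the posted config.

```python
import hashlib
import re
import socket
import ssl
import sys

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.DOTALL)


def leaf_der_from_fullchain(pem_text: str) -> bytes:
    """Return the DER bytes of the first (leaf) certificate in a fullchain PEM."""
    blocks = PEM_BLOCK.findall(pem_text)
    if not blocks:
        raise ValueError("no certificate block found in PEM text")
    return ssl.PEM_cert_to_DER_cert(blocks[0])


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint in the colon-separated form browsers display."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def served_leaf_der(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Fetch the leaf certificate a listener presents, even if it has expired."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # diagnostic only: we want the cert itself,
    ctx.verify_mode = ssl.CERT_NONE  # so an expired one must not abort the handshake
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def compare(disk_pem: str, served_der: bytes) -> dict:
    """Report whether the listener serves the certificate that is on disk."""
    disk_fp = fingerprint(leaf_der_from_fullchain(disk_pem))
    served_fp = fingerprint(served_der)
    return {"disk": disk_fp, "served": served_fp, "stale": disk_fp != served_fp}


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: check_cert.py <hostname> [path to fullchain.pem]")
    path = sys.argv[2] if len(sys.argv) > 2 else "/ssl/fullchain.pem"
    with open(path) as fh:
        result = compare(fh.read(), served_leaf_der(sys.argv[1]))
    print(result)
    sys.exit(1 if result["stale"] else 0)
```

A non-zero exit means the port is serving a different certificate than the file on disk, which is the condition the posters cleared by restarting NGINX.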