Hass.io doesn't work in https


#1

Hi everybody.
I’m an HA newbie, and in the last month I configured Hass.io on my Raspberry. It works very well, even from outside with DuckDns. The only thing that won’t work is HTTPS: I read all the posts in this forum about this argument and I tried every suggestion, but without luck.

This is my configuration.yaml:

http:
  base_url: https://XXXX.duckdns.org:8123  
  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem

I tried every possible combination for base_url: with and without http, with and without https, with and without port, with and without blockquote… but nothing happens!

This is my DuckDns addon configuration:

{
  "lets_encrypt": {
    "accept_terms": true,
    "certfile": "fullchain.pem",
    "keyfile": "privkey.pem"
  },
  "token": "my-duckdns-token",
  "domains": [
    "XXXX.duckdns.org"
  ],
  "seconds": 300
}

And this is my Let’s encrypt addon configuration:

{
  "email": "[email protected]",
  "domains": [
    "XXXX.duckdns.org"
  ],
  "certfile": "fullchain.pem",
  "keyfile": "privkey.pem"
}

On my router (Vodafone station) I mapped the ports like this:

  • 8123 on Raspberry 8123
  • 443 on Raspberry 8123
  • 80 on Raspberry 80

There are no errors in the DuckDns and Let’s Encrypt logs, but if I try to reach my duckdns URL over https from outside, Chrome says “ERR_SSL_PROTOCOL_ERROR” and Firefox says “SSL_ERROR_RX_RECORD_TOO_LONG”. If I use http, it works well!

Can anyone help me please?
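
Added example, not part of the original post or of Home Assistant: Firefox's SSL_ERROR_RX_RECORD_TOO_LONG is what a TLS client reports when the first bytes it receives are not a TLS record, for example a plain HTTP reply. This Python sketch sends a minimal ClientHello and classifies the first five bytes that come back; the function names are hypothetical and the sample bytes are constructed.

```python
import os
import socket
import struct

TLS_TYPES = {20, 21, 22, 23}   # change_cipher_spec, alert, handshake, application_data
MAX_RECORD = 2**14 + 2048      # largest record length TLS 1.2 permits on the wire

def parse_header(first5: bytes):
    """Decode 5 bytes the way a TLS client does: (type, version, length)."""
    return struct.unpack("!BHH", first5)

def classify(first5: bytes) -> str:
    if len(first5) < 5:
        return "no-answer"          # closed or timed out before 5 bytes arrived
    ctype, version, length = parse_header(first5)
    if ctype in TLS_TYPES and version >> 8 == 3 and length <= MAX_RECORD:
        return "tls"
    if first5 == b"HTTP/":
        return "plaintext-http"     # decodes as a 20527-byte record: "record too long"
    return "unknown"

def client_hello() -> bytes:
    """Minimal TLS 1.2 ClientHello without extensions. A TLS listener normally
    replies with a ServerHello or an alert, and both are TLS records."""
    suites = struct.pack("!3H", 0xC02F, 0xC030, 0x009C)
    body = (b"\x03\x03" + os.urandom(32) + b"\x00"           # version, random, empty session id
            + struct.pack("!H", len(suites)) + suites + b"\x01\x00")  # suites, null compression
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def probe(host: str, port: int, timeout: float = 5.0) -> str:
    """Connect, send the ClientHello, classify the first 5 bytes of the reply."""
    buf = b""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            s.sendall(client_hello())
            while len(buf) < 5:
                chunk = s.recv(5 - len(buf))
                if not chunk:
                    break
                buf += chunk
        except OSError:             # timeout or reset: classify what we have
            pass
    return classify(buf)

if __name__ == "__main__":
    # Constructed samples, not captured traffic.
    for sample in (b"\x16\x03\x03\x00\x7a", b"HTTP/"):
        print(sample, parse_header(sample), classify(sample))
    # Against a real listener: probe("XXXX.duckdns.org", 443)
```

A result of "plaintext-http" on the forwarded port means the listener behind it is answering without TLS, so the certificate paths in configuration.yaml are not in effect on that listener.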


#2

The hassio duckdns addon comes with lets encrypt. You don’t have to install the lets encrypt addon. In fact you shouldn’t.

This is probably causing some certificate confusion.


#3

I just removed the Let’s Encrypt addon and restarted HA, but nothing changed…


#4

Why does everyone put https:// in their base_url? The documentation does NOT tell you to do that. Remove it.


#5

I tried with and without https… but nothing changed


#6

How are you accessing your URL? With a port or without? Making a ton of changes at once is a good way of never figuring out what’s wrong.


#7

When I receive a suggestion (like yours) I try every possible combination, and for each one I restart HA. I test with my iPhone (on 4G) and from my office with Chrome and Firefox in anonymous mode:
https://XXXX.duckdns.org
In this case I use the standard 443 port because 8123 is closed from my office LAN. In fact, I mapped another port on my router for http access (8080 to Raspberry 8123).


#8

@katanza, if you figure this out, please post the solution. I am having the EXACT same problem.


#9

What error do you get when you try from your iPhone? Your work network might have a web filter that is intercepting the certificate, so let’s rule that out.


#10

“safari cannot open the page because it could not establish a secure connection to the server”


#11

There may still be problems with your certificates due to you installing the lets encrypt addon. Try reinstalling the duckdns addon and clear your browser’s cache/history on your phone.


#12

Always the same…

This is the DuckDns addon log:

# INFO: Using main config file /data/workdir/config
+ Generating account key...
+ Registering account key with ACME server...
+ Done!
Thu Jan 10 15:53:54 CET 2019: OK
130.25.87.54
NOCHANGE
# INFO: Using main config file /data/workdir/config
 + Creating chain cache directory /data/workdir/chains
Processing XXXX.duckdns.org
 + Creating new directory /data/letsencrypt/XXXX.duckdns.org ...
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting new certificate order from CA...
 + Received 1 authorizations URLs from the CA
 + Handling authorization for XXXX.duckdns.org
 + 1 pending challenge(s)
 + Deploying challenge tokens...
OK + Responding to challenge for XXXX.duckdns.org authorization...
 + Challenge is valid!
 + Cleaning challenge tokens...
OK + Requesting certificate...
 + Checking certificate...
 + Done!
 + Creating fullchain.pem...
 + Done!

#13

This indicates it created new certs.


#14

Yes, but it doesn’t work…


#15

If it got new certs, it had to be a different domain, or it never got certs to begin with. LetsEncrypt will not allow you to get new certs longer than 30 days before expiration.


#16

So what can I do?


#17

Did you ever get this resolved? I’m still trying to get my setup up and running and having the same issues as you.


#18

No, still the same situation.


#19

If you are forwarding port 443 to 8123 then you shouldn’t specify :8123 in your url to connect to HA.


#20

Out of curiosity, are you using a Netgear router and/or on FiOS? Trying to narrow what might be the issue.