Hass.io doesn't work in https

katanza · January 10, 2019, 8:57am

Hi everybody.
I’m a HA newbie and in the last month I had configured Hass.io on my Raspberry. It works very well, even from outside with DuckDns. The only thing won’t work is HTTPS: I read all the post in this forum about this argument and I tried every suggestion, but without luck.

This is my configuration.yaml:

http:
  base_url: https://XXXX.duckdns.org:8123  
  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem

I tried every possible combination for base_url: with and without http, with and without https, with and without port, with and without blockquote… but nothing happen!

This is my DuckDns addon configuration:

{
  "lets_encrypt": {
    "accept_terms": true,
    "certfile": "fullchain.pem",
    "keyfile": "privkey.pem"
  },
  "token": "my-duckdns-token",
  "domains": [
    "XXXX.duckdns.org"
  ],
  "seconds": 300
}

And this is my Let’s encrypt addon configuration:

{
  "email": "[email protected]",
  "domains": [
    "XXXX.duckdns.org"
  ],
  "certfile": "fullchain.pem",
  "keyfile": "privkey.pem"
}

On my router (Vodafone station) I mapped the ports like this:

8123 on Raspberry 8123
443 on Raspberry 8123
80 on Raspberry 80

There aren’t errors in DuckDns and Let’s Encrypt logs, but if I try to reach my duckdns url in https from outside, Chrome say “ERR_SSL_PROTOCOL_ERROR”, Firefox say “SSL_ERROR_RX_RECORD_TOO_LONG”. If I use http, it works well!

Can anyone help me please?

tom_l · January 10, 2019, 9:01am

The hassio duckdns addon comes with lets encrypt. You don’t have to install the lets encrypt addon. In fact you shouldn’t.

This is probably causing some certificate confusion.

katanza · January 10, 2019, 9:11am

I just removed Let’s Encrypt addon, restart HA but nothing changed…

flamingm0e · January 10, 2019, 1:27pm

why does everyone put https:// in their base_url? The documentation does NOT tell you to do that. Remove it.

katanza · January 10, 2019, 1:44pm

I tried with and without https… but nothing changed

flamingm0e · January 10, 2019, 1:54pm

How are you accessing your URL? with a port or without? Making a ton of changes at once is a good way of never figuring out what’s wrong.

katanza · January 10, 2019, 2:01pm

When I receive a suggestion (like yours) I try every possible combination and for everyone I restart HA. I make a try wiht my iPhone (on 4g) and from my office with Chrome and Firefox in anonymouse mode:
https://XXXX.duckdns.org
In this case I use standard 443 port because 8123 is closed from my office lan. In fact, I mapped another port on my router for http access (8080 to raspberry 8123)

BigMal · January 10, 2019, 2:06pm

@katanza, if you figure this out, please post the solution. I am having the EXACT same problem.

flamingm0e · January 10, 2019, 2:15pm

What error do you get when you try from your iPhone? Your work network might have a web filter that is intercepting the certificate, so let’s rule that out.

katanza · January 10, 2019, 2:22pm

“safari cannot open the page because it could not establish a secure connection to the server”

tom_l · January 10, 2019, 2:43pm

There may still be problems with your certificates due to you installing the lets encrypt addon. Try reinstalling the duckdns addon and clear your browser’s cache/history on your phone.

katanza · January 10, 2019, 2:59pm

Always the same…

This is the DuckDns addon log:

# INFO: Using main config file /data/workdir/config
+ Generating account key...
+ Registering account key with ACME server...
+ Done!
Thu Jan 10 15:53:54 CET 2019: OK
130.25.87.54
NOCHANGE
# INFO: Using main config file /data/workdir/config
 + Creating chain cache directory /data/workdir/chains
Processing XXXX.duckdns.org
 + Creating new directory /data/letsencrypt/XXXX.duckdns.org ...
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting new certificate order from CA...
 + Received 1 authorizations URLs from the CA
 + Handling authorization for XXXX.duckdns.org
 + 1 pending challenge(s)
 + Deploying challenge tokens...
OK + Responding to challenge for XXXX.duckdns.org authorization...
 + Challenge is valid!
 + Cleaning challenge tokens...
OK + Requesting certificate...
 + Checking certificate...
 + Done!
 + Creating fullchain.pem...
 + Done!

flamingm0e · January 10, 2019, 3:07pm

This indicates it created new certs.

katanza · January 10, 2019, 3:15pm

Yes, but it doesn’t work…

flamingm0e · January 10, 2019, 3:17pm

if it got new certs, it had to be a different domain, or it never got certs to begin with. LetsEncrypt will not allow you to get new certs longer than 30 days before expiration.

katanza · January 10, 2019, 3:27pm

So what can I do?

BigMal · January 11, 2019, 7:05pm

Did you ever get this resolved? I’m still trying to get my setup and running and having same issues as you.

katanza · January 11, 2019, 9:33pm

No, still the same situation

DavidFW1960 · January 12, 2019, 12:51am

If you are forwarding port 443 to 8123 then you shouldn’t specify :8123 in your url to connect to HA.

BigMal · January 12, 2019, 2:35am

Out of curiosity, are you using a Netgear router and/or on FiOS? Trying to narrow what might be the issue.