Hass.io doesn't work in https

Hi everybody.
I’m a HA newbie and in the last month I had configured Hass.io on my Raspberry. It works very well, even from outside with DuckDns. The only thing that won’t work is HTTPS: I read all the posts in this forum about this argument and I tried every suggestion, but without luck.

This is my configuration.yaml:

http:
  base_url: https://XXXX.duckdns.org:8123  
  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem

I tried every possible combination for base_url: with and without http, with and without https, with and without port, with and without blockquote… but nothing happens!

This is my DuckDns addon configuration:

{
  "lets_encrypt": {
    "accept_terms": true,
    "certfile": "fullchain.pem",
    "keyfile": "privkey.pem"
  },
  "token": "my-duckdns-token",
  "domains": [
    "XXXX.duckdns.org"
  ],
  "seconds": 300
}

And this is my Let’s encrypt addon configuration:

{
  "email": "[email protected]",
  "domains": [
    "XXXX.duckdns.org"
  ],
  "certfile": "fullchain.pem",
  "keyfile": "privkey.pem"
}

On my router (Vodafone station) I mapped the ports like this:

  • 8123 on Raspberry 8123
  • 443 on Raspberry 8123
  • 80 on Raspberry 80

There aren’t errors in DuckDns and Let’s Encrypt logs, but if I try to reach my duckdns url in https from outside, Chrome says “ERR_SSL_PROTOCOL_ERROR”, Firefox says “SSL_ERROR_RX_RECORD_TOO_LONG”. If I use http, it works well!

Can anyone help me please?

2 Likes
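Firefox's SSL_ERROR_RX_RECORD_TOO_LONG, quoted in the post above, is what a TLS client reports when the port answers in plain HTTP: the bytes `HTTP/` read as a TLS record header give a length of 20527, which is over the protocol limit. The Python below is an added example, not code from anyone in this thread; it shows that decoding and probes a port to see which protocol it speaks. The function names and sample bytes are constructed for illustration.

```python
import socket
import struct

# Largest ciphertext record TLS 1.2 allows (2^14 + 2048 bytes, RFC 5246).
MAX_TLS_RECORD = 2**14 + 2048
TLS_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}

# Constructed samples: a plain-HTTP reply and a TLS 1.2 fatal alert record.
SAMPLE_HTTP = b"HTTP/1.1 400 Bad Request\r\n"
SAMPLE_TLS_ALERT = bytes.fromhex("15030300020246")


def parse_as_tls_record(data: bytes) -> dict:
    """Read 5 bytes the way a TLS client does: type, version, length."""
    if len(data) < 5:
        raise ValueError("need at least 5 bytes for a TLS record header")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    return {"type": ctype, "version": (major, minor), "length": length}


def classify(data: bytes) -> str:
    """Say which protocol produced the first bytes of a server reply."""
    if len(data) < 5:
        return "unknown"
    hdr = parse_as_tls_record(data)
    if hdr["type"] in TLS_TYPES and hdr["version"][0] == 3 and hdr["length"] <= MAX_TLS_RECORD:
        return "tls"
    if data.startswith(b"HTTP/"):
        return "plaintext-http"
    return "unknown"


def probe(host: str, port: int, timeout: float = 5.0) -> str:
    """Send a plain HTTP request to host:port and classify the reply."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            return classify(s.recv(64))
    except OSError:
        return "unknown"  # refused, reset or timed out


if __name__ == "__main__":
    hdr = parse_as_tls_record(SAMPLE_HTTP)
    print("'HTTP/' read as a record header:", hdr)  # length 20527 > 18432
    print("over the record limit:", hdr["length"] > MAX_TLS_RECORD)
    print(classify(SAMPLE_HTTP), classify(SAMPLE_TLS_ALERT))
```

Calling `probe` with the Raspberry's LAN address and port 8123 returns `plaintext-http` when that listener is not serving TLS, which would produce the browser errors above regardless of how the router forwards 443.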

The hassio duckdns addon comes with lets encrypt. You don’t have to install the lets encrypt addon. In fact you shouldn’t.

This is probably causing some certificate confusion.

I just removed the Let’s Encrypt addon and restarted HA, but nothing changed…

Why does everyone put https:// in their base_url? The documentation does NOT tell you to do that. Remove it.

I tried with and without https… but nothing changed

How are you accessing your URL? with a port or without? Making a ton of changes at once is a good way of never figuring out what’s wrong.

1 Like

When I receive a suggestion (like yours) I try every possible combination and for each one I restart HA. I try with my iPhone (on 4g) and from my office with Chrome and Firefox in anonymous mode:
https://XXXX.duckdns.org
In this case I use standard 443 port because 8123 is closed from my office lan. In fact, I mapped another port on my router for http access (8080 to raspberry 8123)

@katanza, if you figure this out, please post the solution. I am having the EXACT same problem.

What error do you get when you try from your iPhone? Your work network might have a web filter that is intercepting the certificate, so let’s rule that out.

“safari cannot open the page because it could not establish a secure connection to the server”

There may still be problems with your certificates due to you installing the lets encrypt addon. Try reinstalling the duckdns addon and clear your browser’s cache/history on your phone.

Always the same…

This is the DuckDns addon log:

# INFO: Using main config file /data/workdir/config
+ Generating account key...
+ Registering account key with ACME server...
+ Done!
Thu Jan 10 15:53:54 CET 2019: OK
130.25.87.54
NOCHANGE
# INFO: Using main config file /data/workdir/config
 + Creating chain cache directory /data/workdir/chains
Processing XXXX.duckdns.org
 + Creating new directory /data/letsencrypt/XXXX.duckdns.org ...
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting new certificate order from CA...
 + Received 1 authorizations URLs from the CA
 + Handling authorization for XXXX.duckdns.org
 + 1 pending challenge(s)
 + Deploying challenge tokens...
OK + Responding to challenge for XXXX.duckdns.org authorization...
 + Challenge is valid!
 + Cleaning challenge tokens...
OK + Requesting certificate...
 + Checking certificate...
 + Done!
 + Creating fullchain.pem...
 + Done!

This indicates it created new certs.

Yes, but it doesn’t work…

If it got new certs, it had to be a different domain, or it never got certs to begin with. LetsEncrypt will not allow you to get new certs longer than 30 days before expiration.

So what can I do?

Did you ever get this resolved? I’m still trying to get my setup up and running and having the same issues as you.

No, still the same situation

If you are forwarding port 443 to 8123 then you shouldn’t specify :8123 in your url to connect to HA.

Out of curiosity, are you using a Netgear router and/or on FiOS? Trying to narrow what might be the issue.