Help with "Certbot"/Let's Encrypt for remote access

I’ve been following the directions here to set up DuckDNS and certbot on my Raspberry Pi. I followed the setup steps on the DuckDNS site and everything seems to check out.

The problem seems to be when I get to the step where I run this command:
./certbot-auto certonly --standalone --standalone-supported-challenges http-01 --email [my email]@gmail.com -d [my domain name].duckdns.org

I receive the following message:

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: [my domain name].duckdns.org
    Type: connection
    Detail: Could not connect to
    http://[my domain name].duckdns.org/.well-known/acme-challenge/jiTTn65jU2y9ikjbDxE_NkXCwPZMxetCsEFuniRMVRc

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

I’ve forwarded the recommended ports with my pi’s IP address, but I can’t seem to get past this error. Anyone have any suggestions?

Thanks!!

Do you have anything running on port 80 on your Pi? If you go to ipaddress:80 does anything respond, like a webpage or does it just timeout?

I’ve only installed HASS via the all-in-one installer and SAMBA. Unless there is something within there that is running on port 80 I don’t believe I have anything running on it. Is there an easy way to find out?

Going to the Pi’s ipaddress:80 times out and gives a “this site cannot be reached/refused connection” error message.

That’s good. You should get the same message when you try to go to http://your.duckdns.name

And when you ran the command in the blog, did you include the "\"s that create a new line for the sets of commands? I missed that first time around.

Let’s try this: Do a port forward on your router so that any requests to http://your.duckdns.name:8123 go to http://your.insideIPaddress:8123 and make sure you can get to your HA install. That will make sure your port forwarding rules are working the way they should. It looks like for some reason your firewall isn’t passing the requests through.

I had a lot of trouble setting this up myself, so once you get to the step where the certs are created (hopefully) I will give you another piece of advice that isn’t explained well in the steps. But let’s see if we can get you that far first!

You are correct, when I try to access [my domain name].duckdns.org over my network, I receive the same timeout message.

Just to make sure I follow… should I be running the command as:

./certbot-auto certonly --standalone --standalone-supported-challenges http-01 --email [my email]@gmail.com -d [my domain name].duckdns.org

or…

./certbot-auto certonly --standalone \
--standalone-supported-challenges http-01 \
--email [my email]@gmail.com \
-d [my domain name].duckdns.org

I’m starting to wonder if my ISP could possibly be the issue and maybe they have a firewall up that’s not letting me fully forward ports. It appears I don’t have full access to my router settings, but more so a “tool” provided by my ISP that links to minimal settings for my router. For port forwarding, all I’m really able to do is put in an IP address, the ports I want to forward, and select TCP/UDP. I don’t see a way to forward from DuckDNS to my internal IP address with the settings I have available.

Also, without sounding too dumb… the IP address I want to forward the ports to would be my Pi’s IP address, correct? Not my router’s IP address.

I ran the second command, exactly as shown - first time I ever saw backslashes in a command line. Didn’t even know what they did!

Firstly, duckdns needs to somehow know what your router’s outside address is. Sometimes this is done with a client that runs on a computer in your network, sometimes the router has provisions for this itself and can periodically contact the Dynamic DNS provider and give them the router’s outside address. This is what the DNS provider uses to establish your DNS name.

I have a Fios router and use no-ip.org as a DDNS provider. The Fios router has a client built in that you set up with your login info on no-ip.org and it tells them what my router address is. Over on the no-ip.org side, I set up my domain info and point it at my router (which it knows now and allows me to pick from a drop-down list).

When it comes to port forwarding on my Fios router, I usually choose to forward both TCP and UDP. And yes, the IP address of your Pi is the right address. So without knowing your ISP’s router setup, you basically want to do this:

Take any TCP or UDP calls and accept them in the router, then take those calls and forward them to this specified IP address and specified port.

One way of testing if your setup is working from end to end would be to set up a port forwarding rule to take any calls on port 8123 and forward them to your Pi’s IP address at the same port. Then try to go to your HA site by typing in:

yourduckdnsname.org:8123

If you see your HA site, then you know you have both DuckDNS and your port forwarding set up correctly. Just remember to delete that rule before you try to set up Let’s Encrypt again. This is just for testing!

If that doesn’t work, then you have to figure out what isn’t setup correctly before you go any further.

Ok, initially I was running the code without the “\”s. I tried running it as I have above and I’m still getting the same “unable to connect” error message.

I believe my DuckDNS situation is ok. In the documentation I linked above there is a section that sends you over to DuckDNS to install some things on the Pi that will send your IP address to DuckDNS every 5 min. I tested the script and log. Everything appears to be what you would expect, according to the documentation.

I tried your test above, forwarding port 8123 to my Pi’s address, and going to yourduckdnsname.org:8123, but had no success. I’m still convinced this might be an issue with my ISP. I gave them a call to see if they had a firewall up somewhere. They claim no, and that when they log into my router they can see that the ports are forwarded and open. However, when I check them they still show closed. Sooooo… still kind of at a loss on what to do next. :-/

The only thing I can suggest at this point is to check your IP numbering scheme. I use a Class C address as I don’t have too much traffic to isolate, so everything is 192.168.1.xxx. But if you can ping the router and outside addresses from your Pi, I’m stumped. Have you tried loading a GUI session and trying the RasPi browser to see if you can see outside sites?

I got the same problem here.

When I port forward 8123 to 8123 I can access HASS with:

http://mychoice.duckdns.org:8123
from my Pi or from my PC.

I forwarded 80 to 80 (TCP and UDP)
I forwarded 433 to 433 (TCP and UDP)
I disabled 8123

But if I try the certbot command I only get “no valid IP address”.

nslookup mychoice.duckdns.org does give a normal response with the actual address.

I can ping the inside and outside address from the router without problems.

Is there anyone out there who has an answer why it isn’t working,
so I can stop banging my head against the wall…

In my router, I forwarded all traffic (TCP/UDP) on port 443 going to my Pi to redirect to 8123.

I know. That should be done after you have the certification, right?

Those port forwardings I already have there, but made inactive.

I am going crazy.
This was the second topic I found where the same problem was, and also NO answer at the end. :frowning:

My Fritzbox says that I have another outside IP address than the one that the RPi gives with the nslookup.
DuckDNS gives the same as nslookup.

If I try the IP I find in the Fritzbox after I open the 8123 port I get HASS.
I tried setting that IP in DuckDNS, started duck.sh again.

Then both give the IP found in the Fritzbox, but still the same result with certbot.

Also tried a little longer name for DuckDNS, without success.

I’m sorry, Rene - I have no experience with the Fritzbox. And I did my setup so long ago, I can’t remember the order in which I set it up. I used the techniques described in this video, if it’s of any help.

Seen it and it doesn’t help :frowning:

I ran through the few notes I kept on this and compared it to what was in the video and what steps you outlined above.

I don’t have anything about disabling 8123 forwarding until AFTER I got a valid certificate. I forwarded the same ports as you, same way, for the certbot procedure, then I changed forward on 443 to the Pi’s 8123 port.

I have something on my notes about Apache - it might be worth checking to make sure you don’t have another service running on 80 or 443.

I’ve dug through a number of searches on the Let’s Encrypt support site but I couldn’t find anything that seemed to apply to your situation. Most of them were authentication failures from the DNS host, but you’re using DuckDNS and that should be set up to pass through fine by default.

Thought about that too.
I can reach my Fritzbox settings from the outside.
To be sure that’s not the problem I turned that off.
I turned off HASS, dashboard and AppDaemon this morning too.

I think that the big problem lies in the fact that duck.sh finds another (outside) IP address and gives that to DuckDNS than the outside IP address I see in the Fritzbox.
Why?? What could be the reason that the RPi thinks that the outside address is something else than what the Fritzbox says?

Maybe check host file on the Pi?? Also look at ifconfig.

host file???
ifconfig??

If you type ifconfig at the command line of your Pi, it will show you the interface configuration (network setup). That will tell you how things are routed and what’s active and what not. This link explains some of this despite the title.

https://www.modmypi.com/blog/tutorial-how-to-give-your-raspberry-pi-a-static-ip-address

Host file - /etc/hosts. This link talks about the host file and how to edit it.
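A constructed diagnostic script, added here and not posted by anyone in the thread, that checks the three things the replies keep circling back to: whether the DuckDNS A record matches the router's WAN address, whether that WAN address is publicly routable at all (a private or CGNAT address would produce exactly the "publicly routable IP address" complaint in the certbot output above), and whether something already holds port 80. The addresses and the ss listing are made-up sample values; NAME and TOKEN are placeholders.

```shell
#!/bin/sh
# Constructed diagnostic for the failure in this thread: the validation server
# could not fetch http://NAME.duckdns.org/.well-known/acme-challenge/TOKEN.
# Each check takes its inputs as arguments so it runs on the sample values at
# the bottom; the live command that would supply each input is named.

# Does the A record (nslookup NAME.duckdns.org) equal the WAN address the
# router shows? In the thread these two disagreed after duck.sh ran.
dns_matches_wan() { [ "$1" = "$2" ]; }

# Can Let's Encrypt reach the router's WAN address at all? RFC 1918 space and
# the CGNAT block 100.64.0.0/10 are not publicly routable, so no forwarding
# rule on the router can expose the Pi; only the ISP can change that.
is_publicly_routable() {
  o1=${1%%.*}; rest=${1#*.}; o2=${rest%%.*}
  case "$o1" in
    10)  return 1 ;;
    192) [ "$o2" -eq 168 ] && return 1 ;;
    172) [ "$o2" -ge 16 ] && [ "$o2" -le 31 ] && return 1 ;;
    100) [ "$o2" -ge 64 ] && [ "$o2" -le 127 ] && return 1 ;;
  esac
  return 0
}

# Is something already listening on the port certbot --standalone binds (80)?
# Live input: the output of `ss -ltn` (or `netstat -ltn` on older systems).
port_in_use() {
  printf '%s\n' "$2" | awk -v p=":$1" \
    '$1 == "LISTEN" && $4 ~ (p "$") { hit = 1 } END { exit !hit }'
}

# The exact URL the validation server requests. Check it from outside the LAN
# (a phone on mobile data, or curl from a remote host) while certbot's
# listener is up; a request from inside the LAN proves nothing about the forward.
challenge_url() { printf 'http://%s/.well-known/acme-challenge/%s\n' "$1" "$2"; }

# Constructed sample inputs: documentation addresses and a made-up listing.
DNS_IP=203.0.113.7
WAN_IP=100.64.3.9
LISTING='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    0.0.0.0:8123       0.0.0.0:*'

dns_matches_wan "$DNS_IP" "$WAN_IP" ||
  echo "A record $DNS_IP differs from WAN $WAN_IP: re-run duck.sh and re-check"
is_publicly_routable "$WAN_IP" ||
  echo "WAN $WAN_IP is private/CGNAT: port forwarding cannot help, ask the ISP"
if port_in_use 80 "$LISTING"; then echo "port 80 busy: stop that service first"; fi
echo "fetch from outside: $(challenge_url mychoice.duckdns.org TOKEN)"
```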

In all the tutorials they say to forward 443 to 8123 AFTER you have the certification.
Before that it should be 433 to 433 (according to tutorials).

But I tried it with 433 to 8123 also and still it doesn’t work.

Thanks, Rob, I will try it out.