Home Assistant won't restart with SSL certificate

After changing the directory for the SSL certificate and placing them in the correct folder, and checking the config and verifying it is valid, Home Assistant core won't restart.

http:
ssl_certificate: /ssl/fullchain.pem
ssl_key: /ssl/privkey.pem

That's the config, and it's Home Assistant running on a Docker image on an RPi 4B. I got the certs from Let's Encrypt. Not sure what to do from here. SMB still worked, so I added # before stuff and now it'll restart if I do it manually and then work fine, but I can't add the certs.

Do you have supervisor in your install?

How did you generate the SSL certs?

If you run a docker install without supervisor (Home Assistant Container) I suggest installing swag, you get a reverse proxy and SSL certificates and much more, everything handled by swag.

If you’d used code markup (as explained here) we’d know if the problem was because you missed spaces.

It should be:

http:
  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem

I bet that homeassistant does restart. What you mean is you can’t access the frontend.

And the reason you can’t access the frontend is because you are still trying to access with http, in spite of telling homeassistant to only allow connections via https.

@Tinkerer - there should really be a sticky thread for this somewhere, there’s at least 3 people a month come here with this exact problem “Homeassistant won’t restart with http/ssl in my configuration.yaml” and every time it turns out that it does restart and they forgot to add the S to the url to access the frontend.

I think actually it needs some better notice in the docs, which totally skips over that.

I think if they made it too easy people might not pay $5 a month for cloud services so I can’t really blame them :sweat_smile: but I do feel dumb for not thinking of that, I’ll try it when I get home in like 20 minutes. Is it still port 8123 on the LAN or do I have to use 443? Just to be sure.

I tried to explore this with another user who made the same mistake and he/she basically said that they’d followed the instructions inside the duckdns addon (rather than the homeassistant docs) and that it didn’t say anything about it.

Of course my opinion is that it wouldn’t, because if you’re installing the addon you should know why you’re installing it, but tbh with the amount of these coming through maybe that should be updated too. Belt and braces like.

Should be external port 443 to internal 8123, and then don’t put a port number on the url.

Internally is https://your.ip.address:8123 (note the S), and you’ll have to accept the security warning because the url in the bar doesn’t match the one on the certificate. But usually you would use your duckdns url both internally and externally unless you have an issue with your router allowing loopback.

It says “the connection might not be private”. I got the certs from Let's Encrypt. Are they like unreliable or something? Because it seems everyone thinks they're the bee's knees lol. Works though, just wanna get Google to work with it and idk if it will.

Also, can I get Let's Encrypt installed on the Home Assistant in a manner which allows it to generate new certificates to SSL automatically every three months upon expiry? jw.

As I explained above, the browser will consider the connection secure if the certificate is in date and the url you accessed matches the one on the certificate.

So if your certificate says “my-amazing-homeassistant.duckdns.org” but your url bar in your browser says “192.168.1.200:8123” then they don’t match, and it will be marked insecure.

Connecting Google would use my-amazing-homeassistant.duckdns.org , which would match the certificate, and would therefore be accepted.

Ideally you need to research SSL a bit and understand the process rather than just chuck it together and hope it works.
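
The matching rule described in the post above, as an added example (not part of the original thread, and not Home Assistant or browser code): a simplified Python sketch of the two checks, validity dates and the URL's host against the certificate's subjectAltName. The sample certificate, its dates, `NOW` and the function names are constructed for illustration.

```python
import ipaddress
import ssl
import time
from urllib.parse import urlsplit

# Constructed sample, shaped like ssl.SSLSocket.getpeercert() output; dates are made up.
SAMPLE_CERT = {
    "subjectAltName": (("DNS", "my-amazing-homeassistant.duckdns.org"),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Mar 31 00:00:00 2024 GMT",
}
NOW = ssl.cert_time_to_seconds("Feb 15 12:00:00 2024 GMT")  # constructed "current time"

def _dns_match(pattern, host):
    """Exact match, or one left-most '*' label (e.g. *.example.org)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        head, _, rest = host.partition(".")
        return bool(head) and rest == pattern[2:]
    return pattern == host

def name_matches(cert, host):
    """True if host is covered by a subjectAltName entry of the right type."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return any(t == "DNS" and _dns_match(v, host) for t, v in sans)
    # An IP literal only matches "IP Address" entries, never DNS names.
    return any(t == "IP Address" and ipaddress.ip_address(v) == ip for t, v in sans)

def in_date(cert, now):
    """True if now (epoch seconds) lies inside the validity window."""
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    return start <= now <= ssl.cert_time_to_seconds(cert["notAfter"])

def browser_verdict(url, cert, now=None):
    """Return 'ok' or why this URL would not give a clean HTTPS connection."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return "not https"
    if not in_date(cert, time.time() if now is None else now):
        return "certificate not in date"
    if not name_matches(cert, parts.hostname or ""):
        return "name mismatch"
    return "ok"

if __name__ == "__main__":
    for u in ("https://192.168.1.200:8123", "https://my-amazing-homeassistant.duckdns.org"):
        print(u, "->", browser_verdict(u, SAMPLE_CERT, NOW))
```

The port plays no part in the name check: only the host portion of the URL is compared with the certificate.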

Ohhh, ya I guess if the certificate is stapled or whatever to the external address it won't match a different port and URL. Makes sense. Also is there a way to not add all the devices to Google Home, because it added, like, everything, lol. Could I make another user and somehow grant them selective access and use those credentials to log in?

Also can I get the Home Assistant to install Let's Encrypt in a way to get it to generate the certificates into the ssl folder directly? As it's running on a Docker image.

Did you read my comment?

I have, thank you :slight_smile: