Homeassistan doesn't read letsencrypt certificate

Hi everybody I’m trying to configure for the first time Home Assistant for remote access. In order to do this I’ve installed letsencrypt:

sudo apt-get install letsencrypt

after:

letsencrypt certonly --standalone -d mydomain.com -d www.mydomain.com

Where mydomain it’s not duckdns.org.
In configuration.yaml the settings are the following

`http:

Uncomment this to add a password (recommended!)

api_password: “123456”
ssl_certificate: /etc/letsencrypt/live/mydomain.com/fullchain.pem
ssl_key: /etc/letsencrypt/live/mydomain.com/privkey.pem`

At first launch of HA the log said:

16-08-27 13:47:12 ERROR (MainThread) [homeassistant.bootstrap] Invalid config for [http]: not a file for dictionary value @ data['http']['ssl_certificate']. Got '/etc/letsencrypt/live/mydomain.com/fullchain.pem' not a file for dictionary value @ data['http']['ssl_key']. Got '/etc/letsencrypt/live/mydomain.com/privkey.pem' 16-08-27 13:47:12 ERROR (MainThread) [homeassistant.bootstrap] Not initializing history because not all dependencies loaded: http 16-08-27 13:47:12 ERROR (MainThread) [homeassistant.bootstrap] Not initializing api because not all dependencies loaded: http 16-08-27 13:47:12 ERROR (MainThread) [homeassistant.bootstrap] Not initializing frontend because not all dependencies loaded: api ......... 16-08-27 13:47:13 ERROR (MainThread) [homeassistant.bootstrap] Not initializing logbook because not all dependencies loaded: frontend

So at this point I changed the permission and owner of the folder /etc/letsencrypt/live/mydomain.com/

sudo chmod -R 0744 /etc/letsencrypt/live/mydomain.com/ sudo chown -hR myaccount /etc/letsencrypt/live/mydomain.com/

but the result it’s still the same. Where I wrong?

P.S. My current hardware is an Odroid XU4 and O.S. is Ubuntu 16.04 LTS.

Make sure the user you are running HA as can access and read the files:

  • cat /etc/letsencrypt/live/mydomain.com/fullchain.pem
  • cat /etc/letsencrypt/live/mydomain.com/privkey.pem

I see you did chmod & chown, but maybe it’s a directory up from what you did?

Side note, I was curious how HA generates the error, and under the hood it’s confirming the value is a path to a readable file:

Yes, you’re right the files seems are not accessible. What means “… but maybe it’s a directory up from what you did?” ? What you think I should do?

You need to find the directory your HA user can’t access. Try this:

ls /etc/letsencrypt/live/mydomain.com/fullchain

If that doesn’t work, then remove a directory, and try again. When it works, you’ve found the directory that needs permissions fixed all the way down to the certificate files. I haven’t used letsencrypt, so I don’t know what they suggest for file permissions.

1 Like

I have been having the same issue, and I’ve tried chmod’ing every level of folder structure to 777 to no avail. I can cat the key files successfully, but get the same error in HA every time. I’ve even tried copying the key files to my home-assistant folder and putting the path to that location in the configuration.yaml file. I’m running HA using docker on Ubuntu 16.04.1. Has anybody been able to solve this issue?

Thanks,
Dave

How did you resolve this?

I have same issue, certs are created and when i put the ssl_certificate and key in the config, HA stops working. any help would be appreciated. thanks.

solved with
sudo chmod 755 /etc/letsencrypt/archive/

my problem was 700 on /etc/letsencrypt/archive/
all content of this directory was already 755 (owner root group root)

9 Likes

`

I’m getting the error message:

Invalid config for [http]: file not readable for dictionary value @ data['http']['ssl_key']. Got '/etc/letsencrypt/live/mydomainname.duckdns.org/privkey.pem'. (See /home/homeassistant/.homeassistant/configuration.yaml, line 83). Please check the docs at https://home-assistant.io/components/http/

yet I followed the instruction here where it says to:

$ sudo chmod 755 /etc/letsencrypt/live/
$ sudo chmod 755 /etc/letsencrypt/archive/

If I go to /etc/letsencrypt/ and do a ls -l, it shows the directories as follows:
live - drwxr-xr-x 3 root root
archive - drwxr-xr-x 3 root root

My cofiguration.yaml file reads:

http:
  # Secrets are defined in the file secrets.yaml
  # api_password: !secret http_password
  api_password: NotForYourEyes
  # Uncomment this if you are using SSL/TLS, running in Docker container, etc.
  ssl_certificate: /etc/letsencrypt/live/mydomainname.duckdns.org/fullchain.pem
  ssl_key: /etc/letsencrypt/live/mydomainname.duckdns.org/privkey.pem
  base_url: mydomainname.duckdns.org

So what’s wrong in my config?

I’ve just used

$ sudo chmod 755 /etc/letsencrypt/live/YOUR_DOMAIN/privkey.pem

1 Like

Thank you.

I have run this and restarted my Home Assistant and I’m no longer getting that error message.

Perhaps the instruction page needs to be updated to include this line.

Thanks again.

I have tried everything in this thread (and others) to fix the same issue, but nothing is working!

The error I get is:

2019-02-07 11:32:14 ERROR (MainThread) [homeassistant.config] Invalid config for [http]: not a file for dictionary value @ data[‘http’][‘ssl_certificate’]. Got ‘/etc/letsencrypt/live/xxxx.duckdns.org/fullchain.pem’
not a file for dictionary value @ data[‘http’][‘ssl_key’]. Got ‘/etc/letsencrypt/live/xxxx.duckdns.org/privkey.pem’. (See /config/configuration.yaml, line 50). Please check the docs at https://home-assistant.io/components/http/

I have tried chmod 777 on both files and all the folders - I can rename the files so definitely have access to read/write.

Any ideas? I’m tearing my hair out over this!

Thanks

I’m running hass io on a hassos VDI and for me what worked was something like:

http:
ssl_certificate: /ssl/certificate.pem
ssl_key: /ssl/privkey.pem
base_url: https://XXX.XXX.XXX.XXX:PORT
ip_ban_enabled: true
login_attempts_threshold: 5

Basically it seems any subfolder/symlink under /root/ works.
I am running a self assigned certificate setup but it should work with duckdns as well.

I have tried everything here and no dice… my config is straight forward and I am at a loss as to where to turn … I am currently using HA completely unencrypted because of this :frowning:

config.

http:
  base_url: https://mysubnet.no-ip.biz:8123
  ssl_certificate: ssl/fullchain.pem
  ssl_key: ssl/privkey.pem

Error message in log:

2019-05-03 12:20:43 ERROR (MainThread) [homeassistant.config] Invalid config for [http]: not a file for dictionary value @ data['http']['ssl_certificate']. Got 'ssl/fullchain.pem'
not a file for dictionary value @ data['http']['ssl_key']. Got 'ssl/privkey.pem'. (See /config/configuration.yaml, line 23). Please check the docs at https://home-assistant.io/components/http/

please help anyone!!

where is your ssl folder?
You config shows ssl/fullchain.pem so that would mean [config]/ssl/fullchain.pem
Is this correct, or is the ssl folder located at root location and therefore needs to be entered with a slash first:
/ssl/fullchain.pem

Thank you for the reply @lolouk44. Turns out that this is on the right track… but it was a bit more complicated, because my homeassistant root folder is not in the same location as my config so my original path was actually [homeassistant]/ssl/fullchain.pem so /ssl/ did not work either because I needed to find the path /config/ssl/. this means I had to change it to “/config/ssl/fullchain.pem” for it to work.

This is all because I used the docker install of HA and my certbot install is external from that container :slight_smile:

1 Like

Just wanted to chime in here with how I fixed this problem in my setup:

I am running certbot outside of Hassio, and was manually creating symlinks to the two certificate files. Well, it turns out that Docker containers can’t use symlinks from the host system unless the target of the link is also inside the container.

My fix was to copy the cert files to the /use/share/hassio/ssl folder rather than creating a symlink. I’ll probably set up an automatic sync so they’ll get re-copied each time they renew.

You should point HA to /etc/letsencrypt/live// but the ‘live’ level is a link, make sure your HA account has read rights to the actual folder:
/etc/letsencrypt/archive/

Basically what is already said, in other words.

Was there ever a resolution on this?

I’ve spent the better part of a day trying to get SSL setup on my Hass.io (RPi3 and RPi4).

I first tried using my existing domain name and getting my key from the Let’sEncrypt Add-on at the Hassio store.

When that failed to work, I preceeded to try the DuckDNS method since there seems like a lot more documentation on this process.

Both methods I get a positive confirmation that everything was successful and I get the certificate and key created in the Hassio directory: root/ssl/
I have chmod’d my directory and files to 755

I have tried these version of port-forwarding

8123 --> 8123 --> 192.168.1.205
443 --> 8123 --> 192.168.1.205
80 --> 8123 --> 192.168.1.205

I have the following lines in the configuration.yaml file

--http:
----base_url: mysite.duckdns.org:8123
----ssl_certificate: /ssl/fullchain.pem
----ssl_key: /ssl/privkey.pem

when I try to access Hassio via: https://mysite.duckdns.org I get “This site can’t provide a secure connection”

I have no issues accessing the site through http://mysite.duckdns.org

What am I doing wrong? Is there another step I am missing? I have tried all of these steps on a brand new setup of Hassio as well as my existing setup.

I have an indenting question for the http: section. When I look at everyone’s configuration.yaml file online, there is NO indent for the ‘http:’ and a 2 space indent for everything under it. If I use this indentation method, my frontend will fail to load once I add the ssl_certificate and ssl_key sections. If I indent the ‘http:’ 2 spaces and everything else 4 spaces, I have no issue. I have checked spacing and confirmed no tabs more times than I can count. What is the correct way to indent this section and could this be causing me the problem I am having?

Thanks for any help

I found better solution, more elegant for those of you who have HA installed in Docker container. I had same problem that HA could have not access my ssl cert and key, even I run docker with volume attached which pointed on folder with ssl files. My setup is that I’ve created ssl cert with Let’s Encrypt certbot on host Raspberry Pi4 and then I run HA in Docker container with following command:

docker run --init -itd --name="home-assistant" -e "TZ=Europe/Warsaw" --restart unless-stopped \
-v /home/pi/ha:/config \
-v /etc/letsencrypt/live/mydomain:/ssl \
--net=host homeassistant/raspberrypi4-homeassistant:stable

This caused me same error HA complaining that “Invalid config for [http]: not a file for dictionary value”

I figured out that actually cert files in this live/mydomian folder are symbolic links to /etc/letsencrypt/archive, therefore I figured that HA within Docker containers is trying to access files via symlinks which are outside of the attached volume.

Solution:

I run HA docker attaching whole /etc/letsencrypt folder instead just only /etc/letsencrypt/live/mydomain

docker run --init -itd --name="home-assistant" -e "TZ=Europe/Warsaw" --restart unless-stopped \
-v /home/pi/ha:/config \
-v /etc/letsencrypt:/etc/letsencrypt \
--net=host homeassistant/raspberrypi4-homeassistant:stable

but this was not enough and I had also to created symlink (as a root) within /config folder

pi@raspberrypi:~/ha $ sudo su
root@raspberrypi:/home/pi/ha# ln -s -T /etc/letsencrypt/live/mydomain /home/pi/ha/ssl

then in configuration.yaml I have:

ssl_certificate: ssl/fullchain.pem
ssl_key: ssl/privkey.pem

Hope it helps someone :slight_smile:

3 Likes