Home Assistant doesn't read letsencrypt certificate

Yes, you’re right, the files seem not to be accessible. What does “… but maybe it’s a directory up from what you did?” mean? What do you think I should do?

You need to find the directory your HA user can’t access. Try this:

ls /etc/letsencrypt/live/mydomain.com/fullchain.pem

If that doesn’t work, then remove a directory, and try again. When it works, you’ve found the directory that needs permissions fixed all the way down to the certificate files. I haven’t used letsencrypt, so I don’t know what they suggest for file permissions.

1 Like

I have been having the same issue, and I’ve tried chmod’ing every level of folder structure to 777 to no avail. I can cat the key files successfully, but get the same error in HA every time. I’ve even tried copying the key files to my home-assistant folder and putting the path to that location in the configuration.yaml file. I’m running HA using docker on Ubuntu 16.04.1. Has anybody been able to solve this issue?

Thanks,
Dave

How did you resolve this?

I have the same issue: certs are created, and when I put the ssl_certificate and key in the config, HA stops working. Any help would be appreciated. Thanks.

solved with
sudo chmod 755 /etc/letsencrypt/archive/

my problem was 700 on /etc/letsencrypt/archive/
all content of this directory was already 755 (owner root group root)

9 Likes

I’m getting the error message:

Invalid config for [http]: file not readable for dictionary value @ data['http']['ssl_key']. Got '/etc/letsencrypt/live/mydomainname.duckdns.org/privkey.pem'. (See /home/homeassistant/.homeassistant/configuration.yaml, line 83). Please check the docs at https://home-assistant.io/components/http/

yet I followed the instruction here where it says to:

$ sudo chmod 755 /etc/letsencrypt/live/
$ sudo chmod 755 /etc/letsencrypt/archive/

If I go to /etc/letsencrypt/ and do a ls -l, it shows the directories as follows:
live - drwxr-xr-x 3 root root
archive - drwxr-xr-x 3 root root

My configuration.yaml file reads:

http:
  # Secrets are defined in the file secrets.yaml
  # api_password: !secret http_password
  api_password: NotForYourEyes
  # Uncomment this if you are using SSL/TLS, running in Docker container, etc.
  ssl_certificate: /etc/letsencrypt/live/mydomainname.duckdns.org/fullchain.pem
  ssl_key: /etc/letsencrypt/live/mydomainname.duckdns.org/privkey.pem
  base_url: mydomainname.duckdns.org

So what’s wrong in my config?

I’ve just used

$ sudo chmod 755 /etc/letsencrypt/live/YOUR_DOMAIN/privkey.pem

1 Like

Thank you.

I have run this and restarted my Home Assistant and I’m no longer getting that error message.

Perhaps the instruction page needs to be updated to include this line.

Thanks again.

I have tried everything in this thread (and others) to fix the same issue, but nothing is working!

The error I get is:

2019-02-07 11:32:14 ERROR (MainThread) [homeassistant.config] Invalid config for [http]: not a file for dictionary value @ data['http']['ssl_certificate']. Got '/etc/letsencrypt/live/xxxx.duckdns.org/fullchain.pem'
not a file for dictionary value @ data['http']['ssl_key']. Got '/etc/letsencrypt/live/xxxx.duckdns.org/privkey.pem'. (See /config/configuration.yaml, line 50). Please check the docs at https://home-assistant.io/components/http/

I have tried chmod 777 on both files and all the folders - I can rename the files so definitely have access to read/write.

Any ideas? I’m tearing my hair out over this!

Thanks

I’m running hass io on a hassos VDI and for me what worked was something like:

http:
  ssl_certificate: /ssl/certificate.pem
  ssl_key: /ssl/privkey.pem
  base_url: https://XXX.XXX.XXX.XXX:PORT
  ip_ban_enabled: true
  login_attempts_threshold: 5

Basically it seems any subfolder/symlink under /root/ works.
I am running a self assigned certificate setup but it should work with duckdns as well.

I have tried everything here and no dice… my config is straight forward and I am at a loss as to where to turn … I am currently using HA completely unencrypted because of this :frowning:

config.

http:
  base_url: https://mysubnet.no-ip.biz:8123
  ssl_certificate: ssl/fullchain.pem
  ssl_key: ssl/privkey.pem

Error message in log:

2019-05-03 12:20:43 ERROR (MainThread) [homeassistant.config] Invalid config for [http]: not a file for dictionary value @ data['http']['ssl_certificate']. Got 'ssl/fullchain.pem'
not a file for dictionary value @ data['http']['ssl_key']. Got 'ssl/privkey.pem'. (See /config/configuration.yaml, line 23). Please check the docs at https://home-assistant.io/components/http/

please help anyone!!

where is your ssl folder?
Your config shows ssl/fullchain.pem so that would mean [config]/ssl/fullchain.pem
Is this correct, or is the ssl folder located at root location and therefore needs to be entered with a slash first:
/ssl/fullchain.pem

Thank you for the reply @lolouk44. Turns out that this is on the right track… but it was a bit more complicated, because my homeassistant root folder is not in the same location as my config, so my original path was actually [homeassistant]/ssl/fullchain.pem. So /ssl/ did not work either, because I needed to find the path /config/ssl/. This means I had to change it to “/config/ssl/fullchain.pem” for it to work.

This is all because I used the docker install of HA and my certbot install is external from that container :slight_smile:

1 Like

Just wanted to chime in here with how I fixed this problem in my setup:

I am running certbot outside of Hassio, and was manually creating symlinks to the two certificate files. Well, it turns out that Docker containers can’t use symlinks from the host system unless the target of the link is also inside the container.

My fix was to copy the cert files to the /usr/share/hassio/ssl folder rather than creating a symlink. I’ll probably set up an automatic sync so they’ll get re-copied each time they renew.

You should point HA to /etc/letsencrypt/live// but the ‘live’ level is a link, make sure your HA account has read rights to the actual folder:
/etc/letsencrypt/archive/

Basically what is already said, in other words.

Was there ever a resolution on this?

I’ve spent the better part of a day trying to get SSL setup on my Hass.io (RPi3 and RPi4).

I first tried using my existing domain name and getting my key from the Let’sEncrypt Add-on at the Hassio store.

When that failed to work, I proceeded to try the DuckDNS method since there seems like a lot more documentation on this process.

With both methods I get a positive confirmation that everything was successful and I get the certificate and key created in the Hassio directory: root/ssl/
I have chmod’d my directory and files to 755

I have tried these versions of port-forwarding

8123 --> 8123 --> 192.168.1.205
443 --> 8123 --> 192.168.1.205
80 --> 8123 --> 192.168.1.205

I have the following lines in the configuration.yaml file

--http:
----base_url: mysite.duckdns.org:8123
----ssl_certificate: /ssl/fullchain.pem
----ssl_key: /ssl/privkey.pem

when I try to access Hassio via: https://mysite.duckdns.org I get “This site can’t provide a secure connection”

I have no issues accessing the site through http://mysite.duckdns.org

What am I doing wrong? Is there another step I am missing? I have tried all of these steps on a brand new setup of Hassio as well as my existing setup.

I have an indenting question for the http: section. When I look at everyone’s configuration.yaml file online, there is NO indent for the ‘http:’ and a 2 space indent for everything under it. If I use this indentation method, my frontend will fail to load once I add the ssl_certificate and ssl_key sections. If I indent the ‘http:’ 2 spaces and everything else 4 spaces, I have no issue. I have checked spacing and confirmed no tabs more times than I can count. What is the correct way to indent this section and could this be causing me the problem I am having?

Thanks for any help

I found a better, more elegant solution for those of you who have HA installed in a Docker container. I had the same problem that HA could not access my SSL cert and key, even though I ran Docker with a volume attached which pointed to the folder with the SSL files. My setup is that I created the SSL cert with the Let’s Encrypt certbot on the host Raspberry Pi4, and then I run HA in a Docker container with the following command:

docker run --init -itd --name="home-assistant" -e "TZ=Europe/Warsaw" --restart unless-stopped \
-v /home/pi/ha:/config \
-v /etc/letsencrypt/live/mydomain:/ssl \
--net=host homeassistant/raspberrypi4-homeassistant:stable

This caused the same error, with HA complaining that “Invalid config for [http]: not a file for dictionary value”

I figured out that the cert files in this live/mydomain folder are actually symbolic links to /etc/letsencrypt/archive, so HA within the Docker container is trying to access files via symlinks which point outside of the attached volume.

Solution:

I run the HA Docker container attaching the whole /etc/letsencrypt folder instead of only /etc/letsencrypt/live/mydomain

docker run --init -itd --name="home-assistant" -e "TZ=Europe/Warsaw" --restart unless-stopped \
-v /home/pi/ha:/config \
-v /etc/letsencrypt:/etc/letsencrypt \
--net=host homeassistant/raspberrypi4-homeassistant:stable

but this was not enough, and I also had to create a symlink (as root) within the /config folder

pi@raspberrypi:~/ha $ sudo su
root@raspberrypi:/home/pi/ha# ln -s -T /etc/letsencrypt/live/mydomain /home/pi/ha/ssl

then in configuration.yaml I have:

ssl_certificate: ssl/fullchain.pem
ssl_key: ssl/privkey.pem

Hope it helps someone :slight_smile:

3 Likes
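
Two checks behind the fixes in this thread, as an added Python example that is not from Home Assistant, certbot or any poster: `first_blocker` follows the `live/` symlink into `archive/` and names the first directory or file whose mode bits stop a given account, and `escaping_links` lists symlinks that will dangle inside a container because their targets sit outside the bind-mounted directory. The function names, the `example.org` tree and its modes are constructed for illustration; the check reads mode bits only (no ACLs) and is meant to be run as root on the host.

```python
import os
import tempfile

def _allowed(st, uid, gids, want):
    """Owner/group/other mode check; want is 4 (read) or 1 (directory search)."""
    shift = 6 if uid == st.st_uid else 3 if st.st_gid in gids else 0
    return bool((st.st_mode >> shift) & want)

def first_blocker(path, uid, gids=(), base=os.sep):
    """Return (path, reason) for the first thing stopping `uid`, else None."""
    real = os.path.realpath(path)  # live/... resolves into archive/...
    if not os.path.isfile(real):
        return (real, "not a file")  # wrong path or dangling symlink
    for directory in (os.path.dirname(os.path.abspath(path)), os.path.dirname(real)):
        current = base
        for part in os.path.relpath(directory, base).split(os.sep):
            current = os.path.join(current, part)
            if not _allowed(os.stat(current), uid, gids, 1):
                return (current, "directory not searchable")
    if not _allowed(os.stat(real), uid, gids, 4):
        return (real, "file not readable")
    return None

def escaping_links(mount_source):
    """Symlinks under a bind-mount source whose targets lie outside it."""
    root = os.path.realpath(mount_source)
    entries = (os.path.join(d, n) for d, dirs, files in os.walk(root) for n in dirs + files)
    return sorted(e for e in entries if os.path.islink(e)
                  and os.path.commonpath([root, os.path.realpath(e)]) != root)

def build_demo_tree():
    """Constructed stand-in for /etc/letsencrypt (modes are assumptions)."""
    base = os.path.realpath(tempfile.mkdtemp())
    for sub, mode in (("archive", 0o700), ("live", 0o755)):
        os.makedirs(os.path.join(base, sub, "example.org"))
        os.chmod(os.path.join(base, sub, "example.org"), 0o755)
        os.chmod(os.path.join(base, sub), mode)
    key = os.path.join(base, "archive", "example.org", "privkey1.pem")
    with open(key, "w") as handle:
        handle.write("constructed placeholder, not a real key\n")
    os.chmod(key, 0o600)
    link = os.path.join(base, "live", "example.org", "privkey.pem")
    os.symlink("../../archive/example.org/privkey1.pem", link)
    return base, link

if __name__ == "__main__":
    base, link = build_demo_tree()
    print(first_blocker(link, uid=os.getuid() + 1, base=base))
    print(escaping_links(os.path.dirname(link)))
```

Passing the Home Assistant account's group IDs in `gids` confirms a group-based grant (for example a 640 key in 750 directories), which avoids making `privkey.pem` readable by every local account as 755 or 777 does.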

Thanks very much Ed, that was most helpful :smiley: I was going around and around on this and overlooking the fact that the files in /live were symlinks.

Interestingly, after changing the docker volume to mount /etc/letsencrypt, and then subsequently updating the .pem paths in HA configuration.yaml everything worked… I didn’t need to create additional symlinks as you did.

Thanks Ed, your solution has directed me to a good solution for my problem.

My solution was this:

cd /usr/share/hassio
sudo mv ssl ssl.ori
sudo ln -s -T /etc/letsencrypt/live/<your domain name>/  ssl

Basically I just created a symbolic link to the Let’s Encrypt live directory and named it ssl inside the hassio directory. HA can read the symbolic links inside the Let’s Encrypt live directory without problem (checked with the HA config check button).

UPDATE: The HA config check button can read the symbolic link cert files just fine without problem. However, after restarting HA, I got a network error message in my browser and I had to restart my linux server. So the above solution is not working actually. Daymn.

UPDATE 2: The Let’s Encrypt add-on actually is making my life much easier, if only I could remember this add-on sooner! :grin: