How to configure Let's Encrypt SSL Certificates for Home Assistant completely 100% free (Updated for 2022/2023)

The biggest barrier you’re facing is reading threads like this where people who don’t understand the technology are incorrectly telling you something can’t be done. I mean, I get it - I’ve been guilty of it as well, from time to time. We’re only human, after all. I try to set something up, the manual is poorly written, it doesn’t work, so I complain the product or solution is garbage and doesn’t work. Then someone comes along and says “no, it works fine. Look here or read this or do this.” Then I learn, and I do that, and the product itself isn’t garbage, and I have my solution. Life is good. This is NOT limited to just Home Assistant, by the way. I’m speaking in generalities here - could be how to get an airbrush to spray the right pattern, could be how to get drivers to install properly, could be how to write Terraform code to deploy a vNet, could be how to install something using Ansible, could be anything.

Some people in life just never make it to the learning part, and instead have apparently chosen to poison the well for other people who actually would like to use the solution/product. It takes a big person to admit when they were wrong, own it, correct it, learn from it and move on.

Not everyone is big.

That fact aside, the original post that started this thread is also rife with technical errors, such as the use of the word subdomain, among other things. This is another example of how new users are taught incorrectly - “but I read this article that sounded super technical, and that’s the wording that was used there, so it must be right!”. No. This is the internet, and anyone can say whatever they want, right or wrong doesn’t ever play into it. The fact of the matter is that nobody knows anything about who wrote that - or any other article. Critical thinking and the use of multiple source materials are required when dealing with unknown sources. In this day and age, no one is taught how to think critically, and no one wants to spend the additional time to read multiple sources. I get it - we’re all busy. But this is the result.

Further, the entire behavior in this thread by a certain user is a very big part of the reason why people who actually know eventually reach a point where they stop sharing their knowledge. Why? Because they get tired of being told they don’t know what they are talking about by some kid who just started doing X a week ago and read 5 articles about something. Nevermind the fact that the guy they are saying is wrong has been doing X his entire life and owns a HIGHLY respected business doing X. It becomes a waste of energy, so they stop sharing, posting, and teaching.

But now I’m way off topic and a mod will probably remove this, even though I tried my best to be as respectful and objective as possible.

1 Like

This is what I do every 3 months to create a new certificate for my servers:
acme.sh SSL using manual DNS method – ServerOK
My domain provider does not have an interface for acme.sh, so I have to make the DNS changes manually.
With the first command (parameter --issue) it tells you the TXT records you have to add; with the second command (parameter --renew) it validates the TXT records and, if they are present as expected, issues the certificate.
I also use this because with DNS validation acme.sh is able to create wildcard certificates. I create a certificate for “*.subdomain.example.com” and use the same certificate on all my servers.

1 Like

Thank you @armin-gh for a clear answer. :slight_smile: My only puzzle left is getting this to run on my HA install…

Update: YAY!! After a few false starts and tripping over the odd typo I have success. @armin-gh your post was especially valuable as it pointed out that stupidly patronising argument that has been added (--yes-I-know-dns-manual-mode-enough-go-ahead-please). Whoever had the stupid idea at ACME to add that managed to break all the other online tutorials…

1 Like

OMG is that seriously a necessary switch? You can tell that developer ran out of patience… :smiley:

1 Like

Yes. That whole darn switch has to be typed out in FULL. :rofl:

And remember the PLEASE on the end :rofl: :crazy_face:

It is bad enough having to carefully type out the whole darn keys for the DNS as I can never get copy/paste to work out of the weird HA terminal. (Yeah, I know, I should use PuTTY and will do next time :joy:).

Some developers seem to want to make this harder for noobie hobby people. That stupid switch has broken the online tutorials that appear in web searches and doesn’t even make it clear why it is there. It really could have been better worded. But I also understand the need for it when you read the comedy gold in the comments on that issue linked above. The switch will still not stop dumb users being dumb.

The command itself is pretty clear as it spits the DNS record in your face in pretty colours.

This is why the HA journey is fun… all about learning something new.

1 Like

This guide really helped me when I was pulling my hair out!!

Adding this reply to hopefully save someone some pain where googling didn’t bring up any results…

If you get a 10000 auth error from Cloudflare - you’ve added your API token AND email as in the docs! Remove the email if you have the token, and this will go away.

Next - once it succeeds - if you get anything like an SSL / TLS VALIDATION ERROR - you’ve not changed your configuration.yaml with the http: … section above. Following this AND a restart, it’ll be just fine.

  • TLSv1.0 (OUT), TLS header, Certificate Status (22):
  • TLSv1.3 (OUT), TLS handshake, Client hello (1):
  • (5454) (IN), , Unknown (72):
  • error:0A00010B:SSL routines::wrong version number
  • Closing connection 0
    curl: (35) error:0A00010B:SSL routines::wrong version number

Thanks for the guide!

2 Likes
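The curl output above is what a TLS client prints when the listener it reaches is still plain HTTP. As an added example (not from the original post or from Home Assistant), this Python probe connects to a host:port the way a browser would, reports whether it speaks TLS with a valid chain and how many days the certificate has left (useful for the 90-day renewal cycle), and recognises the plaintext case; the in-process listener is a constructed stand-in for an instance whose http: section has no ssl_certificate yet.

```python
import socket
import ssl
import threading
import time

def probe_tls(host, port, timeout=3.0):
    """Connect like a browser would and report what the listener actually speaks."""
    ctx = ssl.create_default_context()  # verifies chain and hostname
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                expires = ssl.cert_time_to_seconds(cert["notAfter"])
                return {"status": "tls_ok", "protocol": tls.version(),
                        "days_left": int((expires - time.time()) // 86400)}
    except ssl.SSLCertVerificationError as e:
        # Bad chain or name: expired cert, wrong hostname, or a chain missing intermediates
        return {"status": "cert_invalid", "detail": e.verify_message}
    except ssl.SSLError as e:
        # Peer answered in plaintext: OpenSSL read "HTTP/1.1 ..." as a TLS record,
        # so 'H' (0x48 = 72) is an unknown record type and 'TT' (0x5454) a bogus
        # version, which is exactly the "(5454) (IN), Unknown (72)" curl printed.
        if getattr(e, "reason", "") == "WRONG_VERSION_NUMBER":
            return {"status": "plaintext", "detail": "listener speaks HTTP, not HTTPS"}
        return {"status": "tls_error", "detail": str(e)}
    except OSError as e:
        return {"status": "unreachable", "detail": str(e)}

def start_plaintext_listener(host="127.0.0.1"):
    """Constructed stand-in for a Home Assistant with no ssl_certificate set: it
    answers whatever arrives, a TLS ClientHello included, with plain HTTP."""
    srv = socket.socket()
    srv.bind((host, 0))
    srv.listen(1)
    srv.settimeout(10)
    port = srv.getsockname()[1]

    def serve_once():
        try:
            conn, _ = srv.accept()
            with conn:
                conn.recv(65536)  # swallow the ClientHello before replying
                conn.sendall(b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n")
        except OSError:
            pass
        finally:
            srv.close()

    threading.Thread(target=serve_once, daemon=True).start()
    return port  # port to hand to probe_tls()
```

Run it against your real hostname and port once the certificate is in place; a "tls_ok" result with a sensible days_left is the check the thread's SSL / TLS validation errors are missing.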

Is the guide also available in German? Google Translate or the others produce garbage.

I always get this error:

Error creating new order :: Domain name “home-assistant.domain.de” is redundant with a wildcard domain in the same request. Remove one or the other from the certificate request.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

Can I only use wildcard if I have no other certificates?

Scroll up and watch the video I posted already. It shows how to resolve that issue.

This continues to be the best write up. Thank you! Do you know if there is a way to get it to work without having to also pass the port? I.e., ‘https://ha.domain.tld’ as opposed to ‘https://ha.domain.tld:8123’?

2 Likes

acme.sh has support for Loopia DNS. Is it possible for you @HoneypotLeopard to integrate that as well?

Would this solution be considered secure?

I set up a random port for Home Assistant, let’s say 24903.
Then I set up DynDNS under a domain, let’s say homeassistant.mydomain.com.
I set up port forwarding in my router which exposes that random port.

Then I set up a reverse proxy on a different server (which I already had) which redirects all the traffic from another domain (home.mydomain.com) to homeassistant.mydomain.com on port 24903.

The connection between the client and home.mydomain.com is secured by SSL.

My concern is: the traffic between the reverse proxy and the actual Home Assistant instance is just routed with HTTP, not HTTPS. Is that a problem? Is the random port enough or should I try to set up a certificate on the Home Assistant instance as well?
If I wanted to use Let’s Encrypt, I would need to open port 80 for the HTTP challenge, which I absolutely do not want.

Thanks for your help!

Yes.

You should never ever ever expose any endpoint to the internet that is unencrypted or not appropriately security trimmed and challenge-protected (even if you intend to keep the endpoint ‘secret’).

Can you make the DNS challenge work?

Hi All,
I use the Let’s Encrypt add-on, configured with my custom DNS. HA currently uses the SSL files in configuration.yaml:
/ssl/fullchain.pem
/ssl/privkey.pem
However, when the certbot start it complained the following:
cp: can’t create ‘/ssl//ssl/privkey.pem’: No such file or directory
There is a redundant back slash on the path, so I think there might be a problem with the copying scripts of the certbot in its Docker image.
Can you tell me how to resolve it, such as accessing the Docker container to revise this?
Thanks and best regards

Sorry for the late reply. Generally speaking, HTTP behind your router should be fine as long as you trust the other devices on your network.

If you trust every connection on your network with clear-text traffic, exposing passwords, API keys, etc., then yes, it’s fine. This is an acceptable risk for some people, but not others. But given the large number of IoT devices that don’t take security seriously, I would highly advise against doing this.

That’s not what he’s doing. What he is doing is called SSL offload, and it is done by THE largest web providers in the world.

Perhaps you need to reread what he said.

No, you don’t need to open TCP 80 to use Let’s Encrypt. I have no idea why so many people seem to think this.

Here’s a video that shows how to set up DuckDNS and Let’s Encrypt.

Can someone please explain to me why I cannot just use my own DNS servers? Why does this addon want to force you to use a specific list of DNS servers? It’s really simple enough to manually create a validation record as part of the cert request process.

I have been using my own DNS servers for decades. I feel this should be an option available in this addon.

Or am I missing something? Other than my age that I just gave away… :slight_smile:

Isn’t there an easier solution to just secure httpS://homeassistant.local or something else without all the hassle?

For someone that has their own dns servers to be asking such a rudimentary question is troubling.

The fact that you neglect to mention which add-on you are referring to is doubly so.