How to get ACME challenge working with Let's Encrypt add-on

Hi,

Just started using hass.io on my Pi and I think it’s common sense these days to get it running on SSL / HTTPS.
So I installed the Let’s Encrypt add-on and forwarded the DNS and ports over my router to the Pi.
I can confirm the proper setup, since I can access HA from outside and get a HTML page (in the /config/www folder) to display. So far so good.

But whatever I do… I cannot get a certificate from Let’s Encrypt validated through the ACME challenge.
Keep getting a 404 error on the /.well-known/… test.
When I SSH through the folders on my Hass.io Pi, there’s indeed no .well-known folder to be found. So the ACME challenge fails every time:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for hass.mydomain.com
Waiting for verification...
Challenge failed for domain hass.mydomain.com
http-01 challenge for hass.mydomain.com
Cleaning up challenges
Some challenges have failed.
IMPORTANT NOTES:
 - The following errors were reported by the server:
   Domain: hass.mydomain.com
   Type:   unauthorized
   Detail: Invalid response from
   http://hass.mydomain.com/.well-known/acme-challenge/Z9l0cE7r7K_eZJ7_RokskID3agJQ1-YilgxmT7uMha8
   [my.ip.addr.ess]: 404
   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

As stated, the domain and DNS records are pointing to the right device… but no success so far.
Can someone please advise me how to solve this problem?

Thanks in advance!

Edit 29th…
Wow, really no one?
Still having this problem; tried almost everything. The Let’s Encrypt addon is still not correctly generating the URL for the challenge, so it keeps failing…

Check the https: section of your configuration.yaml file. Ensure that if you are actually using SSL, it says https://hass.mydomain.com/. Since you’re probably not using SSL yet, it should say http://hass.mydomain.com/. Finally, you should specify the TCP/IP port number on a separate YAML line beneath your domain URL. Don’t include it with the URL.

Putting the TCP/IP port number on a separate line (instead of using ip-address:portnumber) did the trick! Many thanks!

Glad to have helped you get it working!!

NickW,
Could you sanitize and show me what you put in there? I tried a couple of different ways of breaking my port from the URL to no avail.

Thanks!

+1

I have the exact problem as described above, but I cannot figure out what the solution is :slight_smile:

I’m mapping 443:443 & 80:80. I do not use DuckDNS, since I already have my domain registered elsewhere. I’m able to use port 80 from the Internet, e.g. http://domain/lovelace/default_view

I’ve also added the following to my configuration.yaml:

http:
  server_port: 80

Do I need to create the directory /config/www? The port number that should be added on a separate line, where should I put it? I’m using Home Assistant 2021.3.3 on Raspberry Pi 4.

Best Regards,

If Home Assistant is on port 80 then how can the Let’s Encrypt add-on be on port 80? In order for the acme challenge to work it’s going to reach out to your domain on port 80. Port 80 must be mapped to whatever port the Let’s Encrypt addon is listening on so it can respond correctly to the challenge.

Basically you can map any port on your router that you want to the port ha is listening on except port 80, that has to go to the addon or you can’t get your certificate. Once you get the certificate, put the paths to the cert and keyfile in the http configuration as described by the doc. And if you didn’t choose port 443 for HA then map port 443 on your router to whatever port you did choose for HA (or specify the port every time on the URL, your choice).
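To make the two answers above concrete (NickW's point about keeping the port on its own YAML line, and Mike's point that port 80 belongs to the add-on, not to Home Assistant), here is an added example layout that is not from this thread or from the add-on's own documentation. It assumes Home Assistant listens on 8123, that the add-on uses its standard option names (email, domains, certfile, keyfile, challenge) and writes the files under /ssl/, and it uses hass.mydomain.com and a placeholder e-mail address in place of real values. Older releases used base_url: under http: for the URL setting; current releases use external_url: under homeassistant:, as shown.

```yaml
# Added example, not from the thread. Host name, ports and e-mail address are
# placeholders standing in for the poster's real values.

# --- configuration.yaml (Home Assistant) ---
homeassistant:
  # Host name only. Do NOT append the port here: the "hostname:port" form is
  # what produced the broken challenge URL described earlier in the thread.
  external_url: "https://hass.mydomain.com"

http:
  # Home Assistant's own listener, on its own line. Keep it OFF port 80:
  # the Let's Encrypt add-on must own port 80 for the http-01 challenge
  # (Let's Encrypt fetches /.well-known/acme-challenge/<token> over port 80).
  server_port: 8123
  # Files the add-on writes into /ssl/ once the challenge succeeds.
  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem

---
# --- Let's Encrypt add-on configuration (Add-on > Configuration tab) ---
email: admin@mydomain.com   # placeholder; renewal notices go here
domains:
  - hass.mydomain.com       # must resolve (A/AAAA) to the router's public IP
certfile: fullchain.pem     # written to /ssl/fullchain.pem
keyfile: privkey.pem        # written to /ssl/privkey.pem
challenge: http             # http-01: requires port 80 reachable from the Internet

# --- Router port forwards (comments only, not YAML) ---
# WAN 80  -> Pi:80    add-on container (its "Network" setting is the add-on's
#                     port, not Home Assistant's); only needed during issue/renew
# WAN 443 -> Pi:8123  Home Assistant over HTTPS
```

A quick sanity check before starting the add-on: with Home Assistant on 8123, a request to http://hass.mydomain.com/ from outside should no longer reach the Home Assistant UI on port 80; if it still does, port 80 is going to Home Assistant and the challenge will keep returning 404.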

Thank you Mike! I thought Let’s Encrypt plugin was an integrated part of Home Assistant and thereby used the very same port. I finally realized that the port settings under “Network” were related to the container of the plugin, which was not obvious to me at least.

Thanx again,

