Installing TLS/SSL using Let's Encrypt

:warning: This guide has been migrated from our website and might be outdated. Feel free to edit this guide to update it, and to remove this message after that.

:warning: This guide is for users running Home Assistant Core.
If you are using Home Assistant do not use this guide. Instead, use the DuckDNS add-on for Home Assistant.

This guide was added on 16/03/2017 and was valid at the time of writing. This guide makes the following assumptions:

  • You can access your Home Assistant instance across your local network, and access the device that it is on via SSH from your local network.
  • You know the internal IP address of your router and can access your router’s configuration pages.
  • You have already secured your Home Assistant instance, following the advice on this page
  • You want to access your Home Assistant instance when you are away from home (ie, not connected to your local network) and secure it with a TLS/SSL certificate.
  • You have a basic understanding of the phrases I have used so far.
  • You are not currently running anything on port 80 on your network (you’d know if you were).
  • If you are not using Home Assistant on a Debian/Raspian system you will be able to convert any of the terminology I use in to the correct syntax for your system.
  • You understand that this is a ‘guide’ covering the general application of these things to the general masses and there are things outside of the scope of it, and it does not cover every eventuality (although I have made some notes where people may stumble). Also, I have used some turns of phrase to make it easier to understand for the novice reader which people of advanced knowledge may say is inaccurate. My goal here is to get you through this guide with a satisfactory outcome and have a decent understanding of what you are doing and why, not to teach you advanced internet communication protocols.
  • Each step presumes you have fully completed the previous step successfully, so if you did an earlier step following a different guide, please ensure that you have not missed anything out that may affect the step you have jumped to, and ensure that you adapt any commands to take in to account different file placements from other guides.

Steps we will take:

  • 0 - Gain a basic level of understanding around IP addresses, port numbers and port forwarding
  • 1 - Set your device to have a static IP address
  • 2 - Set up port forwarding without TLS/SSL and test connection
  • 3 - Set up a DuckDNS account
  • 4 - Obtain a TLS/SSL certificate from Let’s Encrypt
  • 5 - Check the incoming connection
  • 6 - Clean up port forwards
  • 7 - Set up a sensor to monitor the expiry date of the certificate
  • 8 - Set up an automatic renewal of the TLS/SSL certificate
  • 9 - Set up an alert to warn us if something went wrong

0 - Gain a basic level of understanding around IP addresses, port numbers and port forwarding

An IP address is a bit like a phone number. When you access your Home Assistant instance you type something similar to in to your address bar of your browser. The bit before the colon is the IP address (in this case and the bit after is the port number (in this case 8123). When you SSH in to the device running Home Assistant you will use the same IP address, and you will use port 22. You may not be aware that you are using port 22, but if you are using Putty look in the box next to where you type the IP address, you will see that it has already selected port 22 for you.

So, if an IP address is like a phone number, a port number is like an extension number. An analogy would be if you phone your local doctors on 192-1680-200 and the receptionist answers, you ask to speak to Dr. Smith and she will put you through to extension 8123, which is the phone Dr. Smith is sitting at. The doctors surgery is the device your Home Assistant is running on, Dr. Smith is your Home Assistant. Thusly, your Home Assistant instance is ‘waiting for your call’ on port 8123, at the device IP .

Now, to speak to the outside world your connection goes through a router. Your router will have two IP addresses. One is the internal network number, most likely in my example, and an external IP address that incoming traffic is sent to. In the example of calling the doctors, the external IP is your telephone number’s area code.

So, when we want to connect to our Home Assistant instance from outside our network we will need to call the correct extension number, at the correct phone number, in the correct area code.

We will be looking for a system to run like this (in this example I will pretend our external IP is

Outside world -> -> your router ->

Sounds simple? It really is except for two small, but easy to overcome, complications:

  • IP addresses are often dynamically allocated, so they can change.
  • Because of the way the internet works you cannot chain IP addresses together to get from where you are, to where you want to go.

To get around the issue of changing IP addresses we must remember that there are two IP addresses affected. Your external one (which we will ‘call’ to get on to your network from the internet) and your internal one ( in the example I am currently using).

So, we can use a static IP to ensure that whenever our device running Home Assistant connects to our router it always uses the same address. This way our internal IP never changes. This is covered in step 1 below.

We then have no control over our external IP, as our Service Provider will give us a new one at random intervals. To fix this we will use a service called DuckDNS which will give us a name for our connection (something like and behind the scenes will continue to update your external IP. So no matter how many times the IP address changes, typing in to our browser will convert to the correct, up-to-date, IP address. This is covered in step 3 below.

To get around the issue of not being able to chain the IP addresses together (I can’t say I want to call and be put through to, and then be put through to extension 8123) we use port forwarding. Port forwarding is the process of telling your router which device to allow the outside connection to speak to. In the doctors surgery example, port forwarding is the receptionist. This takes a call from outside, and forwards it to the correct extension number inside. It is important to note that port forwarding can forward an incoming request for one port to a different port on your internal network if you so choose, and we will be doing this later on. The end result being that when we have our TLS/SSL certificate our incoming call will by default be requesting port 443 (because that is the default HTTPS port, like the default SSH port is 22), our port forwarding rule can forward this to our Home Assistant instance on port 8123 (or we can specify the port number in the URL). When this guide is completed we will run something like this:

Outside world -> -> -> your router ->

So, let’s make it happen…

1 - Set your device to have a static IP address

Whenever a device is connected to a network it has an IP address. This IP address is often dynamically assigned to the device on connection. This means there are occasions where the IP address you use to access Home Assistant, or SSH in to the device running Home Assistant, may change. Setting a static IP address means that the device will always be on the same address.

SSH in to your system running Home Assistant and login.

Type the following command to list your network interfaces:


You will receive an output similar to the image below:


Make a note of the interface name and the IP address you are currently on. In the picture it is the wireless connection that is highlighted, but with your setup it may be the wired one (eth0 or similar), make sure you get the correct information.

Then type the following command to open the text file that controls your network connection:

sudo nano /etc/dhcpcd.conf

At the bottom of the file add the following lines:

interface wlan0 <----- or the interface you just wrote down.

static ip_address=  <---- the IP address you just wrote down with a '/24' at the end
static routers=      <---- Your router's IP address
static domain_name_servers= <---- Your router's IP address

It is important to note that the first three bytes of your static IP address and your router’s IP address should be the same, e.g.:




Press Ctrl + x to close the editor, pressing Y to save the changes when prompted.

Reboot your device running HA:

sudo reboot

When it comes back up check that you can SSH in to it again on the IP address you wrote down.

Make sure Home Assistant is running and access it via the local network by typing the IP address and port number in to the browser:

All working? Hooray! You now have a static IP. This will now always be your internal IP address for your Home Assistant device. This will be known as YOUR-HA-IP for the rest of this guide.

2 - Set up port forwarding without TLS/SSL and test connection

Log in to your router’s configuration pages and find the port forwarding options. This bit is hard to write a guide for because each router has a different way of presenting these options. Searching Google for “port forwarding” and the name of your router may help. When you find it you will likely have options similar to:

Service name - Port Range - Local IP - Local Port - Protocol

You may also have other options (like ‘source IP’), these can usually be left blank or in their default state.

Set the port forwarding to:

Service name - ha_test
Port Range - 8123
Local Port - 8123
Protocol - Both

Then save the change. On my router you have to fill these values in, then press an ‘add’ button to add the new rule to the list, then save the changes. All routers have a different interface, but you must ensure that these rules are saved at this point. If you are unsure, you can reboot the router and log back in, if the rule is present it was saved, if not, it wasn’t!

Once you have saved this rule, go to your browser, and go to:

This will tell you your current external IP address

Type the external IP address in to the URL bar with http:// in front and :8123 after like so ( is my example!):

Can you see your Home Assistant instance? If not, your router may not support ‘loopback’ - try the next step anyway and if that works, and this one still doesn’t, just remember that you cannot use loopback, so will have to use internal addresses when you’re on your home network. More on this later on if it’s relevant to you.

Just to verify this isn’t some kind of witchcraft that is actually using your internal network, pick up your phone, disconnect it from your Wi-Fi so that you are on your mobile data and not connected to the home network, put the same URL in the browser on your phone.

Can you see it now, from a device that is definitely not connected to your local network? Excellent! You now have a remotely accessible Home Assistant instance.

But what if your external IP changes? Plus, remembering all those numbers is pretty hard, isn’t it? Read on to get yourself set up with a word-based URL at DuckDNS that will track any changes to your IP address so you don’t have to stress anymore.

3 - Set up a DuckDNS account

Open your browser and go to

Sign in and create an account using one of the id validation options in the top right corner.

In the domains section pick a name for your subdomain, this can be anything you like, and click add domain.

The URL you will be using later to access your Home Assistant instance from outside will be the subdomain you picked, followed by . For our example we will say our URL is

Set up Home Assistant to keep your DuckDNS URL and external IP address in sync. In your configuration.yaml file add the following:

  domain: examplehome
  access_token: abcdefgh-1234-abcd-1234-abcdefgh

The access token is available on your DuckDNS page. Restart Home Assistant after the change.

What you have now done is set up DuckDNS so that whenever you type in to your browser it will convert that to your router’s external IP address. Your external IP address will always be up to date because Home Assistant will update DuckDNS every time it changes.

Now type your new URL in to your address bar on your browser with port 8123 on the end:

What now happens behind the scenes is this:

  • DuckDNS receives the request and forwards the request to your router’s external IP address (which has been kept up to date by your device running Home Assistant)
  • Your router receives the request on port 8123 and checks the port forwarding rules
  • It finds the rule you created in step 2 and forwards the request to your Home Assistant instance
  • Your browser displays your Home Assistant instance frontend.

Did it work? Super!

You now have a remotely accessible Home Assistant instance that has a text-based URL and will not drop out if your service provider changes your IP. But, it is only as secure as the password you set, which can be snooped during your session by a malicious hacker with relative ease. So we need to set up some encryption with TLS/SSL, read on to find out how.

4 - Obtain a TLS/SSL certificate from Let’s Encrypt

First we need to set up another port forward like we did in step 2. Set your new rule to:

Service name - ha_letsencrypt
Port Range - 80
Local Port - 80
Protocol - Both

Remember to save the new rule.

In cases where your ISP blocks port 80 you will need to change the port forward options to forward port 443 from outside to port 443 on your Home Assistant device. Please note that this will limit your options for automatically renewing the certificate, but this is a limitation because of your ISP setup and there is not a lot we can do about it!

Now SSH in to the device your Home Assistant is running on.

If you’re running the ‘standard’ setup on a Raspberry Pi the chances are you just logged in as the ‘pi’ user. If not, you may have logged in as the Home Assistant user. There are commands below that require the Home Assistant user to be on the sudoers list. If you are not using the ‘standard’ Pi setup it is presumed you will know how to get your Home Assistant user on the sudoers list before continuing. If you are running the ‘standard’ Pi setup, from your ‘pi’ user issue the following command (where homeassistant is the Home Assistant user):

sudo adduser homeassistant sudo

If you did not already log in as the user that currently runs Home Assistant, change to that user (usually homeassistant or hass - you may have used a command similar to this in the past):

sudo -u homeassistant -H -s

Make sure you are in the home directory for the Home Assistant user:


We will now install the certbot software:

sudo apt-get install certbot -y

You might need to stop Home Assistant before continuing with the next step. You can do this via the Web-UI or use the following command if you are running on Raspbian:

sudo systemctl stop [email protected]

You can restart Home Assistant after the next step using the same command and replacing stop with start.
Now we will run the certbot program to get our SSL certificate. You will need to include your email address and your DuckDNS URL in the appropriate places:

sudo certbot certonly --standalone --preferred-challenges http-01 --email [email protected] -d

Once the program has run it will generate a certificate and other files and place them in a folder /etc/letsencrypt/ .

Confirm this file has been populated:

ls /etc/letsencrypt/live/

This should show a folder named exactly after your DuckDNS URL.

Our Home Assistant user needs access to files within the letsencrypt folder, so issue the following commands to change the permissions.

sudo chmod 755 /etc/letsencrypt/live/
sudo chmod 755 /etc/letsencrypt/archive/
sudo chmod -R 777 /etc/letsencrypt/

Did all of that go without a hitch? Wahoo! Your Let’s Encrypt certificate is now ready to be used with Home Assistant. Move to step 5 to put it all together

5 - Check the incoming connection

Following on from Step 4 your SSH will still be in the certbot folder. If you edit your configuration files over SSH you will need to change to our homeassistant folder:

cd ~/.homeassistant

If you use Samba shares to edit your files you can exit your SSH now.

If during step 4 you had to use port 443 instead of port 80 to generate your certificate, you should delete that rule now.

Go to your router’s configuration pages and set up a new port forwarding rule, thus:

Service name - ha_ssl
Port Range - 443
Local Port - 8123
Protocol - Both

Remember to save the rule changes.

Now edit your configuration.yaml file to reflect the SSL entries and your base URL (changing the examplehome subdomain to yours in all three places):

  ssl_certificate: /etc/letsencrypt/live/
  ssl_key: /etc/letsencrypt/live/

You may wish to set up other options for the HTTP integration at this point, these extra options are beyond the scope of this guide.

Save the changes to configuration.yaml. Restart Home Assistant.

In step 3 we accessed our Home Assistant from the outside world with our DuckDNS URL and our port number. We are going to use a slightly different URL this time.

Note the S after http, and that no port number is added. This is because HTTPS will use port 443 automatically, and we have already set up our port forward to redirect this request to our Home Assistant instance on port 8123.

You should now be able to see your Home Assistant instance via your DuckDNS URL, and importantly note that your browser shows the connection as secure.

You will now NO LONGER be able to access your Home Assistant via your old internal IP address in the way you previously have. Your default way to access your Home Assistant instance, even from inside your house, is to use your DuckDNS URL.

In cases where you need to access via the local network only (which should be few and far between) you can access it with the following URL (note the added S after http):


…and accepting the browsers warning that you are connecting to an insecure site. This warning occurs because your certificate expects your incoming connection to come via your DuckDNS URL. It does not mean that your device has suddenly become insecure.

Some cases such as this are where your router does not allow ‘loopback’ or where there is a problem with incoming connections due to technical failure. In these cases you can still use your internal connection and safely ignore the warnings.

If you were previously using a webapp on your phone/tablet to access your Home Assistant you should delete the old one and create a new one with the new address. The old one will no longer work as it is not keyed to your new, secure URL.

All done? Accessing your Home Assistant from across the world with your DuckDNS URL and a lovely secure logo on your browser? Ace! Now let’s clean up our port forwards so that we are only exposing the parts of our network that are absolutely necessary to the outside world.

6 - Clean up port forwards

In step 2 we created a port forwarding rule called ha_test. This opens port 8123 to the world, and is no longer necessary.

Go to your router’s configuration pages and delete the ha_test rule.

You should now have two rules in relation to Home Assistant for your port forwards, named:

ha_ssl and ha_letsencrypt

If you have any more for Home Assistant you should delete them now. If you only have ha_ssl this is probably because during step 4 you had to use port 443 instead of port 80, so we deleted the rule during step 5.

You are now part of one of two groups:

  • If you have BOTH rules you are able to set up auto renewals of your certificates using port 80 and the standard HTTP challenge, as performed above.
  • If you only have one, you are still able to set up auto renewals of your certificates, but will have to specify additional options when renewing that will temporarily stop Home Assistant and use port 8123 for certificate renewal.

Please remember whether you are a ONE-RULE person or a BOTH-RULE person for step 8!

Let’s Encrypt certificates only last for 90 days. When they have less than 30 days left they can be renewed. Renewal is a simple process.

Move on to step 7 to see how to monitor your certificates expiry date, and be ready to renew your certificate when the time comes.

7 - Set up a sensor to monitor the expiry date of the certificate

Setting a sensor to read the number of days left on your TLS/SSL certificate before it expires is not required, but it has the following advantages:

  • You can physically see how long you have left, pleasing your inner control freak
  • You can set automations based on the number of days left
  • You can set alerts to notify you if your certificate has not been renewed and is coming close to expiry.
  • If you cannot set up automatic renewals due to your ISP blocking port 80, you will have timely reminders to complete the process manually.

If you do not wish to set up a sensor you can skip straight to step 8 to learn how to update your certificates.

The sensor will rely on a command line program that needs to be installed on your device running Home Assistant. SSH in to the device and run the following commands:

sudo apt-get update
sudo apt-get install ssl-cert-check

In cases where, for whatever reason, apt-get installing is not appropriate for your installation you can fetch the ssl-cert-check script from bearing in mind that you will have to modify the command in the sensor code below to run the script from wherever you put it, modify permission if necessary and so on.

To set up a senor add the following to your configuration.yaml (remembering to correct the URL for your DuckDNS):

  - platform: command_line
    name: SSL cert expiry
    unit_of_measurement: days
    scan_interval: 10800
    command: "ssl-cert-check -b -c /etc/letsencrypt/live/ | awk '{ print $NF }'"

Save the configuration.yaml. Restart Home Assistant.

On your default_view you should now see a sensor badge containing your number of days until expiry. If you’ve been following this guide from the start and have not taken any breaks in between, this should be 89 or 90. The sensor will update every 3 hours. You can place this reading on a card using groups, or hide it using customize. These topics are outside of the scope of this guide, but information can be found on their respective integrations pages: Group and Customize

Got your sensor up and running and where you want it? Top drawer! Nearly there, now move on to the final steps to ensure that you’re never without a secure connection in the future.

8 - Set up an automatic renewal of the TLS/SSL certificate

The certbot program we downloaded in step 4 contains a script that will renew your certificate. The script will only obtain a new certificate if the current one has less than 30 days left on it, so running the script more often than is actually needed will not cause any harm.

If you are a ONE-RULE person (from step 6), you can automatically renew your certificate with your current port mapping by temporarily stopping Home Assistant and telling certbot to bind port 8123 internally, and using a tls-sni challenge so that the Let’s Encrypt CA binds port 443 externally. The flags used to specify these additional steps are shown below.

If you are a TWO-RULE person (from step 6), you can automatically renew your certificate using a http-01 challenge and port 80.

There are a number of options for automating the renewal process:

Option 1

Your certificate can be renewed as a ‘cron job’ - cron jobs are background tasks run by the computer at specified intervals (and are totally independent of Home Assistant). Defining cron is outside of the scope of this guide but you will have had dealings with crontab when setting up DuckDNS in step 3

To set a cron job to run the script at regular intervals:

  • SSH in to your device running Home Assistant.

  • Change to your Home Assistant user (where homeassistant is the name of the user):

    sudo -u homeassistant -H -s
  • Open the crontab:

    crontab -e
  • If you are a TWO-RULE Person: Scroll to the bottom of the file and paste in the following line

    30 2 * * 1 certbot renew --quiet --no-self-upgrade --standalone --preferred-challenges http-01
  • If you are a ONE-RULE Person: Scroll to the bottom of the file and paste in the following line

    30 2 * * 1 certbot renew --quiet --no-self-upgrade --standalone --preferred-challenges tls-sni-01 --tls-sni-01-port 8123 --pre-hook "sudo systemctl stop [email protected]" --post-hook "sudo systemctl start [email protected]"
  • Let’s take a moment to look at the differences here:

    1. This method uses a tls-sni challenge, so the Let’s Encrypt CA will attempt to bind port 443 externally (which you have forwarded)
    2. --tls-sni-01-port 8123 tells certbot to bind port 8123 internally, which matches with the port forwarding rules that are already in place.
    3. We define pre-hooks and post-hooks that stop our Home Assistant service before certbot runs, freeing port 8123 for certificate renewal, and restart Home Assistant after renewal is complete.
  • Save the file and exit

Option 2

You can set an automation in Home Assistant to run the certbot renewal script.

Add the following sections to your configuration.yaml if you are a TWO-RULE person

  renew_ssl: certbot renew --quiet --no-self-upgrade --standalone --preferred-challenges http-01

  - alias: 'Auto Renew SSL Cert'
      platform: numeric_state
      entity_id: sensor.ssl_cert_expiry
      below: 29
      service: shell_command.renew_ssl

If you are a ONE-RULE person, replace the certbot command above with certbot renew --quiet --no-self-upgrade --standalone --preferred-challenges tls-sni-01 --tls-sni-01-port 8123 --pre-hook "sudo systemctl stop [email protected]" --post-hook "sudo systemctl start [email protected]"

Option 3

You can manually update the certificate when your certificate is less than 30 days to expiry.

To manually update:

  • SSH in to your device running Home Assistant.

  • Change to your Home Assistant user (where homeassistant is the name of the user):

    sudo -u homeassistant -H -s
  • Change to your certbot folder

    cd ~/certbot/
  • Run the renewal command

    certbot renew --quiet --no-self-upgrade --standalone --preferred-challenges http-01
  • If you are a ONE-RULE person, replace the certbot command above with certbot renew --quiet --no-self-upgrade --standalone --preferred-challenges tls-sni-01 --tls-sni-01-port 8123 --pre-hook "sudo systemctl stop [email protected]" --post-hook "sudo systemctl start [email protected]"

So, now were all set up. We have our secured, remotely accessible Home Assistant instance and we’re on track for keeping our certificates up to date. But what if something goes wrong? What if the automation didn’t fire? What if the cron job forgot to run? What if the dog ate my homework? Read on to set up an alert so you can be notified in plenty of time if you need to step in and sort out any failures.

9 - Set up an alert to warn us if something went wrong

We set up our automatic renewal of our certificates and whatever method we used the certificate should be renewed on or around 30 days before it expires. But what if a week later it still hasn’t been? This alert will go off if the expiry time on the certificate gets down to 21 days. This will give you 3 weeks to fix the problem, get your new certificate installed and get another 90 days of secure Home Assistant connections in play.

In your configuration.yaml add the following automation, adding your preferred notification platform where appropriate:

  - alias: 'SSL expiry notification'
      platform: numeric_state
      entity_id: sensor.ssl_cert_expiry
      below: 21
      service: notify.[your_notification_preference]
        message: 'Warning - SSL certificate expires in 21 days and has not been automatically renewed'

If you receive this warning notification, follow the steps for a manual update from step 8. Any error messages received at that point can be googled and resolved. If the manual update goes without a hitch there may be something wrong with your chosen method for automatic updates, and you can start troubleshooting from there.

So, that’s it. We’ve taken a Home Assistant instance that was only reachable on the local network, made it accessible from the internet, secured it, and set up a system to ensure that it always stays secure. Well done, go and treat yourself to a cookie!

iOS app won't connect *inside* home network
Problem accessing PI from external network
Unable to get letsencrypt certificate on Synology NAS
DuckDNS docs: json instead of YAML
Cannot connect anymore to hassbian.local
Add host name
HASS won't boot after renewing Letsencrypt certificate, think I may have screwed up port forwarding
Trouble with setting up remote access
Letsencrypt Hassbian issue
Cleaning New Installation after failed SSL configuration
UI won't load after including http in configuration.yaml
Help with making secure SSL without duckDNS
Setting up remote access?
Renewing LetsEncrypt on my Netgear router
Home Assistant access from outside of your home network
Install Home Assistant, Mosquitto broker and Node-Red on android
Sensor to show expiry date of SSL certificate
CLOSED - Http integration in configuration.yaml prevents HA UI to start
Home Assistant Core -- TrueNAS CORE Community Plugin
How to configure Let's Encrypt SSL Certificates for Home Assistant completely 100% free (Updated for 2022/2023)
Sensor to show expiry date of SSL certificate
Help with external access to HA on Virtual Box
Auto-renew SSL Lets Encrypt SSL certificate within VPN
No NAT loopback / DuckDNS / NGINX / AdGuard
How to configure Let's Encrypt SSL Certificates for Home Assistant completely 100% free (Updated for 2022/2023)
DuckDNS add-on makes HA GUI crash
Home Assistant remote access but only via http://
Home Assistant security concern
Duck Dns Breaking
Hue discovered Light(s) don't go away after exclude hue
Effortless encryption with Let's Encrypt and DuckDNS
Install Home Assistant, Mosquitto broker and Node-Red on android
.pfx Certificate File Install
Can't access Grafana over SSL
Auto update of let's encrypt failes with code -2
Where to configure the server for https and port listening?
Ssl expiry sensor in docker
Duckdns website
Info needed
Google Assistant and SSL cert
Problem with duckdns/lets encrypt/http/port forwarding I dunno what
Lets Encrypt on
Error in renewing Letsencrypt ...?
Init configration with Alexa
Shopping list
Problem installing Hassbian and LetsEncrypt
duckDns issues
Ant idea about Duck DNS

Thanks for the guide, but is Let’s Encrypt really fixed with outside ports 80&443 so I can’t use a custom port?

1 Like

This is still a good guide for HA Core, but when using HA Core, you might also run the Mosquitto MQTT Broker on the same machine in a secured mode (like for Owntracks or MQTT bridging). The broker will not automatically pick up changed/renewed SSL certs, so the renew_ssl shell command would probably look more like:

  renew_ssl: 'certbot renew --quiet --no-self-upgrade --standalone --preferred-challenges http-01 --pre-hook "sudo systemctl stop mosquitto.service" --post-hook "sudo systemctl start mosquitto.service"'

Now certbot can run without sudo if it has write access to the cert folders/files, but
sudo is still needed to start/stop services (like the Mosquitto MQTT Broker), so this will hang, because the homeassistant user would ask for a sudo password.

I didn’t want to make the homeassistant user part of the sudo group, so I used a sudoers file /etc/sudoers.d/030_homeassistant_shell_commands for this:

%homeassistant ALL=(ALL) NOPASSWD: ALL

This will allow members of the homeassistant group to use sudo without a password and should eventually be more refined (much as the old hassbian scripts sudoer rules), because as shown it poses a certain security risk to systems that are reachable from “outside” your network.

This is just to show how it can be done, so your HA Core can automate even more things. For more detailed information, please check man sudoers.5.

This worked for me running HASS on 8123. I do have port 80 exposed with no service listening to the port, though. Just have to use as the URL.

I’ve followed this guide through #5, but can’t get any further.

I have a DuckDNS account, and have managed to create port forwards and SSL cert files… but get the error:

Invalid config for [http]: not a file for dictionary value @ data['http']['ssl_certificate']. Got '/storage/homeassistant/ssl/***'
not a file for dictionary value @ data['http']['ssl_key']. Got '/storage/homeassistant/ssl/***'. (See /config/configuration.yaml, line 14)

I moved my key files, but they are valid, and so are the paths. Somehow, it’s as if I don’t have the http integration?

1 Like

I’ve a problem the expiry time.

When I run the command in a terminal on my Pi

ssl-cert-check -b -c /usr/share/hassio/ssl/fullchain.pem | awk '{ print $NF }'

I’ve the correct value in return

But the sensor don’t show any value.

An idea?

Im wondering if there is a write-up on installing the TLS/SSL on a HA docker install…
Im very green on Docker.


new to HA (outstanding to me…).

I tried to setup the external access to HA via Let’s Encrypt…

All fine apparently, but when I try to access HA from outside I get:

The webpage at https://myname/?external_auth=1 could not be loaded because

A doubt: is the CA provided by certbot within the “common” set of CAs?
Or shall I configure something on the smartphone side?

Any suggestion?

solved …
my mistake: i missed the following configuration.yaml entries:

  base_url: myname:8123
  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem

now works flawlessly :slight_smile:

1 Like

I have the https working great but I want to use fison67’s HA-Connector SmartApp to bring a few HA only devices over to my ST hub but he states that https will not work with his SmartApp. Is there a way to keep my https setup with duckdns and also have http with an http_password available as well or is that not possible? Thanks for any help.

I followed everything in this guide but I'm getting
ERR_SSL_PROTOCOL_ERROR when connecting to my
domain with https://××× Everything still
working fine if I connect with http://×××
Can anyone help me?
Edit: fyi i'm running hass in a python virtual

EXCELLENT guide, thanks a lot!


I decided to use this guideline

I’ll reserve this post to note my comments


link to this assumption " You have already secured your Home Assistant instance, following the advice " has to be changed to …

0,1 ,2,3= OK ( HA android app connected to HA by + TFA authentication)

Great guide, however I’m using homeassistant docker and it errors when trying to install certbot. Looks like the docker image is stripped down the bare basics, any idea on how to get around this? thanks

bash-5.0$ apt-get install certbot -y
bash: apt-get: command not found

Is this manual intended for use on a separate install on raspbian. I get stuck when I want to login with SSH. I can’t do sudo there!

1 Like

I’m 75% down the road, currently at the ssl-cert-check step, but I have encountered a couple of problems:

  1. If I delete the ha_test port forwarding rule (8123->local_ip:8123) home assistant becomes unreachable (with the ha_test rule in place, it works perfectly using https://myduckdnsurl:8123)
  2. Even with ha_test rule, when accessing home assistant using the duckdns domain with https, I lose access to several external tools (i.e. node-red, esphome) running in other virtual machines which are accessed with their local ips in a configuration.yaml panel_iframe section.
    Moreover, I have two other local services (appdaemon, and configurator/file-explorer) which also stopped working

btw, my home-assistant is running in a freebsd jail

  • How do I test the port forwarding situation
  • What do I do with integrated external services (either running on the same ip of home assistant or another ip in the same home network)

Hey guys,

I created a video in GERMAN / deutsch how to use Let’s Encrypt together with DuckDNS.
Perhaps it is also helpful for some of you:

Best regards, Tristan

1 Like

Thanks guys for this guide. I have a issue with installing TLS/SSL with Let’s Encrypt. My outside ports ports 80&443 are blocked by Unifi USG Pro-4. So I can do a forward rule on my firewall, but before this rule work the USG Pro-4 takes controll. I could not find anything to switch of this two ports on USG. For this reason I can’t use outside ports 80&443. So when I run

sudo certbot certonly --standalone --preferred-challenges http-01 --email [email protected] -d

I get following error message

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for XXXX
Cleaning up challenges
Problem binding to port 80: Could not bind to IPv4 or IPv6.

Any ideas how I can fix that so that let’s encrypt is using another port

Thanks in advance, Tom

Hi Tom

Good to see you here :smile: Let’s connect tomorrow to check your USG Configuration. I had no problems setting up the PortForwarding on my USG.

BTW: I’m getting blocked by your PI-Hole when accessing your public URL on port 80…

You’ve probably solved this already, but to help others out: when using the dockerized Home Assistant, the correct command is apk add certbot. It’s using Alpine Linux.