Installing TLS/SSL using Let's Encrypt

Hello,
new to HA (outstanding to me…).

I tried to setup the external access to HA via Let’s Encrypt…

All fine apparently, but when I try to access HA from outside I get:

The webpage at https://myname/?external_auth=1 could not be loaded because
net: ERR_SSL_PROTOCOL_ERROR

A doubt: is the CA provided by certbot within the “common” set of CAs?
Or shall I configure something on the smartphone side?

Any suggestion?
Thanks!

Solved… my mistake: I missed the following configuration.yaml entries:

http:
  base_url: myname:8123
  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem

Now it works flawlessly :slight_smile:

1 Like

I have the https working great but I want to use fison67’s HA-Connector SmartApp to bring a few HA only devices over to my ST hub but he states that https will not work with his SmartApp. Is there a way to keep my https setup with duckdns and also have http with an http_password available as well or is that not possible? Thanks for any help.

I followed everything in this guide but I'm getting ERR_SSL_PROTOCOL_ERROR when connecting to my domain with https://×××.duckdns.org. Everything is still working fine if I connect with http://×××.duckdns.org. Can anyone help me?
Edit: FYI, I'm running hass in a Python virtual environment.
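As an added example (not from this thread), a small Python probe that tells the ERR_SSL_PROTOCOL_ERROR case reported above apart from a certificate-chain problem or a port-forwarding problem. It starts a throwaway plain-HTTP listener on localhost (constructed for the demo) to show what a Home Assistant instance without ssl_certificate/ssl_key looks like to a TLS client; myname.duckdns.org in the final comment is a placeholder hostname.

```python
import socket
import ssl
import threading
from datetime import datetime, timezone

def probe_tls(host, port, timeout=5.0):
    """Connect as a TLS client and classify what answered on host:port.
    tls_ok: chain verified (issuer, days_left filled in); tls_untrusted: TLS up but
    chain fails (self-signed, hostname mismatch, not the full chain); not_tls:
    reply was not a TLS record, which the browser shows as ERR_SSL_PROTOCOL_ERROR
    (typical for HA on 8123 without ssl_certificate/ssl_key); unreachable: refused,
    reset or timed out (check the port forwarding)."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return {"status": "tls_untrusted", "reason": exc.verify_message}
    except ssl.SSLError as exc:  # e.g. WRONG_VERSION_NUMBER from a plain-HTTP port
        return {"status": "not_tls", "reason": exc.reason}
    except OSError as exc:
        return {"status": "unreachable", "reason": type(exc).__name__}
    expiry = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    issuer = dict(rdn[0] for rdn in cert["issuer"]).get("organizationName", "")
    return {"status": "tls_ok", "issuer": issuer,
            "days_left": (expiry - datetime.now(timezone.utc)).days}

def start_plain_http_listener(host="127.0.0.1"):
    """Constructed stand-in for a Home Assistant instance with no TLS configured:
    answers one connection with plain HTTP. Returns the port it listens on."""
    srv = socket.socket()
    srv.bind((host, 0))
    srv.listen(1)

    def serve_once():
        conn, _ = srv.accept()
        conn.recv(65536)  # consume the ClientHello the probe sends
        conn.sendall(b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n")
        conn.close()
        srv.close()

    threading.Thread(target=serve_once, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    print(probe_tls("127.0.0.1", start_plain_http_listener()))  # the ERR_SSL_PROTOCOL_ERROR case
    # Against a real instance: probe_tls("myname.duckdns.org", 8123)  (placeholder hostname)
```

A `tls_untrusted` result with a chain error usually means `ssl_certificate` points at `cert.pem` instead of `fullchain.pem`; `not_tls` on 8123 means the http: block has no certificate configured at all.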

EXCELLENT guide, thanks a lot!

Hi

I decided to use this guideline

I’ll reserve this post to note my comments

Assumptions

link to this assumption " You have already secured your Home Assistant instance, following the advice " has to be changed to … https://www.home-assistant.io/docs/configuration/securing/

0, 1, 2, 3 = OK (HA Android app connected to HA by http:subdomain.duckdns.org:8123 + TFA authentication)

Great guide, however I’m using homeassistant docker and it errors when trying to install certbot. Looks like the docker image is stripped down the bare basics, any idea on how to get around this? thanks

bash-5.0$ apt-get install certbot -y
bash: apt-get: command not found

Is this manual intended for use on a separate install on Raspbian? I get stuck when I want to log in with SSH. I can’t do sudo there!

1 Like

I’m 75% down the road, currently at the ssl-cert-check step, but I have encountered a couple of problems:

  1. If I delete the ha_test port forwarding rule (8123->local_ip:8123) home assistant becomes unreachable (with the ha_test rule in place, it works perfectly using https://myduckdnsurl:8123)
  2. Even with ha_test rule, when accessing home assistant using the duckdns domain with https, I lose access to several external tools (i.e. node-red, esphome) running in other virtual machines which are accessed with their local ips in a configuration.yaml panel_iframe section.
    Moreover, I have two other local services (appdaemon, and configurator/file-explorer) which also stopped working

btw, my home-assistant is running in a freebsd jail

  • How do I test the port forwarding situation?
  • What do I do with integrated external services (either running on the same IP as home assistant or another IP in the same home network)?

Hey guys,

I created a video in GERMAN / deutsch how to use Let’s Encrypt together with DuckDNS.
Perhaps it is also helpful for some of you: https://youtu.be/O9J7v08PT9c

Best regards, Tristan

1 Like

Thanks guys for this guide. I have an issue with installing TLS/SSL with Let’s Encrypt. My outside ports 80 & 443 are blocked by the Unifi USG Pro-4. So I can do a forward rule on my firewall, but before this rule works the USG Pro-4 takes control. I could not find anything to switch off these two ports on the USG. For this reason I can’t use outside ports 80 & 443. So when I run

sudo certbot certonly --standalone --preferred-challenges http-01 --email [email protected] -d xxx.yyy.org

I get following error message

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for XXXX
Cleaning up challenges
Problem binding to port 80: Could not bind to IPv4 or IPv6.

Any ideas how I can fix that so that Let’s Encrypt is using another port?

Thanks in advance, Tom

Hi Tom

Good to see you here :smile: Let’s connect tomorrow to check your USG Configuration. I had no problems setting up the PortForwarding on my USG.

BTW: I’m getting blocked by your PI-Hole when accessing your public URL on port 80…

You’ve probably solved this already, but to help others out: when using the dockerized Home Assistant, the correct command is apk add certbot. It’s using Alpine Linux.

Reporting that everything worked fine with hass-in-container on raspbian-buster, EXCEPT that the android-companion-app cannot connect from inside my local network, since my router does not support loopback, so I’m stuck with https://<local-ip>:8132, which needs manually overriding security warnings. I guess the browser embedded in the android-app does not prompt for those overrides.
I can still log into hass using a browser page, but presence does not work when inside my network.

I can think of 3 ways out:

  1. proxy HASS through apache/nginx so SSL terminates on the proxy, and 8132 remains plain http;
  2. fix android-app to ignore the security warning when accessing the internal-URL / from home-wifi, or even have a separate tick-option to allow this exception;
  3. SplitBrain DNS.

Any suggestions welcome!

1 Like

Just trying this out, but was wondering if Option 2 would work in a Docker HA installation (on Lubuntu)?
My concern is that the certbot script would be located correctly, and that there would be no permissions issues?

shell_command:
  renew_ssl: certbot renew --quiet --no-self-upgrade --standalone --preferred-challenges http-01

Edit: if I try running the renew_ssl command from the HA console I get an error (return code 127)

1 Like

Excellent post! I spent hours looking at how to have SSL in my home assistant core mounted on docker-compose.
I was finally able to do it by following his steps and adding the corresponding volume:

volumes:
  - /home/pi/homeassistant:/config
  - /etc/letsencrypt/archive/mydomain.duckdns.org:/config/ssl
  - /etc/localtime:/etc/localtime:ro

And this in configuration.yaml of Home Assistant:

http:
  ssl_certificate: /config/ssl/fullchain1.pem
  ssl_key: /config/ssl/privkey1.pem

To renew, your commands didn’t work for me, but this command did work:

certbot renew --cert-name mydomain.duckdns.org

Hope this can help someone if they have the same problems as me, thanks for your tutorial!

1 Like

This tutorial does not work in 2022.

5 Likes

Does this tutorial work for DYNU DDNS?

It works with any DYN DNS. You just need a fixed domain name.

I’m working on creating an update but lack the ability to post it. I’ll reply back in this thread once I do.

EDIT: It looks like I’ve been granted the necessary rights to do so! :tada:

You’ll find my post here