Hello everyone,
I have a HA Green and I'm trying to set up Let's Encrypt.
I'm always getting an error and I do not know what I'm doing wrong.
At the Let's Encrypt forum they told me to come ask for help here.
What’s the error?
Happen to have any logs?
Yaml config?
Without any concrete data we cannot help you🤔
When using HTTP challenge you need to open port 80 in your routers firewall and also portforward port 80 to your HA servers IP on port 80.
Your HA should run on another port, which could probably be 8123, since that is the normal port for HA.
the error msg:
Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
Domain: XXXX.XXXXXX.net
Type: unauthorized
Detail: PUBLIC IP ROUTER: Invalid response from http://XXXX.XXXXXX.net/.well-known/acme-challenge/XXXXXXXXXXXXX 404 (the XXXX is something else but I don’t know if it’s dangerous to share)
Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.
I opened public port 80 on my router and pointed it to internal port XXX.XXX.X.XX:8123 (internal IP of my HA).
That's the only port change I did on my router.
I used the Let's Encrypt addon:
It says Network at the bottom:
Change the ports on your host that are exposed by the add-on
Here I set the port to 80.
Those are my settings on HA
You need to open port 80 to somewhere where you run your webserver (not home assistant).
I initially used Apache for that on a different machine.
In fact, I still run Apache (as I run HA on a virtual machine, the host I use for many other services, amongst them an Apache webserver).
Actually, I use Apache also as a reverse proxy for HA, which works for me pretty well.
I don't have a webserver.
I just got a Home Assistant Green.
I have a subdomain → I linked it to my router IP address → I opened port 80 on my router and linked it to my internal IP address of Home Assistant.
So I need to run another server to get SSL?
You need a reverse proxy.
You can run that on your home assistant green. I think nginx proxy manager is a popular one for beginners.
You can install this via an addon I believe.
Ok thank you,
I will try this out and come back.
At the moment I'm blocked from trying Let's Encrypt (5 tries/hour).
The reverse proxy enables you to reach your HA machine on your local network using the remote DNS address http://XXXX.XXXXXX.net; it will not solve your challenge issue.
Let's Encrypt offers 2 ways to challenge your request.
You either use an HTTP challenge, for which you must run a web server and open port 80 to it.
Forwarding port 80 to 8123 is not accepted for the HTTP challenge.
The other option is a DNS challenge, but this only works for supported providers.
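To make the HTTP-01 mechanism concrete, here is an added example (not code from the thread or from the Let's Encrypt addon) that models what the standalone responder must do and what the CA's validation request looks like. The token and key authorization are constructed placeholder values; any URL path other than the exact challenge path returns 404, which is the response the original poster's CA saw when port 80 was forwarded to a server that does not serve that path.

```python
import http.server
import socketserver
import threading
import urllib.error
import urllib.request

# Constructed sample values, not real ACME data. A real token comes from the CA
# and the key authorization is token + "." + (account key thumbprint).
TOKEN = "constructedTokenValue123"
KEY_AUTH = TOKEN + ".constructedAccountKeyThumbprint"
CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


class ChallengeHandler(http.server.BaseHTTPRequestHandler):
    """Serve only the challenge path; everything else gets 404."""
    tokens = {TOKEN: KEY_AUTH}  # token -> key authorization the CA expects

    def do_GET(self):
        if self.path.startswith(CHALLENGE_PREFIX):
            body = self.tokens.get(self.path[len(CHALLENGE_PREFIX):])
            if body is not None:
                data = body.encode()
                self.send_response(200)
                self.send_header("Content-Type", "application/octet-stream")
                self.send_header("Content-Length", str(len(data)))
                self.end_headers()
                self.wfile.write(data)
                return
        self.send_response(404)  # what a non-ACME server (or HA on 8123) returns
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_responder(port=0):
    """Start the responder in a background thread; returns (server, bound port).
    Certbot's standalone server would bind the public-facing port 80 here."""
    server = socketserver.TCPServer(("127.0.0.1", port), ChallengeHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def ca_fetch(port, path):
    """Model the CA's validation request; returns (HTTP status, body)."""
    try:
        with urllib.request.urlopen(f"http://127.0.0.1:{port}{path}", timeout=5) as r:
            return r.status, r.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, ""


def validate(port, token=TOKEN, expected=KEY_AUTH):
    """True only if the challenge path returns 200 with the exact key authorization."""
    status, body = ca_fetch(port, CHALLENGE_PREFIX + token)
    return status == 200 and body.strip() == expected
```

The 404 branch is the failure mode in the error message above: the CA reached a web server on port 80, but not one that knew about the token.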
Is there any way to run a webserver on the HA Green?
I tried following this guide without success:
https://theprivatesmarthome.com/how-to/set-up-nginx-proxy-manager-in-home-assistant/
Sadly it didn't work.
I followed this guide
https://theprivatesmarthome.com/how-to/set-up-nginx-proxy-manager-in-home-assistant/
@Xynklon Have you tried forwarding port 80 to ha on port 80?
If that doesn't work, you'll need to use the DNS challenge (which means using one of the supported DNS providers).
In the past I used the HTTP challenge (as I ran my own Apache webserver, but on a Windows host which also ran Certbot). I had a PowerShell script in place to move the generated certificates from W10 to a folder within HA.
To simplify things I switched to a supported DNS provider (I now use TransIP, which was a few bucks cheaper too) after I changed my host to Debian.
I still use Apache and also use it as a reverse proxy server, which means I still don't use the Let's Encrypt addon (but instead configured Certbot on Debian).
There are plenty of free providers too, but you are bound to their main domain and only allowed to choose your own subdomain, e.g. xxxx.duckdns.org.
PS: have a look here
Not sure if it will work, but it says there is a webserver addon for HA
Probably not, as the Let's Encrypt addon needs to have access to the shared folder .well-known/acme-challenge of the webserver in order to store the token (by default that folder is in the Let's Encrypt addon and it looks like that is not configurable but hardcoded).
Calm down!
The Let's Encrypt addon includes an HTTP service that will start up on port 80 (or whatever port you configure in the addon configuration) and provide the challenge.
Once the challenge is accepted and the certificate is received, the addon and the HTTP service will shut down again.
It is important to be aware that the internal port for the HTTP service might be something other than port 80, but the external port that has the port forward set up MUST be port 80, because that is a requirement from Let's Encrypt.
Once you have the certificate you can decide if you want to run a reverse proxy, like NGINX (there is an addon for this), or set up HA directly to run an HTTPS service, or use the certificate for something else.
A reverse proxy will be an extra server in your system, which will translate HTTPS traffic to HTTP.
This will allow HA to run with HTTP, which some devices might require, but still provide HTTPS access for other stuff, like internet-exposed services.
The certificate could also be used for setting up VPN services, which provide a better authentication layer than just HTTPS, but some external services do not work with such a setup, like Google, Amazon and Apple assistants.
I ended up using DuckDNS + reverse nginx proxy and it's all working now.
Thank you for the great help.
This community is awesome!