Let's Encrypt SSL Certificate Cannot be Used

Hey guys, I am new to HA and have been playing around with it in Docker. I am trying to access it externally through DDNS, but my personal domain name requires SSL. I have tried all of the guides to add my letsencrypt certificate, but home assistant refuses to work.

This is in my configuration.yaml:

# Uncomment this if you are using SSL/TLS, running in Docker container, etc.
http:
  ssl_certificate: /ssl/live/server.mydomain.tld/fullchain.pem
  ssl_key:         /ssl/live/server.mydomain.tld/privkey.pem

It keeps giving me this error which breaks the whole system:

2023-01-03 00:18:21.827 ERROR (MainThread) [homeassistant.setup] Error during setup of component http
Traceback (most recent call last):
  File "/usr/src/homeassistant/homeassistant/components/http/__init__.py", line 360, in _create_ssl_context
    context.load_cert_chain(self.ssl_certificate, self.ssl_key)
PermissionError: [Errno 1] Operation not permitted

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "/usr/src/homeassistant/homeassistant/setup.py", line 253, in _async_setup_component
    result = await task
  File "/usr/src/homeassistant/homeassistant/components/http/__init__.py", line 185, in async_setup
    await server.async_initialize(
  File "/usr/src/homeassistant/homeassistant/components/http/__init__.py", line 277, in async_initialize
    self.context = await self.hass.async_add_executor_job(
  File "/usr/local/lib/python3.10/concurrent/futures/thread.py", line 58, in run
    result = self.fn(*self.args, **self.kwargs)
  File "/usr/src/homeassistant/homeassistant/components/http/__init__.py", line 363, in _create_ssl_context
    raise HomeAssistantError(
homeassistant.exceptions.HomeAssistantError: Could not use SSL certificate from /ssl/live/server.mydomain.tld/fullchain.pem: [Errno 1] Operation not permitted

I know some users had issues because HA didn’t have access to the full letsencrypt folder path, but I fixed that by adding the following volume mapping to the compose file:

- /private/etc/letsencrypt:/ssl

I confirmed it worked by using the CLI to test if every folder in the /ssl directory was available. They all were. Does anyone know what else may be causing this error?

Personally I’d use a proxy server to handle SSL.

However, if you want to continue this way, I’d open a shell inside the container and see if you can read /ssl/live/server.mydomain.tld/fullchain.pem.

docker exec -it homeassistant bash
head /ssl/live/server.mydomain.tld/fullchain.pem

Yes, it shows the cert.

What is the output of following command when executed from a client machine?

curl --verbose https://<url>

and the URL is the location of HA machine.

* Rebuilt URL to: https://server.mydomain.tld:8123/
*   Trying [ip address]...
* TCP_NODELAY set
* Connected to server.mydomain.tld (ip) port 8123 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
* stopped the pause stream!
* Closing connection 0
curl: (35) error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol

The signed certificate that you have will look something like this:

-----BEGIN CERTIFICATE-----
MIIGsjCCBZqgAwIBAgIQCTaYT9gNC0RFj3x3zaPxZDANBgkqhkiG9w0BAQsFADBw
...
-----END CERTIFICATE-----

Post the output of following command, you may need to install openssl if it is not already installed:

openssl x509 -in <certificate_file> -text

And redact any sensitive information from the output, especially location, address, emails and phone numbers.

PS: From the output you posted, “CApath: none” is most likely the source of the problem: the certificate is not set up properly, as the OS cannot find the CA certificate to authenticate.

Here is the output:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            [REDACTED]
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Let's Encrypt, CN = R3
        Validity
            Not Before: Dec 31 03:05:23 2022 GMT
            Not After : Mar 31 03:05:22 2023 GMT
        Subject: CN = server.mydomain.tld
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:20:42:11:6a:8b:b5:87:d1:1e:61:95:f3:33:5f:
                    d3:90:3c:79:6e:98:54:3c:e7:c7:e8:3f:60:52:f8:
                    7e:9c:8e:ca:97:0a:fb:06:5a:5b:1a:29:e8:9d:35:
                    3f:e5:21:f7:5d:0f:bf:b2:49:19:3c:eb:5b:40:a7:
                    5b:88:71:3b:1e
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier: 
                F2:64:5D:57:CA:EF:0E:F5:39:71:40:14:3F:34:FD:E2:DC:D0:AA:E0
            X509v3 Authority Key Identifier: 
                keyid:14:2E:B3:17:B7:58:56:CB:AE:50:09:40:E6:1F:AF:9D:8B:14:C2:C6

            Authority Information Access: 
                OCSP - URI:http://r3.o.lencr.org
                CA Issuers - URI:http://r3.i.lencr.org/

            X509v3 Subject Alternative Name: 
                DNS:server.mydomain.tld
            X509v3 Certificate Policies: 
                Policy: 2.23.140.1.2.1
                Policy: 1.3.6.1.4.1.44947.1.1.1
                  CPS: http://cps.letsencrypt.org

            CT Precertificate SCTs: 
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 7A:32:8C:54:D8:B7:2D:B6:20:EA:38:E0:52:1E:E9:84:
                                16:70:32:13:85:4D:3B:D2:2B:C1:3A:57:A3:52:EB:52
                    Timestamp : Dec 31 04:05:23.631 2022 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:46:02:21:00:96:C3:E7:50:6D:A3:E2:A3:80:68:EC:
                                97:D6:BD:21:89:69:50:1F:25:C6:CC:87:3B:F4:F4:20:
                                9B:49:50:30:74:02:21:00:8B:C4:76:44:7C:F4:07:8A:
                                7F:97:3F:EC:DC:5B:25:8E:B1:5C:FC:70:17:88:38:5F:
                                E6:82:C7:8B:AF:92:57:FA
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : AD:F7:BE:FA:7C:FF:10:C8:8B:9D:3D:9C:1E:3E:18:6A:
                                B4:67:29:5D:CF:B1:0C:24:CA:85:86:34:EB:DC:82:8A
                    Timestamp : Dec 31 04:05:23.755 2022 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:45:02:20:1F:C8:45:54:74:F5:98:D9:4D:50:EB:FF:
                                A2:C8:BA:2B:B6:FB:E5:B1:D7:44:9A:D3:0E:ED:7E:97:
                                1B:F6:53:FE:02:21:00:D8:63:CF:AD:FF:60:94:A0:F9:
                                EC:CB:27:39:1B:B2:B9:48:A6:30:E9:41:0C:4B:9E:B6:
                                69:5F:8D:2D:79:40:A2
    Signature Algorithm: sha256WithRSAEncryption
         6d:f7:05:ba:8b:2f:75:fa:56:f7:2c:39:21:59:73:e6:47:2e:
         a8:f5:b0:54:e9:ff:88:43:fc:d1:50:2e:6c:e0:44:b2:1d:48:
         34:be:96:a5:c3:74:ef:d1:7c:80:41:d2:c7:af:b1:fc:aa:d8:
         e5:d9:88:d9:f4:61:25:5d:c8:aa:19:a0:6e:ed:1b:6b:e9:01:
         17:a9:96:68:aa:2c:f3:e8:47:f0:9b:3b:90:6a:78:ee:8e:c4:
         b5:91:c8:27:e7:69:81:8d:a2:f5:d0:7b:40:89:26:55:91:44:
         db:ea:8e:c3:4f:eb:e9:75:f9:b3:a4:c7:c5:54:7e:6d:82:23:
         1b:e7:6b:26:20:2d:87:41:68:22:f7:72:59:ba:48:c3:26:a4:
         60:68:02:93:ad:bc:51:28:ad:0e:68:16:17:5e:32:45:34:5c:
         eb:0c:2b:53:7f:1c:40:8e:9d:32:ed:91:f4:ab:b4:3b:b5:a9:
         cb:db:26:e9:60:07:50:5d:5a:c1:7f:93:7e:6c:16:95:87:e3:
         23:74:ac:b4:54:6e:b7:85:62:81:1b:47:91:94:c8:85:45:59:
         ef:f0:e5:bc:c5:9c:19:82:45:90:76:c2:57:21:b9:1f:7c:79:
         31:e3:63:26:9f:bd:ab:ed:9c:2f:7c:60:25:f1:8b:11:69:c2:
         bc:b5:67:62
-----BEGIN CERTIFICATE-----
MIIEaDCCA1CgAwIBAgISAw9pwxW6qNBxDr6YGY+FCBsUMA0GCSqGSIb3DQEBCwUA
..............
-----END CERTIFICATE-----

Great, seems like you listed the correct domain while requesting certificate:

 Subject: CN = server.mydomain.tld

Now check the output of following command from the client machine accessing HA:

 ls /etc/ssl/certs/

Do you see Let’s Encrypt in the list of names? If not, then it means that the Let’s Encrypt CA certificate is not installed on the OS.

That directory is completely empty.

Wait. I think I misunderstood. Did you mean that I should run that command in HA? If so, the HA output is


Not from HA machine but from the machine where you are trying to access server.mydomain.tld.

If you see blank directory or Let’s Encrypt missing then run this command:

update-ca-certificates

And check the output of:

ls /etc/ssl/certs/

That command was not found. Also, the issue is not with accessing HA. It is with starting HA. HA is failing to start http because it cannot read the SSL cert for some reason. See my initial post:

Try moving “fullchain.pem” and “privkey.pem” to /ssl folder and then try a simpler configuration like below to see if you still get the error:

http:
  ssl_certificate: /ssl/fullchain.pem
  ssl_key:         /ssl/privkey.pem

Actually, I think the error has magically disappeared. I have zero clue what I did differently, but it is gone. I do have to use the complex path configuration though because fullchain.pem and privkey.pem are aliases for files in a different folder that docker says it does not have access to. This is just how LetsEncrypt does things.

Now the issue is all of my computers (Windows, Mac, and iOS) all say ERR_SSL_PROTOCOL_ERROR when I try to use https to access the site.

Wait. Nope. I lied. Docker was using the wrong config file and was not looking at the one where I had my SSL files listed. We’re right back to getting the original error.

What if you point it directly to the actual files?

It appears to start without any errors, but it still does not let me access it with https.

It’s either going to start without errors with HTTPS, or no HTTPS and errors… or you’ve not actually configured it correctly.

You’re right. Silly mistake. Modified the config in nano instead of my normal VS code and forgot to remove the comments because I didn’t have the colors to remind me. It still says that operation is not permitted.

That error is likely permissions. The user running HA in the container can’t read the file(s).
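As an added diagnostic (not code from the thread or from Home Assistant itself), this script repeats the `load_cert_chain` call from the traceback above, but first walks the certbot `live/` symlink chain hop by hop so a target outside the bind mount, a file the container uid cannot read, and a file OpenSSL cannot parse are reported as distinct verdicts. The layouts in `demo_scenarios()` are constructed for illustration; run `diagnose_cert_chain()` inside the container as the user HA runs as to check real paths.

```python
import errno
import os
import ssl
import tempfile
from pathlib import Path

def trace_symlinks(path: str) -> list:
    """Follow a certbot-style chain (live/ -> ../../archive/) one hop at a time,
    recording per hop whether the entry exists and whether this uid can read it."""
    hops, current = [], Path(path)
    for _ in range(16):  # bound the walk in case of a symlink loop
        hop = {"path": str(current), "is_symlink": current.is_symlink(),
               "exists": current.exists(),  # False for a dangling link
               "readable": os.access(current, os.R_OK)}
        if not current.is_symlink():
            hops.append(hop)
            break
        hop["target"] = os.readlink(current)
        hops.append(hop)
        # relative link targets resolve against the link's own directory
        current = current.parent / hop["target"]
    return hops

def diagnose_cert_chain(cert_path: str, key_path: str) -> dict:
    """Repeat the load that failed in the traceback and classify the outcome."""
    report = {"cert": trace_symlinks(cert_path), "key": trace_symlinks(key_path)}
    for name in ("cert", "key"):
        last = report[name][-1]
        if not last["exists"]:
            report["verdict"] = f"{name}: {last['path']} is missing inside the container (volume mapping?)"
            return report
        if not last["readable"]:
            report["verdict"] = f"{name}: not readable by uid {os.getuid()} (ownership/mode)"
            return report
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.load_cert_chain(cert_path, key_path)
    except PermissionError as exc:  # errno 1 = EPERM, errno 13 = EACCES
        report["verdict"] = f"PermissionError {errno.errorcode.get(exc.errno, exc.errno)} from the kernel"
    except ssl.SSLError as exc:  # readable, but OpenSSL cannot parse it
        report["verdict"] = f"SSL error: {exc.reason or exc}"
    else:
        report["verdict"] = "ok"
    return report

def demo_scenarios() -> dict:
    """Constructed layouts: a dangling live/ link (archive/ outside the mount) and a non-PEM file."""
    root = Path(tempfile.mkdtemp())
    link = root / "live" / "server.example" / "fullchain.pem"
    link.parent.mkdir(parents=True)
    link.symlink_to("../../archive/server.example/fullchain1.pem")  # archive/ never created
    junk = root / "junk.pem"
    junk.write_text("not a certificate\n")
    return {"dangling": diagnose_cert_chain(str(link), str(link)),
            "junk": diagnose_cert_chain(str(junk), str(junk))}
```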