Let's Encrypt

have you added the SSL cert locations to your config file?

Another possible configuration would be to set up an Apache/nginx front end, configure a reverse proxy, and keep the SSL configuration separate from the HASS config.

This would give you more options for authentication as well, allowing say ldap or mod_auth_openidc for SSO authentication.

Yes, I have

Finally, with a lot of trying it is working! :grinning:

I had this information in an included secret file, and then, for me, it was not working.
Now I have the http: information in the configuration.yaml file and now it works.

Is it not possible, if you use https, to put the http login information in an included secret.yaml?

Thanks for the information and helping, everyone.

…so I followed the instructions as well, but I am getting the following error:

16-12-20 10:50:16 homeassistant.bootstrap: Invalid config for [http]: not a file for dictionary value @ data['http']['ssl_certificate']. Got '/etc/letsencrypt/live/sitename.duckdns.org/fullchain.pem'
not a file for dictionary value @ data['http']['ssl_key']. Got '/etc/letsencrypt/live/sitename.duckdns.org/privkey.pem'. (See /home/hass/.homeassistant/configuration.yaml:22).

Any ideas? Running version 0.33.3

Can you display this part of your code? Without password :slight_smile:

@rmdejonge I presume you mean from the config file?

http:
api_password: password
ssl_certificate: /etc/letsencrypt/live/sitename.duckdns.org/fullchain.pem
ssl_key: /etc/letsencrypt/live/sitename.duckdns.org/privkey.pem

For sure:
1. In your code you have it displayed like this, not in one row?
2. And you are sure that the files are in the location as displayed?
3. You must change the link to your website/duckdns name like:
thisismysite.duckdns.org/privkey.pem etc…

http:
   api_password: password
   ssl_certificate: /etc/letsencrypt/live/sitename.duckdns.org/fullchain.pem 
   ssl_key: /etc/letsencrypt/live/sitename.duckdns.org/privkey.pem

thanks @rmdejonge

  1. Yes they are indented 2 spaces
  2. files are there - I just double checked
  3. yes the name is a FQDN

funny thing is, HA won’t start with the 2 SSL config lines in there. Once they are commented out, the site is active and the password is enforced.

Try adding single quotes around your ssl paths. Not sure if it matters or not but that’s how I have mine and they work.

ssl_certificate: '/etc/letsencrypt/live/sitename.duckdns.org/fullchain.pem'
ssl_key: '/etc/letsencrypt/live/sitename.duckdns.org/privkey.pem'

My other suggestion is to use Notepad++ to edit your yaml files and set it up to show white space and tabs.

View > Show Symbol > Show white space and tabs

When I was starting out a lot of my issues ended up being related to spacing and tabs, especially if copying and pasting from examples.

thanks @Mike_D but that didn’t work either - although I did verify that there is no white-space/tab issue with Notepad++

could this be caused by a bad SSL?

Hi @pjo I have exactly the same issue. Have you been able to resolve it?

Those of you that have Let’s Encrypt working in a virtualenv, where have you installed certbot? Did you do it from your admin account (I’m running Ubuntu 16.04) or after becoming the virtualenv user (ie after doing step 3 of the virtualenv installation instructions) or after becoming and activating the virtualenv (steps 3 and 5 of the installation)?
I am presuming the latter, so that the same account is running home assistant and managing the certificates, but can’t even get the mkdir certbot command to work because of permissions issues.
I recall seeing somewhere that we may need to make the homeassistant user a sudoer, but doesn’t that negate the benefits of running a virtualenv?

Hello!

Has anybody tried to set up SSL with the "Let's Encrypt" add-on?

addon does not start up without ssl in configuration and hassio does not start up WITH ssl path in config!

Where do I get the SSL files to put them in the folders manually?

thx in advance

How about using the DuckDNS add-on? It includes Let's Encrypt by default.

This one:
image

thank you. i will try that

Hello!

just set up the duckDNS add-on. seems to work:
the ssl files are located in /ssl/xxx.pem
is it normal that they are OUTSIDE the config folder? do I have to change the path in the config?

in config.yaml is:

http:
  base_url: https://mydomain.duckdns.org:8123
  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem

duckdns add-on log:

# INFO: Using main config file /data/workdir/config
+ Account already registered!
Sun Jun  2 15:46:22 CEST 2019: OK
2xx.xxx.xxx.xxx
NOCHANGE
# INFO: Using main config file /data/workdir/config
Processing panoramabar.duckdns.org
 + Checking domain name(s) of existing cert... unchanged.
 + Checking expire date of existing cert...
 + Valid till Aug 31 05:38:53 2019 GMT Certificate will not expire
(Longer than 30 days). Skipping renew!

but editing the config with the https address and certificates causes these errors after reboot:

2019-06-02 15:35:35 WARNING (ThreadPoolExecutor-1_0) [pycec] Not initialized. Waiting for init.
2019-06-02 15:35:36 WARNING (ThreadPoolExecutor-1_0) [pycec] Not initialized. Waiting for init.
2019-06-02 15:35:37 WARNING (ThreadPoolExecutor-1_0) [pycec] Not initialized. Waiting for init.
2019-06-02 15:35:38 WARNING (ThreadPoolExecutor-1_0) [pycec] Not initialized. Waiting for init.
2019-06-02 15:35:39 WARNING (ThreadPoolExecutor-1_0) [pycec] Not initialized. Waiting for init.
2019-06-02 15:35:40 WARNING (ThreadPoolExecutor-1_0) [pycec] Not initialized. Waiting for init.
2019-06-02 15:35:41 ERROR (MainThread) [homeassistant.core] Error doing job: SSL handshake failed
Traceback (most recent call last):
  File "uvloop/sslproto.pyx", line 500, in uvloop.loop.SSLProtocol._on_handshake_complete
  File "uvloop/sslproto.pyx", line 484, in uvloop.loop.SSLProtocol._do_handshake
  File "/usr/local/lib/python3.7/ssl.py", line 763, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: HTTP_REQUEST] http request (_ssl.c:1056)

no clue what the problem is…

thank you in advance guys

That is normal.

No

If you have a working http: config as you posted, what are you trying to change which is breaking it?

Hello

What I mean with editing the http is the file path to the SSL files. And after reboot I get this error message:


Invalid config for [http]: not a file for dictionary value @ data['http']['ssl_certificate']. Got '/ssl/fullchain.pem'
not a file for dictionary value @ data['http']['ssl_key']. Got '/ssl/privkey.pem'. (See /config/configuration.yaml, line 55). Please check the docs at https://home-assistant.io/components/http/

The files are there.
What I think is that hass.io stores the files in /ssl/ and homeassistant wants the files in /config/ssl/

Not sure how to test that.

thx
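One way to test what the posts above run into, as an added example that is not part of the thread or of Home Assistant's code: the "not a file" message alone does not say why the check failed, and Python's `os.path.isfile` returns False both when a file is absent and when the calling user cannot traverse a parent directory or reach a symlink target. The hypothetical `diagnose` helper below walks the path component by component; it assumes it is run as the same user, and inside the same container or virtualenv, as Home Assistant.

```python
import os
import stat
import sys


def diagnose(path):
    """Explain why `path` is not usable as a certificate/key file for this user.

    Walks the path one component at a time so that an unsearchable parent
    directory or a broken symlink is named, instead of a bare "not a file".
    """
    path = os.path.abspath(os.path.expanduser(path))
    parts = [p for p in path.split(os.sep) if p]
    current = os.sep
    for part in parts:
        # Search (x) permission on a directory is needed to look up names in it.
        if not os.access(current, os.X_OK):
            return f"no search permission on directory {current}"
        current = os.path.join(current, part)
        if not os.path.lexists(current):
            return f"missing: {current}"
        # A symlink whose target cannot be stat'ed looks like a missing file.
        if os.path.islink(current) and not os.path.exists(current):
            return (f"symlink target missing or not reachable by this user: "
                    f"{current} -> {os.readlink(current)}")
    if not stat.S_ISREG(os.stat(current).st_mode):
        return f"not a regular file: {current}"
    if not os.access(current, os.R_OK):
        return f"not readable by uid {os.getuid()}: {current}"
    return "ok"


if __name__ == "__main__":
    # Defaults are the paths quoted in the thread; pass your own as arguments.
    for p in sys.argv[1:] or ["/ssl/fullchain.pem", "/ssl/privkey.pem"]:
        print(f"{p}: {diagnose(p)}")
```

If a directory turns out to be unsearchable, giving the Home Assistant account group read access to the certificate directories is a narrower fix than making that account a sudoer.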

Hi.
I use no-ip DDNS. All worked fine. Yesterday I tried to renew the SSL files. I get a timeout error in config.
Port forwarding is OK.
I use:
Ubuntu host in VirtualBox
Docker
Hassio
Let's Encrypt
Nginx