Letsencrypt on HassIO

I have setup duckdns and letsencrypt and I am now able to access my home assistant with https://xxxx.duckdns.org:8123 .

Having watched the videos from BRUH Automation (both the new HassIO video and the previous video he did for setting up duckdns and letsencrypt on the old home assistant installation) it seems I now need to remove the forwarding I did of port 80, which was no problem, but I also need to forward port 443 external to port 8123 internal.

Now I have tried looking up how to do this on a Sky router, but I am unsure how to do it. Maybe it's not something Sky allow their customers to do?

So at the moment I have port 8123 and 443 forwarded as you can see below. It's working, but I am worried it may not be secure like this.

Hopefully other people have tried setting this up with a sky router and can help, or can see anything I can change from the screenshot below. All I have covered is my internal IP and the service name I gave to 8123.


I have the same issue. I am trying to find a solution. If I come across it … you bet you will be in on it

Thanks, let's hope there is a solution! I have a feeling it may be something Sky routers don't allow and, not being a network expert, I would be worried I'm potentially leaving myself vulnerable with this set up.

You can also try with my add-on

How do I install Let's Encrypt? I use https://home-assistant.io/hassio/ but cannot access any Linux command like sudo.

I have installed it and it's working fine. That's not the issue. The issue I am having is not being able to forward port 443 external to port 8123 internal on my Sky router, which I am not sure how big a security concern that should be to me.

If it's going to leave my network vulnerable with that set up then I need to think about keeping my home assistant local until I get a router which enables me to make the necessary changes.

Can you tell me how to install? I am new to Pi and HA. I am running it on Pi 3.

Sorry I thought you were referring me to the instructions rather than needing help. My bad.

I’m only a couple of weeks into using home assistant too, but the way I did it was by following BRUH Automation’s videos on Youtube. I followed this one from 11:10 to 13:00 >> https://www.youtube.com/watch?v=XWPluWcYRMI&t=761s . He goes through it quickly, so I also watched the older video, which goes into more detail, but you have to ignore the command line parts as they relate to the previous version of home assistant and not HassIO >> https://www.youtube.com/watch?v=BIvQ8x_iTNE&t=557s

Hopefully they will set you on the right path. If you have any questions about any parts I will do my best to answer.


I was using the Sky Hub and just forwarded 443 for both external and internal ports.

But the Sky Hub has been really bad for me (timing out when changing settings, setting static IPs, forwarding ports etc.)

I’ve ended up switching to my previous setup of a BT fibre modem plugged into an AirPort Extreme. So much easier to use than Sky :roll_eyes:

Sounds like you had it set up like I have now. I have forwarded 443 as shown in the screen shot, but I am wondering if it is a security issue if I can’t forward external 443 to internal 8123. I’m not a networking expert.

I know what you mean about the sky hub. It has been frustrating me too. Took several attempts to save any changes because of the time out message every time I tried to make a change! I have a 3 story house and on the top floor the wifi is sketchy too. Thinking of getting a better router soon.

Yeah, I’m no security expert either, so have no idea if leaving those ports open could be a security issue.

I read lots of people complaining about the Sky router, so I think using some other hardware is a good way to go.

Thanks, I made it work now.

You can try my setting in configuration.yaml:

http:
  server_port: 443
  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem

With this I can access it on the local LAN using https://ip and https://duckdnsaddress.
You can also try enabling DMZ if port forwarding does not work.

Thanks. I was ready to give up on Lets Encrypt. My router won’t let me map 443 to 8123 so I just have 443 to 443. Your suggestion to change server_port to 443 worked.
A few questions.
On the local LAN it comes up Privacy Error, Not Secure which you can ignore and connect anyway. Do you get the same thing?
Externally I get an “i” in a circle warning instead of a padlock icon when I connect. Is that the same for you?

I get the secure padlock when I log in from anywhere. Not sure why you would be getting different.

I use chrome as my browser. It doesn’t work with IE. I get the login box, but when I enter the password and hit enter nothing happens.

Thanks again. I tried uninstalling Lets Encrypt and reinstalling it but the result was the same. Access not secure.

Going back to the WARNING: "This add-on need port 80/443 to verify the certificate request, please stop all add-ons that also use these ports, or you may not be able to start this add-on." I tried turning off the only 3 other add-ons I have installed: Samba, SSH and Duck. I could START Lets Encrypt and it reported "started", but when I went to another page and came back it had stopped. Is this normal?

Thinking it might be something in my configuration.yaml file, I reloaded the default file that comes with the Hassio install. And surprise, it worked! Well, not completely. Externally I got the padlock. Internally I got "not secure". I thought "Great, I can live with that!" But when I reloaded my personal configuration.yaml file it went back to the circle "i" warning. Could "emulated Hue" or some other component be interfering?

I find the WARNING about using Lets Encrypt confusing. First of all there is no mention about port forwarding. To most people the need for port forwarding may be obvious but for me I might think that it is no longer necessary. If it is still required is it only for the first time you start Lets Encrypt? Does it need to be a permanent port forward? And if you don’t have a router that can forward port 443 to 8123 should you not even try? Do you need to open ports whenever the key is renewed?

It would be helpful if there is a list of the built-in add-ons that should be shut off when starting Lets Encrypt.

Found my problem by process of elimination. Deleted the “Yahoo Weather Sensor” and Lets Encrypt now works. I get the secure padlock externally (but not internally).

Hi, I tried a few times using Letsencrypt but failed to start it. I have emulated hue running. This is my port forwarding setup:

incoming WAN port 80 map to home assistant LAN port 8123
incoming WAN port 443 map to home assistant LAN port 8123

Am I doing it right? Because I couldn't start Letsencrypt on hassio.

Turn off emulated_hue.
ports: 80 to 80
443 to 443
8123 to 8123
Get certs, make sure all installs, then go back in to your router and disable the forwards for 80 and 443 and 8123 and make a single forward for 443 to 8123. Done.

Also, FYI, installing letsencrypt on hass.io will break configurator and hadashboard, if you use those. Consider yourself warned.

You'll only be secure without a warning when accessing the site from the domain that you have the Let's Encrypt certificate for, i.e. Xxxx.Duckdns.blah.
If you access via IP or an internal domain name then the cert will not match, hence you get the security warning.
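Added example, not from this thread or the add-on: a small hostname matcher that shows why the browser only trusts the certificate when you use the DuckDNS name. The SubjectAltName list is constructed here, using the thread's placeholder `xxxx.duckdns.org`; the LAN address and `.local` name are assumed sample inputs.

```python
import ipaddress

# Constructed sample: the SubjectAltName entries a Let's Encrypt certificate
# for the thread's placeholder DuckDNS hostname would carry (not a real cert).
CERT_SAN = [("DNS", "xxxx.duckdns.org")]


def _dns_match(pattern: str, host: str) -> bool:
    """RFC 6125-style comparison: case-insensitive, wildcard only in the leftmost label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    p_labels, h_labels = pattern.split("."), host.split(".")
    if len(p_labels) != len(h_labels) or p_labels[0] != "*":
        return False
    # A wildcard covers exactly one label and needs at least two fixed labels after it.
    return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]


def cert_matches(san_entries, requested: str) -> bool:
    """True if the name typed into the browser is covered by the certificate's SANs.
    An IP literal (https://192.168.x.x) only matches an explicit IP SAN entry,
    never a DNS entry, which is why LAN access by IP produces a warning."""
    try:
        ip = ipaddress.ip_address(requested)
    except ValueError:
        ip = None
    for kind, value in san_entries:
        if ip is not None:
            if kind == "IP" and ipaddress.ip_address(value) == ip:
                return True
        elif kind == "DNS" and _dns_match(value, requested):
            return True
    return False


def explain(requested: str) -> str:
    """Human-readable verdict for one way of reaching the Home Assistant instance."""
    if cert_matches(CERT_SAN, requested):
        return f"{requested}: matches the certificate, browser shows the padlock"
    return f"{requested}: not in the certificate's SubjectAltName, browser warns"


if __name__ == "__main__":
    # Assumed sample inputs: the public name, a LAN IP and a local mDNS name.
    for name in ["xxxx.duckdns.org", "192.168.1.10", "homeassistant.local"]:
        print(explain(name))
```

A second DuckDNS-style name or a LAN IP only stops warning if it is actually listed in the certificate, so the fix is to always use the issued hostname rather than to click through the warning.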

Thank you very much for that explanation. I didn’t know that.