Problem installing Hassbian and LetsEncrypt

I’m following the “Remote Access With TLS/SSL via Let’s Encrypt” guide with a Hassbian installation.

But when I get to step 5, after I change the http: lines in configuration.yaml, I cannot access Home Assistant anymore.

If I type IPaddress:8123 I get a “site can’t be reached” error.

I get two warnings in home-assistant.log, but no errors.

Any ideas?

If you’re on step 5 you should be using your duckdns address, with https at the start and no port number.

I tried that, but no luck.

Any other ideas for troubleshooting?

Every other check until this point has passed with no issues

Not without knowing exactly which bit you got to.

From SSH you can see a folder named after your duckdns url when you run the command ls /etc/letsencrypt/live/ ?

You’ve updated the access permissions for the letsencrypt folders?

You’ve copied the entries into your http configuration exactly, changing the url to match yours exactly, and then restarted HA?

You’ve made sure HA did restart, and that there are no yaml errors (indentations / erroneous whitespace)?

You’ve set port forwarding on your router from 443 outside to 8123 inside and removed any other rules for those two ports?

Typing https://YOUR-URL.duckdns.org from outside your network gives you what errors?

Typing https://your.ip.address:8123 from inside your network and accepting the certificate warnings gives you what error?

What does your log say about any of this?

I had a huge problem getting LS to work, so I reset everything and followed these steps (note… I made some changes to the steps to fit my needs),
and I did not use duck.org, I use no-ip.

############################################################
################ Installing LetsEncrypt ################
############################################################

  1. Set up a DNS server so that you don’t have to remember your public IP address every time you want to access Home Assistant. (DuckDNS, No-IP, etc.)
  2. Set up encryption so that your traffic between your Home Assistant server and client device cannot be intercepted.
  3. You need to temporarily forward ports 80 (http connections) and 443 (https connections) on your router. This is only needed so Let’s Encrypt can verify your network. Check your router-specific instructions on how to set this up.
  4. Connect to your Pi using Putty, login with your account name (pi) and password.

  5. Enter:
    a. $ git clone GitHub - certbot/certbot: Certbot is EFF's tool to obtain certs from Let's Encrypt and (optionally) auto-enable HTTPS on your server. It can also act as a client for any other CA that uses the ACME protocol.
    b. $ cd letsencrypt
    c. $ ./letsencrypt-auto certonly --email [email protected] -d your.domain.com
    On the “how would you like to authenticate with the Let’s Encrypt CA?” page select “Automatically use a temporary webserver (standalone)”

  6. Remove the port forwards :80 from setup earlier, and set port 443 (external) to forward to port 8123 (internal) in your router settings.

  7. Enter:
    $ sudo chmod -R 777 /etc/letsencrypt

You should now be able to access Home Assistant from external networks by going to https://your.domain.com/. As an FYI, this certificate is only good for 90 days. You will need to repeat steps 5 and 6 (making sure you temporarily open ports 80 and 443 first on your router) to get a new certificate.

  8. Add configuration to your configuration.yaml
    http:
      api_password: YOUR_PASSWORD
      ssl_certificate: /etc/letsencrypt/live/your.domain.com/fullchain.pem
      ssl_key: /etc/letsencrypt/live/your.domain.com/privkey.pem
      base_url: your.domain.com
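
The `chmod -R 777 /etc/letsencrypt` step in the post above makes the private key readable, and every certificate file replaceable, by any local account. The audit below is an added example, not part of the original post or of any guide it quotes; `audit_le_perms` and `make_sample_tree` are hypothetical helper names, and the tree it inspects is constructed in a temp directory rather than a real `/etc/letsencrypt`.

```shell
#!/bin/sh
# Added example: audit a Let's Encrypt tree for the state `chmod -R 777` leaves.

# Print one finding per line. Returns 0 if the tree is clean, 1 otherwise.
# Symlinks are skipped: live/ holds links into archive/, and link mode bits
# say nothing about who can read the target.
audit_le_perms() {
    findings=$(
        find "$1" ! -type l -perm -0002 -print | sed 's/^/world-writable: /'
        find "$1" -type f -name 'privkey*.pem' -perm -0004 -print |
            sed 's/^/world-readable key: /'
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Build a constructed tree that mirrors the live/ and archive/ layout.
# Not a real /etc/letsencrypt; the files are empty placeholders.
make_sample_tree() {
    root=$(mktemp -d)
    d=your.domain.com
    mkdir -p "$root/archive/$d" "$root/live/$d"
    : > "$root/archive/$d/privkey1.pem"
    : > "$root/archive/$d/fullchain1.pem"
    chmod -R u=rwX,go=rX "$root"            # dirs 755, files 644
    chmod 600 "$root/archive/$d/privkey1.pem"
    ln -s "../../archive/$d/privkey1.pem" "$root/live/$d/privkey.pem"
    ln -s "../../archive/$d/fullchain1.pem" "$root/live/$d/fullchain.pem"
    printf '%s\n' "$root"
}

# Demo: clean tree first, then the same tree after the recursive 777.
tree=$(make_sample_tree)
audit_le_perms "$tree" && echo "baseline: no findings"
chmod -R 777 "$tree"
audit_le_perms "$tree" || echo "after chmod -R 777: findings listed above"
rm -rf "$tree"
```

Run as `audit_le_perms /etc/letsencrypt` (with sudo) on the Pi to see which paths need tightening.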

I don’t know what guide that is from, but it’s not my one from the docs.

You probably can just skip through most of it, but make sure that you have definitely done everything in each step. If you haven’t, redo the step in its entirety.

This should iron out any issues from using other guides.

If you do decide to redo it all from scratch, that whole guide should take about 40 minutes to an hour depending on your technical ability.

Yes

Yes

Yes, I changed the entries to mydomain.duckdns.org
I restarted HA and rebooted my Pi as well

I did a config check_config and I got no errors
I’m not sure how to check that HA did restart.

Yes, I have the 443 to 8123 rule

It takes me to my router configuration page, where it asks for username and password

This site cannot be reached

2017-07-04 07:56:15 WARNING (Recorder) [homeassistant.components.recorder] Ended unfinished session (id=30 from 202017-07-04 07:56:45 WARNING (MainThread) [homeassistant.components.media_player.apple_tv] A <class ‘pyatv.exceptions.AuthenticationError’> error occurred: failed to login: 403
2017-07-04 07:56:55 WARNING (MainThread) [homeassistant.components.media_player.apple_tv] A <class ‘pyatv.exceptions.AuthenticationError’> error occurred: failed to login: 403
2017-07-04 07:57:15 WARNING (MainThread) [homeassistant.components.media_player.apple_tv] A <class ‘pyatv.exceptions.AuthenticationError’> error occurred: failed to login: 406
2017-07-04 07:57:25 WARNING (MainThread) [homeassistant.components.media_player.apple_tv] A <class ‘pyatv.exceptions.AuthenticationError’> error occurred: failed to login: 403
2017-07-04 07:57:35 WARNING (MainThread) [homeassistant.com2017-07-04 07:57:35 WARNING (MainThread) [homeassistant.components.media_player.apple_tv] A <class 'pyatv.exceptions.2017-07-04 07:57:45 WARNING (MainThread) [homeassistant.com2017-07-04 07:57:55 WARNING (MainThread) [homeassistant.components.media_player.apple_tv] A <class 'pyatv.exceptions.2017-07-04 07:58:06 WARNING (MainThread) [homeassistant.com2017-07-04 07:58:06 WARNING (MainThread) [homeassistant.components.media_player.apple_tv] A <class 'pyatv.exceptions.2017-07-04 07:58:16 WARNING (MainThread) [homeassistant.com2017-07-04 07:58:16 WARNING (MainThread) [homeassistant.components.media_player.apple_tv] A <class 'pyatv.exceptions.2017-07-04 07:58:26 WARNING (MainThread) [homeassistant.com2017-07-04 07:58:26 WARNING (MainThread) [homeassistant.components.media_player.apple_tv] A <class 'pyatv.exceptions.2017-07-04 07:58:36 WARNING (MainThread) [homeassistant.com2017-07-04 07:58:36 WARNING (MainThread) [homeassistant.components.media_player.apple_tv] A <class 'pyatv.exceptions.2017-07-04 07:58:46 WARNING (MainThread) [homeassistant.components.media_player.apple_tv] A <class ‘pyatv.exceptions.AuthenticationError’> error occurred: failed to login: 403
2017-07-04 07:58:56 WARNING (MainThread) [homeassistant.com2017-07-04 07:58:56 WARNING (MainThread) [homeassistant.components.media_player.apple_tv] A <class ‘pyatv.exceptions.2017-07-04 07:59:07 WARNING (MainThread) [homeassistant.components.media_player.apple_tv] A <class ‘pyatv.exceptions.AuthenticationError’> error occurred: failed to login: 403
2017-07-04 07:59:17 WARNING (MainThread) [homeassistant.components.media_player.apple_tv] A <class ‘pyatv.exceptions.AuthenticationError’> error occurred: failed to login: 403
2017-07-04 07:59:27 WARNING (MainThread) [homeassistant.components.media_player.apple_tv] A <class ‘pyatv.exceptions.AuthenticationError’> error occurred: failed to login: 403
2017-07-04 07:59:47 WARNING (MainThread) [homeassistant.components.media_player.apple_tv] A <class ‘pyatv.exceptions.AuthenticationError’> error occurred: failed to login: 406
2017-07-04 07:59:57 WARNING (MainThread) [homeassistant.components.media_player.apple_tv] A <class ‘pyatv.exceptions.AuthenticationError’> error occurred: failed to login: 403
2017-07-04 08:00:08 WARNING (MainThread) [homeassistant.components.media_player.apple_tv] A <class ‘pyatv.exceptions.AuthenticationError’> error occurred: failed to login: 403
2017-07-04 08:00:18 WARNING (MainThread) [homeassistant.components.media_player.apple_tv] A <class ‘pyatv.exceptions.AuthenticationError’> error occurred: failed to login: 403
AuthenticationError’> error occurred: failed to login: 403
2017-07-04 08:00:28 WARNING (MainThread) [homeassistant.components.media_player.apple_tv] A <class ‘pyatv.exceptions.AuthenticationError’> error occurred: failed to login: 403

Thank you for your help.

Thanks, I may give this a try if I cannot solve my issue without starting again from scratch

The port-forwards aren’t working then. If it’s taking you to your router login page, then you’re only getting as far as your router, and the request is not being forwarded to HA.

You will have to check your router manual to configure your port-forwards correctly.

Thanks, does this explain that I cannot access HA from my internal network (e.g. typing IP:8123)?

Not directly, but there’s some kind of problem routing things on your network.

You must ensure the IP:8123 is preceded by https:// (note the s).

I redid the forward rules in my router, I have two for my pi IP:
80->80
443->8123

Now if I use https://IP:8123 I get to the HA log in page, but if I enter the password (same as in http: API_PASSWORD in configuration.yaml) it says “unable to connect”

If I use https://[redacted].duckdns.org I get error “the site cannot be reached”.

I made a mistake last time when I said that https://[redacted].duckdns.org got me to my router configuration page. It only does that if I enter the address from my network; if I do it from the outside (e.g. my cell) it doesn’t work.

Thank you very much for your help

OK, we’re getting there :slight_smile:

You need to clear the cache in your browser and cross your fingers

Ok, some progress.

After I cleared my cache, now I can access HA from my home network (e.g. https://IP:8123), but my browser warns me that it’s not a secure connection and I end up with http://IP:8123 (without the s), after this I can enter my password and access HA

Still no luck from outside my network through duckdns.org

That’s normal for the internal connection as the certificate expects the incoming connection to be via DuckDNS, so because you’re not you get the insecure warning.

Can we check that duckdns software is definitely running on your system, and is connecting to the server OK? (obviously if it’s not updating the server with your ip address it won’t go through).

Check the port forwarding on your router.

Check from a device that is not connected to the internal network to discount loopback issues.
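
The name check behind that browser warning, as an added example that is not part of the original thread: a certificate issued for a DNS name matches that name and nothing else, so an internal IP in the address bar fails the match while the port plays no part in it. It assumes the `openssl` CLI (1.1.1 or later); `example.duckdns.org`, `192.168.1.10` and the function names are constructed placeholders, and the certificate is a throwaway self-signed one.

```shell
#!/bin/sh
# Added example. Host name and IP below are constructed placeholders.

# Create a throwaway self-signed certificate for one DNS name; print its path.
make_test_cert() {
    name=$1
    tmp=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$tmp/privkey.pem" -out "$tmp/fullchain.pem" \
        -subj "/CN=$name" -addext "subjectAltName=DNS:$name" >/dev/null 2>&1
    printf '%s\n' "$tmp/fullchain.pem"
}

# Return 0 if the certificate is valid for what was typed as the host part
# of the URL. The port is not an input: certificates name hosts, not ports.
cert_covers() {
    c=$1 target=$2
    case $target in
        *[!0-9.]*) flag=-checkhost ;;   # has a non-digit/dot: treat as host name
        *)         flag=-checkip ;;     # dotted IPv4 literal
    esac
    openssl x509 -in "$c" -noout "$flag" "$target" | grep -q 'does match'
}

# Demo: the DuckDNS-style name matches, the LAN address does not.
cert=$(make_test_cert example.duckdns.org)
for host in example.duckdns.org 192.168.1.10; do
    if cert_covers "$cert" "$host"; then
        echo "$host: matches certificate"
    else
        echo "$host: mismatch, browser warns but the session is still TLS"
    fi
done
```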

I think the duckdns software is running, when I was in step 3, I checked mydomain.duckdns.org:8123 and it worked. I don’t know how to check that the software is running in my pi, but I entered cat duck.log and got OK.

I checked the port forward in my router and I have 2 rules: 80->80 and 443->8123.

I tried duckdns using my cell connecting to LTE instead of wifi, but no response.

Do you think I should continue troubleshooting or should I start my install from scratch again?

Can you confirm you’re definitely specifying https, your duckdns domain and no port number?

If so and it’s still not working, can you try changing the port forwarding rule to 8123 > 8123, and then try to connect with

https://YOUR-URL.duckdns.org:8123

I wouldn’t start from scratch now, it’s obviously working on your pi, we just need to work out why the external connections aren’t getting through.

yes!!

Changing the port forwarding to 8123>8123 worked.

Is the connection still encrypted even if I’m not using port 443?

Thank you so much for your help! I hope I can pay back by helping someone once I get more familiar with HA

Yes, the connection is still encrypted.

Looks like it is a problem with your router not saving the 443 -> 8123 port forward correctly.

Either leave it how it is now (as it is working), or play with your port forwarding options until you get 443 to 8123 working so that you can drop the port number from the url.

Glad you’re all sorted :thumbsup: