Problem with Letsencrypt installation via addon

Hi, hope you will be able to help me with that issue (I saw some similar threads but not the exact problem):

First - I’ll try to describe the current situation:

  • I have a Raspberry Pi (2) running Hass,io on a local static IP
  • I have access to my HA from the outside world on port 8123 using DNSduck (mydomain.duckdns,org:8123) while I am forwarding port 8123 > 8123
  • Port 80 is blocked (I guess by the ISP - I opened it in the router but no access to this port)
  • Port 443 is open and forwarding to 443 inside my network

After setting the letsencrypt configuration like this:

{
  "challenge": "https",
  "email": "xxxxx@gmail,com",
  "domains": [
    "mydomain.duckdns,org"
  ],
  "certfile": "fullchain.pem",
  "keyfile": "privkey.pem"
}

I installed the plugin and I got this log via addon:

 starting version 3.2.2
 Saving debug log to /var/log/letsencrypt/letsencrypt.log
 Obtaining a new certificate
 Performing the following challenges:
 tls-sni-01 challenge for mydomain.duckdns,org
 Waiting for verification...
 Cleaning up challenges
 Non-standard path(s), might not work with crontab installed by your operating system package manager
 IMPORTANT NOTES:
  - Congratulations! Your certificate and chain have been saved at
    /data/letsencrypt/live/mydomain.duckdns.org/fullchain.pem. Your
    cert will expire on 2017-12-14. To obtain a new or tweaked version
    of this certificate in the future, simply run certbot again. To
    non-interactively renew *all* of your certificates, run "certbot
    renew"
  - If you like Certbot, please consider supporting our work by:
    Donating to ISRG / Let's Encrypt:   https:// letsencrypt,org/donate
    Donating to EFF:                    https:// eff,org/donate-le

After that I added the relevant lines to the configuration file:

http:
  api_password: "mypassword"
  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem

Also I’m able to see these files via SSH in the ssl dir.
On the other hand - I’m not able to see the letsencrypt folder under the /data folder - looks like it doesn’t exist…

Now I set port 443 to 8123 and I was hoping I’ll be able to access https:// mydomain.duckdns,org and get my HA but it didn’t work…

This is what I get when I’m trying to access with Google Chrome:

This site can’t provide a secure connection

mydomain.duckdns,org sent an invalid response.
Try running Network Diagnostics.
ERR_SSL_PROTOCOL_ERROR

I tried multiple solutions I found online but nothing worked for me.
Looks like letsencrypt was installed properly but I’m doing something wrong on the way to get access to my HA with a secured connection.

Thanks in advance and hope you’ll be able to help me with that issue.

(The comma before the domains extensions was necessary to send this post due to a links limitation - ignore it)

I am having the exact same problem. I have tried lots of ways to do the Let’s Encrypt setup, using the letsencrypt script, the dehydrated script and by using the certbot script directly. All of them get the certs fine, and I have checked local file access to the certs and it’s wide open (and to the containing directories). I have also tried with the firewall pointing external port 443 to port 8123 on my pi, pointing external port 443 to internal 443 on my pi, and still get the same error.

If I try this from a desktop running chrome I just get a ‘suddenly disconnected’ error, from my phone I get the ERR_SSL_PROTOCOL_ERROR

There are no errors whatsoever in the log files, and the status on the service is showing all as fine.

Any ideas? It’s driving me crazy… :frowning:

my config file looks like:

http:
  api_password: !secret http_password
  ssl_certificate: !secret ssl_cert
  ssl_key: !secret ssl_key
  base_url: !secret base_url
  ip_ban_enabled: True
  login_attempts_threshold: 10

and everything in my secrets file is formed correctly.

Right, I think I just stumbled upon the fix for this, it looks like from here: SSL Config Error - #2 by josh in October last year was the answer, you need python3-openssl installed.

To do this go to a command prompt on your pi and type

sudo apt-get install python3-openssl

Once that’s complete reboot your pi…

sudo reboot

Make sure your external port 443 is being redirected to your internal port 8123 and it should all work.

Hope this helps
Tony

How do you install this in HASSIO?

@TonyM @anon35356645
Did you have a chance to install it on HassIo?

Can’t run this sudo command after connecting with ssh to my hassio

I tried to go here: https://pypi.python.org/pypi/pyOpenSSL#downloads and use pip to install the wheel available for download. That seemed to install it but didn’t make a difference for it continuing to fail.

I can access it locally but not through duckdns.
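
Added example (not part of any post in this thread, and not Home Assistant or add-on code): a small probe that sends a real TLS ClientHello to a port and reports whether the listener answers with TLS, answers in plain HTTP, or hangs up. One common cause of ERR_SSL_PROTOCOL_ERROR is a listener that is not speaking TLS at all, and running the probe against both the Pi's LAN address on 8123 and the public name on 443 shows whether the problem is in Home Assistant or in the port forward. The LAN address 192.168.1.10 and the function names are assumptions made for the example.

```python
import socket
import ssl


def client_hello(server_name: str) -> bytes:
    """Let the ssl module build a genuine ClientHello without touching the network."""
    ctx = ssl.create_default_context()
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_name)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the handshake stops, waiting for the server's reply
    return outgoing.read()


def classify_first_bytes(data: bytes) -> str:
    """Classify the first bytes a server sent in answer to a ClientHello."""
    if not data:
        return "closed"        # peer hung up without answering
    if data[:5] == b"HTTP/":
        return "plain-http"    # listener is serving unencrypted HTTP on this port
    # TLS record header: type 0x16 (handshake) or 0x15 (alert), version major 0x03
    if len(data) >= 2 and data[0] in (0x15, 0x16) and data[1] == 0x03:
        return "tls"
    return "unknown"


def probe(host: str, port: int, server_name: str = "", timeout: float = 5.0) -> str:
    """Connect to host:port, send a ClientHello, and classify the reply."""
    hello = client_hello(server_name or host)
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "unreachable"   # refused, filtered, or DNS failure
    with sock:
        try:
            sock.sendall(hello)
            return classify_first_bytes(sock.recv(16))
        except OSError:        # reset or timeout after the TCP connect succeeded
            return "closed"


if __name__ == "__main__":
    # Constructed targets: replace with your Pi's LAN address and your own DuckDNS name.
    name = "mydomain.duckdns.org"
    for host, port in [("192.168.1.10", 8123), (name, 443)]:
        print(f"{host}:{port} -> {probe(host, port, name)}")
```

A result of "plain-http" or "closed" on the LAN address means the certificate settings in the http: section are not taking effect; "tls" locally but not on the public name points at the router's 443 to 8123 forward.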