Remote Access, HA OS, Let's Encrypt, DuckDNS Failure

I am new to HA. I am running the latest HA OS VM within VirtualBox on a Windows 10 PC. The VM is bridged so it gets its own private IP address from my DHCP server - I have an existing SmartThings Hub v3 deployment I want to connect to, but I must first get dynamic DNS and public certificates working from what I understand. I have followed the Home Assistant DuckDNS/Let’s Encrypt installation instructions. However, when it states to update the configuration.yaml file with the following lines, I get an error when I try to restart Home Assistant:

  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem

The message I get when I try to restart HA is:
The system cannot restart because the configuration is not valid: Invalid config for [http]: not a file for dictionary value @ data[‘http’][‘ssl_key’]. Got ‘/ssl/privvkey.pem’. /config/configuration.yaml,line 13).

Whereas on a Linux box I could SSH in and look at the directory structure, files, etc., on the HA OS I have not been able to find a method to view the directory structure. I have been fighting this installation for three days now with no luck.

If anyone can help me out I would be grateful.

If that is the error it says you have a typo. It says you have miss spelled privkey.pem with two ‘v’ privvkey.pem on line (13)

Please check that.


I rebuilt my VM from scratch to ensure nothing was corrupt and to start fresh.

I installed the add-on.

I configured it with my domain and token.

I set the “accept_terms” variable to “true.”

I then went into Studio Code and edited the configuration.yaml file. I added the following lines ensuring I had no typos:

  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem

I then went to restart Home Assistant and got this error message:

The system cannot restart because the configuration is not valid: Invalid config for [http]: not a file for dictionary value @ data['http']['ssl_certificate']. Got '/ssl/fullchain.pem' not a file for dictionary value @ data['http']['ssl_key']. Got '/ssl/privkey.pem'. (See /config/configuration.yaml, line 13). 

I don’t know if the paths to the “fullchain.pem” and “privkey.pem” are correct. I bring this up because I see these paths in the DuckDNS logs:

s6-rc: info: service s6rc-oneshot-runner: starting
s6-rc: info: service s6rc-oneshot-runner successfully started
s6-rc: info: service fix-attrs: starting
s6-rc: info: service fix-attrs successfully started
s6-rc: info: service legacy-cont-init: starting
s6-rc: info: service legacy-cont-init successfully started
s6-rc: info: service legacy-services: starting
s6-rc: info: service legacy-services successfully started
# INFO: Using main config file /data/workdir/config
+ Generating account key...
+ Registering account key with ACME server...
+ Fetching account URL...
+ Done!
[02:59:19] WARNING: 
[02:59:20] INFO: Renew certificate for domains: and aliases: 
# INFO: Using main config file /data/workdir/config
 + Creating chain cache directory /data/workdir/chains
 + Creating new directory /data/letsencrypt/ ...
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting new certificate order from CA...
 + Received 1 authorizations URLs from the CA
 + Handling authorization for
 + 1 pending challenge(s)
 + Deploying challenge tokens...
ERROR: deploy_challenge hook returned with non-zero exit code

I don’t know if I should use these paths, install the “Let’s Encrypt” add-on, or try another DuckDNS article online.

If anyone can point me in the right direction I would appreciate it.

I am pretty certain your paths are incorrect but I don’t use duckdns or https so I can’t be certain what the paths should be.
You may need to copy the files to the correct path then update the configuration.
Hope that helps.

I use encryption and my http section of configuration.yaml looks like your

  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem

I do not use DuckDNS as I own my own domain name and generate all the certs I need on another system and then place them on the systems that require them using scp. This requires me to drop the cert files on my HA instance in the directory:


So that I can do things at the os level I use the supervisor install version on debian bullseye. The instructions can be found in this page for a supervised install.

pcwii and Brian,

I gave up on HA OS and installed the Supervised version. That led me down several rabbit holes I would rather not discuss here. I am going to close this thread.

Thank you for your assistance.