Sensor to show expiry date of SSL certificate

Host: xxxxxxx.duckdns.org
Port: 443

That’s not correct? :thinking:

Same result with port:80

BTW: Let’s Encrypt was used for certificate.

That should be ok. Are you sure you have an LE cert? What install on what OS do you have? I have seen a self-signed cert in a chain on a Windows PC running a downloader that inserts itself so it can download from SSL sites…

Thanks for trying to help me David!

My setup is running on
Pi 4,
core-2021.2.3,
Home Assistant OS 5.11
supervisor-2021.02.11
Regarding cert:
Your certificate and chain have been saved at:
/data/letsencrypt/live/xxxxxx.duckdns.org/fullchain.pem
Your key file has been saved at:
/data/letsencrypt/live/xxxxxxx.duckdns.org/privkey.pem
Your cert will expire on 2021-05-16.

So I just went and added my sub-domains (they have separate certificates).
The correct format to enter is domain.com and then 443 as the port (if you use 443).
Mine look like this if I show them in Lovelace:

Are you using the LetsEncrypt addon for HA or the Duckdns one?

EDIT: also, do you use Pi-hole or some firewall that might block this?

I have both DuckDNS and LetsEncrypt addons and don’t know any firewall rule.

I might have done something wrong during the remote access setup; actually, I'm thinking of setting up the whole remote access again from scratch, keeping in mind to avoid any possible threat from a self-signed cert. :slight_smile: It can be time consuming, but I consider it part of the learning path… :slight_smile:

I’ve re-installed the whole HA from scratch, setting up remote access via DuckDNS using the instructions in Effortless encryption with Let’s Encrypt and DuckDNS - Home Assistant (home-assistant.io)

The first (previous) attempt was based on this tutorial:
Installing TLS/SSL using Let’s Encrypt - Community Guides - Home Assistant Community (home-assistant.io)

Same result :frowning:
Error message: “self signed certificate in certificate chain”

Any idea what can be the problem?

Other question: Is it problematic from a security point of view to use a self-signed cert?

Thanks!

I get the same result on two different hosts, a NUC with hass io and a Pi 4 with Debian 10 and Home Assistant Supervised in Docker.

I have this sensor defined but the expiry value is not being returned (i.e. it is blank). I’m running HA in a Docker container, with a LetsEncrypt cert, and have mapped the LE folder to my Docker /ssl container. So my config looks like this:

http:
  ssl_certificate: ssl/fullchain.pem
  ssl_key: ssl/privkey.pem
sensor:
  - platform: command_line
    name: SSL cert expiry
    unit_of_measurement: days
    scan_interval: 10800
    command: "ssl-cert-check -b -c ssl/cert.pem | awk '{ print $NF }'"

The http config is fine - the SSL cert works - but the cert-check is not populating the expiry sensor with a value. The ssl-cert-check script is in my HA config folder.
Any ideas??
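Added example, not from any of the posters and not Home Assistant code, serving two passages of this thread: the "self signed certificate in certificate chain" error a few posts up, and the command_line expiry sensor just above. It is a POSIX shell script that uses only openssl(1): it computes whole days until a certificate file expires by bisection over `openssl x509 -checkend` (so it needs neither ssl-cert-check nor date(1) parsing, which differs between GNU and BSD), and it reproduces the chain error by verifying a leaf whose issuing root is not in the trust store. Everything it checks is constructed test material generated on the fly (a throwaway root CA and a 90-day leaf, mirroring Let's Encrypt's 90-day lifetime); the CN values and the temporary paths are placeholders, not the poster's host.

```shell
#!/bin/sh
# Added example for this thread (not code from the original posts or from
# Home Assistant). Uses only openssl(1) to (a) compute days-until-expiry of a
# PEM certificate and (b) show what "self signed certificate in certificate
# chain" actually means. All certificates are generated here as constructed
# test material; CN values are placeholders.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so `openssl req` does not depend on a system openssl.cnf.
printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$WORK/req.cnf"

# Constructed material: a self-signed root CA (365 days) and a 90-day leaf
# certificate it signs. Nothing here is a real Let's Encrypt certificate.
make_test_certs() {
  openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Constructed Test Root" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=ha.example.test" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -days 90 -in "$WORK/leaf.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/leaf.pem" 2>/dev/null
}

# Whole days until notAfter, found by bisection over `openssl x509 -checkend N`
# (exit 0 while the certificate is still valid N seconds from now).
days_until_expiry() {
  cert=$1
  if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
    echo 0            # already expired
    return 0
  fi
  lo=0; hi=3660       # invariant: valid at lo days, assumed expired at hi days
  while [ $((hi - lo)) -gt 1 ]; do
    mid=$(( (lo + hi) / 2 ))
    if openssl x509 -in "$cert" -noout -checkend $((mid * 86400)) >/dev/null 2>&1; then
      lo=$mid
    else
      hi=$mid
    fi
  done
  echo "$lo"
}

# A certificate is self-signed when its issuer DN equals its subject DN.
is_self_signed() {
  subj=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253)
  iss=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253)
  [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# Verify the way a TLS client does: leaf, then the "untrusted" certificates the
# server sent, ending at a root from the trust store. With no trusted root
# given ($3 empty) the walk ends at a self-signed certificate the client was
# never told to trust: OpenSSL error 19, "self signed certificate in
# certificate chain". The same leaf verifies once the root is trusted.
verify_chain() {
  leaf=$1; sent=$2; trusted=${3:-}
  if [ -n "$trusted" ]; then
    openssl verify -CAfile "$trusted" -untrusted "$sent" "$leaf" >/dev/null 2>&1
  else
    openssl verify -untrusted "$sent" "$leaf" >/dev/null 2>&1
  fi
}

# The reason string openssl prints for that failure (empty on success; the
# pattern covers both the "self signed" and "self-signed" spellings).
verify_error_reason() {
  openssl verify -untrusted "$2" "$1" 2>&1 \
    | sed -n 's/.*\(self.signed certificate in certificate chain\).*/\1/p' | head -n 1
}

make_test_certs
echo "leaf expires in $(days_until_expiry "$WORK/leaf.pem") days"
echo "leaf self-signed: $(is_self_signed "$WORK/leaf.pem" && echo yes || echo no)"
echo "root self-signed: $(is_self_signed "$WORK/ca.pem" && echo yes || echo no)"
echo "chain without trusted root: $(verify_error_reason "$WORK/leaf.pem" "$WORK/ca.pem")"
if verify_chain "$WORK/leaf.pem" "$WORK/ca.pem" "$WORK/ca.pem"; then
  echo "chain with trusted root: ok"
else
  echo "chain with trusted root: FAILED"
fi
```

To check a real file, point days_until_expiry at the PEM Home Assistant actually serves (the fullchain.pem named earlier in the thread); the number it returns is the same one the expiry sensor reports. The verification half shows what the sensor's error message is telling you: the chain the server presented ends at a self-signed certificate that the client's trust store does not contain, which is what a self-signed or locally issued certificate produces, whereas a chain issued by Let's Encrypt verifies against the public roots.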

Does that command work in a ha console? The command probably isn’t available in the container. I use the cert integration.

Good question. I get an error - return code 127 - when I run the command from the HA console.
I guess that Docker is causing complications? As an alternative, could I simply run this as a monthly cron job from outside Docker?

certbot renew --quiet --no-self-upgrade --standalone --preferred-challenges tls-sni-01 --tls-sni-01-port 8123 --pre-hook "sudo docker stop home-assistant" --post-hook "sudo docker start home-assistant"

It’s not Docker causing complications. If you are running HAOS or a Supervised install, the container just doesn’t have those commands in the shell. Probably the Container install doesn’t have them available either. Is there any reason you don't want to use the inbuilt integration for this? It works perfectly.

Do you mean this one?

If so, yes I have installed it but it doesn’t seem to offer a method of auto-renewing a LE-generated SSL certificate.

That is the one, yes… all it does is show the date; it won’t renew the certificate. (I thought that was what you wanted, going by the thread title.)

Sorry, yes, I was confusing two threads that I’d recently posted in!
I’m looking for a solution for SSL cert auto-renewal, but was struggling to get the sensor to work to monitor for certificate expiry, so I ended up on this thread trying to resolve that part of the problem.
I’m still hunting for a complete solution for SSL automatic renewal, as the methods that I’ve found so far assume that (a) you’re not using Docker, and (b) you are permanently forwarding port 80 to your HA host (which I am unable to do).

Doesn’t the LetsEncrypt addon do the renewals? I used to use an automation to start that addon at midnight every night, and it stops running by itself. Or you could use the expiry date from the cert integration to trigger it.
I personally use Caddy2 addon which supports DNS domain validation so no port forwarding needed.

LetsEncrypt does have a facility for renewals, but I haven’t managed to get it to work. I have been following these instructions:

I think I have 2 complicating factors:

  1. I am running HA in a Docker container, and have been unable to run the renewal script (certbot) from within the HA environment
  2. I am unable to permanently forward port 80 to my HA host (I run a separate web server on my network) - I believe that the LetsEncrypt certbot requires access via port 80.

If you’re not running HAOS or Supervised you should be able to find a docker container for LE like at linuxserver.io
Also look at Caddy with a DNS validation plugin as I already suggested.

Thanks for that. I’ll see if I can find a docker container for LE. I’m not sure if Caddy is a little more than I need. If I can find a LE docker container that handles auto-renewals would I need Caddy?

It’s totally up to you. I like a reverse proxy for the security it provides.

Does anyone use the isValid attribute? I’m trying to use it in an automation: I have to generate a pks file from the LE cert whenever it updates, but it only checks whether the cert is valid, not whether it’s valid for the URL you are checking. This should be invalid IMO, and consequently it means I can’t trigger on isValid when the site shows an invalid SSL cert. If this is expected, then I need to find an alternative sensor to determine whether the cert is invalid for the site.