Set up encryption using Let's Encrypt

The instructions in this blog post are outdated. Please have a look at the new instructions.

Exposing your Home Assistant instance outside of your network always has been tricky. You have to set up port forwarding on your router and most likely add a dynamic DNS service to work around your ISP changing your IP. After this you would be able to use Home Assistant from anywhere but there is one big red flag: no encryption.

This tutorial will take you through the steps to setup a dynamic DNS for your IP and allow trusted encrypted connection to it - for free using DuckDNS and Let’s Encrypt.


Updated 2016-06-18


The DuckDNS part of this tutorial has no requirements but there are a few requirements as of now to run the Let’s Encrypt client.

  • Direct connection to the internet or admin access to your router to set up port forwarding.
  • A machine running a Unix-ish OS that include Python 2.6 or 2.7 (Docker can be used).
  • Root access, to write to default config, log and library directories and bind port 80.



The first step is to set up DuckDNS. This is a free dynamic DNS service that you can use to get a subdomain to point at your house. A dynamic DNS service works by having your home computer tell every 5 minutes what its IP is so that DuckDNS can make sure your domain name is set up correctly.

For this example we will assume our domain is

First step is to acquire and set up our domain name. For this, go to DuckDNS, log in with any of the supported login providers and add a domain. After this check out their installation instructions to finish your installation of DuckDNS. If you’re on a Raspberry Pi, see ‘Pi’ in the category ‘Operating Systems’.


Let’s Encrypt

Let’s Encrypt is a free, automated, and open certificate authority (CA). We will use this to acquire a certificate that can be used to encrypted our connection with Home Assistant.

Let’s Encrypt will give you a free 90-day certificate if you pass their domain validation challenge. Domains are validated by having certain data be accessible on your domain for Let’s Encrypt (they describe it better themselves).

Assuming that your home is behind a router, the first thing to do is to set up port forwarding from your router to your computer that will run Let’s Encrypt. For the Let’s Encrypt set up we need to forward external port 80 to internal port 80 (http connections). This can be set up by accessing your router admin interface (Site with port forwarding instructions per router). This port forward must be active whenever you want to request a new certificate from Let’s Encrypt, typically every three months. If you normally don’t use or have an app that listens to port 80, it should be safe to leave the port open. This will make renewing certificates easier.

Now you’re ready to install and run the client that requests certificates from Let’s Encrypt. The following example will use the platform independent script to install and run the certbot client from Let’s Encrypt. If there is a certbot package for your OS, it’s recommended to install the package instead of the platform independent script. Read the docs for more information. There are also other clients that might offer more customization and options. See the client options page at Let’s Encrypt.

$ mkdir certbot
$ cd certbot/
$ wget
$ chmod a+x certbot-auto
$ ./certbot-auto certonly --standalone \
                          --standalone-supported-challenges http-01 \
                          --email [email protected] \

If you’re using Docker, run the following command to generate the required keys:

sudo mkdir /etc/letsencrypt /var/lib/letsencrypt
sudo docker run -it --rm -p 80:80 --name certbot \
                -v "/etc/letsencrypt:/etc/letsencrypt" \
                -v "/var/lib/letsencrypt:/var/lib/letsencrypt" \
       certonly \
                --standalone --standalone-supported-challenges http-01 \
                --email [email protected] -d

With either method your certificate will be generated and put in the directory /etc/letsencrypt/live/ As the lifetime is only 90 days, you will have to repeat this every 90 days. There’s a special command to simplify renewing certificates:

./certbot-auto renew --quiet --no-self-upgrade --standalone \
                     --standalone-supported-challenges http-01


Home Assistant

Before updating the Home Assistant configuration, we have to forward port 443 (https connections) to port 8123 on the computer that will run Home Assistant. Do this in your router configuration as previously done for port 80.

The final step is to point Home Assistant at the generated certificates. Before you do this, make sure that the user running Home Assistant has read access to the folder that holds the certificates.

  api_password: YOUR_SECRET_PASSWORD
  ssl_certificate: /etc/letsencrypt/live/
  ssl_key: /etc/letsencrypt/live/

You can now navigate to and enjoy encryption!

Big thanks to Fabian Affolter for his help and feedback on this article.

This is a companion discussion topic for the original entry at

standalone supported challenged is depreciated. Please update it to preferred challenges.


I cant update my certs now… If you know the correct command for this can you maybe share that?

Start a fresh thread, explain how you set up Let’s Encrypt, what the problems/errors you’re having are, and somebody will help you.

Perhaps an update to the HASS Wiki is in order?

Hi @335iguy,

Would you be able to please share the latest commands? I am on NGNIX and have my own domain but above commands doesn’t work.

Thanks in advance.


./certbot-auto certonly
without all the other parameters worked for me… just fill in the form that is presented.

I run the renewal script from /home/homeassistant and it worked fine, didn’t work as an automation though.

Problem binding to port 80: Could not bind to IPv4 or IPv6.

Hi everyone,
I just installed HA on my RasPI 3B, port 80 and 443 forwarded, duckdns domain registered.

Everything was good and i could reach http…

Then I installed Let’s Encrypt to enable https, completed the installation but https… was not working.

I scrolled up the log and found a first issue “The standalone specific supported challenges flag is deprecated. Please use the --preferred-challenges flag instead.”

I relaunched the installation process (to renew the certificate) using

./certbot-auto certonly --standalone --preferred-challenges http-01
–email myemail

instead of --standalone-supported-challenges but got the error:

Requesting to rerun .certbot-auto with root privileges…
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugin selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for
Cleaning up challenges
Problem binding to port 80: Could not bind to IPv4 or IPv6.

I read that the problem concerns the port 80 which is already being used by another application and that I should stop the application but I cannot find the way to do it and I’m stuck at this point for a long time. I do not have a web server.
I’m basically new to these things, can you please tell me what I have to do to solve this issue?

Thank you.

I’ve seen the same error on my installation. In same system I have the homea assistant and pi-hole. All I needed to do to solve your problem is stop lighttpd service (stopping pi-hole webserver) and then certificate validation went well.

sudo service lighttpd stop

Now I’m stucked on this error from my web-browser:

Some posts refer to http: configuration.yaml format problems, but I can’t see it.

Good afternoon, I am trying to setup let’s encrypt on my Odroid C2 using the image hassos_odroid-c2-2.3.img.gz.
Where Let encrypt is start iot is reported the following error : I can not understand where this 444 port is cvoming from.

Failed authorization procedure. my_server_name (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching https://my_server_name:444/.well-known/acme-challenge/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX: Invalid port in redirect target. Only ports 80 and 443 are supported, not 444
 - The following errors were reported by the server:
   Domain: my_server_name
   Type:   connection
   Detail: Fetching
   Invalid port in redirect target. Only ports 80 and 443 are
   supported, not 444
   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.

Anyone already get this concern or know where it could come from?

Hi, i have the same problem.
There is way to create the certificate from another server and later put in the HA configuration?


This thread has some problem.
HA installation was instructed based on “homeassistant” user which is not root user.
But this Letsencrypt thread is based on root user.
Normal user can not access to directory /etc/letsencrypt/live/domain_intended.

HA is normally used for private purpose. So maybe private SSL key will be good solution rather than Letsencrypt

Perhaps you didn’t read the very first line in the thread.

I am using the latest version of Ubuntu and installed HA via VirtualBox.
Inside VirtualBox, any ssh command shows as it’s invalid, probably since that’s the HA cli.
Followed this article very carefully step by step, I was able to add my domain and ip to duckdns which points with no errors outside the network but i am currently stuck with let’s encrypt as I was even trying using the ubuntu terminal and the commands looks deprecated.

Does anyone has found a solution yet? please let me know, thanks.

See the first line of this thread.

Thank you very much @nickrout
The updated tutorial worked like a charm

I have a different problema about Alexa redirects,How did i do to this Works with sub-subdomains? I have a duckdns https certificate with subdomains allowed (like and i cannot make Alexa detect my homeassistant like this,and i have other subdomains to my other nas applications , there are any configurations needed to allow It? Or It is Impossible?wich should be the Turnaround or whathever to make this Works?
Btw: i have 2 raspberry pi , 1 with hassio and other with my other apps and nginx+loadbalancing to redirects the homeassistant to subdomain

Dude, just set-up a nginx instance to handle it!

Is there a way of setting up auto-renewal if port 80 is NOT permanently forwarded to the HA host? (I’m running HA in a Docker container on Lubuntu)