Setting up SSL Remote Access

Hi everyone, I’ve been trying to get Home Assistant remote access working with SSL but am getting the following error in the log:

2020-09-22 18:39:41 ERROR (MainThread) [homeassistant.config] Invalid config for [http]: not a file for dictionary value @ data['http']['ssl_certificate']. Got '/home/pi/homeassistant/dehydrated/certs/[name-redacted].duckdns.org/fullchain.pem'
not a file for dictionary value @ data['http']['ssl_key']. Got '/home/pi/homeassistant/dehydrated/certs/[name-redacted].duckdns.org/privkey.pem'. (See /config/configuration.yaml, line 57). Please check the docs at HTTP - Home Assistant

Some background: I’m using RaspberryPi4-64 in docker. Everything works fine if I comment out the “ssl_certificate” and “ssl_key” entries from the config. I used this guide: splitbrain(dot)org/blog/2017-08/10-homeassistant_duckdns_letsencrypt

Here’s my config:

# Configure a default setup of Home Assistant (frontend, api, etc)
default_config:

# Text to speech
tts:
  - platform: google_translate

group: !include groups.yaml
automation: !include automations.yaml
script: !include scripts.yaml
scene: !include scenes.yaml

http:
  ssl_certificate: /home/pi/homeassistant/dehydrated/certs/[name-redacted].duckdns.org/fullchain.pem
  ssl_key: /home/pi/homeassistant/dehydrated/certs/[name-redacted].duckdns.org/privkey.pem

I believe it’s related to something like this: Invalid config for [http]: not a file for dictionary value @ data['http']['ssl_certificate'] · Issue #31513 · home-assistant/core · GitHub however I believe my permissions are fine:

Any advice on what to check next?

Well, after realizing how docker works (never having used it before) I changed my config to the following:

# Configure a default setup of Home Assistant (frontend, api, etc)
default_config:

# Text to speech
tts:
  - platform: google_translate

group: !include groups.yaml
automation: !include automations.yaml
script: !include scripts.yaml
scene: !include scenes.yaml

http:
  ssl_certificate: /config/dehydrated/certs/[name-redacted].duckdns.org/fullchain.pem
  ssl_key: /config/dehydrated/certs/[name-redacted].duckdns.org/privkey.pem

If anyone is wondering why: when Home Assistant is set up in Docker using the official guide, the command is:

docker run --init -d --name="home-assistant" -e "TZ=America/New_York" -v /home/pi/homeassistant:/config --net=host homeassistant/raspberrypi3-homeassistant:stable

This means “/config” from the Docker instance is mapped to “/home/pi/homeassistant” on the local machine. The config file needs to reference the internal path, not the path on the host.

However, I still have an issue. In the guide (https://www.splitbrain.org/blog/2017-08/10-homeassistant_duckdns_letsencrypt) they use “api_password: !secret hass_pass”. As far as I know this is deprecated, and I should be using long lived tokens, correct? Do I have to use a token for DuckDNS somehow, or a token when using a service call (such as IFTTT)?

Ah to be a beginner in Docker :slight_smile:
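
The host-to-container path mapping described in the post above, as an added example that is not part of the original thread: given the `-v` bind mounts, it reports whether a path written in configuration.yaml is one the container can see, or a host path that needs rewriting. The function names and the `example.duckdns.org` domain are assumptions made for illustration.

```python
from pathlib import PurePosixPath

def parse_volume(spec):
    """Split a `docker run -v host:container[:mode]` bind-mount spec."""
    parts = spec.split(":")
    if len(parts) < 2 or not (parts[0].startswith("/") and parts[1].startswith("/")):
        raise ValueError(f"not an absolute bind mount: {spec!r}")
    return PurePosixPath(parts[0]), PurePosixPath(parts[1])

def _best(path, pairs):
    """Rebase path from the longest matching src prefix onto its dst, else None."""
    hits = [(src, dst) for src, dst in pairs if path == src or src in path.parents]
    if not hits:
        return None
    src, dst = max(hits, key=lambda pair: len(pair[0].parts))
    return dst / path.relative_to(src)

def check_path(configured, volumes):
    """Classify a path from configuration.yaml as the container will see it.

    Returns (status, other_side):
      'visible'   - under a container mount point; other_side is the host path
      'host-path' - a host path; other_side is the path to put in the config
      'unmapped'  - not backed by any of the given bind mounts
    """
    path = PurePosixPath(configured)
    mounts = [parse_volume(v) for v in volumes]
    host_side = _best(path, [(ctr, host) for host, ctr in mounts])
    if host_side is not None:
        return "visible", str(host_side)
    container_side = _best(path, mounts)
    if container_side is not None:
        return "host-path", str(container_side)
    return "unmapped", None

if __name__ == "__main__":
    volumes = ["/home/pi/homeassistant:/config"]    # the -v argument from the thread
    certs = "dehydrated/certs/example.duckdns.org"  # constructed placeholder domain
    for configured in (
        f"/home/pi/homeassistant/{certs}/fullchain.pem",  # first config: host path
        f"/config/{certs}/privkey.pem",                   # corrected config
        "/etc/letsencrypt/live/example/privkey.pem",      # outside every mount
    ):
        print(configured, "->", check_path(configured, volumes))
```

An "unmapped" result for a certificate or key path means the file is not on a bind mount, so either it does not exist inside the container or it will not survive the container being recreated.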


I encourage you to use docker-compose as you will start accumulating containers without a means of backing up the configuration or easily making changes.

This:

docker run --init -d --name="home-assistant" -e "TZ=America/New_York" \
-v /home/pi/homeassistant:/config \
--net=host homeassistant/raspberrypi3-homeassistant:stable

Translated becomes:

version: '3'
services:
  home-assistant:
    container_name: home-assistant
    image: homeassistant/raspberrypi3-homeassistant:stable
    restart: always
    network_mode: 'host'
    volumes:
      - /home/pi/homeassistant:/config
    environment:
      - TZ=America/New_York

(I ignored --init as from my reading it doesn’t provide much value here :man_shrugging:)


And so is base_url. You should try and find documentation that isn’t 3 years old, as Home Assistant has moved quickly in that time. You should at the least check the HA documentation when you are not sure about something.

There is no api_key or base_url anymore, you just need the path to your certificates.


Also, also, it’s bad practice to place persistent/necessary files/scripts within a Docker volume as it is intended to be ephemeral. As soon as you recreate or destroy your container, you are going to have to manually run all your steps again to generate new certificates.

Couple of options here:

  1. A dedicated and separate container that creates your certificates (just look up “Let’s Encrypt” or “Dehydrated docker container”)
  2. Have the host create the certificates and mount them to the container
  3. At least mount a folder from your host (Pi) to where the dehydrated certificates will be created so you can reference them in your docker run or docker-compose.

Hope this assists you and makes sense