[SOLVED]Error using docker and SSL: Invalid config for HTTP not a file for dictionary value,

Hi everybody,

I’m new to this and I have managed to set up the HA in RPI 3b in raspbian, but when I’m trying to get the SSL to work I encounter problems:
My current setup: HA running in docker using the following docker compose:

Docker compose

version: ‘3’
services:
homeassistant:
container_name: homeassistant
image: homeassistant/raspberrypi3-homeassistant
volumes:
- /home/pi/homeassistant:/config
restart: unless-stopped
network_mode: host

I have created the certs using this guide: https://www.splitbrain.org/blog/2017-08/10-homeassistant_duckdns_letsencrypt

and now when I start the HA I get this (where MYDOMAIN is obviously replaced by my domain):

Invalid config for [http]: not a file for dictionary value @ data[‘http’][‘ssl_key’]. Got ‘/config/homeassistant/letsencrypt/dehydrated/dehydrated/certs/MYDOMAIN/privkey.pem’. (See /config/configuration.yaml, lin$
2019-01-16 20:29:52 ERROR (MainThread) [homeassistant.setup] Setup failed for http: Invalid config.

The reason why the path begins with /config/ instead of /home/usr/ is because of the use of docker, but I have tried the both.

the http part of the configuration.yaml is as follows (mydomain is replaced in the real file and the double dehydrated is intended):

HTTP

http:
api_password: !secret http_password
ssl_certificate: /config/letsencrypt/dehydrated/dehydrated/certs/MYDOMAIN/fullchain.pem
ssl_key: /config/homeassistant/letsencrypt/dehydrated/dehydrated/certs/MYDOMAIN/privkey.pem
base_url: !secret base_url

Does anyone have good ideas what I have done wrong?
I have given the sudo chmod 755 to all of those paths.
Should I change the certs to some root folders or somehow give the docker some rights or something?

Thank you in advance!

EDIT:
Solved this moving the certs-folder to the config-folder and updating permissions. Now it works.

1 Like

Many thanks…worked for me and saved hours of head banging.

Hi @E1m0. Can you elaborate on this? Thanks

1 Like

Also interested to know if there is a simple fix that doesn’t require moving certs into the config folder.

Whitelist maybe?

A agree we need a more elegant solution.
I tried a symbolic link from the original files to avoid problems at renewal. No way, Home Assistant says it’s not a file…
I finished like the others by a copy of the files, but that suppose I don’t forget to redo the copy after renewal of the certs.

Same problem here. Solved using:
sudo chmod -R 755 /home/homeassistant/dehydrated/certs

1 Like

Is there no other solution than moving the certs to the /config folder, breaking the auto renewal of those certs?

Hi, for me giving absolute path to cert files solved the problem.
So use /home/homeassistant/… instead /config/… at the beginning of paths

To be exact it was /volume1/homeassistant/ in my case since I run HA Core directly on Synology NAS not on RPi, but above should solve your problem :wink:

Now I have problem that I cannot access HA through http://IP_ADDRESS:8123 in local network - I need to use https://IP_ADDRESS:8123 which gives me warning about not secured connection in browser… but that’s problem for another thread I suppose :wink:

I found better solution, more elegant for those of you who have HA installed in Docker container. I had same problem that HA could have not access my ssl cert and key, even I run docker with volume attached which pointed on folder with ssl files. My setup is that I’ve created ssl cert with Let’s Encrypt certbot on host Raspberry Pi4 and then I run HA in Docker container with following command:

docker run --init -itd --name="home-assistant" -e "TZ=Europe/Warsaw" --restart unless-stopped \
-v /home/pi/ha:/config \
-v /etc/letsencrypt/live/mydomain:/ssl \
--net=host homeassistant/raspberrypi4-homeassistant:stable

This caused me same error HA complaining that “Invalid config for [http]: not a file for dictionary value”

I figured out that actually cert files in this live/mydomian folder are symbolic links to /etc/letsencrypt/archive, therefore I figured that HA within Docker containers is trying to access files via symlinks which are outside of the attached volume.

Solution:

I run HA docker attaching whole /etc/letsencrypt folder instead just only /etc/letsencrypt/live/mydomain

docker run --init -itd --name="home-assistant" -e "TZ=Europe/Warsaw" --restart unless-stopped \
-v /home/pi/ha:/config \
-v /etc/letsencrypt:/etc/letsencrypt \
--net=host homeassistant/raspberrypi4-homeassistant:stable

but this was not enough and I had also to created symlink (as a root) within /config folder

pi@raspberrypi:~/ha $ sudo su
root@raspberrypi:/home/pi/ha# ln -s -T /etc/letsencrypt/live/mydomain /home/pi/ha/ssl

then in configuration.yaml I have:

ssl_certificate: ssl/fullchain.pem
ssl_key: ssl/privkey.pem

Hope it helps someone :slight_smile:

13 Likes

You sir, just made my day. Thanks you for your explanation!

1 Like

I’ve created an account on here just to say that ed.cric’s solution worked for me after trying everything for like months.

Thanks man!

1 Like

I had to use “/ssl/…pem” otherwise HA still throws the same error message. But great idea. I use OPNSense to generate Let’s Encrypt SSL-certs. Your idea of mounting an SSL-volume works great! thanks.

1 Like

Solved!!!

There is renewal-hooks/post in letsencrypt (executed one certs has been renewed)
Create bash script with
/etc/letsencrypt/renewal-hooks/post/copyhass.sh

#!/bin/bash
sudo cp /etc/letsencrypt/live/***.duckdns.org/privkey.pem /usr/share/hassio/ssl/privkey.pem
sudo cp  /etc/letsencrypt/live/***.duckdns.org/fullchain.pem /usr/share/hassio/ssl/fullchain.pem

sudo chmod +x /etc/letsencrypt/renewal-hooks/post/copyhass.sh
make
sudo certbot renew --dry-run

and that is it.

2 Likes

Hey so I thought I would add some clarity to the cause of this problem as I was dealing with it for the last few days and getting no where till I found this post.

First off this problem is very specific to running HA in Docker and using Lets Encrypt for your certs on a Linux system. Now here’s why:

Let’s Encrypt will tell you that your certs are located in the following dir for your use: /etc/letsencrypt/live/<my_url>.duckdns.org/ This is not exactly true. While there are files in that dir that you can “use” they are not the real files. They are symlinks to where the real files are actually located, which is here: /etc/letsencrypt/archive/<my_url>.duckdns.org/ -Note the 3rd dir is different.

Normally this would not be a problem for most applications. However, Docker is one of those exceptions. Docker containers have literally only exactly what a container needs to run, and nothing more. So when you mount the volume /ssl as the dir /etc/letsencrypt/live/<my_url>.duckdns.org/, you are only getting exactly that dir and nothing more. And because the symlinks are more like shortcuts, you have now cut off the link to the real location of the files in the /etc/letsencrypt/archive/<my_url>.duckdns.org/ dir. Thus HA says the file does not exist, because it actually does not as far as the HA docker container is concerned.
And hopefully now you can see why ed.circ’s solution did not work until they mounted the dir before the archive/live dir at /etc/letsencrypt/ As once the real location of /etc/letsencrypt/archive/<my_url>.duckdns.org/ was readable in the HA docker, the symlinks at /etc/letsencrypt/live/<my_url>.duckdns.org/ are working again.

Hopefully this helps someone else not spend days trying to figure out the problem. And maybe we can get an update to the wiki site as well.

3 Likes

Glad I could help :slight_smile:

I faced the same issue and thought I’d say what I did.
I use acme.sh and it’s not that hard with it. I had to move the cert/key in the /ssl directory but the configuration.yaml doesn’t like the symlink: /root/ssl -> /ssl. So, this is config section:

http:
  ssl_certificate: /ssl/hass_crt.pem
  ssl_key: /ssl/hass_key.pem

acme.sh generates the certificates in this directory: /root/.acme.sh/<your_domain> and there should be an auto-generated file, called: <your_domain>.conf, where the renewal-hook can be configured.

I created a directory, called: hooks, under /root/.acme.sh:

cd /root/.acme.sh && mkdir hooks

and created a simple bash script to copy the cert/key from the original location to /ssl directory:

$ cat  hooks/hass.sh
#!/usr/bin/env bash
cp /root/.acme.sh/<your_domain>/<your_domain>.key /ssl/hass_key.pem
cp /root/.acme.sh/<your_domain>/fullchain.cer /ssl/hass_crt.pem
chmod 0400 /ssl/hass_*.pem

And then set the RenewHook in the <your_domain>.conf like this:

Le_RenewHook='bash /root/.acme.sh/hooks/hass.sh'

that should do the job.

am I the only one that can’t get this to actually work? I have followed ed.cric’s directions to the letter and I still get the error, I have added the / before the ssl in the path - /ssl/fullchain.pem, I have left the / off the ssl in the path – ssl/fullchainpem, I have even declared the entire exact path /home/[username]/HASS/ssl/fullchain.pem and NOTHING works

I feel like this is an elaborate ruse to get me to pay for nabu casa and its working!!!

sudo rm -r *
im done

No, you’re not alone. I’ve recently tried to install the DuckDNS addon. It keeps reminding me that I’m only 5 minutes away from securing access. Lies. I also cannot find my certificate files. I’m also doing this the hard way because I want to touch internet as little as possible.

EDIT: Addding thi upfront here-- DOCKER IS NOT YOUR FRIEND WITH SSL CERTS… No matter what I ever did docker refused to allow me to show, move, transfer, copy, or make references to SSL certs. Install the HassOS and live again

I ended up installing the HassOS on debian and skipping the docker install altogether in favor of a single platform that I was able to also install HACS and have the originally supported Add-ons as well. I think docker is installed here as well just incase you want to run things along side it, but honestly I havent had the need for that either. Things like DuckDNS, and NodeRED, and MQTT are supported in Add-ons now. I’ve been running this for about 8 months now with full SSL certs and ZERO problems (besides the ones I create for myself lol). PM me if you need help getting all that set-up and Ill see what I can do! I know its possible now!

Hi all,
I need your help. I have just started to play with Hassio on my pi 4 bu I found the same problem on secure connection:

The system cannot restart because the configuration is not valid: Invalid config for [http]: not a file for dictionary value @ data[‘http’][‘ssl_certificate’]. Got ‘/ssl/fullchain.pem’ not a file for dictionary value @ data[‘http’][‘ssl_key’]. Got ‘/ssl/privkey.pem’. (See /config/configuration.yaml, line 26).

line 26 is
‘http:
base_url: https://myaddress.duckdns.org:8123
ssl_certificate: /ssl/fullchain.pem
ssl_key: /ssl/privkey.pem’

Thanks for your support
Floriano