Hi Greg,
could you give me some more details?
I’m new on Hassio that I have installed on RPi 4
Many thanks
Floriano

I have figured it out.
Install DuckDNS and fill all the required info. Do NOT add this to configuration.yaml yet:
http:
ssl_certificate: /ssl/fullchain.pem
ssl_key: /ssl/privkey.pem

Restart your home assistant instance and start the DuckDNS add-on. Wait for certificates to generate and after that add this to your configuration.yaml:

http:
ssl_certificate: /ssl/fullchain.pem
ssl_key: /ssl/privkey.pem

Restart home assistant.

I will do it as first thing this evening.
This is valid also for HA on RPi, correct?

Yes, HA on RPi4.

Unfortunately it didn’t work to me.

But on the register of Duck DNS i found some warning / error messages

"s6-rc: info: service s6rc-oneshot-runner: starting
s6-rc: info: service s6rc-oneshot-runner successfully started
s6-rc: info: service fix-attrs: starting
s6-rc: info: service fix-attrs successfully started
s6-rc: info: service legacy-cont-init: starting
s6-rc: info: service legacy-cont-init successfully started
s6-rc: info: service legacy-services: starting
s6-rc: info: service legacy-services successfully started

INFO: Using main config file /data/workdir/config

• Generating account key…
• Registering account key with ACME server…
• Fetching account URL…
• Done!
  [19:51:28] INFO: OK
  79.22.150.200
  UPDATED
  [19:51:29] INFO: Renew certificate for domains: mydomain.duckdns.org and aliases:

INFO: Using main config file /data/workdir/config

• Creating chain cache directory /data/workdir/chains
  Processing mydomain.duckdns.org
• Creating new directory /data/letsencrypt/mydomain.duckdns.org …
• Signing domains…
• Generating private key…
• Generating signing request…
• Requesting new certificate order from CA…
• Received 1 authorizations URLs from the CA
• Handling authorization for mydomain.duckdns.org
• 1 pending challenge(s)
• Deploying challenge tokens…
  OK + Responding to challenge for mydomain.duckdns.org authorization…
• Cleaning challenge tokens…
  OK + Challenge validation has failed
  ERROR: Challenge is invalid! (returned: invalid) (result: [“type”] “dns-01”
  [“status”] “invalid”
  [“error”,“type”] “urn:ietf:params:acme:error:dns”
  [“error”,“detail”] “DNS problem: SERVFAIL looking up CAA for mydomain.duckdns.org - the domain’s nameservers may be malfunctioning”
  [“error”,“status”] 400
  [“error”] {“type”:“urn:ietf:params:acme:error:dns”,“detail”:“DNS problem: SERVFAIL looking up CAA for solarflor.duckdns.org - the domain’s nameservers may be malfunctioning”,“status”:400}
  [“url”] “https://acme-v02.api.letsencrypt.org/acme/chall-v3/236228515457/aHvHRg”
  [“token”] “mytoken”
  [“validationRecord”,0,“hostname”] “mydomain.duckdns.org”
  [“validationRecord”,0] {“hostname”:“mydomain.duckdns.org”}
  [“validationRecord”] [{“hostname”:“mydomain.duckdns.org”}]
  [“validated”] “2023-06-12T17:51:39Z”)"

Please help

It looks like you are not using your duckdns.org domain. You must fill it in.

yes, I’m using it. I have just edited the words.

I’m using it and it seems it works well.
with htpp:// …duckdns,org:8123 I’m able to connect

Excellent example!

I got it applied but I can see in my Docker Bash that the symlink is red, meaning it cannot be reached from within the docker

Do you know what to do with that?

The folder(s) is already chmod 777

I have nginx running in docker container and i added ssl certs for my domain and subdomains. Subdomains are my containers ie. adgurad.
This is my docker-compsoe.yml config

  nginx:
    container_name: nginx_proxy
    image: 'jc21/nginx-proxy-manager:latest'
    restart: unless-stopped
    ports:
      - '80:80'
      - '81:81'
      - '443:443'
    volumes:
      - /opt/nginx/data:/data
      - /opt/letsencrypt:/etc/letsencrypt

I bought a domain name because you can have only four subdomains on a free domain. I use dynu. I use this service to set up my domain and to add subdomains. In nginx I created proxy hosts for a domain and subdomains. I got ssl cert from nginx using lets encrypt. I use dns challenge and for a cert I added token which I got from the provider mentioned above.
Domain and all subdomains have a vaild certs and cert renewal is working out of the box.
My domain and subdomains are not accessible over internet as I don’t update my dynamic ip address and I don’t forward any ports. Instead I’m using adguard for dns rewrite to point my domain and subdomain fqdn to my server ip.

I am in the same situation, I have tried changing the site certificates, but I still get the same error, I have tried everything that has been posted here, but I cannot solve it. Can you help me please

invalid config for [http]: not a file for dictionary value @ data['http']['ssl_certificate']. Got '/home/domotica/ha/config/fullchain.pem'
not a file for dictionary value @ data['http']['ssl_key']. Got '/home/domotica/ha/config/privkey.pem'. (See /config/configuration.yaml, line 22).

Post your configuration.yaml

Now this is:

http:
#  server_port: 8123
  base_url: https://XXXX.duckdns.org:8123 
#  ssl_certificate: /home/domotica/ha/dehydrated/certs/XXXX.duckdns.org/fullchain.pem
#  ssl_key: /home/domotica/ha/dehydrated/certs/XXXX.duckdns.org/privkey.pem

Figured it out.

The reason why moving it into HA’s config folder works is because the container does not have access to the cert folder located outside of it.

The easiest (and imo better) fix is to add a volume mapping for the cert folder (eg. /etc/letsencrypt) in the container config. For simplicity’s sake, you can just map it so that it’s found in the same location within the container. That way, the cert and key paths in the HA’s configuration.yaml can be consistent with the Docker host filesystem.

Docker compose file (docs - Bind mounts | Docker Docs):

volumes:
      - type: bind
        source: /etc/letsencrypt
        target: /etc/letsencrypt,readonly

Or alternatively, via docker run command:

--mount type=bind,source=/etc/letsencrypt,target=/etc/letsencrypt,readonly

Note that the target (within the container) need only be read-only for this to work. Write isn’t required if the cert is generated on the outside by letsencrypt. This is the ideal route since come cert renewal time, which should be handled automatically, you won’t have to recopy the cert files back into HA’s config folder.

And then my HA configuration.yaml is just simply:

http:
  ssl_certificate: /etc/letsencrypt/live/xxx.duckdns.org/fullchain.pem
  ssl_key: /etc/letsencrypt/live/xxx.duckdns.org/privkey.pem

As a final note, make sure the cert files are readable for the HA container to properly access them. This should do the trick without giving too much access to the files (777 is overkill)

sudo chmod -R 755 /etc/letsencrypt

Reboot after all is said and done and HA should start up properly and be HTTPS accessible.

Hope this helps everyone

I did not have the letsencrypt directory, I created it, and I wrote as user and as root

root@domotica:/etc/letsencrypt# --mount type=bind,source=/etc/letsencrypt,target=/etc/letsencrypt,readonly
bash: --mount: orden no encontrada

And as a user

jose@domotica:~$ --mount type=bind,source=/etc/letsencrypt,target=/etc/letsencrypt,readonly
-bash: --mount: orden no encontrada

my certificates are here

[image]

The folder I mentioned only applies if you generated your cert using Certbot like I did (Certbot Instructions | Certbot). Looks like you did it thru some other method so you should follow my steps but substitute your user folder that’s shown in your screenshot (/home/jose…)