This has been driving me crazy and I’m hoping someone here can help. I want to setup https so I can start working with Alexa intents but I seem to be missing something. I’m on a RPi3 installed with the AIO installer. Version 0.22.0.
I’ve followed the directions in the blog post and installed certbot-auto. I forwarded my port 80 in my router to my Pi and uninstalled an Apache install I had there previously. (Checked this by going to the port before and after the uninstall via pip and subsequent reboot, everything checked out; no more Apache welcome page).
Ran the certbot-auto with the arguments provided and got a congratulations message.
Went to /etc/letsencrypt/live and saw my domain and verified that in that folder, the .pem files existed.
Went back to router and forwarded 443 to my pi’s 8123.
Edited my config files to add the two ssl entries with the correct paths under my api_password, everything lined up correctly.
Went so far as to set (recursively) the live and archive dirs in /etc/letsencrypt to 744 so any user should be able to read.
Shutdown HASS, rebooted the Pi and expected profit. Was greeted instead with ho frontend access. Nothing.
Hass is running and updating the logs with no error messages at all, but I can’t reach it via http, https at the external domain name or even internally via https://myipaddress. If I take out the ssl entries and restart, I can access the site again.
I’m not sure what I’m doing wrong as I followed all the directions and even tried doing the procedure again from scratch. I know my port forwarding is correct, because if I remove the ssl entries and restart HA, I can get to my frontend via http://westofeast.no-ip.org:443.
If someone could help me while I still have hair, it would be greatly appreciated!
Great. Now my harmony-api, which was previously working fine, no longer works either. Tried reinstalling it and still getting an error trying to start the server. This truly sucks. It’s bad enough when the thing you’re trying to configure doesn’t work; it’s another thing entirely when it starts breaking other things.
Good luck @rpitera. You are always a few steps ahead of me in the HA setup. This was on my list to do, I’ll hold off on this after I fix the various errors I have from existing additions.
Well, as I said at the beginning, I had set the permissions to 744 - but it appears that wasn’t enough and I needed 755 on the archive and live directories (recursively, again) because low and behold, it worked!
@mrmichaelh, you sir, saved me from starting over from scratch. Bless you and should you ever come to NJ, I have a beer with your name on it. Between this and getting Harmony set up and running again, it’s a drastically different day from yesterday.
Np, I just did this Saturday to get my dot working. I just need to learn how self sign next so i dont have to renew in 90 days. Also need the certs for Alexa and Sonos
And it didn’t occur to me until Michael suggested using ls to see the perms. I’d been doing it with WinSCP. Wierd logic as I figured that all SSL had to do was read the certs. I think when I get a chance I’m going to do a PR on the let’s encrypt docs and add the required perms.
And to think this whole thing started because Andrew got me all psyched on doing Alexa intents - I BLAME YOU MR. COCKBURN!! Stop posting exciting stuff you’re doing!!! LOL
No worries; I’ll probably be bugging you for help with intents anyway, so you’ve really just doomed yourself.
I think at this point I will probably ditch my hasska set up, since I would have to redo all the endpoints and settings. Alexa handles all my other devices so I’m really interested primarily in scenes and state queries so it seems to me that haaska isn’t going to offer me much more.
But if you plan on trying to deploy it again, let me know and I’ll redeploy it so I can document the steps for you.
I just found your post as I was about to post a similar thread. I seem to be having the exact same issue as you but Im not knowledgeable enough with this stuff to figure out exactly how you resolved it.
What do I need to do exactly in order to fix this issue? Noob here, sorry…
Mine was the permissions on the certificate files themselves. 744 wasn’t enough; they had to be set to 755.
Don’t make the mistake some do as a shortcut and give full permissions to these or any other files/directories on your setup (777 perms). While it solves the problem, it brings with it a host of new security issues. If not from HA itself, it can come from malicious code from a third party library. Think of 777 as something the system should use itself and you should be hands off. (While not entirely accurate, this is how I prefer to think of it.)
Gotcha. So this is new I am to this…I have no idea how to actually go about setting the permissions. Could I bother you to walk me through it, if thats not too much trouble?
So I actually realized how to do it before I saw your reply and saw the permissions for both certs was actually set to 777 by default so maybe that wasnt the issue.
I thought I figured it out by looking through my configuration.yaml and realizing I had two entries for http so I fixed that.
I was a dummy and forgot to re-enable port forwarding. Now it works! Sorta…
So I have an onhub router which stupidly doesnt have NAT loopback, which means when Im on my home network I cant access HASS via duck dns (mydomain.duckdns.org) but I can access it via the IP address at port 8123.
Now that I have this up and running, I can access it via https://mydomain.duckdns.org when on an external network. But now, when Im on my network, I cant access it at all (via duckdns or IP).