Trouble setting up Let's Encrypt

Also, I tried to change the permissions to 755 per your recommendations (I'm on a Mac using Cyberduck) and I get the error "failure to write attributes, permission denied". What user should I be doing this as? I can't do it as HASS or Pi.

Are you using the private IP while trying to access it within your home network? Because you won't be able to use the public one without loopback.

About certs, there are a couple of options:

  1. Copy them to a folder where the HASS user has access
  2. Change the group ownership of /etc/le to your HASS user group (man chown)

Yeah, using the private IP.

Hm, but you were saying that you’re able to access

but I can access it via the IP address at port 8123.

Or do you mean using a different port (80/443)? You need to set up port forwarding on the device then, not on the router.

Not sure if I follow.
Prior to setting up SSL, I could access my Pi in-network via its private IP xxx.xxx.xx.xxx:8123.

Now I can't access it via that same one. I currently have port forwarding set up for SSL at 443>8123.

Sorry, I'm new to all of this, so it might be obvious but it's going over my head.

What should I do to resolve this, exactly?

So in your config you should have something like

http:
  server_port: 8123
  ssl_certificate: ..
  ssl_key: ..

Could you access httpS://xxx.xxx.xx.xxx:8123? It should say that the certificate is invalid, blah-blah.
Try also
telnet IP 8123

No, it just says the site can't be reached, which is the same thing it did when I tried to access myname.duckdns.org from inside my network before, due to the NAT loopback thing… which is why I'm assuming it's related to that.

Sorry… I'm dumb again… is that a command in the terminal?

Also, I just noticed I'm getting an error in the log:

homeassistant.core: error inside async loop: fatal read error on SSL transport

telnet is a terminal command, yes; if you have a Mac/*nix you most likely have it by default.

homeassistant.core: error inside async loop: fatal read error on SSL transport

Seems that HA couldn't access the certificates. Copy them to another location (for example the HA home folder) from /etc/letsencrypt/live/domain_name (using sudo cp)

And change the owner to the HA user:
sudo chown usr_name:group_name file

Ok, gotcha.

Do you mind dumbing it down to a 4th-grade level? Sorry, I know it's really annoying, but I have the most basic understanding of all of this (trying to learn!) and I'm not entirely confident I know what I should do based on your explanation. Sorry… I appreciate your help!

Also, if that is the problem… why can I still access HASS from outside the network (such as on my phone)?

Nah, it’s totally OK, don’t worry, we were all there :slight_smile:

Basically your HASS service couldn't access the certificates, so until you fix it (either by granting access to the folder or by moving them to another location and changing the owner) the UI won't be reachable.

Gotcha. Could you give me an ELI5 for what exactly I need to do (maybe just more in depth than above, if possible), as I sort of understand what I need to do but not fully enough to actually do it, if that makes sense. Thanks again!

Sorry, without knowing your exact setup it's hard to do. In general the easiest way is to copy the pem and key files from the /etc/letsencrypt folder to your local HA folder (where you have your configuration yaml file) and change the owner to the HASS user. And update the config with the new location of the certificate.

Understandable. I have it installed with the all-in-one installer on a Pi, if that matters.

I guess the part that I'm getting stuck at (it's probably going to be obvious once you tell me) is how do I change the owner once I move it?

From your terminal do

ssh pi@ip_address

Enter your password; if you didn't change it before, it is most likely raspberry

cd to your HA folder where the pem and key files are and do

sudo chown hass_usr:hass_group on both files

If you followed the HA Pi manual, it should be something like
homeassistant:homeassistant
Run ls -la in the HA folder and check the user / group combination

Ok so first, if I'm getting annoying let me know and I can let this go and figure it out another day. I don't want to take advantage of your patience!

SSH - ok, easy. I changed the password; it's like the only command I do know, ha.

Would you mind explaining how I cd to that folder, or what the command would look like?

How do I perform the sudo chown hass_usr:hass_group on a specific file?

How do I run ls -la?

Sorry… again… I feel completely incompetent and hope I'm not annoying you.

Hi vkorn,
I have to say thank you to you. I have been struggling to get my HA running on SSL for over a week now, and I found this discussion, followed what you mentioned, and finally I was able to get it working.

Thank you so much vkorn

I struggled with the permissions problem and originally fixed it by using chmod 755. However, I was not comfortable with giving read and execute permission to "other" users (the last 5 in 755). I finally figured out how to do it correctly after much research on the internet:

(Note I have Hassbian installed which has the user group homeassistant)

cd /etc/letsencrypt
sudo groupadd ssl-cert                      # new group that is allowed to read the certs
sudo chown -R root:ssl-cert live/           # live/ only holds symlinks into archive/ ...
sudo chown -R root:ssl-cert archive/        # ... so archive/ needs the group as well
sudo chmod -R 750 live/                     # owner rwx, group rx, nothing for "other"
sudo chmod -R 750 archive/
sudo usermod -a -G ssl-cert homeassistant   # -a appends; takes effect when the service next starts

I also have the certificate auto-renewal setup in cron like this:

crontab -e
(Choose the nano editor)
51 2,14 * * * ~/certbot/certbot-auto renew --quiet --no-self-upgrade >> ~/certbot/certbot_renew.log
^O (Write out the file)
^X (Exit Nano)

It was recommended to run the renew twice a day here: https://certbot.eff.org/#pi

I picked two random times in the day to renew: 2:51 am and 2:51 pm. You should change this to a different time of your choosing.

EDIT: Added -R recursive flags to chown/chmod and combined two times into one line in crontab

EDIT 2: Added commands to create new ssl-cert group and assign homeassistant to it. Thanks to Glenn here: http://disq.us/p/1hnp0sv
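As an added example that is not from any post in this thread, here is a small POSIX shell script that checks the permission layout the two fixes above depend on: the copy-to-HA-folder approach (vkorn's chown advice) and the ssl-cert group approach in the post directly above. It assumes Linux with GNU find and coreutils (`id -nG`, `mktemp -d`). The path /etc/letsencrypt, the group ssl-cert and the user homeassistant are taken from the post; the sample tree the script builds under mktemp is constructed test data with placeholder files, not real certificates, and the function names are mine.

```shell
#!/bin/sh
# Added example: read-only checks for a Let's Encrypt directory tree.
# Assumptions: GNU find/coreutils; group "ssl-cert" and user "homeassistant"
# as in the post above. Nothing here needs root except running it against
# the real /etc/letsencrypt.

# Return 0 if nothing under $1 grants any permission to "other" (the last
# digit of the mode). A 755 tree fails, a 750 tree passes. Symlinks are
# skipped: their own mode is always 777 and is never consulted by the kernel.
no_world_access() {
  dir=$1
  [ -d "$dir" ] || return 2
  offenders=$(find "$dir" ! -type l -perm /007 2>/dev/null)   # /007 = any of o=rwx
  [ -z "$offenders" ]
}

# Return 0 if user $1 is a member of group $2. "usermod -a -G" only shows up
# here after the user's next login / the service's next start.
user_in_group() {
  id -nG "$1" 2>/dev/null | tr ' ' '\n' | grep -qx "$2"
}

# Return 0 if every live/<domain>/*.pem symlink resolves to a readable file.
# Certbot's live/ entries point into ../../archive/<domain>/, which is why the
# post chowns and chmods archive/ as well as live/.
live_links_resolve() {
  dir=$1
  for f in "$dir"/live/*/*.pem; do
    [ -e "$f" ] || continue   # glob did not match: no domain directories yet
    [ -r "$f" ] || return 1
  done
  return 0
}

# CONSTRUCTED sample data: a throwaway tree shaped like /etc/letsencrypt,
# starting in the permissive 755 state the post says it began with.
make_sample_tree() {
  root=$(mktemp -d)
  mkdir -p "$root/archive/example.test" "$root/live/example.test"
  for n in privkey fullchain; do
    printf 'PLACEHOLDER %s\n' "$n" > "$root/archive/example.test/${n}1.pem"
    ln -s "../../archive/example.test/${n}1.pem" "$root/live/example.test/$n.pem"
  done
  chmod -R 755 "$root"
  echo "$root"
}

# The chmod half of the post's fix (the chown/groupadd half needs root, so it
# is not reproduced on the sample tree).
harden_sample_tree() {
  chmod -R 750 "$1/live" "$1/archive"
}

# Stand-alone run: show the 755 tree failing, then the 750 tree passing.
root=$(make_sample_tree)
if no_world_access "$root/live"; then
  echo "unexpected: 755 tree has no world access"
else
  echo "755 tree: world-readable entries found (as expected)"
fi
harden_sample_tree "$root"
no_world_access "$root/live" && no_world_access "$root/archive" \
  && live_links_resolve "$root" \
  && echo "750 tree: live/ and archive/ closed to others, symlinks still resolve"
if user_in_group homeassistant ssl-cert; then
  echo "homeassistant is in ssl-cert"
else
  echo "homeassistant is not in ssl-cert (or no such user on this machine)"
fi
rm -rf "$root"
```

On a real box, run `no_world_access /etc/letsencrypt/live` and `no_world_access /etc/letsencrypt/archive` after the chmod, and `user_in_group homeassistant ssl-cert` after the usermod; then restart Home Assistant, because supplementary groups are read when the process starts. For the copy-to-HA-folder approach instead, remember that a renewed certificate lands in archive/ and is not copied anywhere automatically, so the copy and chown have to be repeated after every renewal (certbot's `--deploy-hook` option can run that for you).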


Thanks for this post. Had the same issue and changing the permissions worked for me :smiley:
BTW, I needed to change the permissions on all directories from /etc/letsencrypt (inclusive) onwards.


Hi to all, I have tried, spending hours and hours, and still can't get it done…
Everything works fine, but after I install letsencrypt I can't get into my HA website. If I comment out # ssl_certificate: … # ssl_key: …
in the yaml it works. But it is not working on my duckdns.org… I'm not sure where I went wrong. I'm using an Aztech FG7009GR(AC) router to do the port forwarding. :cry: