Trying to install my Godaddy ssl certificate in HA - error reading the certificate

I’m almost there (I think) to get HA use ssl with my Godaddy certificate but I’m stuck with this error:

2018-11-07 10:27:15 ERROR (MainThread) [homeassistant.components.http] Could not read SSL certificate from /home/homeassistant/.homeassistant/ssl/certificate.pem: [SSL] PEM lib (_ssl.c:2964)

I’m far from an expert so I’ll describe what I did:

  • I generated a CSR and applied it on Godaddy for my domain name (to use with HA) and got two files: gd_bundle-g2-g1.crt and c038d3055fa2c1f1.crt.
  • Renamed gd_bundle-g2-g1.crt to certificate.pem and c038d3055fa2c1f1.crt to privkey.pem (since they were in pem format already, could read it with “-----BEGIN CERTIFICATE-----…”)
  • I placed them in a folder named ssl in HA folder and gave full permission (777) on it and the files in it.
  • I changed the configuration.yaml:
```
http:
  # Secrets are defined in the file secrets.yaml
  api_password: !secret http_password
  # trusted_networks:
    # - 192.168.1.0/24
  ssl_certificate: /home/homeassistant/.homeassistant/ssl/certificate.pem
  ssl_key: /home/homeassistant/.homeassistant/ssl/privkey.pem
  # Uncomment this if you are using SSL/TLS, running in Docker container, etc.
  base_url: *the domain name for ha*
```
  • rebooted the HA NUC

I won’t talk about port forwarding since it gets to it from external IP and the certificate seems OK but I get this long “connecting” and it asks me for legacy password (when it should prompt me for the user/password) plus the error:

It seems HA user can’t read the certificate but it works (I think…)

Can anyone help me and take me by the hand lol, I would appreciate it. I didn’t find anything specifically for this issue…

Just curious, anybody else uses a third party ssl certificate (other than let’s encrypt)?

bump
Can’t anyone give me any hint on this?

SSL is… not intuitive. :frowning:

The c038d3055fa2c1f1.crt certificate you received is the signed certificate. The other file you received, gd_bundle-g2-g1.crt, contains the intermediate certificate that was used to sign your certificate.

Home Assistant needs to know about both of these, so it’s customary to create a new text file, and copy and paste the contents of both of the files you received in to it, one above the other (order isn’t important, I think). The convention most places is to name this file fullchain.pem, but it does the same job as the certificate.pem you talked about.

That leaves privkey.pem. This should be your private key. You will have generated a private key as part of creating the CSR. If you created it all locally using openssl or similar, then you will have explicitly created a new private key as part of that process, and it will be in a file in the working dir you used for that process. If you created your CSR through the godaddy website, then there’ll be some way to download the private key through the management interface. I can’t really advise further without knowing the full steps you followed to create the CSR.
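Added example (not part of the thread, and not Home Assistant's own code): a pre-flight check for the two files that `ssl_certificate` and `ssl_key` point at. It reads the PEM block labels, so it catches a certificate that was renamed to privkey.pem, and it flags a key file that other users can read. The function names and the sample files are constructed for illustration.

```python
import os
import re
import stat
import tempfile

# A PEM block is "-----BEGIN <LABEL>-----" ... "-----END <LABEL>-----".
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----.*?-----END \1-----", re.S)

def pem_labels(path):
    """Return the label of every PEM block in the file, in order."""
    with open(path, "r", errors="replace") as fh:
        return [m.group(1) for m in PEM_BLOCK.finditer(fh.read())]

def preflight(cert_path, key_path):
    """Return a list of problems found in a certificate/key file pair."""
    problems = []
    cert_labels = pem_labels(cert_path)
    key_labels = pem_labels(key_path)
    if "CERTIFICATE" not in cert_labels:
        problems.append("certificate file holds no CERTIFICATE block")
    elif cert_labels.count("CERTIFICATE") == 1:
        problems.append("only one CERTIFICATE block: intermediate not included")
    # Covers PRIVATE KEY, RSA PRIVATE KEY, EC PRIVATE KEY, ENCRYPTED PRIVATE KEY.
    if not any(label.endswith("PRIVATE KEY") for label in key_labels):
        problems.append(f"key file holds {key_labels or 'no PEM blocks'}, not a private key")
    mode = stat.S_IMODE(os.stat(key_path).st_mode)
    if mode & 0o077:
        problems.append(f"key file mode {mode:o} lets other users access the key")
    return problems

def _write(path, labels, mode):
    body = "Q09OU1RSVUNURUQ=\n"  # constructed placeholder, not real key material
    with open(path, "w") as fh:
        for label in labels:
            fh.write(f"-----BEGIN {label}-----\n{body}-----END {label}-----\n")
    os.chmod(path, mode)

def demo():
    """Run the check on constructed files mirroring the thread's two layouts."""
    with tempfile.TemporaryDirectory() as d:
        cert = os.path.join(d, "certificate.pem")
        key = os.path.join(d, "privkey.pem")
        # First attempt in the thread: both files are certificates, mode 777.
        _write(cert, ["CERTIFICATE", "CERTIFICATE"], 0o777)
        _write(key, ["CERTIFICATE"], 0o777)
        first = preflight(cert, key)
        # Layout the answer describes, with the key readable by its owner only.
        _write(cert, ["CERTIFICATE", "CERTIFICATE"], 0o644)
        _write(key, ["PRIVATE KEY"], 0o600)
        return first, preflight(cert, key)

if __name__ == "__main__":
    print(demo())
```

The check looks at labels and file mode only; it does not confirm that the private key belongs to the certificate.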

ohhh… ok, so both those files are just the fullchain.pem, and I need the private key, right?
I merged both in fullchain.pem based on what you said.
How would I generate the privkey.pem? When I do the CSR (created from a website for this purpose) and apply it in Godaddy, I end up just getting the two certificate files, where would my privkey.pem be?
If I understood correctly, I need to do the CSR directly from the HA device (Intel NUC in Linux), right?

Again, sorry, I’m far from an expert in this area…

There are a couple of steps involved in creating a CSR.

  1. Generate a key pair. This gives you a private key, and an (unsigned) certificate.
  2. Take the certificate, and use that to create a Certificate Signing Request.

All you’re sending to Godaddy is the CSR, so they never know your private key. So it comes down to how the website you used for the CSR works.

If you uploaded a certificate to the site to create the CSR, then the private key will be on your HA device or wherever you generated the cert. If it generated the key pair, then it should give you the option to download the private key.

Again, sorry, I don’t understand enough about how you created the CSR to offer more than vague advice. Precisely what did you do to create a CSR?

I tried doing it this way but it still doesn’t work at the end…

  • I used openssl to get the CSR and my private key:
    openssl req -new -newkey rsa:2048 -nodes -keyout your-domain.key -out your-domain.csr
    I got the csr and the private key.

  • I renamed the private key to privkey.pem and placed it where HA configuration.yaml is pointing to

  • I used the CSR to rekey the certificate on Godaddy then redownload the files

  • I merged both certificate files into fullchain.pem and placed it where HA configuration.yaml is pointing to.

  • I made sure both files had permission 777

I really thought this would work…

***Although, I don’t have any error about it in logs but same behaviour mentioned originally when logging in…

Is your browser Chrome? Click the padlock icon in the address bar and check the dropdown that appears. That will tell you what Chrome thinks of the certificate. Also might be worth turning up the log level for the http component, following the directions at https://www.home-assistant.io/components/logger/ and changing the log level for homeassistant.components.logging.

Sorry, I’m running out of ideas here. I don’t use the SSL support built in to home-assistant, but have an nginx proxy set up instead.

I don’t know if you ever got your GoDaddy SSL certificate working, but this might solve your problem if you are using GoDaddy to host your domain:

New Home Assistant Add-on: GoDaddy DNS

I’m using my SSL certificate as well. Every time I enter the config in configuration.yaml my HA reboots but I can’t access it. Can you share how exactly you configured your HA with your SSL cert?

What did you enter in secrets.yaml file?
```
api_password: !secret http_password
```