Unable to connect to Home Assistant - certificate error

This worked in the end after spending 2-3 hours to get it working. Thanks.
FYI, to delete the SSL certificate, you have to do it from inside HA with Terminal access. The Docker container didn’t allow me to delete from the SSL folder.

I just encountered the same problem - logged in with my mobile to a public hotspot. I would harden the idea that something (maybe router or firewall) is blocking the certificate request. As I do not have access to the equipment it is just a vague guess.
By switching to mobile data everything was working fine again.

Check the date of your certificate and the other data.
You might be using an old certificate.

I recently faced a similar issue, and after troubleshooting, I discovered that the root cause was my internet service provider (ISP) blocking my DuckDNS subdomain.

Observations & Diagnosis:

  1. Certificate Errors in Home Assistant App & Browser:

Initially, I received a certificate validation error when trying to connect via the Home Assistant Companion app (Android).

The browser returned a NET::ERR_CERT_COMMON_NAME_INVALID error, which usually indicates an issue with SSL/TLS certificate validation.

  2. Confirming the Block by ISP:

When I attempted to access my DuckDNS subdomain via mobile data, my browser first showed a certificate error.

After refreshing the page, I was redirected to a blocking page from my ISP (Orange Belgium), stating that the domain was flagged as potentially unsafe.

  3. Cause:

Some ISPs, including mine (Orange Belgium), seem to block access to DuckDNS subdomains due to their use in dynamic DNS services. This is likely a blanket security policy rather than an actual detection of a malicious site.

The blocking mechanism replaces my valid SSL certificate (Let’s Encrypt) with their own intercepting SSL, leading to certificate mismatches and connection failures.

Possible Fixes:

  1. Check if your ISP is blocking your DuckDNS domain:

Try accessing your DuckDNS subdomain over a mobile data connection (not Wi-Fi).

If you receive a browser security warning or are redirected to an ISP blocking page, this is likely the cause.

  2. Temporarily Bypass the Block:

Some ISPs allow users to manually proceed past the warning (like mine did). However, this may not be a permanent solution.

  3. Alternative Solutions:

Use a VPN: This bypasses ISP filtering entirely.

Switch to another DDNS provider: Some ISPs don’t block all dynamic DNS services.

Contact your ISP: Request that they whitelist your domain. I sent a formal request to Orange Belgium to remove the block.

If anyone else is facing similar SSL issues with DuckDNS and Home Assistant, it might be worth investigating whether your ISP is interfering with the connection.

Hope this helps!
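The two failure modes described in this thread (an old or expired certificate, and an ISP presenting its own certificate in place of the Let’s Encrypt one) can be told apart from the certificate the server actually presents. The following is an added example, not code from the original posts or from Home Assistant: it classifies a certificate in the dict shape Python’s ssl.SSLSocket.getpeercert() returns, using constructed sample certificates (the domain my-domain.duckdns.org and the “Example ISP Filtering CA” issuer are assumed, not real captures), and includes a live fetch helper that uses full verification.

```python
import socket
import ssl
import time

EXPECTED_ISSUER_ORGS = {"Let's Encrypt"}  # what the DuckDNS add-on issues

def rdn_value(name, key):
    """Pull one value (e.g. 'organizationName') out of getpeercert()'s nested tuples."""
    return next((v for rdn in name for k, v in rdn if k == key), None)

def san_matches(hostname, sans):
    """Exact or single-label wildcard match of hostname against the DNS SANs."""
    host = hostname.lower()
    for kind, pat in sans:
        pat = pat.lower()
        if kind == "DNS" and (pat == host or (pat.startswith("*.")
                and host.count(".") == pat.count(".") and host.endswith(pat[1:]))):
            return True
    return False

def diagnose_peer_cert(cert, hostname, now=None):
    """'expired', 'name_mismatch' (browser: NET::ERR_CERT_COMMON_NAME_INVALID),
    'unexpected_issuer' (right name but not our CA: likely interception) or 'ok'."""
    now = time.time() if now is None else now
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        return "expired"
    if not san_matches(hostname, cert.get("subjectAltName", ())):
        return "name_mismatch"
    if rdn_value(cert["issuer"], "organizationName") not in EXPECTED_ISSUER_ORGS:
        return "unexpected_issuer"
    return "ok"

def fetch_peer_cert(hostname, port=443):
    """Live check with full verification; a failure raises ssl.SSLCertVerificationError."""
    ctx = ssl.create_default_context()
    with ctx.wrap_socket(socket.create_connection((hostname, port), timeout=5),
                         server_hostname=hostname) as tls:
        return tls.getpeercert()

# Constructed sample certificates (not real captures) in getpeercert() shape.
GOOD_CERT = {
    "subject": ((("commonName", "my-domain.duckdns.org"),),),
    "issuer": ((("countryName", "US"),), (("organizationName", "Let's Encrypt"),)),
    "subjectAltName": (("DNS", "my-domain.duckdns.org"),),
    "notBefore": "Jan 10 00:00:00 2025 GMT", "notAfter": "Apr 10 00:00:00 2025 GMT",
}
EXPIRED_CERT = dict(GOOD_CERT, notBefore="Sep 01 00:00:00 2024 GMT", notAfter="Nov 30 00:00:00 2024 GMT")
ISP_BLOCKPAGE_CERT = dict(GOOD_CERT, subjectAltName=(("DNS", "blockpage.example.net"),),
                          issuer=((("organizationName", "Example ISP Filtering CA"),),))
FORGED_NAME_CERT = dict(GOOD_CERT, issuer=ISP_BLOCKPAGE_CERT["issuer"])
SAMPLE_NOW = ssl.cert_time_to_seconds("Mar 01 00:00:00 2025 GMT")  # constructed "today"
```

Run fetch_peer_cert on your own DuckDNS hostname from Wi-Fi and from mobile data; if the result differs (or verification fails only on one path), the network in between is altering the TLS connection.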

You could also try using 1dot1dot1dot1.cloudflare-dns.com as a workaround to bypass the blockage of the Duck DNS subdomain for Home Assistant by your current ISP. To do this, you can set Cloudflare as your private DNS server in your Android settings. Here’s how you can configure it for both Wi-Fi and mobile data:

For Wi-Fi (may differ depending on your Android device):

  1. Open Settings on your Android device.

  2. Scroll down and tap Network & Internet (this may vary depending on your device, it could also be labeled “Connections”).

  3. Tap Wi-Fi, then select the Wi-Fi network you’re connected to.

  4. Tap Advanced (you may need to scroll down).

  5. Under IP settings, select Static (instead of DHCP).

  6. In the DNS 1 and DNS 2 fields, enter:

DNS 1: 1.1.1.1 (Cloudflare’s DNS)

DNS 2: 1.0.0.1 (optional, for Cloudflare’s secondary DNS)

  7. After entering the DNS addresses, tap Save or just back out of the settings.

For Mobile Data (may differ depending on your Android device):

  1. Open Settings on your Android device.

  2. Scroll down and tap Network & Internet.

  3. Tap Private DNS (under the “Advanced” section).

  4. Select Private DNS provider hostname.

  5. Enter 1dot1dot1dot1.cloudflare-dns.com in the field.

  6. Tap Save.

This will set Cloudflare as your private DNS for both Wi-Fi and mobile data connections, helping you bypass DNS-related issues with your ISP.

  1. Solution.
    Use a tunnel to move your point of interconnection to the internet further out, like a Cloudflare tunnel.

My recommendation is to use a VPN though, because it adds another layer of security/authentication and security is the main goal of that product, whereas HA favours convenience over security.


None of the above worked for me (well ok, a different domain technically works but switching back to the original one breaks it again). My DuckDNS addon would always claim that the certificate does not need renewal no matter what I did.

Below is how I fixed my expired certificate. Please be advised that this is a bit more advanced way. If you decide to do this, make sure to back up all files you’re going to touch before touching them so that you have a fallback. I hold no responsibility for any problems that may occur.

With that said, here’s how.

  1. Download Advanced SSH & Web Terminal addon, install it, make sure it’s working and DISABLE protection mode (on Info page of the addon)
  2. Make sure DuckDNS addon is running
  3. Open terminal (using the addon we installed)
  4. Using docker ps -a | grep duck check for container ID of duckdns
  5. Go into the container using docker exec -it -- <container ID from above> "/bin/bash"
  6. Check what domains you have in /data/letsencrypt/ with ls /data/letsencrypt/; You should see a my-domain.duckdns.org directory which, if you list the files inside of it, contains cert-.csr and privkey-.pem files as well as some symbolic links named cert.csr, cert.pem, chain.pem, fullchain.pem and privkey.pem
  7. Rename/move/delete whole directory, for example mv /data/letsencrypt/my-domain.duckdns.org /data/letsencrypt/my-domain.duckdns.org_old
  8. Type exit to exit the container
  9. Now back in HA OS run ls -al /ssl you should see 2 files - fullchain.pem and privkey.pem
  10. Rename/move/delete these files with for example mv /ssl/fullchain.pem /ssl/fullchain.pem_old and mv /ssl/privkey.pem /ssl/privkey.pem_old
  11. Stop and start the DuckDNS addon in HA settings and watch the log; there should be log output showing that the addon is requesting new certificates
[14:20:16] INFO: Starting DuckDNS...
[14:20:18] INFO: Renew certificate for domains: my-domain.duckdns.org and aliases: 
# INFO: Using main config file /data/workdir/config
Processing my-domain.duckdns.org
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting new certificate order from CA...
 + Received 1 authorizations URLs from the CA
 + Handling authorization for my-domain.duckdns.org
 + Found valid authorization for my-domain.duckdns.org
 + 0 pending challenge(s)
 + Requesting certificate...
Warning: Will read cert request from stdin since no -in option is given
 + Checking certificate...
 + Done!
 + Creating fullchain.pem...
 + Done!
 + Checking certificate...
 + Done!
 + Creating fullchain.pem...
 + Done!
 + Done!
  12. Back in the terminal in HA OS run ls -al /ssl and you should see new files fullchain.pem and privkey.pem with a new time and date corresponding to the creation in the logs
  13. Start the NGINX addon and verify that the mobile app is working using the new certificates
  14. Optional - clean up of old things
  15. Using steps 4 and 5, connect to the container and delete the _old directory from /data/letsencrypt
  16. In HA OS delete the _old files in /ssl (steps 9 and 10)