Encrypt Home Assistant With Let’s Encrypt

You’ve made it this far, you’re almost there. Time to secure your Smart-Home devices. This is really easy with Let’s Encrypt . This is a free automated service that provides Free SSL/TLS Certificates. This keeps your traffic safe.

  1. Forward Ports 80 and 443
  2. Lets Encrypt Add On
  3. Forward Port 8123 to 443

Forward Ports 80 and 443

First you’ll need to forward some ports. If you made it this far, then you already forwarded a port to use Duck DNS.

  • Go back to your router’s forwarding page.
  • First, you need to forward port 80 local (or internal) to part 80 external.
  • Next, do the same thing for port 443.
  • These ports are being forwarded in order to allow Let’s Encrypt verify you’re the one requesting the certificates.
  • Port 443 is also the port that will serve up your secure https traffic.

Screen Shot 2017-09-18 at 5.14.16 PM

  • At this point, you’ll likely have a line up similar to mine with the 3 ports we’ve forwarded up to this point. Now you’re all set up to get your security certificate.

Screen Shot 2017-09-18 at 5.15.02 PM

Let’s Encrypt Add-On

Screen Shot 2017-09-18 at 5.08.41 PM

  • You will be required to provide an email address for the certificate.
  • Fill in the email and domains spaces here.
  • Remember to use “”. Screen Shot 2017-09-18 at 5.10.42 PM
  • Save your settings and press Start.
  • Wait a moment and scroll down to the Logs section.
  • You can refresh the log to verify your certificate was obtained successfully.

Screen Shot 2017-09-18 at 5.16.07 PM

  • Now that you have the certificate, you’ll need to add it to your “configuration.yaml” file.

Screen Shot 2017-09-18 at 5.18.38 PM

ALRIGHT! You’ve got a private, secure Smart-Home app that you can control all of your devices from. Right now, you can reach your set up at http://YOURSUBDOMAIN.duckdns.org:8123 Just one more step to remove the :8123 from your address.

Screen Shot 2017-09-18 at 5.29.00 PM

Forward Port 8123 to 443

  • Go back into your forwarding settings.
  • Change your current internal port 8123 to external 8123 to internal port 8123 to external port 443. Screen Shot 2017-09-18 at 8.42.06 PM.png
  • There you go! Now you can go to https://YOURSUBDOMAIN.duckdns.org and see all your stuff!

Screen Shot 2017-09-18 at 5.32.25 PM

  • You can also reach your set-up locally using https://YOURRASPBERRYPI’SIP:8123
  • You may get a warning, like I did in Chrome saying it might be unsafe.
  • You can click advanced and click again to get in. It’s just saying this because the security certificate matches your URL not the Raspberry Pi’s IP address.

Screen Shot 2017-09-18 at 8.45.40 PM

  • Now that you’ve updated your address to https:// remember to update your web app!


  • Now you have a protected Smart-Home set up that you can control, securely from any device!

Now that you’re your set up is complete, you can start to automate your devices. If these guides have been helpful to you , please share them! If you have any questions, please reach out to me in the comments. Thanks for visiting!

25 thoughts on “Encrypt Home Assistant With Let’s Encrypt

  1. Hi, I’m stuck getting a certificate – getting the following error.

    starting version 3.2.2
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Obtaining a new certificate
    Performing the following challenges:
    tls-sni-01 challenge for .duckdns.org
    Waiting for verification…
    Cleaning up challenges
    Failed authorization procedure. .duckdns.org (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Timeout
    – The following errors were reported by the server:
    Domain: .duckdns.org
    Type: connection
    Detail: Timeout
    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

    I can currently access my HASS.io via .duckdns.org:8123, but when I try and use this at the domain in the Lets Encrypt options, I get the following error.

    starting version 3.2.2
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Obtaining a new certificate
    An unexpected error occurred:
    The request message was malformed :: Error creating new authz :: Invalid character in DNS name

    I assume this is to do with the colon…. any suggestions?? I have ports 80, 433 and 8123 all pointing to my Pi’s internal IP.


  2. i got all working so far but im stuck at this one point: i cant reach mysubdomain.duckdns.org if i add the ssl_certificate: /ssl/fullchain.pem
    ssl_key: /ssl/privkey.pem

    i only can reach mysubdomain.duckdns.org:8123 if i remove the ssl stuff above.
    my log shows me this message: Listen IP address not specified, auto-detected address is: 192……
    my ports are: TCP/UDP 8123/443


      1. im not sure what the problem is i can reach the website by using https or http:subdomain.duckdns.org:8123 but i cant reach the same site without the :8123 same for my raspi-ip site. In my router i only can use one port at the same time with the same name and there is no internal or external port only: 1. Port and 2.Port:

        Computer: (here my Raspi IP)
        Port option: (choose between 1 or 2 ports)
        1. Port: (I think this could be the internal port)
        2. Port: (maybe the external port)

        im not sure what the problem is all about, my log is empty only the system crashes if i reboot my hass:io, but only if i use the ssl_ stuff


      2. Try removing the http or https from your base URL, so it’s just subdomain.duckdns.org (keep the :8123) at the end if you’re not forwarding 443 to 8123)

        When you say you can only use one port at the same time with the same name, what do you mean by that? If you’ve already got the SSL certificate from LetsEncrypt, you can turn off the port 80 and 443 forwards, then you can route 8123 to 443.


    1. Correct. The 80 to 80 and 443 to 443 port forwards are only used to set up the certificates. They don’t need to be kept active afterwards. Let’s encrypt uses port 443 to your system and Home Assistant uses port 8123. By forwarding 8123 to 443, you should be able to remove the :8123 from your address.


  3. hey, i can reach my raspi vis https://raspyip:8123 but i cant reach my home assistant via https://mysubdomain.duckdns.org
    this are my current ports:

    both set for my raspi ip and also both had the the both protocol before.

    my log shows me this error: (MainThread) [aiohttp.access] Error in logging

    could it be that i used the wrong ip adress? so that i should use my raspi ip once and otherwise my ip where i get here: http://www.whatsmyip.org/

    if i use https://www.yougetsignal.com with my ip for 443 it shows closed….


    1. If you can reach it at https://raspyip:8123 while on your network, you should be able to reach it at https://mysubdomain.duckdns.org:8123 from outside your network. Does that work?

      If if does, you’re almost there. Just need to figure out how to forward 8123 to 443

      The forwarding should be to your Pi, not your public IP address. What Make and Model is your router? Your forwarding is different than mine. It doesn’t look like you’re forwarding one port to another since it only allows you to connect one port. Consider calling your internet provider for help forwarding one port number to another.


  4. Hello Alex, wonderful guides, and your response to others are very helpful too. I have similar issue to Johnny, I got my certificate successfully, in fact my Let’s Encrypt log looks exactly the same as your guide, but when I add it to my config yaml file, home assistant would not restart… the only way i can get it to restart is to hash tag the SSL certificate and SSL key (or remove them entirely). Any suggestions?
    “non-standard path(s), might not work with crontab installed by your operating system package manager” <– is this line a concern?
    Thanks heaps in advance.


    1. Hmm, I’m not having much luck figuring that one out… It looks like the warning is tied to something like the certs not being in the right place. Are you able to pull up the Error log when restarting? Perhaps consider using the new DuckDNS addon’s (fairly) new built in LetsEncrypt abilities. That way you’re just using a single addon. I haven’t used it yet, but some clarification can be found here: https://home-assistant.io/blog/2017/09/27/effortless-encryption-with-lets-encrypt-and-duckdns/


      1. Thanks so much for your quick help. I did a google search for that “non-standard path” message, and apparently this is the fix https://community.home-assistant.io/t/problem-with-letsencrypt-installation-via-addon/27220/3, I need python3-openssl installed. It continues to say, To do this go to a command prompt on your pi and type
        sudo apt-get install python3-openssl.
        So I went to PuTTY, log in as root, type that line in and press enter, I get -ash: sudo: not found. Should I be typing that elsewhere?
        Might be a stupid question but how do I access my log file?
        Also, read somewhere we need to turn off all addons before running the Let’s Encrypt addon, I didn’t know I had to turn off my addons but it still generated the certificate no issues, but can’t restart home assistant, then I found out I had to turn off all other addons except Let’s Encrypt, so I did that and got what I think is a second certificate, still can’t restart home assistant.
        My last resort is to format my SD card and start completely over again.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s