Encrypt Home Assistant With Let’s Encrypt

You’ve made it this far, you’re almost there. Time to secure your Smart-Home devices. This is really easy with Let’s Encrypt, a free, automated service that issues SSL/TLS certificates, so the traffic to your Home Assistant is encrypted.

  1. Forward Ports 80 and 443
  2. Let’s Encrypt Add-On
  3. Forward Port 8123 to 443

Notice:

This post has been marked as a legacy post and has been flagged to be updated.



Forward Ports 80 and 443

First you’ll need to forward some ports. If you made it this far, then you already forwarded a port to use Duck DNS.

  • Go back to your router’s forwarding page.
  • First, forward local (internal) port 80 to external port 80.
  • Next, do the same thing for port 443.
  • These two ports are forwarded so that Let’s Encrypt can connect to your system and verify that you are the one requesting the certificate.
  • Port 443 is also the port that will serve your secure https traffic.


  • At this point, you’ll likely have a list of forwarding rules similar to mine, with the three ports we’ve forwarded so far. Now you’re all set up to get your security certificate.


Let’s Encrypt Add-On


  • You will be required to provide an email address for the certificate.
  • Fill in the email and domains fields.
  • Remember to wrap the values in double quotes (" ").
  • Save your settings and press Start.
  • Wait a moment and scroll down to the Logs section.
  • You can refresh the log to verify your certificate was obtained successfully.


  • Now that you have the certificate, you’ll need to add it to your “configuration.yaml” file.


https://gist.github.com/smarthomehobby/8fd7eed657d8557a4c8dd00e1fd9b102
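The gist above holds the author’s configuration. As an added example (not the gist itself), this is what the http section of configuration.yaml looks like for a hass.io install of that era after the Let’s Encrypt add-on has run: the add-on writes the certificate chain and private key into the /ssl share, under the file names readers quote in the comments below. YOURSUBDOMAIN is a placeholder for your own DuckDNS name, and base_url is optional.

```yaml
# Added example, not the author's gist: the http section of configuration.yaml
# after the Let’s Encrypt add-on has stored the certificate in the /ssl share.
# YOURSUBDOMAIN is a placeholder for your own DuckDNS hostname.
http:
  # Full certificate chain and private key written by the add-on.
  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem
  # Optional: the address Home Assistant uses when it builds links to itself.
  # Drop the :8123 once you forward external 443 to internal 8123 in the last step.
  base_url: YOURSUBDOMAIN.duckdns.org:8123
```

Restart Home Assistant after saving. Two things to keep in mind: once ssl_certificate and ssl_key are set, port 8123 answers only https, so a plain http://… address stops working (the reason several commenters below could no longer reach their instance after adding these lines); and a Let’s Encrypt certificate is valid for 90 days, so the add-on needs ports 80 and 443 reachable again each time it renews.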

ALRIGHT! You’ve got a private, secure Smart-Home app from which you can control all of your devices. Right now, you can reach your setup at https://YOURSUBDOMAIN.duckdns.org:8123. Just one more step to remove the :8123 from your address.


Forward Port 8123 to 443

  • Go back into your forwarding settings.
  • Change your current rule, which maps internal port 8123 to external port 8123, so that it maps internal port 8123 to external port 443.
  • There you go! Now you can go to https://YOURSUBDOMAIN.duckdns.org and see all your stuff!


  • You can also reach your setup locally using https://YOUR-RASPBERRY-PI-IP:8123
  • You may get a warning, like I did in Chrome, saying it might be unsafe.
  • You can click Advanced and click again to get in. The browser warns only because the certificate was issued for your DuckDNS hostname, not for the Raspberry Pi’s IP address.


  • Now that you’ve updated your address to https://, remember to update your web app!
  • Now you have a protected Smart-Home setup that you can control securely from any device!

Now that your setup is complete, you can start to automate your devices. If these guides have been helpful to you, please share them! If you have any questions, please reach out to me in the comments. Thanks for visiting!

25 thoughts on “Encrypt Home Assistant With Let’s Encrypt”

  • October 3, 2017 at 3:14 pm

    Hi, I’m stuck getting a certificate – getting the following error.

    starting version 3.2.2
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Obtaining a new certificate
    Performing the following challenges:
    tls-sni-01 challenge for .duckdns.org
    Waiting for verification…
    Cleaning up challenges
    Failed authorization procedure. .duckdns.org (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Timeout
    IMPORTANT NOTES:
    – The following errors were reported by the server:
    Domain: .duckdns.org
    Type: connection
    Detail: Timeout
    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

    I can currently access my HASS.io via .duckdns.org:8123, but when I try and use this at the domain in the Lets Encrypt options, I get the following error.

    starting version 3.2.2
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Obtaining a new certificate
    An unexpected error occurred:
    The request message was malformed :: Error creating new authz :: Invalid character in DNS name

    I assume this is to do with the colon…. any suggestions?? I have ports 80, 433 and 8123 all pointing to my Pi’s internal IP.

    • October 3, 2017 at 4:56 pm

      Have you tried removing the :8123 from the Let’s Encrypt add-on options? Try using just the base URL without the port since the add-on uses ports 80 and 443. Also, double check you used 443, not 433.

  • October 3, 2017 at 3:16 pm

    Just to point out – I am writing my subdomain in the above as (mydomain).duckdns.org – it’s been removed for some reason.

  • October 19, 2017 at 12:40 pm

    I got it all working so far but I’m stuck at this one point: I can’t reach mysubdomain.duckdns.org if I add
    ssl_certificate: /ssl/fullchain.pem
    ssl_key: /ssl/privkey.pem

    I can only reach mysubdomain.duckdns.org:8123 if I remove the ssl stuff above.
    My log shows me this message: Listen IP address not specified, auto-detected address is: 192……
    My ports are: TCP/UDP 8123/443

      • October 19, 2017 at 1:48 pm

        I’m not sure what the problem is. I can reach the website by using https or http:subdomain.duckdns.org:8123 but I can’t reach the same site without the :8123, same for my raspi-ip site. In my router I can only use one port at the same time with the same name, and there is no internal or external port, only: 1. Port and 2. Port:

        Computer: (here my Raspi IP)
        Port option: (choose between 1 or 2 ports)
        1. Port: (I think this could be the internal port)
        Protocol:
        2. Port: (maybe the external port)
        Protocol:

        I’m not sure what the problem is all about, my log is empty, only the system crashes if I reboot my hass:io, but only if I use the ssl_ stuff.

        • October 19, 2017 at 2:19 pm

          Try removing the http or https from your base URL, so it’s just subdomain.duckdns.org (keep the :8123 at the end if you’re not forwarding 443 to 8123).

          When you say you can only use one port at the same time with the same name, what do you mean by that? If you’ve already got the SSL certificate from LetsEncrypt, you can turn off the port 80 and 443 forwards, then you can route 8123 to 443.

      • October 19, 2017 at 1:49 pm

        That’s a great question! It’s blacked out in the guide. If you can, try both ways. I can check my own configuration at home when I get home later today.

  • October 19, 2017 at 2:48 pm

    So you mean I set up port 80 and 443, then I remove both and make one 8123 and one 443?

    • October 19, 2017 at 2:53 pm

      Correct. The 80 to 80 and 443 to 443 port forwards are only used to set up the certificates. They don’t need to be kept active afterwards. Let’s Encrypt uses port 443 to your system and Home Assistant uses port 8123. By forwarding 8123 to 443, you should be able to remove the :8123 from your address.

  • October 20, 2017 at 3:41 am

    Hey, I can reach my raspi via https://raspyip:8123 but I can’t reach my home assistant via https://mysubdomain.duckdns.org
    These are my current ports:
    https://i.imgur.com/r3XVG3x.png
    Both set for my raspi IP, and also both had the Both protocol before.

    My log shows me this error: (MainThread) [aiohttp.access] Error in logging

    Could it be that I used the wrong IP address? So that I should use my raspi IP once and otherwise my IP where I get here: http://www.whatsmyip.org/

    If I use https://www.yougetsignal.com with my IP for 443 it shows closed….

    • October 20, 2017 at 6:54 am

      If you can reach it at https://raspyip:8123 while on your network, you should be able to reach it at https://mysubdomain.duckdns.org:8123 from outside your network. Does that work?

      If it does, you’re almost there. Just need to figure out how to forward 8123 to 443.

      The forwarding should be to your Pi, not your public IP address. What Make and Model is your router? Your forwarding is different than mine. It doesn’t look like you’re forwarding one port to another since it only allows you to connect one port. Consider calling your internet provider for help forwarding one port number to another.

  • October 20, 2017 at 12:59 pm

    I think it should work just fine. If you end up figuring out the forwarding on your router, you’ll just need to go in and remove the :8123 from your skill. Otherwise, it should all work fine.

  • January 24, 2018 at 6:09 am

    Hello Alex, wonderful guides, and your responses to others are very helpful too. I have a similar issue to Johnny. I got my certificate successfully, in fact my Let’s Encrypt log looks exactly the same as your guide, but when I add it to my config yaml file, home assistant would not restart… the only way I can get it to restart is to hash tag the SSL certificate and SSL key (or remove them entirely). Any suggestions?
    “non-standard path(s), might not work with crontab installed by your operating system package manager” <– is this line a concern?
    Thanks heaps in advance.

    • January 24, 2018 at 10:14 am

      Hmm, I’m not having much luck figuring that one out… It looks like the warning is tied to something like the certs not being in the right place. Are you able to pull up the Error log when restarting? Perhaps consider using the new DuckDNS addon’s (fairly) new built in LetsEncrypt abilities. That way you’re just using a single addon. I haven’t used it yet, but some clarification can be found here: https://home-assistant.io/blog/2017/09/27/effortless-encryption-with-lets-encrypt-and-duckdns/

      • January 25, 2018 at 4:39 am

        Thanks so much for your quick help. I did a Google search for that “non-standard path” message, and apparently this is the fix https://community.home-assistant.io/t/problem-with-letsencrypt-installation-via-addon/27220/3, I need python3-openssl installed. It continues to say: to do this, go to a command prompt on your pi and type
        sudo apt-get install python3-openssl.
        So I went to PuTTY, log in as root, type that line in and press enter, I get -ash: sudo: not found. Should I be typing that elsewhere?
        Might be a stupid question but how do I access my log file?
        Also, read somewhere we need to turn off all addons before running the Let’s Encrypt addon, I didn’t know I had to turn off my addons but it still generated the certificate no issues, but can’t restart home assistant, then I found out I had to turn off all other addons except Let’s Encrypt, so I did that and got what I think is a second certificate, still can’t restart home assistant.
        My last resort is to format my SD card and start completely over again.

