Encrypt Home Assistant With Let’s Encrypt
You’ve made it this far; you’re almost there. Time to secure your Smart-Home devices. This is really easy with Let’s Encrypt, a free, automated service that provides SSL/TLS certificates. This keeps your traffic safe.
- Forward Ports 80 and 443
- Lets Encrypt Add On
- Forward Port 8123 to 443
Notice:
This post has been marked as a legacy post and has been flagged to be updated.
Forward Ports 80 and 443
First you’ll need to forward some ports. If you made it this far, then you already forwarded a port to use Duck DNS.
- Go back to your router’s forwarding page.
- First, you need to forward port 80 local (or internal) to port 80 external.
- Next, do the same thing for port 443.
- These ports are being forwarded in order to allow Let’s Encrypt to verify you’re the one requesting the certificates.
- Port 443 is also the port that will serve up your secure https traffic.
- At this point, you’ll likely have a line-up similar to mine with the 3 ports we’ve forwarded up to this point. Now you’re all set up to get your security certificate.
Let’s Encrypt Add-On
- Go to the Add-Ons menu under the Hass.io tab and install the Let’s Encrypt add-on.
- You will be required to provide an email address for the certificate.
- Fill in the email and domains spaces here.
- Remember to use “”.
- Save your settings and press Start.
- Wait a moment and scroll down to the Logs section.
- You can refresh the log to verify your certificate was obtained successfully.
- Now that you have the certificate, you’ll need to add it to your “configuration.yaml” file.
https://gist.github.com/smarthomehobby/8fd7eed657d8557a4c8dd00e1fd9b102
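As an added example (not part of the original guide or the add-on itself), here is a small Python helper that classifies the add-on’s log output into the two failure modes reported in the comments below (the validation timeout caused by missing 80/443 forwards, and a port or scheme left in the domain name) and strips a URL down to the bare hostname the domains option expects. The sample log lines and the example.duckdns.org name are constructed; the certbot “Congratulations” success line is assumed to be passed through by the add-on.

```python
import re

# Each rule: (diagnosis key, regex over the add-on log, the fix this guide gives).
RULES = [
    ("port_in_domain",
     re.compile(r"Invalid character in DNS name"),
     "The domains option must be a bare hostname such as YOURSUBDOMAIN.duckdns.org: "
     "drop any ':8123' suffix and any http:// or https:// prefix."),
    ("validation_unreachable",
     re.compile(r"urn:acme:error:connection|Type:\s*connection|Detail:\s*Timeout"),
     "Let's Encrypt could not connect back to you: forward external 80 -> internal 80 and "
     "external 443 -> internal 443 (not 433) to the Pi's LAN address, and confirm the "
     "DuckDNS A record shows your current public IP."),
    ("issued",
     # certbot's standard success line (assumption: the add-on prints it unchanged)
     re.compile(r"Congratulations! Your certificate and chain have been saved"),
     "Certificate obtained: add ssl_certificate: /ssl/fullchain.pem and "
     "ssl_key: /ssl/privkey.pem under http: in configuration.yaml, then restart."),
]


def diagnose(log_text: str) -> list[tuple[str, str]]:
    """Return (diagnosis, advice) pairs for every rule that matches the log text."""
    return [(key, advice) for key, pattern, advice in RULES if pattern.search(log_text)]


def bare_hostname(value: str) -> str:
    """Strip a scheme, path and port so the value is usable in the add-on's domains list."""
    value = re.sub(r"^[a-z]+://", "", value.strip(), flags=re.I)
    return value.split("/")[0].split(":")[0]


# Constructed sample logs mirroring the two failures quoted in the comments on this post.
TIMEOUT_LOG = """Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for example.duckdns.org
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. example.duckdns.org (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Timeout
"""
BAD_DOMAIN_LOG = """Obtaining a new certificate
An unexpected error occurred:
The request message was malformed :: Error creating new authz :: Invalid character in DNS name
"""

if __name__ == "__main__":
    for name, log in (("timeout", TIMEOUT_LOG), ("bad domain", BAD_DOMAIN_LOG)):
        for key, advice in diagnose(log):
            print(f"{name}: {key}\n  {advice}")
    print(bare_hostname("https://mysubdomain.duckdns.org:8123"))
```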
ALRIGHT! You’ve got a private, secure Smart-Home app that you can control all of your devices from. Right now, you can reach your setup at http://YOURSUBDOMAIN.duckdns.org:8123. Just one more step to remove the :8123 from your address.
Forward Port 8123 to 443
- Go back into your forwarding settings.
- Change your current forward (internal port 8123 to external port 8123) so that internal port 8123 maps to external port 443.
- There you go! Now you can go to https://YOURSUBDOMAIN.duckdns.org and see all your stuff!
- You can also reach your setup locally using https://YOURRASPBERRYPI’SIP:8123
- You may get a warning, like I did in Chrome saying it might be unsafe.
- You can click Advanced and click again to get in. The browser says this because the security certificate matches your domain name, not the Raspberry Pi’s IP address.
- Now that you’ve updated your address to https:// remember to update your web app!
- Now you have a protected Smart-Home setup that you can control securely from any device!
Now that your setup is complete, you can start to automate your devices. If these guides have been helpful to you, please share them! If you have any questions, please reach out to me in the comments. Thanks for visiting!
Hi, I’m stuck getting a certificate – getting the following error.
starting version 3.2.2
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for .duckdns.org
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. .duckdns.org (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Timeout
IMPORTANT NOTES:
– The following errors were reported by the server:
Domain: .duckdns.org
Type: connection
Detail: Timeout
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you’re using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
I can currently access my HASS.io via .duckdns.org:8123, but when I try and use this as the domain in the Let’s Encrypt options, I get the following error.
starting version 3.2.2
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
An unexpected error occurred:
The request message was malformed :: Error creating new authz :: Invalid character in DNS name
I assume this is to do with the colon…. any suggestions?? I have ports 80, 433 and 8123 all pointing to my Pi’s internal IP.
Have you tried removing the :8123 from the Let’s Encrypt add-on options? Try using just the base URL without the port since the add-on uses ports 80 and 443. Also, double check you used 443, not 433.
Just to point out – I am writing my subdomain in the above as (mydomain).duckdyn.org – it’s been removed for some reason.
I assume for privacy reasons. I don’t need to know your specific address.
I got it all working so far, but I’m stuck at this one point: I can’t reach mysubdomain.duckdns.org if I add the ssl_certificate: /ssl/fullchain.pem
ssl_key: /ssl/privkey.pem
I can only reach mysubdomain.duckdns.org:8123 if I remove the SSL stuff above.
My log shows me this message: Listen IP address not specified, auto-detected address is: 192……
My ports are: TCP/UDP 8123/443
If you have encryption turned on and have your port 8123 forwarded to 443 you should be able to reach it at https://YOURSUBDOMAIN.duckdns.org
Did you switch from using http to https?
base_url: https://mysubdomain.duckdns.org:8123 or with http?
I’m not sure what the problem is. I can reach the website by using https or http:subdomain.duckdns.org:8123, but I can’t reach the same site without the :8123; same for my Raspi IP site. In my router I can only use one port at the same time with the same name, and there is no internal or external port, only: 1. Port and 2. Port:
Computer: (here my Raspi IP)
Port option: (choose between 1 or 2 ports)
1. Port: (I think this could be the internal port)
Protocol:
2. Port: (maybe the external port)
Protocol:
I’m not sure what the problem is all about. My log is empty; only the system crashes if I reboot my Hass.io, but only if I use the ssl_ stuff.
Try removing the http or https from your base URL, so it’s just subdomain.duckdns.org (keep the :8123 at the end if you’re not forwarding 443 to 8123).
When you say you can only use one port at the same time with the same name, what do you mean by that? If you’ve already got the SSL certificate from LetsEncrypt, you can turn off the port 80 and 443 forwards, then you can route 8123 to 443.
That’s a great question! It’s blacked out in the guide. If you can, try both ways. I can check my own configuration at home when I get home later today.
So you mean I set up port 80 and 443, then I remove both and make one 8123 and one 443?
Correct. The 80 to 80 and 443 to 443 port forwards are only used to set up the certificates. They don’t need to be kept active afterwards. Let’s Encrypt uses port 443 to your system and Home Assistant uses port 8123. By forwarding 8123 to 443, you should be able to remove the :8123 from your address.
Hey, I can reach my Raspi via https://raspyip:8123 but I can’t reach my Home Assistant via https://mysubdomain.duckdns.org
These are my current ports:
https://i.imgur.com/r3XVG3x.png
Both are set for my Raspi IP and also both had the “both” protocol before.
My log shows me this error: (MainThread) [aiohttp.access] Error in logging
Could it be that I used the wrong IP address? So that I should use my Raspi IP once and otherwise my IP that I get here: http://www.whatsmyip.org/
If I use https://www.yougetsignal.com with my IP for 443 it shows closed….
If you can reach it at https://raspyip:8123 while on your network, you should be able to reach it at https://mysubdomain.duckdns.org:8123 from outside your network. Does that work?
If it does, you’re almost there. You just need to figure out how to forward 8123 to 443.
The forwarding should be to your Pi, not your public IP address. What Make and Model is your router? Your forwarding is different than mine. It doesn’t look like you’re forwarding one port to another since it only allows you to connect one port. Consider calling your internet provider for help forwarding one port number to another.
https://mysubdomain.duckdns.org:8123 – yes, I can reach it. My router: O2 Box 6431
https://i.imgur.com/N7495O9.png
Well, how could this work?
Great! So that means your encryption is working! You don’t need to forward 8123 to 443 for encryption to work. All the forwarding does is tell the browser to look at port 8123 so you don’t have to add it to your URL.
I found this video, but I’m up against a language barrier here. Is this similar to your router? It may be helpful https://www.youtube.com/watch?v=Pvf-tlu7VgE
Btw, can I use https://mysubdomain.duckdns.org:8123 for the custom Amazon skill?
I think it should work just fine. If you end up figuring out the forwarding on your router, you’ll just need to go in and remove the :8123 from your skill. Otherwise, it should all work fine.
Hello Alex, wonderful guides, and your responses to others are very helpful too. I have a similar issue to Johnny. I got my certificate successfully; in fact my Let’s Encrypt log looks exactly the same as your guide, but when I add it to my config yaml file, Home Assistant would not restart… the only way I can get it to restart is to hash tag the SSL certificate and SSL key (or remove them entirely). Any suggestions?
“non-standard path(s), might not work with crontab installed by your operating system package manager” <– is this line a concern?
Thanks heaps in advance.
Hmm, I’m not having much luck figuring that one out… It looks like the warning is tied to something like the certs not being in the right place. Are you able to pull up the Error log when restarting? Perhaps consider using the new DuckDNS addon’s (fairly) new built in LetsEncrypt abilities. That way you’re just using a single addon. I haven’t used it yet, but some clarification can be found here: https://home-assistant.io/blog/2017/09/27/effortless-encryption-with-lets-encrypt-and-duckdns/
Thanks so much for your quick help. I did a Google search for that “non-standard path” message, and apparently this is the fix https://community.home-assistant.io/t/problem-with-letsencrypt-installation-via-addon/27220/3, I need python3-openssl installed. It continues to say: To do this, go to a command prompt on your Pi and type
sudo apt-get install python3-openssl.
So I went to PuTTY, logged in as root, typed that line in and pressed enter, and I get -ash: sudo: not found. Should I be typing that elsewhere?
Might be a stupid question but how do I access my log file?
Also, I read somewhere we need to turn off all add-ons before running the Let’s Encrypt add-on. I didn’t know I had to turn off my add-ons, but it still generated the certificate with no issues; I just can’t restart Home Assistant. Then I found out I had to turn off all other add-ons except Let’s Encrypt, so I did that and got what I think is a second certificate, and I still can’t restart Home Assistant.
My last resort is to format my SD card and start completely over again.