LetsEncrypt with Home Assistant
Many people want to have remote access to their Home Assistant system, whether for an API (e.g. Google Assistant), or simply to be able to check on their home while away.
At its simplest you need a hostname that resolves to your external (WAN) IP address, and for those with a dynamic IP (which is most people) the DuckDNS component solves that. But that doesn’t enable encryption (aka HTTPS). If you’re on Hass.io then it already has an add-on to handle it all, but everybody else needs to solve that bit manually.
Setting up the certificate
Fortunately LetsEncrypt makes that easy through their certbot tool. Unfortunately there are few guides on using it with Home Assistant, and people get stuck. With that in mind, let’s begin, using the pi account for all the commands, not the homeassistant account:
- Forward port 80 on your router to port 80 on your Home Assistant system. This one is for certbot; you’ll also need to forward another port for HTTPS access
- Install certbot
- Request a certificate with
  $ sudo certbot-auto certonly --standalone --preferred-challenges http -d example.duckdns.org
  (replace example.duckdns.org with your actual domain)
- Configure Home Assistant’s http component with the certificate locations
- Forward the port for HTTPS access (you can use 8123, or 443, or anything above 1024 that you’re not already using)
- Test it out from outside your network
Now, you might run into problems. Sometimes the permissions on some of the letsencrypt folders don’t get set correctly. The giveaway is an error that includes Invalid config for [http]: not a file for dictionary value @ data['http']['ssl_certificate']. If that happens, try the following command:
$ sudo chmod a+x /etc/letsencrypt/live /etc/letsencrypt/keys /etc/letsencrypt/archive
Then try again.
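As an added example (not from the original guide), this shell check covers the permission problem above: it reports which directory on the way to the certificate stops a non-root account such as homeassistant, and warns if privkey.pem is readable by every local account, which matters once the directories have been made traversable. It assumes the certbot directories are owned by root and that example.duckdns.org stands in for your domain; the function names are made up for this example.

```sh
#!/bin/sh
# Added example, not part of the original guide. Assumes the certbot
# directories are owned by root and the service account is neither owner nor group.
# Usage: sudo sh certperms.sh /etc/letsencrypt/live/example.duckdns.org
# "Other" permission triplet of a path (e.g. "r-x"), following symlinks.
other_perms() {
    ls -ldL "$1" | cut -c8-10
}

# Print the directory nearest the root, between $2 (default /) and file $1,
# that "other" users cannot traverse. Prints an empty line if there is none.
first_blocked_dir() {
    dir=$(dirname "$1")
    stop=${2:-/}
    blocked=""
    while [ "$dir" != "$stop" ] && [ "$dir" != "/" ] && [ "$dir" != "." ]; do
        case $(other_perms "$dir") in
            ??x|??t) ;;          # traversable by everyone
            *) blocked=$dir ;;   # remember it, keep walking towards the root
        esac
        dir=$(dirname "$dir")
    done
    printf '%s\n' "$blocked"
}

# Succeeds if every local account can read the file (unwanted for privkey.pem).
world_readable() {
    case $(other_perms "$1") in
        r??) return 0 ;;
        *) return 1 ;;
    esac
}

# Hypothetical helper: check both files in one live/<domain> directory.
check_cert_dir() {
    for name in fullchain.pem privkey.pem; do
        link=$1/$name
        real=$(readlink -f "$link")   # live/ entries are symlinks into archive/
        for p in "$link" "$real"; do
            b=$(first_blocked_dir "$p")
            [ -z "$b" ] || echo "blocked: $b (on the way to $p)"
        done
    done
    if world_readable "$1/privkey.pem"; then
        echo "warning: $1/privkey.pem is readable by every local account"
    fi
}

if [ $# -gt 0 ]; then check_cert_dir "$1"; fi
```

Run it before and after the chmod: the "blocked" line should disappear, and the warning tells you whether the key file's own mode is still protecting it.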
Renewing the certificate
To renew your certificate, create a file called /etc/cron.daily/certbot and put the following in it:
#!/bin/sh
/usr/local/bin/certbot-auto renew
Home Assistant will detect the updated certificate automatically and start using it; you don’t need to restart. Once you’ve created the file, you’ll need to run:
$ sudo chmod a+rx /etc/cron.daily/certbot
It’s possible that certbot-auto won’t be installed in /usr/local/bin - you can check that by running:
$ which certbot-auto
If it is installed somewhere else, use the path that command prints in the script above.