Recently I needed to update my Let’s Encrypt certificates for my Home Assistant version supervisor as they had expired. Because of the expired date I could no longer login using HTTPS.
Updating Let’s Encrypt certificates not working Home Assistant with DuckDns. Here’s how I fixed it. This of course can or maybe be different for you depending on how your Home Assistant is set-up on your PC. But hopefully it will be of use to you.
For info I run a standard Debian Linux setup with HA installed using the below installation method. I use Duck DNS for my domain address. It’s free and works correctly.
https://community.home-assistant.io/t/installing-home-assistant-supervised-using-debian-12/200253
So this version of HA runs in a simple docker setup as per the installation instructions above in the link.
As this is a HA Supervisor setup and I use the add-on Duck DNS to make dealing with Let’s Encryt certificates easier. (or so it seems …..) In it’s settings you just add the Domain, and the Token from Duck DNS and change accept_terms: false to true.
New certificates. OK says me. No real problem. I know how to get those.
Firstly in terminal (I did a dry run first to check)
sudo certbot renew –dry-run
I had a message saying success : The following simulated renewals succeeded
/etc/letsencrypt/live/mydomain.duckdns.org/fullchain.pem (success)
Lets go…
Secondly in terminal
sudo certbot renew
All went well. Or so I thought … (Congratulations, all renewals succeeded:
/etc/letsencrypt/live/mydomain.duckdns.org/fullchain.pem (success))
And so I restarted Home Assistant. But only to get the same message again no HTTPS. WTF that should have worked.
After many hours of playing around, double checking my settings etc. I finally guessed that the new certificates were not in their right place. And therefore were not detected by Home Assistant. Doh…
Also when checking the logs from the add-on Duck DNS I noticed that they were showing the following error
ERROR: deploy_challenge hook returned with non-zero exit code
Google here I come, but buggered if I could find anything useful about this online.
To cut a long story short
I finally realised that the HA (running inside the Supervisor-managed environment) expects certificates to be at the path : /ssl/
But mine were downloaded to the path /etc/letsencrypt/live/ so not /ssl/
And in my system they are stored/used at
/usr/share/hassio/ssl/
So I ran these two following commands that would copy the two certificates to where they needed to be.
sudo cp /etc/letsencrypt/live/mydomain.duckdns.org/fullchain.pem /usr/share/hassio/ssl/fullchain.pem
sudo cp /etc/letsencrypt/live/mydomain.duckdns.org/privkey.pem /usr/share/hassio/ssl/privkey.pem
This copying them from where they were originally downloaded to. To where they needed to be.
/etc/letsencrypt/live/mydomain.duckdns.org/fullchain.pem TO /usr/share/hassio/ssl/fullchain.pem
Basically the path /usr/share/hassio/ssl/ is a symlink to /ssl/ or is it the other way around ? that I am unsure ๐
Then if need be just restart the add-on Duck DNS. The new certificates are automatically copied to
/ssl/ There Home Assistant picked them up after you restarted it
Check the Let’s Encrypt dates :
Running this in terminal, gets the data, showing the start and end dates for the certificate. Obviously you change mydomain.duckdns.org for your address.
openssl s_client -connect mydomain.duckdns.org:8123 -servername mydomain.duckdns.org | openssl x509 -noout -dates
It should return the following :
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let’s Encrypt, CN = E6
verify return:1
depth=0 CN = mydomain.duckdns.org
verify return:1
notBefore=Jul 15 15:30:30 2025 GMT
notAfter=Oct 13 15:30:29 2025 GMT
Explication :
notBefore=Jul 15 15:30:30 2025 GMT
This is the date and time when the certificate became valid (July 15, 2025, at 15:30:30 UTC).
notAfter=Oct 13 15:30:29 2025 GMT
This is the date and time when the certificate expired (October 13, 2025, at 15:30:29 UTC). so as I wrote this in July, it clearly show me that my certificate is valid for three months.
Finally the error message in the add-on Duck DNS logs had disappeared. Maybe it just meant “I can’t see the certificates” Shame it wasn’t more explicit. I might have sussed out the problem quicker.
Updating Let’s Encrypt certificates not working Home Assistant with DuckDns is no more.. Yeah ….
A dopy error, all because updating Let’s Encrypt certificates arenโt downloaded where Home Assistant needs them and that wasted loads of my time