403 error in Home Assistant add-on

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: ko0y.org

I ran this command: Let's encrypt add-on to Home Assistant

It produced this output: error 403

My web server is (include version): hass.io

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

I have a static ip and domain registered in Google domains. I have a port forwarded in my router and can access HA externally with HTTP. I installed the Let’s Encrypt add-on with this configuration:

Then I used Google to create the credentials file. I renamed that file google.json and copied it to the share folder in HA. Then I started the add-on, and got this error in the log:

s6-rc: info: service s6rc-oneshot-runner: starting
s6-rc: info: service s6rc-oneshot-runner successfully started
s6-rc: info: service fix-attrs: starting
s6-rc: info: service fix-attrs successfully started
s6-rc: info: service legacy-cont-init: starting
cont-init: info: running /etc/cont-init.d/file-structure.sh
cont-init: info: /etc/cont-init.d/file-structure.sh exited 0
s6-rc: info: service legacy-cont-init successfully started
s6-rc: info: service legacy-services: starting
services-up: info: copying legacy longrun lets-encrypt (no readiness notification)
s6-rc: info: service legacy-services successfully started
[17:14:06] INFO: Selected DNS Provider: dns-google
[17:14:06] INFO: Use propagation seconds: 60
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for *.ko0y.org
Encountered 403 Forbidden with reason "forbidden"
Encountered 403 Forbidden with reason "forbidden"
Error finding zone. Skipping cleanup.
Encountered error finding managed zone: <HttpError 403 when requesting https://dns.googleapis.com/dns/v1/projects/verdant-petal-381321/managedZones?dnsName=ko0y.org.&alt=json returned "Forbidden". Details: "[{'message': 'Forbidden', 'domain': 'global', 'reason': 'forbidden'}]">
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
s6-rc: info: service legacy-services: stopping
s6-rc: info: service legacy-services successfully stopped
s6-rc: info: service legacy-cont-init: stopping
s6-rc: info: service legacy-cont-init successfully stopped
s6-rc: info: service fix-attrs: stopping
s6-rc: info: service fix-attrs successfully stopped
s6-rc: info: service s6rc-oneshot-runner: stopping
s6-rc: info: service s6rc-oneshot-runner successfully stopped

I've missed something here but have little idea what it is. Any help is appreciated.

Hi @modernhistorian, and welcome to the LE community forum.

I don't think that add-on was written by LE, nor is it supported by this forum.

1 Like

Home Assistant also has its own community forum here https://community.home-assistant.io/

2 Likes

Maybe I am pointing out the obvious, but the Home Assistant client is trying to update your Google Cloud DNS records and failing.

A DNS Challenge is required when trying to get a wildcard cert.

This DNS failure isn't really a Let's Encrypt issue. It's with the Home Assistant client interacting with Google DNS. You might try, well, googling that error or, as Bruce suggested, a Home Assistant forum. Or maybe searching this forum, as there are some threads dealing with Home Assistant. Maybe a prior thread also ran into this Google DNS problem.

3 Likes
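The reply above locates the failure at the DNS provider's API rather than at Let's Encrypt. As an added example (not part of the original thread or of the add-on's code), this Python sketch triages the log lines quoted earlier to show which host returned the 403 and for which project and zone; the function name `triage` and its output fields are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Lines copied from the add-on log quoted in this thread.
LOG = '''\
[17:14:06] INFO: Selected DNS Provider: dns-google
Requesting a certificate for *.ko0y.org
Encountered 403 Forbidden with reason "forbidden"
Error finding zone. Skipping cleanup.
Encountered error finding managed zone: <HttpError 403 when requesting https://dns.googleapis.com/dns/v1/projects/verdant-petal-381321/managedZones?dnsName=ko0y.org.&alt=json returned "Forbidden". Details: "[{'message': 'Forbidden', 'domain': 'global', 'reason': 'forbidden'}]">
'''

HTTP_ERR = re.compile(r"<HttpError (\d{3}) when requesting (\S+) returned")
REQUESTED = re.compile(r"^Requesting a certificate for (.+)$", re.M)
PROJECT = re.compile(r"/projects/([^/]+)/")

def triage(log: str) -> dict:
    """Summarise which service rejected a request, and for what resource."""
    names = []
    m = REQUESTED.search(log)
    if m:
        # Assumption: multiple names are joined with commas and/or " and ".
        names = [n.strip() for n in re.split(r",| and ", m.group(1)) if n.strip()]
    result = {
        "names": names,
        # Wildcard names can only be validated with a DNS challenge.
        "wildcard": any(n.startswith("*.") for n in names),
        "failures": [],
    }
    for status, url in HTTP_ERR.findall(log):
        parts = urlsplit(url)
        proj = PROJECT.search(parts.path)
        query = parse_qs(parts.query)
        on_provider = parts.hostname == "dns.googleapis.com"
        result["failures"].append({
            "status": int(status),
            "host": parts.hostname,
            "project": proj.group(1) if proj else None,
            "zone_lookup": query.get("dnsName", [None])[0],
            # The zone lookup runs before any TXT record is created, so a
            # rejection here occurs before the CA validates anything.
            "stage": "dns-provider-api" if on_provider else "other",
        })
    return result

if __name__ == "__main__":
    print(triage(LOG))
```

A `dns-provider-api` failure points the investigation at the credentials file and the permissions of the account it belongs to on the named project, not at the certificate authority.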

Q#1: Do you need a wildcard cert?
Q#2: Why are you including the domain "home-assistant.io" in the cert?

3 Likes

Let’s Encrypt offers Domain Validation (DV) certificates.

Thus you need to own and have control over the Domain Name (or have a subdomain under an existing domain name, for example pointed to your server by your employer or school) you wish to obtain a certificate for, from an ICANN Accredited Registrar.

For Let’s Encrypt to issue a Domain Validation (DV) certificate, Domain Validation must happen, and it is a CA/Browser Forum Baseline Requirement.

1 Like

As an aside, you can install Tailscale in Home Assistant, then use that for remote access (on phones etc.). That way there's no direct public access to your instance.

2 Likes

Thanks for the many replies. I followed all the suggested links, some of which led first to the HA community then back to this one! I tried out several approaches on the Google Cloud DNS site, to no avail. Finally, I went to the site referenced in the error, https://dns.googleapis.com/dns/v1/projects/verdant-petal-381321/managedZones?dnsName=ko0y.org.&alt=json and got a 401 error. I went to the page that error referenced, "Integrating Google Sign-In into your web app | Authentication | Google Developers", and learned that JavaScript is being deprecated as a sign-in method. That may explain why the add-on doesn't work. I have reported this as a bug to the HA developers. Thanks again.

1 Like

The addon is just certbot with a GUI to invoke it

4 Likes
