Sonos and Let's Encrypt certificates

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g., so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: - use to run homeassistant securely.

I ran this command:
I ran a service to run a tts test which produces an mp3 file stored in a folder inside my homeassistant and while in other media devices the service runs fine (for example on any chromecast device) it never runs on my Sonos. Produciing:
It produced this output: "the file ‘xxxxx.mp3’ couldn’t be played - the connection to was lost.

My web server is (include version):Inside my synology DS216+, I use docker for HA

The operating system my web server runs on is (include version):DS6.xx (latest)

My hosting provider, if applicable, is: not applicable (synology)

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):synology and home assistant 0.60 with latest version of docker.

My certificate works fine to access my home assistant site. But my issue is with Sonos as it seems Sonos does not validate Let’s Encrypt certificates as it is not in their CA validated list. And the thing is when I call a TTS service, to test this functionality, the mp3 file is correctly created and stored and if I send it to other media players like Chromecast, it plays fine. However, if I send it to a Sonos I get the message: “file xxxxx.mp3 couldn´t be played - connection with was lost” and from github it seems that is due to the let’s encrypt certificate. Could you please help me making it work as it should??. Thanks in advance.

To me, this sounds like something only Sonos can fix. Is weird though, because the DST root X3 is widely accepted as a valid CA root certificate.

Hmm, seems the DST root CA X3 is included: Signin
So that shouldn't be the issue.

Thank you very much for your answer. I looked for it here:
I didn’t know Let’sEncrypt certificates were ‘DST root X3 type’ and hence I thought it was not listed.
So, that probes I was wrong, my apologies for my ignorance in the subject. Now, I still have the problem and no idea how to solve it. I indeed have asked sonos support why was this happenning but I still have no answer.
Anyway, thanks again and if someone could have any idea of what could be happening in my setup, please, let me know.

OK, now I would like to ask you because I am not sure of how to do this: I’ve been told that even if Let’s Encrypt is DST root X3 type, Sonos needs to verify the full chain or route of the certificates.
My site for Home assistant is a DDNS site from synology: and I got from my Synology the Let’s Encrypt certificate.
So from Let’s Encrypt I’ve got these files:

  • cert.pem
  • chain.pem
  • privkey.pem
    So I was thinking that joining in one alone certificate the cert.pem and chain.pem content I would be able to accomplish what Sonos validation needs. So I did it this way:
    Content of file cert.pem from Lets Encrypt
    -----END CERTIFICATE-----
    Content of file chain.pem form Lets Encrypt
    -----END CERTIFICATE-----
    If I save it as a .cer file and open it, it is a valid certificate and shows this certification route:
    DST Root CA X3–>LetsEncrypt Authority X3 --> (seems what I wanted to get for the Sonos problem)
    However, my problem now is that if I use this new certificate for my Home Assistant site, it doesn’t run, it does not load to start. Maybe the changes I made need a new private key. I really don’t know because I’m really noob at all these. Please help me and tell me if there’s an easy way to accomplish these. Now I seem close to get it but not yet. Thanks in advance, and happy Christmas!!

You can double-check whether your certificate matches your private key by running:

openssl pkey -in privkey.pem -pubout -outform pem | sha256sum 
openssl x509 -in cert.pem -pubkey -noout -outform pem | sha256sum 

If both those SHA256 hashes are identical then you have the right private key/certificate combo.

Most Let’s Encrypt clients rotate the private key on renewal, so you will need to copy it along with the new certificate every time it is renewed.

Otherwise, you do seem to be doing the right thing according to Home Assistant’s documentation. Are there any errors in home-assistant.log pertaining to openSSL, TLS, or certificates?

Thanks for your answer. I checked that both hashes were the same and then it was something to be with the file. It seems that the paths in HA when installed in docker for the privkey and for the certificate are different and it was not finding my new cert where it should be (the old one was in 2 different folders and thus was working. Now everything solved! Thank you very much!!

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.