Unable to make LetsEncrypt work with homeassistant

Hello, I am trying to make Letsencrypt work with homeassistant. I am trying to expose port 8123 to internet using letsencrypt. I can see that letsencrypt is looking for a file in .well-known folder.
I am not sure how to create it and how to place this in folder as I am unable to find this folder.

Following are my logs, any help will be greatly appreciated,

[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] file-structure.sh: executing...
[cont-init.d] file-structure.sh: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
[18:51:06] INFO: Selected http verification
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for 209hla.duckdns.org
Waiting for verification...
Challenge failed for domain 209hla.duckdns.org
http-01 challenge for 209hla.duckdns.org
Cleaning up challenges
Some challenges have failed.

Don't try to encrypt Home Assistant directly. In stead, put a reverse proxy in front of it.

I myself have nginx running as a reverse proxy on the Raspberry Pi, using the how-to on the Home Assistant site. Currently, the URL from the site redirects to the HA Community though: https://www.home-assistant.io/docs/ecosystem/nginx It's not entirely adequate I'm afraid. Let's walk through the steps of the how-to together:

  1. Get a domain name forwarded to your IP: you already have a DuckDNS hostname, so that's good.
  2. Install NGINX on your server: see the how-to for RPi or use whatever is used for your operating system
  3. Obtain an SSL certificate: this step recommends letsencrypt-auto to get a cert from Let's Encrypt. This is highly unrecommended, the certbot-auto (previously called letsencrypt-auto) script (a wrapper around the certbot ACME client for distributions lacking certbot in their repository) is being phased out and is decprecated. You could use any client available. If you do choose to use certbot, which is a great client, please go to https://certbot.eff.org/ for information on how to install it.
    That said, the guide uses the standalone plugin. When using nginx as a reverse proxy, I recommend using the nginx plugin for certbot by using --nginx in stead of --standalone. Not really a good reason not to do this IMO.
  4. Create dhparams file: regular Diffie-Hellman is slow, very slow. Modern cipher suit selections don't use it. Personally, I don't use it. Use elliptic curve Diffie-Hellman cipher suits. If you do want regular DH, don't generate your own. Instead, use predefined DH parameters from RFC 7919. See one of the older versions of the Mozilla Security/Server Side TLS Wiki entries.
  5. to 9: see how-to, no comments here.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.