How to properly setup a Let’s Encrypt SSL certificate in Home Assistant

I’m back after years on this blog to write a mini how-to, mainly a note for myself.

I’m an enthusiastic Home Assistant user, the most used open platform for home automation.
I aimed to use my own custom subdomain for Home Assistant. I wanted an SSL certificate issued by Let’s Encrypt in cPanel.

My recipe

  • cPanel Dynamic DNS to set up a dedicated subdomain for my Home Assistant installation (the dynamic IP is automatically updated by HA when the IP changes)
  • SSL certificate auto-generated by cPanel. The certificate is issued by Let’s Encrypt and expires every 3 months
  • SSL cert (and private key) configured in HA with the add-on “NGINX Home Assistant SSL proxy”

The problem

On my first try, I just copied the SSL cert from cPanel to the /ssl/fullchain.pem file in the HA folder and the private key to /ssl/privkey.pem (they are just text files with a .pem extension) and restarted the NGINX plugin.
This exposed the SSL cert to the https domain. However, I had problems with the Samsung SmartThings Integration. The SmartThings cloud could not connect to my Home Assistant webhook URL.

SmartThings could not validate the webhook URL. Please ensure the webhook URL is reachable from the internet and try again

After some attempts and searches I figured out that the SSL cert, even if valid, was not completely trusted. An SSL Checker website (like this) showed me a yellow warning icon under the certificate chain of trust.

This pointed me in the right direction…

The solution

This Let’s Encrypt page had the solution I needed. Basically, I needed to add both the intermediate and root certificates inside the “/ssl/fullchain.pem” file in Home Assistant.

First I figured out which certs I needed: in my case they were Intermediate R10 and Root X1. I downloaded both “pem” certificates from the Let’s Encrypt page.

Then I composed my fullchain.pem like this:

-----BEGIN CERTIFICATE-----
MAIN SSL Certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Let's Encrypt Intermediate Certificate (R10)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Let's Encrypt Root X1 Certificate
-----END CERTIFICATE-----

I saved the file and rebooted NGINX.
After another SSL check, my domain looked like this:

This solved all my issues with SmartThings integration.