A new community Let's Encrypt Addon with (much) better support for DNS-challenge

Hey friends,

One of my big Covid-19 projects was to migrate the services that were installed over several machines into home-assistant. Not long after I started, I got to a roadblock with the need to have SSL for some of the services.

I got a Firewall at home. For me, opening ports is something I prefer not to do, especially to the system that controls my entire house :man_shrugging:

I went to install the built-in Let’s Encrypt addon and figured out it’s using the old-school certbot command-line tool.
Certbot has limited support when it comes to the DNS challenge. (The HTTP challenge requires opening a port, and as already said, that’s a big no-no for me.)

I’ve been using a tool called Lego for a few years now and decided, as an open-source-oriented engineer, that it would be nice to be able to use this tool with Home Assistant.

So here is the new addon I wrote: via-justa/via-justa-home-assistant-addons: Repository for Home Assistant addons (github.com).

At the moment, you can use one of the 98(!) supported DNS providers for the DNS challenge or use it for the HTTP challenge as well.

In addition, the addon runs as a service and monitors the certificates (renewing them when needed).

It’s the first version. I’m more than open to receiving comments, requests, and issue reporting.

Have fun :smiley:

5 Likes

Do you support Google Cloud DNS for dynamic DDNS and Let’s Encrypt w/ the DNS option? That’d be great.

Also, some concerns:

Do you commit to keeping this up to date over time? It takes time to learn something new, only to have to migrate off of it due to compatibility/security issues 6 months down the line.

Also, would love to have more detailed documentation/examples.

Are there any instructions for using this addon? The config file in the addon looks a bit less informative.
Trying Cloudflare’s DNS challenge.

Hello @via-justa,

I want to ask you if it is possible to add an option that, after the first line of the SAN certificate has been generated, copies and renames the certificate here:
/ssl/fullchain.pem
/ssl/privkey.pem

So we can use this addon instead of the duckdns addon. This is some code that I have created, but I don’t know how to test it:

h=0
for domain in $(bashio::config 'domains'); do
    sans=(${domain//,/ })
    # lego stores the files under the first SAN, with '*' replaced by '_'
    bashio::log.debug "Checking for certificate ${CERT_PATH}/certificates/${sans[0]//[*]/_}.crt existence"
    if [[ ! -f "${CERT_PATH}/certificates/${sans[0]//[*]/_}.crt" ]]; then
        bashio::log.info "Certificate for domain ${sans[0]} not found, issuing"
        domainargs=$args
        for san in "${sans[@]}"; do
            domainargs="${domainargs} -d ${san}"
        done
        bashio::log.debug "running command: lego ${domainargs} run"
        lego ${domainargs} run

        # wait (up to ~100 s) for lego to write the certificate and key before copying
        for ((i = 1; i < 100; i++)); do
            [[ -f "${CERT_PATH}/certificates/${sans[0]//[*]/_}.crt" &&
               -f "${CERT_PATH}/certificates/${sans[0]//[*]/_}.key" ]] && break
            sleep 1
        done

        # only the first domain entry is copied to the paths Home Assistant uses
        if [[ "$h" -eq 0 ]]; then
            cp -p "${CERT_PATH}/certificates/${sans[0]//[*]/_}.crt" /ssl/fullchain.pem
            cp -p "${CERT_PATH}/certificates/${sans[0]//[*]/_}.key" /ssl/privkey.pem
        fi
    else
        bashio::log.info "Certificate for domain ${sans[0]} found"
    fi
    h=$((h + 1))
done

I hope for this implementation.
Best regards
Stefano

1 Like

Hello @Wes93

I don’t know if you still need it, but I just installed this addon since LEGO supports my DNS provider,
and found out you can simply use the generated certificates directly. For example, in the NGINX config you just put:

fullchain.pem = /lego/certificates/_.example.com.crt
privkey.pem = /lego/certificates/_.example.com.key

And it is the same if you use it in configuration.yaml, except you have to add the /ssl directory as well.

1 Like
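As an added example (not the addon’s own code and not Stefano’s script), here is a POSIX shell routine that does what the request above asks for: it copies only the first domain entry’s certificate and key into the fullchain.pem/privkey.pem names Home Assistant expects, using the file name lego writes for a wildcard entry (the first SAN, with `*` stored as `_`, the same substitution as `${sans[0]//[*]/_}` in the script above). The key is written 0600 and both files are renamed into place atomically so a half-written or world-readable key is never visible. The directory arguments, function names and sample domain list are assumptions.

```sh
#!/bin/sh
# Added example, not the addon's own code. It assumes lego writes to
# CERT_DIR/<first SAN>.crt and .key (with '*' stored as '_') and that
# Home Assistant reads /ssl/fullchain.pem and /ssl/privkey.pem.
set -eu

# File base name lego uses for a domain entry such as
# "*.example.com,example.com": the first SAN with '*' replaced by '_',
# giving "_.example.com".
lego_cert_base() {
    first="${1%%,*}"
    printf '%s\n' "$first" | sed 's/\*/_/g'
}

# Install CERT_DIR/<base>.crt and .key into TARGET as fullchain.pem and
# privkey.pem. Each file is written under a temporary name with its final
# mode and then renamed, so a reader never sees a half-written file or a
# world-readable key. Returns 0 when installed, 1 when the pair is missing,
# 2 when a file is not PEM, 3 when the installed copy is already identical.
install_cert() {
    cert_dir="$1"; base="$2"; target="$3"
    crt="$cert_dir/$base.crt"; key="$cert_dir/$base.key"
    if [ ! -s "$crt" ] || [ ! -s "$key" ]; then
        echo "certificate pair for $base not found in $cert_dir" >&2; return 1
    fi
    if ! grep -q -- '-----BEGIN' "$crt" || ! grep -q -- '-----BEGIN' "$key"; then
        echo "$base: not PEM, refusing to install" >&2; return 2
    fi
    if cmp -s "$crt" "$target/fullchain.pem" && cmp -s "$key" "$target/privkey.pem"; then
        return 3
    fi
    install -m 0644 "$crt" "$target/fullchain.pem.tmp"
    install -m 0600 "$key" "$target/privkey.pem.tmp"
    mv -f "$target/fullchain.pem.tmp" "$target/fullchain.pem"
    mv -f "$target/privkey.pem.tmp" "$target/privkey.pem"
}

# Copy only the first entry of the addon's "domains" list (space-separated,
# as bashio::config 'domains' prints it): that is the certificate Home
# Assistant itself should serve.
install_first_domain() {
    cert_dir="$1"; target="$2"; domains="$3"
    set -f; set -- $domains; set +f   # split on spaces without glob expansion
    install_cert "$cert_dir" "$(lego_cert_base "$1")" "$target"
}
```

Run it after `lego ... run` returns, e.g. `install_first_domain /lego/certificates /ssl "$(bashio::config 'domains')"`; a return code of 3 means the installed pair is already current and no reload is needed.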