Acme.sh and hass.io?

Hi there,

I tried setting up acme.sh in hass.io (logged in via ssh, as root, executed the instructions as per How issue a certificate from Let's Encrypt NOT Using HTTPS or HTTP - ACME.SH). Result: all needed .cer and .key files are generated in /root/.acme.sh/mydomain.duckdns.org/. So far so good. Then:

I tried to change the http: part of configuration.yaml like this:

http:
  api_password: mypassword
  base_url: https://mydomain.duckdns.org:8123
  ssl_certificate: /root/.acme.sh/mydomain.duckdns.org/fullchain.cer
  ssl_key: /root/.acme.sh/mydomain.duckdns.org/mydomain.duckdns.org.key

But the configuration check says:

Invalid config for [http]: not a file for dictionary value @ data['http']['ssl_certificate']. Got '/root/.acme.sh/mydomain.duckdns.org/fullchain.cer' not a file for dictionary value @ data['http']['ssl_key']. Got '/root/.acme.sh/mydomain.duckdns.org/mydomain.duckdns.org.key'. (See /config/configuration.yaml, line 104). Please check the docs at https://home-assistant.io/components/http/

A chmod 755 to the directory /root/.acme.sh/mydomain.duckdns.org did not help, nor did renaming the .cer and .key to .pem.

What am I missing?

TIA
Peter

Not sure how you got that far on Hassio, but try this addon instead https://www.home-assistant.io/addons/duckdns/
It uses the same logic for that progress :slight_smile:

Thanks for the suggestion. Of course I have seen that addon, but I wanted to use the DNS TXT challenge to get around having to open up port 80. Will that addon do the DNS TXT challenge too? I did not see it mentioned.

It does, it is based on dehydrated (which is based off acme.sh).

Just enable it in the add-on config :wink:

I’ll try that.

Now my router (fritzbox) is already doing the dyndns updating at duckdns (both IPv4 and IPv6). The reason for this is, that I think my router knows best when it changes IPs and I do not rely on hass.io to update the domain.

Can/should I disable the regular duckdns updating in the addon somehow? If not, I suppose the addon is polling some external service to detect IP changes. How much delay will that introduce?

AFAIK you cannot disable the DuckDNS updater part of it, but you can set how frequent it is; "seconds": 300 is the default.

It did work exactly as you said. Thanks!


Addon for Let’s Encrypt with ACME.sh (without DuckDNS)

Example


Amazing work! I am gonna try it today! Please add an example in your README to facilitate the configuration!

Ahh ok, it was in DOCS.md eventually. In any case, good job again!

So how do you install this addon for HAOS?

See https://github.com/wernerhp/ha.addon.acme_sh/blob/b2d358ef28a4cdc9375d28b3df55dfc69d62ab34/DOCS.md

There is literally an official add-on to do acme/Let’s Encrypt certs…

Maybe so, but it only supports a limited number of DNS providers. I use dynu.com and they are not supported with that addon, hence why I am working on this. I did get it installed as an addon finally and the log shows everything works fine. The only problem now is that it shows it is copying the certs to /ssl/ but nothing is actually showing up there.

I got it installed. The part I was not familiar with is how to add the repository (your git page) and install the addon. It’s not in the DOCS.md file and I guess it is assumed that one would know how to do that. I had never done that before and that had me stumped. I do have it now and the log looks good, but no files are showing up in the /ssl/ folder.

Hard to say what could be wrong with no info.

Any errors in the logs? With DEBUG 3?

I figured it out. In the configuration.yaml file I needed to add the domain name to the path.

I had:
ssl_certificate: /ssl/fullchain.pem
ssl_key: /ssl/privkey.pem

Needed to be:
ssl_certificate: /ssl/mydomain.com/fullchain.pem
ssl_key: /ssl/mydomain.com/privkey.pem

Nothing in the default log said that. I just noticed that that is how it was stored on my Linux PC, also using acme.sh. I really don’t see how to do the DEBUG 3 setting; where do you set that?

Thanks,

Chris
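Both problems in this thread (the first post pointing ssl_certificate at a path that was not a file, and the /ssl/ paths missing the domain directory) only surface as Home Assistant's terse "not a file" error. The following pre-flight check is an added example, not code from the thread or from the add-on: it reproduces the file check and additionally inspects the PEM content, so a cert path that accidentally points at the key, or a single-certificate file where a fullchain is expected, is reported before restarting Home Assistant. The PEM contents it builds are constructed placeholders, not real keys.

```python
"""Pre-flight check for the http: TLS paths in Home Assistant's configuration.yaml.

Added example (not from the thread or the add-on). Placeholder PEM text below is
constructed for the demo; it is not a real certificate or private key.
"""
import os
import re
import tempfile

CERT_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)
KEY_BLOCK = re.compile(r"-----BEGIN (?:EC |RSA )?PRIVATE KEY-----")


def classify_pem(path):
    """Return (kind, certificate_count) where kind is missing|cert|key|unknown."""
    if not os.path.isfile(path):            # the check behind HA's "not a file" error
        return "missing", 0
    with open(path, "r", errors="replace") as fh:
        data = fh.read()
    certs = len(CERT_BLOCK.findall(data))
    if certs:
        return "cert", certs
    if KEY_BLOCK.search(data):
        return "key", 0
    return "unknown", 0


def check_http_tls(ssl_certificate, ssl_key):
    """Return a list of findings for the two http: paths; an empty list means OK."""
    findings = []
    cert_kind, n_certs = classify_pem(ssl_certificate)
    key_kind, _ = classify_pem(ssl_key)
    if cert_kind == "missing":
        findings.append(f"ssl_certificate: not a file: {ssl_certificate}")
    elif cert_kind != "cert":
        findings.append(f"ssl_certificate: no CERTIFICATE block in {ssl_certificate} (is this the key?)")
    elif n_certs < 2:
        findings.append("ssl_certificate: single certificate; point at fullchain so clients get the intermediate")
    if key_kind == "missing":
        findings.append(f"ssl_key: not a file: {ssl_key}")
    elif key_kind != "key":
        findings.append(f"ssl_key: no PRIVATE KEY block in {ssl_key}")
    return findings


def demo():
    """Run the check against the mistaken and the corrected layouts from the thread."""
    root = tempfile.mkdtemp()
    domain_dir = os.path.join(root, "mydomain.com")      # acme.sh stores certs per domain
    os.mkdir(domain_dir)
    chain = "-----BEGIN CERTIFICATE-----\nLEAF\n-----END CERTIFICATE-----\n" * 2
    key = "-----BEGIN EC PRIVATE KEY-----\nPLACEHOLDER\n-----END EC PRIVATE KEY-----\n"
    with open(os.path.join(domain_dir, "fullchain.pem"), "w") as fh:
        fh.write(chain)
    with open(os.path.join(domain_dir, "privkey.pem"), "w") as fh:
        fh.write(key)
    return {
        "flat_paths": check_http_tls(f"{root}/fullchain.pem", f"{root}/privkey.pem"),
        "cert_points_at_key": check_http_tls(f"{domain_dir}/privkey.pem", f"{domain_dir}/privkey.pem"),
        "correct": check_http_tls(f"{domain_dir}/fullchain.pem", f"{domain_dir}/privkey.pem"),
    }
```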

So the files did show up in the /ssl folder?

Debug stuff is in DOCS.md. See Troubleshooting and Config. You add it to the config under dns > env. Maybe things will make more sense if you edit the config in YAML.

- DEBUG=1

What would be awesome is if you could pay it forward by updating the docs where they were lacking, so the next person has it a bit easier.

@chriskuhl could you please post your full configuration.yaml segment, and the full add-on YAML configuration? Obfuscating whatever needs obfuscating, of course.

I am also trying this with Dynu, but I am a bit ignorant of all these things and I must admit I am probably messing things up. It really helps to see the full picture from a working configuration.

Thanks!

EDIT:

I think I got it working :crossed_fingers:

configuration.yaml segment:

http:
  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem

ACME add-on full settings for Dynu (Settings / Add-ons / ACME / Configuration tab / menu / Edit in YAML):

account: [email protected]
domains:
  - mydomainname.webredirect.org
certfile: fullchain.pem
keyfile: privkey.pem
dns:
  provider: dns_dynu
  env:
    - Dynu_ClientId=aaaaaaaa-bbbb-cccc-dddd-aaaaaaaaaaaa
    - Dynu_Secret=DFGFDSKGDGDFVKDDFXFDVD
    - DEBUG=3

That debug level is just useful to troubleshoot.

After it runs successfully, you can check for the certificate files in /ssl

Hi everyone! Does anybody know where the debug logs go? From the UI I can see the logs of the latest run, but I am looking for older stuff. Is there a big log somewhere with everything appended?

Context: ZeroSSL is spamming me with daily warnings of my certificate expiring. But the certificates are being renewed and are far from expired. I try logging in to ZeroSSL Dashboard to see what is going on and I see this:

Those numbers don’t make much sense to me, I only have 3 sites, started a couple of months ago. But then the UI is totally useless, whatever I click I only get this message:

Note: Your account is holding more than 100 ACME certificates. For using the Dashboard or API with this amount of ACME certificates you have to upgrade at least to the ZeroSSL basic plan.

Thanks, ZeroSSL. But that’s not helpful. I sent multiple emails to their support, I got no reply :frowning:

So I am trying to figure out if I can find the certificate hex code somewhere in an acme.sh log from two months ago and figure out why it is creating different certificates daily (if it is, in fact…).