Acme.sh and hass.io?

Installation Home Assistant OS
#1

Hi there,

I tried setting up acme.sh in hass.io (logged in via ssh, as root, executed the instructions as per How issue a certificate from Let's Encrypt NOT Using HTTPS or HTTP - ACME.SH). Result: all needed .cer and .key files are generated in /root/.acme.sh/mydomain.duckdns.org/. So far so good. Then:

I tried to change the http: part of configuration.yaml like this:

http:
  api_password: mypassword
  base_url: https://mydomain.duckdns.org:8123
  ssl_certificate: /root/.acme.sh/mydomain.duckdns.org/mydomain.duckdns.org.key
fullchain.cer
  ssl_key: /root/.acme.sh/mydomain.duckdns.org/mydomain.duckdns.org.key

But the configuration check says:

Invalid config for [http]: not a file for dictionary value @ data['http']['ssl_certificate']. Got '/root/.acme.sh/mydomain.duckdns.org/fullchain.cer' not a file for dictionary value @ data['http']['ssl_key']. Got '/root/.acme.sh/mydomain.duckdns.org/mydomain.duckdns.org.key'. (See /config/configuration.yaml, line 104). Please check the docs at https://home-assistant.io/components/http/

A chmod 755 to the directory /root/.acme.sh/mydomain.duckdns.org did not help, nor did renaming the .cer and .key to .pem.

What am I missing ?

TIA
Peter

#2

Not sure how you got that far on Hassio, but try this addon instead https://www.home-assistant.io/addons/duckdns/
It uses the same logic for that progress :slight_smile:

#3

Thanks for the suggestion. Of course I have seen that addon, but I wanted to use the dns txt challenge to get arround having to open up port 80. Will that addon do the dns txt challenge too ? I did not see it mentioned.

#4

It does, it is based on dehydrated (which are based of acme.sh)

Just enable it in the add-on config :wink:

#5

I’ll try that.

Now my router (fritzbox) is already doing the dyndns updating at duckdns (both IPv4 and IPv6). The reason for this is, that I think my router knows best when it changes IPs and I do not rely on hass.io to update the domain.

Can/should I disable the regular duckdns updating in the addon somehow ? If not, I suppose the addon is polling some external service to detect IP changes. How much delay will that introduce ?

#6

AFAIK you can not disable the DuckDNS updater part of it, you can set how frequent it is "seconds": 300 are default.

#7

It did work exactly as you told. Thanks !

1 Like
#8

Addon for Let’s Encrypt with ACME.sh (without DuckDNS)

Example

1 Like
#9

Amazin work! I am gonna try it today! Please add an example in your README to faciliate the configuration!

#10

ahh ok was in DOCS.md eventually, in any case good job again!

#11

So how do you install this addon for HAOS?

#12

See https://github.com/wernerhp/ha.addon.acme_sh/blob/b2d358ef28a4cdc9375d28b3df55dfc69d62ab34/DOCS.md

#13

There is literally an official add-on to do acme/Let’s Encrypt certs…

#14

Maybe so but it only supports a limited number of dns providers. I use dynu.com and they are not supported with that addon hence why I am working on this. I did get it installed as an addon finally and the log shows everything works fine. The only problem now is that is shows to be copying the certs to /ssl/ but nothing is actually showing up there.

#15

I got it installed. The part I was not familiar with is how to add the repository (your git page) and install the addon. It’s not in the DOCS.md file and I guess is assumed that one would know how to do that. I had never done that before and that had me stumped. I do have it now and the log looks good but no files are showing up in the /ssl/ folder.

#16

hard to say what could be wrong with no info.

any errors in the logs? with DEBUG 3?

#17

I figured it out. In the configuration.yaml file I needed to add the domain name to the path.

I had:
ssl_certificate: /ssl/fullchain.pem
ssl_key: /ssl/privkey.pem

Needed to be:
ssl_certificate: /ssl/mydomain.com/fullchain.pem
ssl_key: /ssl/mydomain/privkey.pem

Nothing in the default log said that I just noticed that that is how it was stored on my linux PC also using acme.sh. I really don’t see how to do the DEBUG 3 setting, where do you set that?

Thanks,

Chris

#18

So the files did show up in the /ssl folder?

Debug stuff is in DOCS.md. See Troubleshooting and Config. You add it to the config under dns > env. Maybe things will make more sense if you edit the config in YAML.

- DEBUG=1

What would be awesome is if you could pay it forward by updating the docs where they were lacking, so the next person has it a bit easier.

#19

@chriskuhl could you please post your full configuration.yaml segment, and the full add-on YAML configuration? Obfuscating whatever needs obfuscating, of course.

I am also trying this with Dynu but I am a bit ignorant of all these things and I am must admit I am probably messing things up. It really helps to see the full picture from a working configuration.

Thanks!

EDIT:

I think I got it working :crossed_fingers:

configuration.yaml segment:

http:
  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem

ACME add-on full settings for Dynu (Settings / Add-ons / ACME / Configuration tab / menu / Edit in YAML):

account: [email protected]
domains:
  - mydomainname.webredirect.org
certfile: fullchain.pem
keyfile: privkey.pem
dns:
  provider: dns_dynu
  env:
    - Dynu_ClientId=aaaaaaaa-bbbb-cccc-dddd-aaaaaaaaaaaa
    - Dynu_Secret=DFGFDSKGDGDFVKDDFXFDVD
    - DEBUG=3

That debug level is just useful to troubleshoot.

After it runs successfully, you can check for the certificate files in /ssl