Acme.sh and hass.io?

Didn’t even know you can sign up and see a dashboard. You don’t need this if you are only using the integration to renew certs. Might be unrelated to the integration.

You’re right, I don’t need the dashboard. I would just like to stop receiving the daily emails, and I currently see no way of doing that.

If I choose to just send it to spam or block it, my fear is that then I might miss an actually valid alarm. If something actually breaks and my sites are about to go down due to expired certificates, I think a warning email would be very useful…

I also think this might be a bug with ZeroSSL alarms, not with the integration. But I would like to check if I misconfigured something, I imagine that if for some reason the integration is renewing daily, then I would get (90 days later) a daily alarm of a certificate expiring…

@wernerhp do you know of any reason why this integration (or acme.sh) could be generating a new certificate every day?

If I understand correctly, the cron job runs daily to check, but it should only renew the certificate when approaching the date of expiry, not every day… am I correct? What could be causing it to renew every time? I think that is what is happening :frowning:

It should be working as you describe.
Do you have multiple domains on ZeroSSL? Are the emails only for your HA domain?

Check for any errors in the logs. They are under the Addon, next to the Configuration tab.

I have 3 domains total. All of them are Home Assistant, using the same integration + acme.sh. But I know that the expiry email specifically mentions always the same domain, which is the first one I set up. I actually fear that I start getting the same problem in triplicate, in a few weeks, when my other domains reach 90 days “age” and their certificates start expiring also…

I can’t find errors in the logs… although I can only see today’s logs, I wish I could have a look at the past 90 days.

I used DNS challenge.

-----END CERTIFICATE-----
[Fri Sep 22 03:01:30 WEST 2023] Your cert is in: /root/.acme.sh/mydomain.webredirect.org_ecc/mydomain.webredirect.org.cer
[Fri Sep 22 03:01:30 WEST 2023] Your cert key is in: /root/.acme.sh/mydomain.webredirect.org_ecc/mydomain.webredirect.org.key
[Fri Sep 22 03:01:30 WEST 2023] acme.sh:_setopt:2306                     APP
[Fri Sep 22 03:01:30 WEST 2023] acme.sh:_setopt:2309                     14:USER_PATH='/command:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'
[Fri Sep 22 03:01:30 WEST 2023] The intermediate CA cert is in: /root/.acme.sh/mydomain.webredirect.org_ecc/ca.cer
[Fri Sep 22 03:01:30 WEST 2023] And the full chain certs is there: /root/.acme.sh/mydomain.webredirect.org_ecc/fullchain.cer
[Fri Sep 22 03:01:30 WEST 2023] acme.sh:_setopt:2306                     APP
[Fri Sep 22 03:01:30 WEST 2023] acme.sh:_setopt:2309                     12:Le_CertCreateTime='1695348090'
[Fri Sep 22 03:01:30 WEST 2023] acme.sh:_setopt:2306                     APP
[Fri Sep 22 03:01:30 WEST 2023] acme.sh:_setopt:2309                     13:Le_CertCreateTimeStr='2023-09-22T02:01:30Z'
[Fri Sep 22 03:01:31 WEST 2023] acme.sh:_setopt:2306                     APP
[Fri Sep 22 03:01:31 WEST 2023] acme.sh:_setopt:2309                     14:Le_NextRenewTimeStr='2023-11-20T02:01:30Z'
[Fri Sep 22 03:01:31 WEST 2023] acme.sh:_setopt:2306                     APP
[Fri Sep 22 03:01:31 WEST 2023] acme.sh:_setopt:2309                     15:Le_NextRenewTime='1700445690'
[Fri Sep 22 03:01:31 WEST 2023] acme.sh:_on_issue_success:3610           _on_issue_success
[Fri Sep 22 03:01:31 WEST 2023] acme.sh:_hasfield:486                    '' does not contain 'dns'
[Fri Sep 22 03:01:31 WEST 2023] /root/.acme.sh/acme.sh:_exists:534       xargs exists=0
[Fri Sep 22 03:01:31 WEST 2023] /root/.acme.sh/acme.sh:_is_idn:1188      _is_idn_d='mydomain.webredirect.org'
[Fri Sep 22 03:01:31 WEST 2023] /root/.acme.sh/acme.sh:_is_idn:1190      _idn_temp
[Fri Sep 22 03:01:31 WEST 2023] /root/.acme.sh/acme.sh:_exists:534       readlink exists=0
[Fri Sep 22 03:01:31 WEST 2023] /root/.acme.sh/acme.sh:_exists:534       dirname exists=0
[Fri Sep 22 03:01:31 WEST 2023] /root/.acme.sh/acme.sh:__initHome:2626   Lets find script dir.
[Fri Sep 22 03:01:31 WEST 2023] /root/.acme.sh/acme.sh:__initHome:2627   _SCRIPT_='/root/.acme.sh/acme.sh'
[Fri Sep 22 03:01:31 WEST 2023] /root/.acme.sh/acme.sh:__initHome:2629   _script='/root/.acme.sh/acme.sh'
[Fri Sep 22 03:01:31 WEST 2023] acme.sh:__initHome:2631                  _script_home='/root/.acme.sh'
[Fri Sep 22 03:01:31 WEST 2023] acme.sh:__initHome:2650                  Using default home:/root/.acme.sh
[Fri Sep 22 03:01:31 WEST 2023] acme.sh:__initHome:2658                  Using config home:/root/.acme.sh
[Fri Sep 22 03:01:31 WEST 2023] acme.sh:__initHome:2672                  ACCOUNT_CONF_PATH='/root/.acme.sh/account.conf'
[Fri Sep 22 03:01:31 WEST 2023] acme.sh:_process:7861                    LE_WORKING_DIR='/root/.acme.sh'
https://github.com/acmesh-official/acme.sh
v3.0.6
[Fri Sep 22 03:01:31 WEST 2023] acme.sh:_process:7869                    Running cmd: installcert
[Fri Sep 22 03:01:31 WEST 2023] acme.sh:__initHome:2658                  Using config home:/root/.acme.sh
[Fri Sep 22 03:01:31 WEST 2023] acme.sh:__initHome:2672                  ACCOUNT_CONF_PATH='/root/.acme.sh/account.conf'
[Fri Sep 22 03:01:31 WEST 2023] acme.sh:_initpath:2788                   default_acme_server
[Fri Sep 22 03:01:31 WEST 2023] acme.sh:_initpath:2797                   ACME_DIRECTORY='https://acme.zerossl.com/v2/DV90'
[Fri Sep 22 03:01:31 WEST 2023] acme.sh:_initpath:2799                   _ACME_SERVER_HOST='acme.zerossl.com'
[Fri Sep 22 03:01:31 WEST 2023] acme.sh:_initpath:2802                   _ACME_SERVER_PATH='v2/DV90'
[Fri Sep 22 03:01:31 WEST 2023] acme.sh:_initpath:2809                   CA_CONF='/root/.acme.sh/ca/acme.zerossl.com/v2/DV90/ca.conf'
[Fri Sep 22 03:01:31 WEST 2023] The domain 'mydomain.webredirect.org' seems to have a ECC cert already, lets use ecc cert.
[Fri Sep 22 03:01:31 WEST 2023] acme.sh:_initpath:2886                   DOMAIN_PATH='/root/.acme.sh/mydomain.webredirect.org_ecc'
[Fri Sep 22 03:01:31 WEST 2023] acme.sh:_setopt:2306                     APP
[Fri Sep 22 03:01:31 WEST 2023] acme.sh:_setopt:2309                     16:Le_RealCertPath=''
[Fri Sep 22 03:01:31 WEST 2023] acme.sh:_setopt:2306                     APP
[Fri Sep 22 03:01:31 WEST 2023] acme.sh:_setopt:2309                     17:Le_RealCACertPath=''
[Fri Sep 22 03:01:31 WEST 2023] acme.sh:_setopt:2306                     APP
[Fri Sep 22 03:01:31 WEST 2023] acme.sh:_setopt:2309                     18:Le_RealKeyPath='/ssl/privkey.pem'
[Fri Sep 22 03:01:31 WEST 2023] acme.sh:_setopt:2306                     APP
[Fri Sep 22 03:01:31 WEST 2023] acme.sh:_setopt:2309                     19:Le_ReloadCmd=''
[Fri Sep 22 03:01:31 WEST 2023] acme.sh:_setopt:2306                     APP
[Fri Sep 22 03:01:31 WEST 2023] acme.sh:_setopt:2309                     20:Le_RealFullChainPath='/ssl/fullchain.pem'
[Fri Sep 22 03:01:31 WEST 2023] Installing key to: /ssl/privkey.pem
[Fri Sep 22 03:01:31 WEST 2023] Installing full chain to: /ssl/fullchain.pem

Checking the /ssl directory, I see that the certificate files have today’s date. This also happens in one of my other domains.

A couple of months later, I started also getting a certificate expiry email from a second HASS installation I made a couple of months after the other one.

So I can confirm that for some reason the add-on is creating a new certificate every day.

Can you please help me troubleshoot this? What could be wrong to make the script think it needs to renew every day?

@wernerhp any tips for me to troubleshoot this?

Thanks in advance

Are you running the automation to restart the addon every day?

Yes, it runs every night at 3:00 AM.

Just a question, the logic to check if the certificate is in need of renewal, where is it?

Is it part of your script, or is it in Acme.sh? Where?

I’m afraid the logs I see in HASS aren’t big enough for me to see that part happening - the log shows only a few hundred lines, and since it is quite verbose, I can’t scroll up to that part…

Thanks

It’s part of ACME.sh. The addon only creates a docker container that runs ACME.sh. Try disabling the automation or set it to run once a month and see if it reduces the number of notifications you receive.
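
Because the renewal decision lives in acme.sh and the add-on log is too short to show it, the saved state can be read directly. The following is an added diagnostic sketch, not part of the thread, acme.sh or the add-on; it assumes the domain's `.conf` file in the `DOMAIN_PATH` directory from the log stores the `Le_CertCreateTime` and `Le_NextRenewTime` values as `KEY='value'` lines, and all function names are hypothetical.

```shell
#!/bin/sh
# Added diagnostic sketch: NOT code from acme.sh or the add-on.
# Assumption: the domain .conf holds KEY='value' lines named as in the log.

# conf_get FILE KEY -> value of the last KEY='value' line in FILE
conf_get() {
  sed -n "s/^${2}='\(.*\)'\$/\1/p" "$1" | tail -n 1
}

# is_epoch VALUE -> succeeds only for a non-empty string of digits
is_epoch() { case "$1" in ''|*[!0-9]*) return 1 ;; esac; }

# renew_verdict FILE NOW_EPOCH prints one of:
#   unknown      timestamps missing or not numeric
#   due          NOW is at or past Le_NextRenewTime, so a renewal is expected
#   just-issued  cert is under a day old; seeing this on consecutive days
#                means something re-issues instead of skipping
#   not-due      cert is older than a day and renewal is still in the future
renew_verdict() {
  created=$(conf_get "$1" Le_CertCreateTime)
  next=$(conf_get "$1" Le_NextRenewTime)
  is_epoch "$created" && is_epoch "$next" && is_epoch "$2" || { echo unknown; return 0; }
  if [ "$2" -ge "$next" ]; then echo due
  elif [ $(( $2 - $created )) -lt 86400 ]; then echo just-issued
  else echo not-due
  fi
}

# renew_window_days FILE -> whole days between issuance and scheduled renewal
renew_window_days() {
  created=$(conf_get "$1" Le_CertCreateTime)
  next=$(conf_get "$1" Le_NextRenewTime)
  is_epoch "$created" && is_epoch "$next" || return 1
  echo $(( ($next - $created) / 86400 ))
}

# Constructed sample conf built from the timestamps in the log above.
write_sample_conf() {
  cat > "$1" <<'EOF'
Le_CertCreateTime='1695348090'
Le_NextRenewTimeStr='2023-11-20T02:01:30Z'
Le_NextRenewTime='1700445690'
EOF
}

# Demo on the constructed sample; point the functions at a real conf instead.
sample="${TMPDIR:-/tmp}/acme-sample.$$.conf"
write_sample_conf "$sample"
echo "renew window: $(renew_window_days "$sample") days"
echo "verdict now:  $(renew_verdict "$sample" "$(date +%s)")"
rm -f "$sample"
```

Run once a day for a few days against the real file: a healthy setup moves from `just-issued` to `not-due` after the first day, while a repeated `just-issued` confirms a new certificate is being issued on every run.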

Hi, thanks for the info. I tried to use the addon but it didn’t work. This is my configuration:

account: [email protected]
server: zerossl
domains:
  - chickenkiller.com
  - "*.chickenkiller.com"
    certfile: fullchain.pem
    keyfile: privkey.pem
    dns:
    provider: dns_freedns
    env:
    - FREEDNS_User=xxxx
    - FREEDNS_Password=xxxx
    - DEBUG=1

But I’m getting this error in the log

[Tue Jan 9 20:15:27 CET 2024] FreeDNS failed to add TXT record for _acme-challenge as FreeDNS requested security code
[Tue Jan 9 20:15:27 CET 2024] Note that you cannot use automatic DNS validation for FreeDNS public domains
[Tue Jan 9 20:15:27 CET 2024] Error add txt for domain:_acme-challenge.chickenkiller.com
[Tue Jan 9 20:15:27 CET 2024] _on_issue_err
[Tue Jan 9 20:15:27 CET 2024] Please add '--debug' or '--log' to check more details.
[Tue Jan 9 20:15:27 CET 2024] See: How to debug acme.sh · acmesh-official/acme.sh Wiki · GitHub

Any idea?

Thanks!

Check your indentation

keyfile: privkey.pem
dns:
  provider: dns_freedns
  env:
    - FREEDNS_User=
    - FREEDNS_Password=

Hi, it’s ok but I couldn’t put it fine in the editor. In fact, if I change my password, the error is related with the login. Anyway, here is a screenshot. Thanks.

Is your domain on FreeDNS set to public?