Automatic renewal of Let's Encrypt addon, and restart of NGINX

First of all, this blueprint is basically the "Blueprint for automatic renewal of a Let's Encrypt certificate", but rather than restarting Home Assistant, I am only restarting the NGINX addon after the renewal.


blueprint:
  name: Renew Let's Encrypt Certificate
  description: Renew Certificate when due date is below given value
  domain: automation
  input:
    cert_expiry_sensor:
        name: Certificate Expiry Sensor
        description: Sensor from the Certificate Expiry Integration (https://www.home-assistant.io/integrations/cert_expiry)
        selector:
            entity:
                integration: cert_expiry
    renew_date:
        name: Certificate renewal date
        description: Date when the SSL-Certificate will be renewed
        selector:
            number:
                min: 1
                max: 29
                mode: slider
                unit_of_measurement: "days"
        default: 5
    time_to_check_cert:
        name: Certificate check time
        description: Time when the certificate date will be checked.
        selector:
            time:
    restart_after_renewal:
        name: Restart NGINX
        description: Restarts the NGINX when the certificate is renewed. (if enabled)
        selector:
            boolean:
        default: true
    minuts_till_restart:
        name: Minutes until restart
        description: Minutes until restart of NGINX if restart is enabled
        selector:
            number:
                min: 1
                max: 60
                mode: slider
                unit_of_measurement: "minutes"
        default: 5
    send_notification:
        name: Send notification
        description: Sends a notification to a device if enabled
        selector:
            boolean:
        default: false
    notification_device:
        name: Device to notify
        description: Device which will be notified.
        selector:
            device:
                integration: mobile_app
    notification_title:
        name: Notification title
        description: Notification title for notification that is sent when the certificate has been renewed.
    notification_message:
        name: Notification message
        description: Notification that is sent when the certificate has been renewed.
alias: Renew SSL Cert
description: ''
trigger:
  - platform: time
    at: !input time_to_check_cert
condition:
  - condition: template
    value_template: '{{ expire_days_var < var_check }}'
action:
  - service: hassio.addon_start
    data:
      addon: core_letsencrypt
  - choose:
    - conditions:
        - condition: template
          value_template: '{{ send_notification_var }}'
      sequence:
        - device_id: !input notification_device
          domain: mobile_app
          type: notify
          title: '{{ message_title_var }}'
          message: '{{ message_var }}'
    default: []
  - choose:
    - conditions: 
        - condition: template
          value_template: '{{ restart_after_renewal_var }}'
      sequence:
        - delay:
              hours: 0
              minutes: !input minuts_till_restart
              seconds: 0
              milliseconds: 0
        - service: hassio.addon_restart
          data:
            addon: core_nginx_proxy
    default: []
mode: single
variables:
  certificate_var: !input cert_expiry_sensor
  var_check: !input renew_date
  message_var: !input notification_message
  message_title_var: !input notification_title
  restart_after_renewal_var: !input restart_after_renewal
  send_notification_var: !input send_notification
  expire_days_var: >-
    {{ ((as_timestamp(states(certificate_var)) - as_timestamp(now())) / 60 / 60 / 24 ) | int }}

Thanks for upgrading my original blueprint. Wasn’t sure that the NGINX restart is enough. I will add this as an extra option to my blueprint.

Hi, there is a mini inconvenience.
The blueprint requires you to input Device to notify, Notification title and Notification message even if the notification is toggled off.
Also, I suggest autopopulating Certificate check time with a stock value like 00:00:00.

Thanks a lot for your blueprint

+1 for this.

I was making a few tweaks to the blueprint, mainly to make it run on a specific day of the week as well as time but it does not work.

The offending condition is:

  - condition: time
    weekday: 
      - '{{ day_to_check_cert }}'

with the error:

Logger: homeassistant.components.automation
Source: components/automation/__init__.py:638
Integration: Automation (documentation, issues)
First occurred: 12:26:55 (14 occurrences)
Last logged: 13:04:00

Blueprint Renew SSL Certificate generated invalid automation with inputs OrderedDict([('cert_expiry_sensor', 'sensor.ssl_expiry'), ('renew_date', 89), ('day_to_check_cert', 'wed'), ('time_to_check_cert', '12:27:23'), ('minuts_till_restart', 1), ('notification_device', '79a8488d5113cf925ac2a2ce32961141'), ('notification_title', 'Title'), ('notification_message', 'Message')]): value must be one of ['fri', 'mon', 'sat', 'sun', 'thu', 'tue', 'wed'] @ data['condition'][0]['conditions'][1]['weekday'][0]. Got None
Blueprint Renew SSL Certificate generated invalid automation with inputs OrderedDict([('cert_expiry_sensor', 'sensor.ssl_expiry'), ('renew_date', 89), ('day_to_check_cert', 'wed'), ('time_to_check_cert', '12:27:23'), ('minuts_till_restart', 1), ('notification_device', '79a8488d5113cf925ac2a2ce32961141'), ('notification_title', 'wed'), ('notification_message', 'Message')]): value must be one of ['fri', 'mon', 'sat', 'sun', 'thu', 'tue', 'wed'] @ data['condition'][0]['conditions'][1]['weekday'][0]. Got None

but

  - condition: time
    weekday: 
      - wed

works fine with the following automation

- id: '1641472005392'
  alias: Renew SSL Certificate
  description: ''
  use_blueprint:
    path: LEA/renew_ssl_cert.yaml
    input:
      cert_expiry_sensor: sensor.ssl_expiry
      renew_date: 89
      day_to_check_cert: wed
      time_to_check_cert: '12:27:23'
      minuts_till_restart: 1
      notification_device: 79a8488d5113cf925ac2a2ce32961141
      notification_title: Title
      notification_message: Message

Any ideas? The full blueprint is below.

blueprint:
  name: Renew SSL Certificate
  description: Renew Certificate when due date is below given value
  domain: automation
  input:
    cert_expiry_sensor:
      name: Certificate Expiry Sensor
      description: Sensor from the Certificate Expiry Integration (https://www.home-assistant.io/integrations/cert_expiry)
      selector:
        entity:
          integration: cert_expiry
    renew_date:
      name: Certificate renewal date
      description: Date when the SSL-Certificate will be renewed
      selector:
        number:
          min: 8.0
          max: 89.0
          mode: slider
          unit_of_measurement: days
          step: 1.0
      default: 15
    day_to_check_cert:
      name: Certificate check day
      description: Day when the certificate date will be checked.
      selector:
        select:
          options:
            - mon
            - tue
            - wed
            - thu
            - fri
            - sat
            - sun
    time_to_check_cert:
      name: Certificate check time
      description: Time when the certificate date will be checked.
      selector:
        time: {}
    restart_after_renewal:
      name: Restart Home Assistant
      description: Restarts the Home Assistant when the certificate is renewed. (if enabled)
      selector:
        boolean: {}
      default: true
    minuts_till_restart:
      name: Minutes until restart
      description: Minutes until restart of Home Assistant if restart is enabled
      selector:
        number:
          min: 1.0
          max: 60.0
          mode: slider
          unit_of_measurement: minutes
          step: 1.0
      default: 5
    send_notification:
      name: Send notification
      description: Sends a notification to a device if enabled
      selector:
        boolean: {}
      default: false
    notification_device:
      name: Device to notify
      description: Device which will be notified.
      selector:
        device:
          integration: mobile_app
    notification_title:
      name: Notification title
      description: Notification title for notification that is sent when the certificate
        has been renewed.
      default: Notification Title
    notification_message:
      name: Notification message
      description: Notification that is sent when the certificate has been renewed.
      default: Notification message
alias: Renew SSL Cert
description: ''
trigger:
- platform: time
  at: !input 'time_to_check_cert'
condition:
  condition: and
  conditions:
  - condition: template
    value_template: '{{ expire_days_var < var_check }}'
  - condition: time
    weekday: 
      - '{{ day_to_check_cert }}'
action:
- service: hassio.addon_restart
  data:
    addon: core_duckdns
- choose:
  - conditions:
    - condition: template
      value_template: '{{ send_notification_var }}'
    sequence:
    - device_id: !input 'notification_device'
      domain: mobile_app
      type: notify
      title: '{{ message_title_var }}'
      message: '{{ message_var }}'
  default: []
- choose:
  - conditions:
    - condition: template
      value_template: '{{ restart_after_renewal_var }}'
    sequence:
    - delay:
        hours: 0
        minutes: !input 'minuts_till_restart'
        seconds: 0
        milliseconds: 0
    - service: homeassistant.restart
  default: []
mode: single
variables:
  certificate_var: !input 'cert_expiry_sensor'
  var_check: !input 'renew_date'
  message_var: !input 'notification_message'
  message_title_var: !input 'notification_title'
  restart_after_renewal_var: !input 'restart_after_renewal'
  send_notification_var: !input 'send_notification'
  expire_days_var: '{{ ((as_timestamp(states(certificate_var)) - as_timestamp(now()))
    / 60 / 60 / 24 ) | int }}'
  expire_dow_var: !input 'day_to_check_cert'



Try:

weekday: '{{ day_to_check_cert }}'

I don’t think you can add templates to individual list items.

Thanks that was the issue. I have actually gone in a different direction and am going to use the workday binary sensor instead https://www.home-assistant.io/integrations/workday/ rather than limit to a specific day of the week.

Hello. Thanks for the blueprint. I’ve installed and executed today but I get this error:

Stopped because of unknown reason "null" at March 6, 2024 at 06:48:40 (runtime: 0.00 seconds)

This is my blueprint config.

id: '1709718492008'
alias: Renew Let's Encrypt Certificate
description: ''
use_blueprint:
  path: mcnovy/renew_ssl_cert_homeassistant.yaml
  input:
    cert_expiry_sensor: sensor.casacolegiales_duckdns_org_cert_expiry
    time_to_check_cert: '07:00:00'
    minuts_till_restart: 5
    send_notification: true
    notification_device: c8bf364b54fe1e003cfbfa78074f3177
    notification_title: Certificado Renovado - CasaColegiales
    notification_message: Certificado Renovado - CasaColegiales

and this is the Let's Encrypt log when I executed manually.

 s6-rc: info: service s6rc-oneshot-runner: starting
 s6-rc: info: service s6rc-oneshot-runner successfully started
 s6-rc: info: service fix-attrs: starting
 s6-rc: info: service fix-attrs successfully started
 s6-rc: info: service legacy-cont-init: starting
 cont-init: info: running /etc/cont-init.d/file-structure.sh
 cont-init: info: /etc/cont-init.d/file-structure.sh exited 0
 s6-rc: info: service legacy-cont-init successfully started
 s6-rc: info: service legacy-services: starting
 services-up: info: copying legacy longrun lets-encrypt (no readiness notification)
 s6-rc: info: service legacy-services successfully started
 [06:23:17] INFO: Selected DNS Provider: dns-duckdns
 [06:23:18] INFO: Use propagation seconds: 60
 [06:23:18] INFO: Detecting existing certificate type for casacolegiales.duckdns.org
 Saving debug log to /var/log/letsencrypt/letsencrypt.log
 [06:23:25] INFO: Existing certificate using 'ecdsa' key type.
 Saving debug log to /var/log/letsencrypt/letsencrypt.log
 Certificate not yet due for renewal
 
 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 Certificate not yet due for renewal; no action taken.
 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 s6-rc: info: service legacy-services: stopping
 s6-rc: info: service legacy-services successfully stopped
 s6-rc: info: service legacy-cont-init: stopping
 s6-rc: info: service legacy-cont-init successfully stopped
 s6-rc: info: service fix-attrs: stopping
 s6-rc: info: service fix-attrs successfully stopped
 s6-rc: info: service s6rc-oneshot-runner: stopping
 s6-rc: info: service s6rc-oneshot-runner successfully stopped

Any help will be appreciated
Thanks
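
The renewal decision made by the blueprints in this thread, as an added Python example that is not part of any post or of Home Assistant itself: it mirrors the `expire_days_var` template and the `expire_days_var < var_check` condition, and handles a cert_expiry sensor that has no timestamp. The 30-day window is an assumption (certbot's default renew-before-expiry period for 90-day certificates); the function names, return constants and sample timestamps are constructed for illustration.

```python
from datetime import datetime, timezone

CERTBOT_WINDOW_DAYS = 30  # assumption: certbot only renews within 30 days of expiry
UNUSABLE_STATES = {"unknown", "unavailable", "", None}

SKIP_SENSOR = "skip: sensor has no expiry timestamp"
SKIP_NOT_DUE = "skip: blueprint condition is false"
START_NOOP = "start add-on: certbot will report 'not yet due'"
START_RENEW = "start add-on: certbot renews"


def days_left(sensor_state, now):
    """Whole days until expiry, truncated like the template's `| int` filter.

    Returns None when the sensor state is not a usable ISO 8601 timestamp.
    """
    if sensor_state in UNUSABLE_STATES:
        return None
    try:
        expires = datetime.fromisoformat(sensor_state)
    except ValueError:
        return None
    if expires.tzinfo is None:
        # Assumption: a naive timestamp is treated as UTC.
        expires = expires.replace(tzinfo=timezone.utc)
    return int((expires - now).total_seconds() / 60 / 60 / 24)


def decide(sensor_state, now, renew_days):
    """Classify one scheduled run of the automation."""
    remaining = days_left(sensor_state, now)
    if remaining is None:
        return SKIP_SENSOR
    if remaining >= renew_days:      # expire_days_var < var_check is false
        return SKIP_NOT_DUE
    if remaining >= CERTBOT_WINDOW_DAYS:
        return START_NOOP            # add-on starts, certificate is unchanged
    return START_RENEW


if __name__ == "__main__":
    now = datetime(2024, 3, 6, 6, 48, 40, tzinfo=timezone.utc)  # constructed
    for state, days in [("unavailable", 5),
                        ("2024-05-20T06:00:00+00:00", 5),
                        ("2024-05-20T06:00:00+00:00", 89),
                        ("2024-03-10T06:00:00+00:00", 5)]:
        print(state, days, "->", decide(state, now, days))
```

A threshold above the assumed 30-day window starts the add-on on every scheduled check without changing the certificate, so any NGINX restart that follows reloads the same certificate.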