Certificate Expiration for LetsEncrypt with NGINX reverse proxy

The Certificate Expiry integration doesn’t work particularly well when you’re trying to use it to get the expiry date of your Home Assistant server, when using NGINX reverse proxy, LetsEncrypt and without an external DNS provider. Instead, you can get the date from the fullchain.pem file directly, and then add that to a sensor.

sensor:
  - platform: command_line
    unique_id: ssl-homeassistant
    name: Home Assistant SSL Expiration
    command: '../ssl/openssl x509 -enddate -noout -in ../ssl/fullchain.pem | cut -c10-15'
    scan_interval: 86400

Note that you’ll need to have OpenSSL installed. Each time I installed it though, it would uninstall itself after a reboot. Eventually I gave up and just copied it into the /root/ssl folder. So, from terminal…

apk add openssl
cp /usr/bin/openssl /root/ssl

Seems to work great. Sensor reports “May 30” for example, but you can adjust the cut command above to get something else, like if you wanted the year, for example.

Also, while this involves editing configuration.yaml, it is possible to add other checks and get the same date out, using curl. For example:

  - platform: command_line
    unique_id: ssl-500foods
    name: 500Foods SSL Expiration
    command: 'curl https://www.500foods.com -vI --stderr - | grep "expire date" | cut -d":" -f 2- | cut -c2-7'
    scan_interval: 86400


Hello! Thanks for your contribution, it helped me.
It would be nice to pass that string to timedate to be able to perform an automation that restarts the NGINX but I’m having a hard time doing this step.

Glad it helped you. Let’s Encrypt is supposed to issue the renewal well ahead of time - like 30 days before it is to expire. As I reboot HA daily, I’m hoping this will work fine so long as the Let’s Encrypt renewal goes through. It wasn’t working before which is why I needed this in the first place - I didn’t know that it hadn’t gotten renewed.

I’m no expert in HA, but what were you having trouble with?

The problem is that no matter how many times you restart Home Assistant, the certificate is not renewed, you have to restart the NGINX Add-on.
I had this problem just yesterday and I’m trying to make an automation that will restart the NGINX at that moment. I am also not an expert in HA and less in programming. I was reading other entries to go from String to Timedate but it is not working.

Hmmm… I’ve got HA in a VM and it is the VM that is restarted, so surely NGINX would be restarted in that scenario??? If not, I’ll not be very happy when the next renewal comes along :laughing: but I’d maybe focus on getting NGINX to restart on a schedule.

In any event, getting this data into a timedate format is surely going to be problematic as I don’t think it is anywhere near the right format - just having a month expressed like “May” is going to be hard to deal with. Would it be easier to just have another sensor that is the “current” expiration date, and just restart NGINX if it doesn’t match?

I just saw this thread, so I added the certificate expiry integration. I tried it on domain and subdomain certs and it displays the time and date when the cert for the domain and subdomain will expire.

Or… just add an automation that is triggered when the sensor changes?

I’m not sure I follow… You’ve updated the Certificate Expiry integration to now get this information directly?

I didn’t have this integration. I didn’t know it existed. I saw this thread so I integrated my domain and two subdomains just to check this out. As I saw, I have a sensor with a time stamp for the domain or subdomain saying cert expiration time stamp July 1. at xy. pm.

I still haven’t thought through how to implement it. First I want to get the timedate to be able to automate.

Do you have NGINX installed as an Add-on or do you have it installed as Supervisor?

I have nginx in docker with letsencrypt. I moved from supervised installation to docker compose and I didn’t regret it.

Ah. I’m sure the Certificate Expiry integration works great for many things. It just didn’t work for what I needed in my particular arrangement.

Correct, I have it as HA OS in a VM with Nginx as Add-On and the integration gives me “timed out”; it never connects with the certificate.

As I understood you can’t get time stamp from this integration. In my case it shows day, month, year, and exact time when cert will expire.
I don’t know what the problem is, but it might be due to the type of installation. For me, a standalone HA installation with docker containers solved a lot of issues I was struggling with using the supervised installation.

Yes, they are different installations and in your case the integration works as it should. Thanks for the input

If my solution works for you as far as getting the new date from the certificate into the sensor, then you should be able to have an automation that just watches for that sensor to change? It doesn’t much matter what the sensor value is as you don’t want to restart NGINX at that time (the date/time in the sensor that has just been updated), you want to restart it as soon as a new certificate is available, which is when the sensor value changes.

You’re right, I’m going to try it this way. Anyway, I would like to change the format since it shows it as follows: “Jun 2 00:39:56 2023”, but this is only for aesthetics and to make it look better to read.
I’m going to open a new post to see if I can get someone to help me change the format.

The cut command is great for extracting a bit of text, but it can’t reorder anything in that text. Instead, you can use an awk command to reorder however you like. But this is a much less friendly command in general - more powerful but not all that easy to use. What you can do is tell it to split up a block of text into a bunch of values, and then print those values in whatever order you like.

In this case, we’ve got a Month (#1), Day (#2), Hour (#3), Minute (#4), Second (#5) and Year (#6). So if you wanted to see the date as 2023-Jun-2 00:39:56 you could change the command to be like this.

../ssl/openssl x509 -enddate -noout -in ../ssl/fullchain.pem | cut -c10-29 | awk -F[\ :]+ '{ print $6"-"$1"-"$2" "$3":"$4":"$5 }'

The -F[\ :] part splits up the components of the date and time into separate fields #1-#6, using both a space (escaped space) and a colon as delimiters.

The print command then displays these in whatever order you like, with whatever new delimiters you like.

The fact that it has both single and double quotes might cause some trouble. Maybe the command in the HA configuration.yaml doesn’t need its own quotes? Haven’t tried that out. But it works fine in the HA console.
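
Added example, not part of the original posts: a shell function that turns the full notAfter= line printed by openssl x509 -enddate -noout into an ISO 8601 UTC timestamp, which is easier to compare or parse than "Jun 2". It relies on awk's default field splitting, so the extra space OpenSSL prints before a single-digit day does not shift the fields. The function name enddate_to_iso is made up for this example.

```shell
#!/bin/sh
# Added example (not from the thread). enddate_to_iso is a hypothetical helper.
# Input:  the full line from `openssl x509 -enddate -noout`, for example
#         "notAfter=Jun  2 00:39:56 2023 GMT" (note the two spaces before "2").
# Output: "2023-06-02T00:39:56Z"; returns non-zero if the line does not parse,
#         so an openssl error message never ends up looking like a date.

enddate_to_iso() {
    printf '%s\n' "$1" | awk '
        BEGIN {
            # Map month abbreviations to numbers.
            n = split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", names, " ")
            for (i = 1; i <= n; i++) month[names[i]] = i
        }
        {
            sub(/^notAfter=/, "")
            # Default splitting collapses runs of blanks, so the padded
            # single-digit day is still field 2. OpenSSL prints GMT.
            if (NF >= 5 && $5 == "GMT" && ($1 in month) && split($3, t, ":") == 3) {
                printf "%04d-%02d-%02dT%02d:%02d:%02dZ\n", $4, month[$1], $2, t[1], t[2], t[3]
                ok = 1
            }
            exit
        }
        END { exit !ok }'
}

# Usage with the paths given in the first post:
#   enddate_to_iso "$(../ssl/openssl x509 -enddate -noout -in ../ssl/fullchain.pem)"
```
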

Well I kept messing around with this and got the Certificate Expiration Integration to work and I did!!
The problem was that I had the redirection of port 80 and 443 to my HA in my Router, I removed the redirection of port 80 and it was working instantly.