Certificate Expiration for LetsEncrypt with NGINX reverse proxy

500Foods · March 10, 2023, 11:57pm

The Certificate Expiry integration doesn’t work particularly well when you’re trying to use it to get the expiry date of your Home Assistant server, when using NGINX reverse proxy, LetsEncrypt and without an external DNS provider. Instead, you can get the date from the fullchain.pem file directly, and then add that to a sensor.

sensor:
  - platform: command_line
    unique_id: ssl-homeassistant
    name: Home Assistant SSL Expiration
    command: '../ssl/openssl x509 -enddate -noout -in ../ssl/fullchain.pem | cut -c10-15'
    scan_interval: 86400

Note that you’ll need to have OpenSSL installed. Each time I installed it though, it would uninstall itself after a reboot. Eventually I gave up and just copied it into the /root/ssl folder. So, from terminal…

apk install openssl
cp /usr/bin/openssl /root/ssl

Seems to work great. Sensor reports “May 30” for example, but you can adjust the cut command above to get something else, like if you wanted the year, for example.

Also, while this involves editing configuration.yaml, it is possible to add other checks and get the same date out, using curl. For example:

  - platform: command_line
    unique_id: ssl-500foods
    name: 500Foods SSL Expiration
    command: 'curl https://www.500foods.com -vI --stderr - | grep "expire date" | cut -d":" -f 2- | cut -c2-7'
    scan_interval: 86400

Related links

github.com/home-assistant/home-assistant.io

Certificate Expiry - Alternative

opened 06:27AM - 01 Mar 23 UTC

closed 08:00AM - 01 Mar 23 UTC

500Foods

integration: cert_expiry

### Feedback The Certificate Expiry integration doesn't work particularly wel…l when you're trying to use it to get the expiry date of your Home Assistant server, when using NGINX reverse proxy, LetsEncrypt and without an external DNS provider. Instead, you can get the date from the fullchain.pem file directly, and then add that to a sensor. ``` sensor: - platform: command_line unique_id: ssl-homeassistant name: Home Assistant SSL Expiration command: '../ssl/openssl x509 -enddate -noout -in ../ssl/fullchain.pem | cut -c10-15' scan_interval: 86400 ``` Note that you'll need to have OpenSSL installed. Each time I installed it though, it would uninstall itself after a reboot. Eventually I gave up and just copied it into the /root/ssl folder. So, from terminal... ``` apk install openssl cp /usr/bin/openssl /root/ssl ``` Seems to work great. Sensor reports "May 30" for example, but you can adjust the cut command above to get something else, like if you wanted the year, for example. Also, while this involves editing configuration.yaml, it is possible to add other checks and get the same date out, using curl. For example: ``` - platform: command_line unique_id: ssl-500foods name: 500Foods SSL Expiration command: 'curl https://www.500foods.com -vI --stderr - | grep "expire date" | cut -d":" -f 2- | cut -c2-7' scan_interval: 86400 ``` ### URL https://www.home-assistant.io/integrations/cert_expiry/ ### Version _No response_ ### Additional information I do realize that this is not really a Certificate Expiry integration item - bypassing it entirely, essentially. But when looking to use this integration and getting stuck, this would have saved me an hour or two - after all one of the things anyone wanting to use this integration is to use it to monitor their own Home Assistant SSL expiration date.