Certificate Expiration for LetsEncrypt with NGINX reverse proxy

The Certificate Expiry integration doesn’t work particularly well when you’re trying to use it to get the expiry date of your Home Assistant server, when using NGINX reverse proxy, LetsEncrypt and without an external DNS provider. Instead, you can get the date from the fullchain.pem file directly, and then add that to a sensor.

sensor:
  - platform: command_line
    unique_id: ssl-homeassistant
    name: Home Assistant SSL Expiration
    command: '../ssl/openssl x509 -enddate -noout -in ../ssl/fullchain.pem | cut -c10-15'
    scan_interval: 86400

Note that you’ll need to have OpenSSL installed. Each time I installed it though, it would uninstall itself after a reboot. Eventually I gave up and just copied it into the /root/ssl folder. So, from terminal…

apk install openssl
cp /usr/bin/openssl /root/ssl

Seems to work great. Sensor reports “May 30” for example, but you can adjust the cut command above to get something else, like if you wanted the year, for example.

Also, while this involves editing configuration.yaml, it is possible to add other checks and get the same date out, using curl. For example:

  - platform: command_line
    unique_id: ssl-500foods
    name: 500Foods SSL Expiration
    command: 'curl https://www.500foods.com -vI --stderr - | grep "expire date" | cut -d":" -f 2- | cut -c2-7'
    scan_interval: 86400

Related links