Just sharing a little success!
I read a lot of problems about the Let’s Encrypt certificates. All about the port 80/443 forwarding.
Every few months I changed my forwarding from my Synology (website) to the Raspberry to update my Let’s Encrypt certificate. Last time it didn’t update because of an unknown reason.
I hate this returning problem and searched for a reliable solution and I found it!
I ordered a PositiveSSL Certificate from the Comodosslstore site ($24 for four years).
I created a CSR on my Synology NAS and a download containing two files was created:
Used the contents of server.csr to order the certificate.
After the verification I downloaded my certificate zip-file containing:
I uploaded the files above and my server.key to the hassio installation and created my fullchain.pem and privkey.pem.
cat .crt > fullchain.pem
cat COMODORSAAddTrustCA.crt >> fullchain.pem
cat AddTrustExternalCARoot.crt >> fullchain.pem
cat server.key > privkey.pem
I placed these files in the /ssl/ directory and restarted homeassistant.
No need to open port 80 to my hassio again.
$24 for a 4 year cert is good value, but not free.
If I hadn’t already got the renewal process automated, that’s a good deal.
Same as me having a $8 a year DNS service; had it for a very long time and too much effort to switch to DuckDNS. I’ve got dynamic mesh VPN going based and one of the devices was a nightmare to configure (Fritzboxes are great, except for the IPSEC VPN which has no GUI, is configured through a terrible separate app, and has little to no diagnostics). Hopefully my DNS provider never shuts down, or I’ll have to go through that grief again.
Can you please give me more detail, I am having a hard time configuring it. What is in your hass config file http component? And what is configured in apache?
My certificate was provided with a ca-bundle file. Here is what is required in this case:
server.key => privatekey.pem:
cp server.key privatekey.pem
server.crt domain.ca-bundle => fullchain.pem
cat server.crt domain.ca-bundle >fullchain.pem
I saved this thread a few years ago, and this time I made use of it.
$39.75 for 5 years. I could have gone with Let’s Encrypt to get my certificates for my domain for free, but for now have decided on this Comodo option.
Here are a few notes for others considering this option:
- What you are paying for is 5 years’ worth of certificates. However you still have to renew it every year; that’s just part of their policy that they have adopted based on the CA/B forum guidelines.
- Certificate Request - You first have to create a Certificate Signing Request (CSR). They provide an on-line tool for this (which I didn’t use), or give you instructions for how to do this using openssl (which is what I did) and this also generates your “private key” file which ends with extension .key. This file you can copy to privkey.pem. Once Comodo has your CSR on file, they can reuse it when renewing.
- Validation Methods - Comodo as a CA has to validate that you are in control of the domain. They provide a few methods to validate:
  - email - Generally you have to register your contact email address with your domain. A whois query as an example can tell what this email address is. But sometimes domain owners have a privacy setting to block others from seeing this, in which case this option can’t be used.
  - http - If you have a general purpose web server (with external world port 80 access), Comodo can provide a file that you are to make available (at a certain location below the root page) using your domain in the url (i.e.
  - CNAME - Comodo will provide you with information that you are to populate in your DNS provider’s CNAME record for your domain. Comodo will later read that record and verify its contents.
After the validation is completed successfully, they will issue you your certificates.
They will send you an email with a zip file that contains the pem files you will need, or you can use their “Cert Panel” with your account to get a zip file with several different forms and versions of files you will need.
The minimum files you will need are:
AAACertificateServices.crt - Root CA
USERTrustRSAAAACA.crt - Intermediate CA
SectigoRSADomainValidationSecureServerCA.crt - Intermediate CA
yourdomain.crt - Your PositiveSSL Cert
These files are the ones that come in your email zipfile. You can catenate all these files into one
You can also get these same files plus others from a zip file you can download from your Cert Panel. One of the other files you get in this zip file is a file named My_CA_Bundle.ca-bundle. This file is a concatenation of the Root-CA/Intermediate-CA pem files above. You simply just catenate this with your yourdomain.crt file to form a
As for HA
ssl_certificate: provide the full path name to get to the fullchain.pem file
ssl_key: provide the full path name to get to the privkey.pem file
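
The concatenation steps used in this thread, as an added example that is not code from any of the posters: shell functions that build fullchain.pem with your certificate first, refuse output that lacks a CA certificate or contains a private key, and overwrite privkey.pem with owner-only permissions. The function names and file names are assumptions; key_matches_cert needs openssl installed.

```shell
# Added example: function and file names are placeholders, not from the thread.

# Print a PEM file without CRs or blank lines; awk always ends the last line
# with a newline, so one file's END line cannot fuse with the next BEGIN line.
pem_clean() {
    tr -d '\r' < "$1" | awk 'NF'
}

# build_fullchain OUT LEAF CHAIN...   (your certificate first, then the CA files)
build_fullchain() {
    local out tmp f b e
    out=$1; shift
    tmp=$(mktemp) || return 1
    for f in "$@"; do
        [ -r "$f" ] || { echo "cannot read $f" >&2; rm -f "$tmp"; return 1; }
        pem_clean "$f" >> "$tmp"
    done
    b=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$tmp" || true)
    e=$(grep -c '^-----END CERTIFICATE-----$' "$tmp" || true)
    # Need the leaf plus at least one CA cert, balanced markers, no key inside.
    if [ "$b" -lt 2 ] || [ "$b" -ne "$e" ] || grep -q 'PRIVATE KEY' "$tmp"; then
        echo "refusing to write $out ($b BEGIN, $e END)" >&2
        rm -f "$tmp"; return 1
    fi
    chmod 644 "$tmp" && mv "$tmp" "$out"
}

# install_key OUT KEY   (overwrites instead of appending; owner-only access)
install_key() {
    local n
    n=$(pem_clean "$2" | grep -c '^-----BEGIN .*PRIVATE KEY-----$' || true)
    [ "$n" -eq 1 ] || { echo "$2: expected 1 private key, found $n" >&2; return 1; }
    ( umask 077; pem_clean "$2" > "$1" ) && chmod 600 "$1"
}

# key_matches_cert FULLCHAIN KEY   (needs openssl; compares the public key of
# the first certificate in FULLCHAIN with the one derived from KEY)
key_matches_cert() {
    local c k
    c=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    k=$(openssl pkey -in "$2" -pubout) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Typical use, with the names from your own zip file:
#   build_fullchain fullchain.pem yourdomain.crt My_CA_Bundle.ca-bundle
#   install_key privkey.pem server.key
#   key_matches_cert fullchain.pem privkey.pem && echo "key matches certificate"
```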