Currently, there is no support for GoDaddy with the Let’s Encrypt Add-on even though GoDaddy does have an API that supports certificate creation.
After some preliminary research, certbot has built-in support for GoDaddy via the Lexicon module (see the developer’s confirmation here).
You can also do a DNS challenge with just a few lines of script and CROM job for auto-renewal. This blog post has a nice walk-through.
Would also love to see this. PFSense has this same functionality with acme/letsencrypt for renewing and challenging against your own godaddy account/domain, would be super helpful to have in HA.
Hey, all!
I’m currently using this repo and it seems to work without issues yet
https://github.com/troykelly/hassio-addons-letsencrypt-lexicon
I’m getting Let’s Encrypt valid cert using it, so I don’t think there are any issues with the GoDaddy API, although I’m missing DynamicDNS feature here - it’s not critical for me, because my external IP only changes after some long power outage (I guess when it is longer than the lease time for the providers DHCP)
In spite of it is called lexicon - they have a lot of other providers there
Looks like the DNS challenge worked with Troy’s addon, thanks @shoguevara!
Where can I find instructions for the next steps? I did the DNS challenge for hassio.mydomain.com, but how do I switch from hassio.local to hassio.mydomain.com.
[EDIT]
You need to add to the configuration.yaml something like this:
http:
base_url: https://YOUR_DOMAIN:8123
ssl_certificate: /ssl/KEYS_LOCATOON/fullchain.pem
ssl_key: /ssl/KEYS_LOCATOON/privkey.pem
Also, if you haven’t already done it, you need to create type A record, using your GoDaddy console, using the domain name you chose to point to your external IP
As I previously mentioned, Troy’s addon doesn’t have any Dynamic DNS capabilities, so you have to do it manually, which is not a problem in case your external IP is a static one.
I ended up using nginx to proxy the requests on 443, works great. Now that’s working, I had the lexicon add-on generate 4 other SSL certs for the rest of my internal server, worked like a charm.
The only thing I have to figure out now is how to tell nginx to forward to those other subdomains to the internal IP addresses of the other servers. This is unrelated to this topic and I’ll research elsewhere.
Thanks for the tip!
Yep, I personally (at least yet) don’t use Nginx as ingress controller - I’m configuring all the traffic rules via my router.
I was just about to write my own feature request for this. Why can’t the Troy Kelly code be added to the core addon? I love Home Assistant but it really seems like everything is really fragmented and you have to search for workarounds to do what you want. Seems trivial to update the addon but what do I know, I’m not a dev.
I ended up switching to NGINX Proxy Manager (‘NPM’ here) NPM has a super-easy GUI and is my favorite option for a long time now.
I forward all 443/80 through my gateway (probably a ‘router’ for you) to the NPM reverse proxy’s IP address. Then, then NPM proxy forwards that traffic to the internal endpoint. I cannot understand how freaking amazing this is.
Then from there I can just generate the Lets Encrypt SSL cert (on the SSL Certificates tab), create a new Proxy host and it handles the external SSL comms externally. All internal comms are done with normal http.
Here’s a screenshot of my proxy hosts list.
Did you get wildcard certs working with nginx proxy manager and go daddy?
Honestly, I’ve never tried a wildcard cert because they end up being nothing but headaches (I have one for my LLC’s DigiCert certificates).
Here’s my workflow (takes literally 1 minute)
That being said, I imagine this is not feasible for a business with hundreds of subdomains, or if you have a strict requirement for wildcard.
I created a GoDaddy DNS add-on which registers my public IP with my GoDaddy DNS hosting and also creates an SSL certificate with Let’s Encrypt:
Yes, when using nginxyproxymanager they are supposed to autorenew.
Note that I am running npm on a different device (raspberry pi zero) and not using it as a HomeAssistant add-on. This is because I use my npm for a several different internal servers and need it to be reliable all by itself.
