Help with making secure SSL without duckDNS

Hi,

I am working on a setup to get HA working outside my house. Now there is a tutorial which gives an explanation for duckDNS, but my router already has this function, which is asuscomm.com. So this link: xxxxxx.asuscomm.com can redirect my external IP.
Now I need to set up a safe SSL, but I am not familiar with SSL. I also don’t like to manually get a new SSL certificate every 90 days (Let’s Encrypt).

The only thing I want to do is to use HA as user interface. Most of the programming will be done with Node-Red so I can make everything changeable. Communication is with MQTT.

Is there an easy way to get this done?

1 Like

Follow the guide and just skip the section for duckDNS, then replace all the duckDNS URLs with your asuscomm URLs for the rest of the tutorial?

Off the top of my head I can’t think why it wouldn’t work just the same.

Are you using a Raspberry with Linux? If so, you can make a shell script that renews the certificate, and call it using cron every two months or so. You might want to restart some services in the script as well, once you have got the new certificates.

The line in /etc/crontab should be something like:
# /etc/crontab format: minute hour day-of-month month day-of-week user command
0 1 1 1,3,5,7,9,11 * root /root/myrefreshscript.sh

2 Likes

You also have the option of purchasing a certificate from a vendor like hover.com. But I think when you see the price for these you will decide that the 90 day update isn’t such a big problem.

1 Like

Then use certbot, from the LetsEncrypt folks. It has a function that’ll allow you to automate the renewal, and restart the service using it. There’s no need for any manual effort.

How do I activate this? Finally got the ssl working! :slight_smile:

A quick Google for certbot renew found this, which is a good starting point. For something more detailed, we’d need to know whether you’re using HA directly with the certificate, you’re using nginx, or something else…

I use Hassbian and did the tutorial from this topic.

For checking the certificate I want to make a sensor like in the guide but this causes HA not to open after restart…

sensor:
  - platform: command_line
    name: SSL cert expiry
    unit_of_measurement: days
    scan_interval: 10800
    command: "ssl-cert-check -b -c /etc/letsencrypt/live/xxxxxxx.asuscomm.com/cert.pem | awk '{ print $NF }'"

and also this:

shell_command: 
  renew_ssl: ~/certbot/certbot-auto renew --quiet --no-self-upgrade --standalone --preferred-challenges http-01
  
automation:
  - alias: 'Auto Renew SSL Cert'
    trigger:
      platform: numeric_state
      entity_id: sensor.ssl_cert_expiry
      below: 29
    action:
      service: shell_command.renew_ssl

Do you already have automations, sensors and shell commands elsewhere in your configuration? If so, these go with them. The code definitely still works, I have it all running here. My guess would be formatting issue somewhere.

What errors do you get?

There’s no need to do that. You used certbot to get the certificate, so use it to check if the certificate is expired, renew the certificate if needed, and then restart HA:

/usr/local/bin/certbot-auto renew --post-hook "systemctl restart home-assistant"

Run that from cron daily, and you’re done. Don’t overcomplicate things :wink:
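
An added example, not part of any post in this thread: a daily cron script built around the certbot command from the last reply, which also logs a warning if the certificate on disk is still close to expiry after the renewal attempt, so a silently failing renewal gets noticed. The `WARN_DAYS` threshold, the `cert-watch` log tag and the `run` argument are assumptions; it relies on GNU `date` and `openssl`.

```shell
#!/bin/sh
# Added example (not from the thread): renew via certbot, then verify the result.
# Paths are the ones quoted in the thread; xxxxxxx is the thread's placeholder.
CERT="${CERT:-/etc/letsencrypt/live/xxxxxxx.asuscomm.com/cert.pem}"
CERTBOT="${CERTBOT:-/usr/local/bin/certbot-auto}"
# Assumption: certbot renews once fewer than 30 days remain, so a certificate
# with fewer than 20 days left means several daily renewals have failed.
WARN_DAYS="${WARN_DAYS:-20}"

# days_left NOT_AFTER NOW_EPOCH -> whole days until expiry (GNU date syntax)
days_left() {
    end=$(date -u -d "$1" +%s) || return 2
    echo $(( (end - $2) / 86400 ))
}

# cert_not_after FILE -> expiry date string, e.g. "Mar 10 12:00:00 2025 GMT"
cert_not_after() {
    openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//'
}

# expiry_status DAYS WARN -> prints OK or WARN; returns 1 on WARN
expiry_status() {
    if [ "$1" -lt "$2" ]; then echo "WARN"; return 1; fi
    echo "OK"
}

run_daily() {
    # certbot decides whether renewal is due; the hook runs only after a renewal
    "$CERTBOT" renew --quiet --post-hook "systemctl restart home-assistant" \
        || logger -t cert-watch "certbot renew exited with an error"
    not_after=$(cert_not_after "$CERT")
    [ -n "$not_after" ] || { logger -t cert-watch "cannot read $CERT"; return 2; }
    days=$(days_left "$not_after" "$(date +%s)") || return 2
    if ! expiry_status "$days" "$WARN_DAYS" >/dev/null; then
        logger -t cert-watch "$CERT expires in $days days; renewal is failing"
        return 1
    fi
}

# Only act when called as "script run", so the functions can be sourced safely
if [ "${1:-}" = "run" ]; then run_daily; fi
```

Called from root's cron once a day with the `run` argument, it leaves warnings in syslog under the `cert-watch` tag.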