I have been one of those people who used the DDNS service on my Asus router, and have the SSL Certificate renewed automatically by the router (a setup like this: SSL cert with ASUS router - #6 by clydde). However, I would always have to manually get the new SSL key and cert file every few months so I can still connect back to my HA.
But not any more!
I have built a simple add-on that allows users like us to transfer the key and cert files into the SSL folder, with either one click or by integrating with HA automation.
Hope this can reduce the amount of manual work to actually get a new SSL Cert from your router from now on, and feel free to leave questions. I'll try to answer them as much as I can.
Good call @koying, but let me explain why I have to go through the hassle of creating an addon for this…
So most definitely the first thing I tried is using a good plain old shell_command. The script running on shell worked. However, I am not sure if there are access restrictions on automations, when shell_command is executed via automation, the ssl/ folder will always become Read-Only and prevents me from updating the key and cert file.
With the reasoning above, I figured that writing an addon will be my easiest way out.
To your second advantage, it is not actually an advantage by using shell_command. I am still able to control/automate an addon. This is my current setup:
My SSL is handled by Home Assistant Add-on: NGINX Home Assistant SSL proxy, and the documentation states the following:
The certificate to your registered domain should already be created via the Duck DNS add-on or another method. Make sure that the certificate files exist in the /ssl directory.
So unfortunately, no way around the folder part, and no, I would not want to change my current HTTPS solution. Hence the weird workaround here LOL
Ok. I'm still confused on how you would be supposed to push your custom certificates by another method if the /ssl sub-directory is read-only, but hey, if that's needed for your use-case, so it is
So actually, according to the Home Assistant addon build guide, there is an option called map that can further grant permission to specific folders. You may check out this page for more specific details:
I have been trying to do exactly this for over a year now, and have never been able to get around the permissions issue with the ssl folder. So, I have to manually move it every three months when the old one expires. I was very excited to get this set up, however, I'm really not sure how to install this addon, can you please help? I'm currently running the Home Assistant Blue on the odroid N2, and I've only installed custom addons through HACS.
You may directly clone the repo onto your addons/ directory. Once you cloned the repo, refresh your add-ons page and you should be able to see the addon popping up.
Hey @s92025592025 this is an awesome idea. I've been trying to figure this out for the longest time. I had to remember to force the update before going on trips which is not very convenient! I ran into a problem during the installation. I cloned the repo and put it in my /addon folder. I can see it in the addon store under local but when I hit install, it gives me the following error:
Can't install s92025592025/refresher-ssl-cert-from-asus-ddns-router-aarch64:0.0.1: 404 Client Error for http+docker://localhost/v1.41/images/create?tag=0.0.1&fromImage=s92025592025%2Frefresher-ssl-cert-from-asus-ddns-router-aarch64&platform=linux%2Farm64: Not Found ("pull access denied for s92025592025/refresher-ssl-cert-from-asus-ddns-router-aarch64, repository does not exist or may require 'docker login': denied: requested access to the resource is denied")
Not sure what to do since it's the first time I've encountered this. I must've messed up something but I don't know what :S
Thx
Thank you for all your hard work and your support. But, I'm getting the same exact error as shado above. I cloned the whole repo into /addons/asus-ssl/ and it does show up in the add-ons section like you said. However, there is an install button that throws this error:
Failed to install add-on
Can't install s92025592025/refresher-ssl-cert-from-asus-ddns-router-aarch64:0.0.1: 404 Client Error for http+docker://localhost/v1.41/images/create?tag=0.0.1&fromImage=s92025592025%2Frefresher-ssl-cert-from-asus-ddns-router-aarch64&platform=linux%2Farm64: Not Found ("pull access denied for s92025592025/refresher-ssl-cert-from-asus-ddns-router-aarch64, repository does not exist or may require 'docker login': denied: requested access to the resource is denied")
I'm sorry if this is a dumb question, but, could it have something to do with me using the Odroid N2? I'm not sure if it's aarch64, armV7, etc
@blugemni @shado214 I have rolled out a new version 0.0.2. Please do "check for updates" in your addon store or do a git pull in the repo directory and check if you can see the newer version. LMK if you are seeing other issues.
I've updated to the new version, and was able to get it installed. Was having a bit of trouble with it connecting to the router initially, but then I realized that you are required to set the SSH port on the router to port 22. Could we possibly get a port option in the config as well?
Once I changed the port to 22 on the router, it looks like most of the script seems to be working, as it creates the directories and sets file permissions. However, once it gets to the "scping" it looks like scp isn't installed?
Here is the end of the debug log:
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-256,ssh-rsa,ssh-dss>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/id_rsa
Authenticated to 10.0.0.1 ([10.0.0.1]:22) using "publickey".
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: pledge: filesystem full
debug1: Sending command: scp -v -f /etc/key.pem
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
sh: scp: not found
debug1: channel 0: free: client-session, nchannels 1
Transferred: sent 2680, received 1504 bytes, in 0.1 seconds
Bytes per second: sent 50508.0, received 28344.8
debug1: Exit status 127
[cmd] /run.sh exited 1
[cont-finish.d] executing container finish scripts...
[cont-finish.d] 99-message.sh: executing...
-----------------------------------------------------------
Oops! Something went wrong.
I can't thank you enough for your time and support. Let me know if you would like me to provide any more information.
EDIT: Nvm, works like a champ now that I've installed Merlin on the router. Thanks again!
Hey, sorry for the late reply. Thanks again for your amazing work! I finally got it to work as expected! As you pointed out, it doesn't seem to find the files. I installed Merlin as blugemni suggested and it works perfectly now! I noticed you added the option to change the port but for some reason when I change the port to 1025, the code fails at getting the public key. Not a dealbreaker though!
Also I should mention that there seems to be a bug in the port forwarding in Merlin. I can enter the port info but there is no apply button so I can't save it. As soon as I refresh the page, everything disappears. Fortunately, I had previously configured it and it seems to have kept the config as I can see the port is open in Open Port Check Tool - Test Port Forwarding on Your Router. In any case, thanks again for taking the time to make our experience better!! Cheers!
EDIT: Nvm what I said. I just needed to do a factory reset since my NVRAM was saturated. Everything works perfectly now.
Not sure if it is just the filepath. I am running an Asus RT-AX88U on Firmware Version: 3.0.0.4.386_49674 and get a similar error when running the scp command manually from another machine. When trying to use scp while ssh'd to the router, the command is not found. My suspicion is that Asus original firmware does not include the scp command.
P.S: I couldn't get the add-on running after cloning your git to the add-on folder. From Supervisor log: 22-08-25 20:45:13 WARNING (SyncWorker_3) [supervisor.store.data] No repository information exists at /data/addons/git/home-assistant-ssl-from-asus-router
Not sure if this is your repo or I cloned it wrong…
I have one suggestion, if I may: some people, like me, might want to keep their original Asus firmware for one reason or another. From what I understand, you get the certificates via SCP, which is not present in the asus fw. There seem to be ways to install scp by adding a usb storage device and a package manager on it, but this seems a bit of an overkill.
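Added example, not part of any post above and not the add-on's own code: one way to copy the files from a router that has an SSH server but no scp binary is to stream them with `cat` over ssh, then validate and atomically install them so a failed transfer (like the `scp: not found` run in the log) never replaces the certificate in use. The login, the certificate path `/etc/cert.pem` and the destination names `privkey.pem`/`fullchain.pem` are assumptions; only `/etc/key.pem` comes from the thread.

```shell
#!/bin/sh
# Added example. /etc/key.pem is the path from the debug log above; the login,
# port, certificate path and destination file names are assumptions.
ROUTER=${ROUTER:-admin@router.example}   # hypothetical login
PORT=${PORT:-22}
CERT_REMOTE=${CERT_REMOTE:-/etc/cert.pem}
SSL_DIR=${SSL_DIR:-/ssl}

# is_pem FILE: true only if FILE is non-empty and a BEGIN line precedes an END line.
is_pem() {
    [ -s "$1" ] || return 1
    b=$(grep -n -- '^-----BEGIN [A-Z0-9 ]*-----$' "$1" | head -n1 | cut -d: -f1)
    e=$(grep -n -- '^-----END [A-Z0-9 ]*-----$' "$1" | tail -n1 | cut -d: -f1)
    [ -n "$b" ] && [ -n "$e" ] && [ "$b" -lt "$e" ]
}

# fetch_pem REMOTE_PATH OUT: stream the file with cat, so no scp binary is needed
# on the router. BatchMode makes ssh fail instead of prompting for a password.
fetch_pem() {
    ssh -p "$PORT" -o BatchMode=yes "$ROUTER" "cat '$1'" > "$2"
}

# install_pem SRC DEST: validate first, then replace DEST atomically with mode 600.
# A failed or empty download never overwrites the certificate currently in use.
install_pem() {
    is_pem "$1" || { echo "refusing $1: not PEM" >&2; return 1; }
    tmp=$(mktemp "$2.XXXXXX") || return 1
    if chmod 600 "$tmp" && cat "$1" > "$tmp" && mv -f "$tmp" "$2"; then
        return 0
    fi
    rm -f "$tmp"
    return 1
}

refresh() {
    work=$(mktemp -d) || return 1
    rc=0
    fetch_pem /etc/key.pem "$work/key" && fetch_pem "$CERT_REMOTE" "$work/cert" &&
        is_pem "$work/key" && is_pem "$work/cert" &&
        install_pem "$work/key" "$SSL_DIR/privkey.pem" &&
        install_pem "$work/cert" "$SSL_DIR/fullchain.pem" || rc=1
    rm -rf "$work"
    return "$rc"
}

if [ "${1:-}" = "run" ]; then refresh; fi
```

Run it as `sh script.sh run` with `ROUTER`, `PORT` and `SSL_DIR` set for your setup; the router's host key should already be in `known_hosts`, since ssh is left at its default host key checking.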