Home Assistant Add-on: home-assistant-ssl-from-asus-router

Home Assistant OS
#1

Hi fellows,

I have been one of those people who used the DDNS service on my Asus router, and have the SSL Certificate renew automatically by the router(A setup like this: SSL cert with ASUS router - #6 by clydde). However, I would always have to manually get the new SSL key and cert file every few month so I can still connect back to my HA.

But not any more!

I have built a simple add-on that allows users like use to transfer the key and cert files into SSL folder, with either one click or integrating with HA automation.

Github Url
Addon Containers

Hope this can reduce the amount of manual work to actually get a new SSL Cert from your router from now on, and feel free to let questions. Iā€™ll try to answer them as much as I can.

1 Like
#2

Nice, but an addon seems overkill for this.
Did you try a plain bash script through a plain shell_command? Content is basically your ā€œrun.shā€ā€¦

Advantages being:

  1. Less overhead
  2. Can be automatized
#3

Good call @koying , but let me explain why I have to go through the hassle of creating an addon for thisā€¦

So most definitely the first thing I tried is using a good plain old shell_command. The script running on shell worked. However, I am not sure if there are access restrictions on automations, when shell_command is executed via automation, the ssl/ folder will always become Read-Only and prevents me from updating the key and cert file.

With the reasoning above, I figured that writing a addon will be my easiest way out.

To your second advantage, it is not actually an advantage by using shell_command. I am still able to control/automate a addon. This is my current setup:

alias: SSL Cert Auto Renew
description: ''
trigger:
  - platform: time
    at: '00:00:00'
condition:
  - condition: template
    value_template: '{{ now().day == 1 }}'
action:
  - service: hassio.addon_start
    data:
      addon: local_refresher_ssl_cert_from_asus_ddns_router
  - service: hassio.addon_restart
    data:
      addon: core_nginx_proxy
mode: single

So the shorter response to your suggestion:

  1. Yes, shell_command has less overhead, but it canā€™t get the job done.
  2. No, shell_command canā€™t actually be automated in this use-case
#4

Ok, that might be a peculiarity of supervised/HAOS.
Something preventing you to use another subfolder (or none) as well?

#5

My SSL is handled by Home Assistant Add-on: NGINX Home Assistant SSL proxy, and in the documentation stated the follow:

The certificate to your registered domain should already be created via the Duck DNS add-on or another method. Make sure that the certificate files exist in the /ssl directory.

so unfortunately, no way around the folder part, and no, I would not want to change my current HTTPs solution. Hence the wierd workaround here LOL

#6

Ok. Iā€™m still confused on how you would be supposed to push your custom certificates by another method if the /ssl sub-directory is read-only, but hey, if thatā€™s needed for your use-case, so it is :wink:

#7

So actually, according to the Homeassistant addon build guild, there is a option called map that can further grant permission to specific folders. You may check out this page for more specific details:

#8

I have been trying to do exactly this for over a year now, and have never been able to get around the permissions issue with the ssl folder. So, I have to manually move it every three months when the old one expires. I was very excited to get this set up, however, Iā€™m really not sure how to install this addon, can you please help? Iā€™m currently running the Home Assistant Blue on the odroid N2, and Iā€™ve only installed custom addons through HACS.

#9

You may directly clone the repo onto your addons/ directory. Once you cloned the repo, refresh your add-ons page and you should be able to see the addon popping up.

#10

Hey @s92025592025 this is an awesome idea. Iā€™ve been trying to figure this out for the longest time. I had to remember to force the update before going on trips which is not very convenient! I ran into a problem during the installation. I cloned the repo and put it in my /addon folder. I can see it in the addon store under local but when I hit install, it gives me the following error:

Canā€™t install s92025592025/refresher-ssl-cert-from-asus-ddns-router-aarch64:0.0.1: 404 Client Error for http+docker://localhost/v1.41/images/create?tag=0.0.1&fromImage=s92025592025%2Frefresher-ssl-cert-from-asus-ddns-router-aarch64&platform=linux%2Farm64: Not Found (ā€œpull access denied for s92025592025/refresher-ssl-cert-from-asus-ddns-router-aarch64, repository does not exist or may require ā€˜docker loginā€™: denied: requested access to the resource is deniedā€)

Not sure what to do since itā€™s the first time Iā€™ve encountered this. I mustā€™ve messed up something but I donā€™t know what :S
Thx

#11

I am not hosting the images on Docker Hub, only on github:

#12

Got it. Not a coder though so can you tell me how I should go about installing it? I donā€™t have experience with that kind of operation. thx

#13

Thank you for all your hard work and your support. But, Iā€™m getting the same exact error as shado above. I cloned the whole repo into /addons/asus-ssl/ and it does show up in the add-ons section like you said. However, there is an install button that throws this error:

Failed to install add-on
Canā€™t install s92025592025/refresher-ssl-cert-from-asus-ddns-router-aarch64:0.0.1: 404 Client Error for http+docker://localhost/v1.41/images/create?tag=0.0.1&fromImage=s92025592025%2Frefresher-ssl-cert-from-asus-ddns-router-aarch64&platform=linux%2Farm64: Not Found (ā€œpull access denied for s92025592025/refresher-ssl-cert-from-asus-ddns-router-aarch64, repository does not exist or may require ā€˜docker loginā€™: denied: requested access to the resource is deniedā€)

Iā€™m sorry if this is a dumb question, but, could it have something to do with me using the Odroid N2? Iā€™m not sure if itā€™s aarch64, armV7, etc

#14

@blugemni @shado214 I have rolled out a new version 0.0.2. Please do ā€œcheck for updatesā€ in your addon store or do a git pull in the repo directory and check if you can see the newer version. LMK if you are seeing other issues.

#15

Iā€™ve updated to the new version, and was able to get it installed. Was having a bit of trouble with it connecting to the router initially, but then I realized that you are required to set the SSH port on the router to port 22. Could we possibly get a port option in the config as well?

Once I changed the port to 22 on the router, it looks like most of the script seems to be working, as it creates the directories and sets file permissions. However, once it gets to the ā€œscpingā€ it looks like scp isnā€™t installed?

Here is the end of the debug log:

debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,rsa-sha2-256,ssh-rsa,ssh-dss>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/id_rsa
Authenticated to 10.0.0.1 ([10.0.0.1]:22) using "publickey".
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: pledge: filesystem full
debug1: Sending command: scp -v -f /etc/key.pem
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
sh: scp: not found
debug1: channel 0: free: client-session, nchannels 1
Transferred: sent 2680, received 1504 bytes, in 0.1 seconds
Bytes per second: sent 50508.0, received 28344.8
debug1: Exit status 127
[cmd] /run.sh exited 1
[cont-finish.d] executing container finish scripts...
[cont-finish.d] 99-message.sh: executing... 
-----------------------------------------------------------
                Oops! Something went wrong.

I canā€™t thank you enough for your time and support. Let me know if you would like me to provide any more information. :slight_smile:

EDIT: Nvm, works like a champ now that Iā€™ve installed Merlin on the router. Thanks again!

#16

Nice to know if it working for you. I think the error meant that scp canā€™t find the file that is in defined in the keyFilePathOnRouter option.

The option to change ports seemed to be a good idea, Iā€™ll put that in the next release.

#17

Hey, sorry for the late reply. Thanks again for your amazing work! I finally got it to work as expected! as you pointed out, it doesnā€™t seem to find the files. I installed Merlin as blugemni suggested and it works perfectly now! I noticed you added the option to change the port but for some reason when I change the port to 1025, the code fails at getting the public key. Not a dealbreaker though!

Also I should mention that there seems to be a bug in the port forwarding in merlin. I can enter the port info but there is no apply button so I canā€™t save it. As soon as I refresh the page, everything disappears. Fortunately, I had previously configured it and it seems to have kept the config as I can see the port is open in Open Port Check Tool - Test Port Forwarding on Your Router. In any case, thanks again for taking the time to make our experience better!! Cheers!

EDIT: Nvm what I said. I just needed to do a factory reset since my NVRAM was saturated. Everything works perfectly now.