I recently renewed my Let's Encrypt certificate for my Home Assistant website, and I really can't be bothered to renew it manually. I've seen people use certbot renew, but I'm not sure if that renews it automatically. I've also seen people alter their crontab files. I'd appreciate help.
If you're using the Let's Encrypt or DuckDNS add-on, it checks the certificate expiry a few times daily and automatically updates it by itself.
I've never had to update the cert manually in 5 years. The most I've had to do is reboot the entire host because it was still caching the expired cert.
But the thing is that our certificate had already expired once; we had to delete Let's Encrypt and download it again to renew it. And renewing it manually is very complicated and tiring.
Are you sure the certificate actually expired and it wasn't just the quirk I mentioned earlier? LE certificates are usually only valid for a couple of months, and they renew 30 days before expiry. So, if you had no issues for more than 2 months, it's a cache issue.
Look at your LE logs; you should see something like this:

```text
Processing xxx.duckdns.org
 + Checking domain name(s) of existing cert... unchanged.
 + Checking expire date of existing cert...
 + Valid till Jul 14 00:54:54 2025 GMT (Longer than 30 days). Skipping renew!
[19:57:41] INFO: Renew certificate for domains: xxx.duckdns.org and aliases:
# INFO: Using main config file /data/workdir/config
Processing xxx.duckdns.org
 + Checking domain name(s) of existing cert... unchanged.
 + Checking expire date of existing cert...
 + Valid till Jul 14 00:54:54 2025 GMT (Longer than 30 days). Skipping renew!
[09:17:47] INFO: Renew certificate for domains: xxx.duckdns.org and aliases:
# INFO: Using main config file /data/workdir/config
Processing xxx.duckdns.org
 + Checking domain name(s) of existing cert... unchanged.
 + Checking expire date of existing cert...
 + Valid till Jul 14 00:54:54 2025 GMT (Longer than 30 days). Skipping renew!
[22:37:54] INFO: Renew certificate for domains: xxx.duckdns.org and aliases:
# INFO: Using main config file /data/workdir/config
Processing xxx.duckdns.org
 + Checking domain name(s) of existing cert... unchanged.
 + Checking expire date of existing cert...
 + Valid till Jul 14 00:54:54 2025 GMT (Longer than 30 days). Skipping renew!
```
Your issue happened to me twice in 5 years. The first time I was going to take the nuclear option like you did and redo the whole certificate setup, because clearing the cache wasn't working.
Then I simply did a whole reboot of the entire host machine and the correct certificates were picked up.
I'm pretty sure the certificate had expired, because we got the mail about it expiring.
Hmm, I was wrong earlier. Only the DuckDNS add-on renews the certificates automatically. The Let's Encrypt add-on doesn't.
From the add-on docs:
Create & renew certificates
The letsencrypt add-on creates the certificates once it is started: navigate to Settings → Add-ons, pick the Let’s Encrypt add-on, click the START button on the bottom. The add-on stops once the certificates are created.
Certificates are not renewed automatically by the plugin. The add-on has to be started again to renew certificates. If the add-on is started again, it checks if the certificates are due for renewal. This is usually the case 30 days before the certificates’ due date. If the certificates are not due for renewal, the add-on terminates without changes. If the certificates are due for renewal, new certificates will be created.
There are multiple ways in which the add-on can be started to check/renew the certificates. One way to automate the certificate renewal is to configure a renewal via a Home Assistant automation, and then restart this add-on every night via the Supervisor add-on restart action.
In this example, the automation will run every day at the chosen time, checking if a renewal is due, and will request it if needed.
BTW, it is entirely unnecessary to restart the add-on every night as suggested above. Restarting every 30 days (or every week if you're worried) should be enough.
The Let's Encrypt add-on only runs once during HA startup, so in the worst case you'll need to restart twice: the first to start the add-on, the second to start using the new certificate.
Of course you can also just start the add-on manually…
I myself use an automation to start the add-on when the certificate is about to expire (in 21 days).
I don't bother to restart HA (as most likely it will be restarted during the next 21 days anyway).
```yaml
alias: "@Let's encrypt certificate check."
description: Will expire in 3 weeks
triggers:
  - at: "07:00:00"
    trigger: time
conditions:
  # Fires once the expiry timestamp (from the Certificate Expiry sensor) is less than 21 days away
  - condition: template
    value_template: >-
      {{ (states('sensor.cert_expiry_timestamp_ha_<my-certificate-entity>') | as_datetime -
      timedelta(days=21)) < now() }}
actions:
  - data:
      title: Let's Encrypt
      message: The Certificate will expire in 3 weeks, trying to renew, please verify
    action: notify.mobile_app_<my phone entity>
  # Starting the add-on is what triggers the renewal check
  - data:
      addon: core_letsencrypt
    action: hassio.addon_start
mode: single
```
I'm sorry for the late reply, but from what I understand, to renew the certificate you just have to restart the add-on? And I'm going to assume the code above just checks when the certificates are about to expire.
Correct; however, in order to activate them, HA still needs to be restarted after the certificates have been renewed.
Yes, and when they have less than 21 days of validity left, the add-on will be restarted, hence the certificates will be renewed. It will also send a notification to my phone, so I am aware of it.
Is there a way to automate the restart of HA? Since this is a school project I'm working on, and by the end of this month I'm done with school. It'll just be annoying to manually restart the add-on.
Thank you for discussing this
The automation will take care of the add-on restart…
And you could just add this to the automation:

```yaml
actions:
  - action: homeassistant.restart
    metadata: {}
    data: {}
```
I don't use this myself, as I'd like to do any restart manually (on top of that, since this certificate renewal is done 21 days before it actually expires, I would probably do a restart within those 21 days anyway).
You're welcome.
The Caddy reverse proxy renews (and sets up) the certificate automatically; you never have to worry about restarting, because it sits in front of Home Assistant. There is a Caddy add-on; it just takes a little time to google how to get the Caddyfile working. Then you can also run other services on your Home Assistant box and get to them directly. Home Assistant Add-on: Caddy 2
Basically, have Caddy run on 80/443 and have it point to port 8123 (the unencrypted Home Assistant port). Basic Caddyfile below with some extra security stuff on headers. Replace domain with your domain name. Replace XX with your internal Home Assistant IP address.
I tried to strip out all my extra stuff from my Caddyfile. Hopefully I did not mess anything up. It can handle dynamic DNS and a bunch of other stuff for you if you want. Because I run emulated Hue, I need Caddy to run on port 81. So I forward port 80 on my router to port 81 on the Home Assistant box. Also forward 443 to the Home Assistant box. Do not forward 8123!
```caddyfile
{
    email [email protected]
    # Emulated Hue already uses port 80 on this box, so Caddy listens on 81;
    # the router forwards external 80 -> 81 (see the post above)
    http_port 81
}

# Security headers shared by every site block that imports it
(common) {
    header {
        X-XSS-Protection "1; mode=block"
        X-Content-Type-Options "nosniff"
        Referrer-Policy "same-origin"
        Content-Security-Policy "frame-ancestors domain.com *.domain.com"
        # Drop the Server header so the proxy does not advertise itself
        -Server
        Permissions-Policy "geolocation=(self domain.com *.domain.com), microphone=()"
    }
}

homeassistant.domain.com {
    import common
    encode gzip
    # Caddy terminates TLS; Home Assistant is reached over plain HTTP on the LAN
    reverse_proxy 192.168.1.XX:8123 {
    }
}
```
There is an integration called Certificate Expiry you can install:
Then run an automation that will renew the cert when it is within 30 days of expiration:
```yaml
alias: Renew Let's Encrypt if Cert Expiry less than 30 Days
description: ""
triggers:
  - trigger: time
    at: "01:00:00"
conditions:
  # Seconds until expiry divided by 86400 gives days; true when under 30
  - condition: template
    value_template: >-
      {{
      (as_timestamp(states('sensor.YOURINTEGRATIONHERE_expiry'))
      - now().timestamp()) / 86400 < 30 }}
actions:
  - action: hassio.addon_start
    data:
      addon: core_letsencrypt
mode: single
```
There could be a problem on system reboot where this runs before your web server is up, so reload the Certificate Expiry integration two minutes after reboot:

```yaml
alias: Reload Certificate Expiry After NGINX Start
description: ""
triggers:
  - trigger: homeassistant
    event: start
conditions: []
actions:
  # Give the web server time to come up before the sensor is re-queried
  - delay:
      hours: 0
      minutes: 2
      seconds: 0
      milliseconds: 0
  - action: homeassistant.reload_config_entry
    metadata: {}
    data:
      entry_id: 01J__YOURENTRYIDHERE_FD
mode: single
```
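The following is an added example, not code from this thread or from the Let's Encrypt, DuckDNS or Caddy add-ons. It ties together three things discussed above: it parses the "Valid till" line from the Let's Encrypt add-on log quoted earlier, applies the same renewal-window rule the two automations use (30 days in the add-on and the Certificate Expiry version, 21 days in the notification version), and, after a renewal, asks a host which certificate it is actually presenting, which is how you tell the "still caching the expired cert, reboot the host" case from a renewal that never happened. The sample log text is constructed in the add-on's format, `xxx.duckdns.org` is only a placeholder, and the function and constant names are mine.

```python
"""Let's Encrypt renewal-window check plus a live check of the served cert.

Added example (not code from the thread or from the Let's Encrypt /
DuckDNS add-ons). It parses the "Valid till ..." line the add-on prints,
applies the "renew when fewer than N days remain" rule the automations in
the thread use, and can ask a TLS endpoint which certificate it really
presents. SAMPLE_LOG is constructed in the add-on's format; xxx.duckdns.org
is a placeholder host.
"""
import re
import socket
import ssl
import sys
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

# Matches the add-on log line, e.g.
# " + Valid till Jul 14 00:54:54 2025 GMT (Longer than 30 days). Skipping renew!"
VALID_TILL_RE = re.compile(r"Valid till (\w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4} GMT)")

# Constructed excerpt in the format shown in the thread.
SAMPLE_LOG = """\
[19:57:41] INFO: Renew certificate for domains: xxx.duckdns.org and aliases:
# INFO: Using main config file /data/workdir/config
Processing xxx.duckdns.org
 + Checking domain name(s) of existing cert... unchanged.
 + Checking expire date of existing cert...
 + Valid till Jul 14 00:54:54 2025 GMT (Longer than 30 days). Skipping renew!
"""


def utc(iso: str) -> datetime:
    """Aware UTC datetime from an ISO string such as '2025-06-01T07:00:00'."""
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)


def parse_expiry(log_text: str) -> Optional[datetime]:
    """Expiry from the last 'Valid till' line in an add-on log, or None.

    ssl.cert_time_to_seconds parses exactly the 'Mon DD HH:MM:SS YYYY GMT'
    layout used both in the add-on log and in getpeercert()['notAfter'].
    """
    matches = VALID_TILL_RE.findall(log_text)
    if not matches:
        return None
    secs = ssl.cert_time_to_seconds(matches[-1])
    return datetime.fromtimestamp(secs, tz=timezone.utc)


def days_remaining(expiry: datetime, now: datetime) -> float:
    """Fractional days until expiry (negative once expired)."""
    return (expiry - now) / timedelta(days=1)


def renewal_due(expiry: datetime, now: datetime, window_days: int = 30) -> bool:
    """Same test as the automations' Jinja condition:
    (expiry - timedelta(days=window)) < now()."""
    return (expiry - timedelta(days=window_days)) < now


def served_cert_status(host: str, port: int = 443, timeout: float = 5.0) -> Tuple[bool, str]:
    """What the endpoint actually presents, after chain verification.

    Returns (True, notAfter) when the chain verifies, or (False, reason) when
    it does not. 'certificate has expired' here, while the add-on log shows a
    future 'Valid till', is the cached-cert case from the thread: the web
    server still holds the old file and needs a restart.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return True, tls.getpeercert()["notAfter"]
    except ssl.SSLCertVerificationError as exc:
        return False, exc.verify_message
    except (OSError, ssl.SSLError) as exc:
        return False, str(exc)


def report(log_text: str, now: datetime, window_days: int) -> str:
    """One-line verdict for a log excerpt at a given point in time."""
    expiry = parse_expiry(log_text)
    if expiry is None:
        return "no 'Valid till' line found"
    left = days_remaining(expiry, now)
    verdict = "renew now" if renewal_due(expiry, now, window_days) else "skip"
    return f"expires {expiry:%Y-%m-%d %H:%M:%S} UTC, {left:.1f} days left, {window_days}-day window: {verdict}"


if __name__ == "__main__":
    print(report(SAMPLE_LOG, datetime.now(timezone.utc), 30))
    if len(sys.argv) > 1:  # e.g. python3 certcheck.py homeassistant.domain.com
        print(served_cert_status(sys.argv[1]))
```

Run it with a hostname after the add-on has logged a fresh "Valid till" date: a verified handshake whose `notAfter` is older than the log's date, or a "certificate has expired" verify message, means Home Assistant (or the proxy in front of it) is still serving the pre-renewal file and a restart is what is needed, not another renewal.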