How to configure Let's Encrypt SSL Certificates for Home Assistant completely 100% free (Updated for 2022/2023)

I, too, “do” cyber security for a fortune 500 company. Security/convenience is going to be in the eye of the beholder. I’ve stated elsewhere in this forum why I am not a fan of Cloudflare’s app tunnel solution. (tl;dr: they are a man-in-the-middle and doesn’t provide end-to-end encryption)

I agree port-forwarding external 443 to 8123 is not ideal. It’s slightly better to do a non-standard random port, say 49731 to 8123. This will get around most script kiddies. Since I’ve set it up, I haven’t detected any intrusions or even scans of HA. Of course, your mileage will vary and it’s up to you to decide if it’s worth it to you.

If you are going to expose HA externally, set up multi-factor authentication.

Just wondering about this. It’s not mentioned anywhere that the add-on has this functionality and I stumbled on this thread while searching for this info

It does, yes.

1 Like

I’ve been running LE for almost 6 months now. I’ve had to trigger the rotation manually twice now by restarting the app. I’m not sure why I had to do that but I waited until 10 days before expiration. LE recommends rotating within 30 days of expiration.

I’ve never had to do anything, and I’ve been using it for coming up on 2 years. Perhaps you have a configuration issue?

hello,
i followed the instruction, i am able to access my HA remotely using cloudflare tunnel, When I start lets encrypt, it generated SSL certificate but then stops. Is it normal? I s Lets encrypt required to rum all times? i have set it to run at boot.

s6-rc: info: service s6rc-oneshot-runner: starting
s6-rc: info: service s6rc-oneshot-runner successfully started
s6-rc: info: service fix-attrs: starting
s6-rc: info: service fix-attrs successfully started
s6-rc: info: service legacy-cont-init: starting
cont-init: info: running /etc/cont-init.d/file-structure.sh
cont-init: info: /etc/cont-init.d/file-structure.sh exited 0
s6-rc: info: service legacy-cont-init successfully started
s6-rc: info: service legacy-services: starting
services-up: info: copying legacy longrun lets-encrypt (no readiness notification)
s6-rc: info: service legacy-services successfully started
[00:34:29] INFO: Selected DNS Provider: dns-cloudflare
[00:34:29] INFO: Use propagation seconds: 60
[00:34:30] INFO: Use CloudFlare token
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Certificate not yet due for renewal


Certificate not yet due for renewal; no action taken.


s6-rc: info: service legacy-services: stopping
s6-rc: info: service legacy-services successfully stopped
s6-rc: info: service legacy-cont-init: stopping
s6-rc: info: service legacy-cont-init successfully stopped
s6-rc: info: service fix-attrs: stopping
s6-rc: info: service fix-attrs successfully stopped
s6-rc: info: service s6rc-oneshot-runner: stopping
s6-rc: info: service s6rc-oneshot-runner successfully stopped

If you’re using Cloudflare tunnel, you shouldn’t need Let’s Encrypt since Cloudflare is encrypting the connection from your device, to CF, then to your Home Assistant.

The recommendation from LE is to run certbot daily.

1 Like

21 days later I see this, LOL. Sorry, I’m not in the forums very much, and i dont get emails or if my spam is catching, i gotta check my settings.

anyways, love the i “do” cyber security too, LOL! but true, never thought of using another random port. Yeah, Cloudflare is a man in the middle solution. I like that they dont hae a shady history or anything and their tunnel solution is basically sending the site over their own connection via the agent and not a true port fwd, atleast thats how I understand it. This type of proxying or reverse proxying, and not in the true type of proxying is a bit confusing and doing more research on it. But I host my DNS items through Cloudflare for my Domains. I dont like using any port fwd unless I need to because a port scanner would find any open port. But if you secure it propper ;). And yes, USE MFA is a massive true statement.

For my services that I MUST port fwd, i.e. plex, I setup a type of DMZ VLAN / Subnet that those hosts live in and are in a very strict walled garden. So my personal devices (computers, laptops, tablets, phones, etc…) are secured and my “default” vlan on any port in my house/ switch is my “guest” VLAN and my personal secure VLAN/Subnet is on its own so a port/SSID has to be configured to let a device talk to my personal devices. and then my IoT subnet/VLAN where I have some port to port open from my other network for DNS Multicast and things like that for ChromeCast and other features to work with my TV’s and equipment. And I run an active directory domain and rack of servers with ESXi/vCenter running to host all my virtual servers (about 25 and VM desktops for throw away systems) and my home automation, HA, is on the ESXi cluster using USB passthru to connect to ZWave/Zigbee/Matter/etc… Then I have a VLAN/Subnet that does nothing but direct internet access out, no talk to eachother, no ports, no nothing just OUT. this is for my Cell phone repeaters (3800 Sqft house build in 2019 and has stucco/chicken wire in the walls grounded and the roof is lined with a foil radiant berrior and other thermal optimizations, make the second you go in my house, all cell signal is GONE! LOL… and my work Access Point that gives my work laptop my work SSID and secure tunnel back.

I just hit my first LetsEncrypt cert renewal and I dont restart my HA server often, and the Lets Encrypt service starts at startup and if cert not needed, it doesnt pull it new and stops.

So if your cert expires before next restart, it will not. But you can go in and start the LE add on and it WILL go out and renew it if within time. Setup a script or CRON to turn on that add on every day might get around that.

True, dont need to use a cert for using LE… for my internal network, I like to ensure HTTPS runs on all my apps and services when I connect too… I have my internal PKI servers with my root trusted in my GPO’s. So I install my own PKI on all my other servers/machines/RDP/apps/etc… just incase… but I’m finding there is slowness to HA when using HTTPS… so I’m thinking that will be one service i’ll have to bite the bullet and drop my HTTPS love for…

I’m doing good until I hit this bit. I am not a webby, so don’t deal with SSL. But I do have my own paid for domain names and full DNS access on shared server hosting.

What do I need to add to my own DNS records to get this to work? I don’t want cloudfare\duck-dns\etc as I’d rather handle my own DNS stuff. I already have blah.doodah.com pointing to my home (and used with Wireguard VPN). What next?

“Handle my own DNS stuff” is a bit vague.

If you run your own authoritative DNS servers, this solution is not for you.

If you use somebody to host your DNS, and they have an API for updating records, check the documentation for the add-on, or the underlying CertBot software, to see if your provider is supported. If so, supply the appropriate values for them as opposed to Cloudflare.

Since the entire point of ACME (the protocol used for requesting certs) DNS validation is creating a record with a pseudo random value as specified by the ACME server (Let’s Encrypt for the sake of this discussion) within N seconds of requesting a cert, there’s nothing you can add to DNS manually.

Other ACME clients which are more flexible are out of scope….

Sorry, bit vague as I don’t know the technical language needed. Simply put - I have email and simple CPanel website on shared hosting and can add anything I need to the DNS. Just seemed a bit strange to me to have to have a Cloudfare account when I already have working DNS services. And I really don’t want to move from a reliable company to Cloudfare just to get SSL working.

So this version of LetsEncrypt only works with that small limited number of hosting companies?

Thank you for helping clear this up. :slight_smile: You’ve saved me from hours of wasted time reading up on something I can’t do.

No, let’s encrypt can be used by anyone - dynamic dns or not.

Partially true. Let’s Encrypt has to be able to confirm that you control the domain in question. You either need to automate putting a specific record in DNS for the domain to prove that you control the zone, or you need to place a specific file on your web server at a “well known” URI, to prove that you control the server.

This discussion was about using DNS when obtaining a certificate for a server not reachable across the Internet.

To be horribly pedantic, CertBot only works with that short list of DNS providers. LetsEncrypt’s ACME server doesn’t care at all how you create the required DNS record so long as you do it quickly enough. In the rest of my life I use an ACME client that is more flexible in this regard than CertBot, but don’t feel a need to integrate it with HA.

HA referring to the ACME client add-on with the name of a single provider of such services is a bit confusing.

No, not partially true. The fact that there are requirements to use it is not the same as there being limitations on it’s use. There is a very distinct difference between those two words.

LOL. Out here in the real world, those who can’t or don’t wish to meet the requirements to use the service are not able to use it. That would be the limitation.

I think this is what I need to focus on? Does this mean I can generate something to add manually to the DNS once every few months?

I am more confused that ever as to if I can use this SSL option or not :rofl: :upside_down_face:

I thought ACME was where Wile E. Coyote got his gadgets from… :wolf:

For me the biggest barrier is the language… all I wanted to do was talk to a doorbell via an internal network and I ended up down this mad rabbit hole.

Ah… maybe I now have something to focus on with acme.sh. Thanks for giving me the clues of where to look. Maybe I’ll order some TNT at the same time.

I see. Now you’ve resorted to calling people dumb or lazy. That’s a fantastic way to bolster your argument. Welcome to my block list, troll…