Let's Encrypt Add-on - How to get automatic renewal

I am running a hassio instance on a Pi4 and access the system by using a subdomain which I created via CNAME entry in the DNS settings of my domain.

To enable https I am using the Let’s Encrypt add-on using the dns-01 challenge. Fortunately my provider is supported by the add-on and after some fumbling I was able to successfully retrieve the certificate files.

So far so good. What I not yet understand is how to use the add-on for the necessary renewal every 3 months. After the successful run the add-on has been stopped.

Do I need to rerun the add-on in time to renew the certificates? Is there a way to automate this? I didn’t find anything in the manual.

Just for clarification: I am not referring to the DuckDNS add-on with integrated Let’s Encrypt support. I am talking about the Let’s Encrypt add-on.
Regards,
Chris

5 Likes

I’m not sure how the add-on works, but the Let’s Encrypt certbot is normally run by a cron job on a regular basis (e.g. every day), and it decides when to renew the cert based on the existing cert’s expiry; nothing more is required.

One would presume if you let the add-on run continuously, it would likely do the same…?

No because it stops running after it checks the certs.

I’d use an automation to start the addon say at midnight every night or on a specific day each week…

Hi David,

thanks for pointing me in this direction.
So the information missing in the manual of the add-on is as follows.

  • The Let’s Encrypt add-on will stop after checking the certs

  • If your certs are still valid the add-on will stop and do nothing

  • Therefore you can add an automation with a time trigger to start the service regularly

Action type
     Call service
Service
     hassio.addon_start
Service data 
     addon: core_letsencrypt
10 Likes

So add that information to the docs. Every user can edit the docs and submit a pull request.

1 Like

+1 on what @chris_ka and @DavidFW1960 said.

FWIW, here’s how I have it run daily via an automation.

Cheers !

5 Likes

Thanks very much for this.

Question: Is there a way I can tell if the process actually updated the certs? The reason is that I have a wildcard cert and I need to copy the certs to a few machines and perform other operations.

Cheers

1 Like

You’re welcome :slight_smile:

AFAIK, there is no way to know from an HA perspective. I guess what you could do is write a script (bash or something) that would pull the file and distribute it to your other machines, based on the modification date of the file, using something like rsync?

Well there is a certificate expiry integration that will tell you how many days left to expiry and expiry date of the certificate.

1 Like

Thanks for the suggestion. I find the way the add-on starts and stops a bit counter intuitive. Would expect the add-on to behave as a cron job itself, starting the process once per day or so. But knowing this creating an automation that fires once per day works as well.

Would it be possible for the add-on to reload the web interface after successful renewal of a certificate?

I have now managed to successfully renew my wildcard certificates by the DNS method. The certificate expiry plugin now correctly shows 88 days remaining; however, Home Assistant keeps using the old certificate. Restarting the server from within the interface makes no difference. Do I really need to reboot for this?

3 Likes

Hi Rob,

It is not necessary to reboot to get the expiry date updated after the certificates have been renewed. But it takes some time. Think of it from an economic view. How often should a state variable which changes once per day be polled. Right - so it can take some hours before it reflects the changes.

The expiry sensor updates just fine. The thing is that the homeassistant web interface keeps using the old certificate.

Sorry, I got you wrong. The only thing I can say is that I didn’t experience this in my setup.

Hello,
Just to help with hassio on an RPi 4, 2021.
My domain was: XXXXXXXX.freeboxos.fr

sensor.yaml

#############################
########  certbot  ##########
#############################
# Certificate expiry integration: reads the expiry date of the certificate
# served at this host and exposes it as sensor.cert_expiry_timestamp_<host>
- platform: cert_expiry
  host: XXXXXXXX.freeboxos.fr

# Template sensor: whole days left until the certificate expires.
# Depends on the time_date sensor (display_options: date) for sensor.date;
# the template re-renders once a day, whenever sensor.date is updated.
- platform: template
  sensors:
    days_before_out:
      friendly_name: days before out
      value_template: >-
       {{ ((as_timestamp(states('sensor.cert_expiry_timestamp_XXXXXXX_freeboxos_fr'), 0) - as_timestamp(states.sensor.date.last_updated)) / 86400) | int(0) }}

and an automation:

alias: auto cerboot (Dupliquer)   # "auto certbot (duplicate)"
description: ''
trigger:
  - platform: state
    entity_id: sensor.days_before_out   # the template sensor defined in sensor.yaml above
    to: '20'                            # fires once 20 days remain before expiry
condition: []
action:
  - service: notify.stef
    data:
      message: il faut renouveller certificat HASSIO   # "the HASSIO certificate must be renewed"
  - service: hassio.addon_start
    data:
      addon: core_letsencrypt
  - delay:   # assumes the add-on finishes the renewal within 2 minutes
      hours: 0
      minutes: 2
      seconds: 0
      milliseconds: 0
  - service: homeassistant.restart   # restart so the renewed certificate is loaded
mode: single

modified 23/02/22

1 Like

Thanks for sharing, but wouldn’t HA need to be restarted for the new certs to be effective?

1 Like
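Two of the points raised in this thread (David's suggestion to start the add-on on a schedule, and Rob's question about Home Assistant keeping the old certificate after a renewal) can be combined into one small configuration. The following is an added example, not configuration from the thread or from the add-on's documentation. It assumes a Supervisor ("hassio") installation where the Let's Encrypt add-on writes `/ssl/fullchain.pem` and `/ssl/privkey.pem`, that `http:` in `configuration.yaml` points at those files, and that the `folder_watcher` integration is available; the 03:30 start time is an arbitrary choice. Note that the `cert_expiry` integration inspects the certificate served on the network, not the file on disk, so a state change of that sensor is not a reliable signal that the add-on has written a new file; watching the folder the add-on writes to is.

```yaml
# Added example, not from this thread. Assumed paths: the add-on writes
# /ssl/fullchain.pem and /ssl/privkey.pem, and http: uses those files.

# --- configuration.yaml ---
homeassistant:
  allowlist_external_dirs:
    - /ssl               # folder_watcher refuses folders outside this list

folder_watcher:
  - folder: /ssl
    patterns:
      - "fullchain.pem"  # fire only for the certificate, not every file in /ssl

# --- automations.yaml ---
# 1. Run the add-on once a day. It exits by itself: if the certificate is not
#    close to expiry it does nothing, otherwise certbot renews it.
- alias: "Let's Encrypt: daily renewal check"
  trigger:
    - platform: time
      at: "03:30:00"     # assumed time; pick one when nobody needs the UI
  action:
    - service: hassio.addon_start
      data:
        addon: core_letsencrypt
  mode: single

# 2. Restart only when the certificate file on disk has actually been replaced.
#    Home Assistant loads the certificate at startup, so a restart is what makes
#    the renewed certificate visible to browsers.
- alias: "Let's Encrypt: restart after renewal"
  trigger:
    - platform: event
      event_type: folder_watcher
      event_data:
        event_type: modified
        path: /ssl/fullchain.pem
  action:
    # privkey.pem is written around the same time; wait so both files are complete
    - delay:
        seconds: 30
    - service: persistent_notification.create
      data:
        title: "Certificate renewed"
        message: "fullchain.pem changed at {{ now() }}; restarting Home Assistant."
    - service: homeassistant.restart
  mode: single         # a burst of modified events triggers one restart, not several
```

The second automation also answers the earlier question about knowing whether the certs were really updated: the `folder_watcher` event only fires when the file changes, so the same trigger can call a `shell_command` that copies the renewed files to other machines before the restart. `mode: single` matters because a renewal typically produces several modification events in quick succession; without it each event would queue another restart.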

Sorry man,
this one works better.

alias: auto cerboot (Dupliquer)   # "auto certbot (duplicate)"
description: ''
trigger:
  - platform: state
    entity_id: sensor.days_before_out   # the template sensor defined in sensor.yaml above
    to: '20'                            # fires once 20 days remain before expiry
condition: []
action:
  - service: notify.XXX
    data:
      message: il faut renouveller certificat HASSIO   # "the HASSIO certificate must be renewed"
  - service: hassio.addon_start
    data:
      addon: core_letsencrypt
  - delay:   # assumes the add-on finishes the renewal within 2 minutes
      hours: 0
      minutes: 2
      seconds: 0
      milliseconds: 0
  - service: homeassistant.restart   # restart so the renewed certificate is loaded
mode: single

1 Like

There is also the “certificate expiry integration” that can be installed. You would give it the URL of the Home Assistant server it is running on. Then you can import this blueprint:

When you create the automation you tell it how many days in advance you want it to run. I think the default is 5. So the automation is set to run every day, and the cert expiry integration tracks the expiration of the certificate. When the threshold is met it will run the renewal.