Lets encrypt certbot, not duckdns, auto renew

Tags: #<Tag:0x00007f3261da0850>

Hey everyone,

just some notes on setting up SSL (lets encrypt). i had a doozy finding info for non duck dns setups so hope it helps someone.

OS is ubuntu, hassio
Lets encrypt - dns challenge
Dns provider is hurricane electric
certbot + certbot-he-hook

Im a total newb at docker stuff, initially i start using lets encrypt addon but get stuck trying to find out where certbot is, how to add hook files and change the command. i setup lets encypt outside of ha, in os level, and feeding certs to its /ssl/ dir. certbot has a third party hook for my dns provider to auto do the dns txt records. Also has a lot of hooks avail for different dns providers.

install certbot python-pip
pip install beautifulsoup4

the certbot hook for hurricane electric, save the py script somewhere. this example /home/endluser/certbot-he-hook.py
.https://github.com/adammillerio/certbot-he-hook

new cert:

sudo HE_USERNAME=user HE_PASSWORD=pass HE_ZONE=myzone.xxx HE_PROPAGATION_SECONDS=60 \
	certbot certonly \
	--domain ha.myzone.xxx \
	--email [email protected] \
	--preferred-challenges dns \
	--manual \
	--manual-auth-hook "/home/endluser/certbot-he-hook.py"  \
	--manual-cleanup-hook "/home/endluser/certbot-he-hook.py"  \
	--manual-public-ip-logging-ok

renew:

sudo HE_USERNAME=user HE_PASSWORD=pass HE_ZONE=myzone.xxx HE_PROPAGATION_SECONDS=60 \
	certbot renew \
	--preferred-challenges dns \
	--manual-auth-hook "/home/endluser/certbot-he-hook.py"  \
	--manual-cleanup-hook "/home/endluser/certbot-he-hook.py"  \
	--manual-public-ip-logging-ok

creates certs in (the actual file is in archive folder, live files are symlink)
/etc/letsencrypt/live/ha.myzone.xxx/
-fullchain.pem
-privkey.pem

copy the cert (cp -L, or find the symlink and copy from archive doesnt matter)

 cp -L /etc/letsencrypt/live/ha.myzone.xxx/* /usr/share/hassio/ssl/

permission seem ok but in case maybe a ‘chmod a+rx /usr/share/hassio/ssl/*.pem’ helps

Dont forget the configuration.yaml

http:
  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem

reboot server and login with HTTPS://ha.domainname.xxx:8123
For renewals, a shell script nightly cronjob, deploy hooks.

#!/bin/bash

HE_USERNAME=user HE_PASSWORD=pass HE_ZONE=myzone.xxx HE_PROPAGATION_SECONDS=60 \
	certbot renew \
	--preferred-challenges dns \
	--manual-auth-hook "/home/endluser/certbot-he-hook.py"  \
	--manual-cleanup-hook "/home/endluser/certbot-he-hook.py"  \
	--manual-public-ip-logging-ok \
	--deploy-hook "cp -uL /etc/letsencrypt/live/ha.myzone.xxx/* /usr/share/hassio/ssl/" \
	--deploy-hook "docker restart homeassistant"

notes:
dns is so picky. i have internal dns/split brain.
my local machine had two dns server listed. first internal, and second google.
cmd can ping domain and get right local address, HA would not load until i remove google dns from my workstation. Interestingly enough firefox and edge worked fine. prob is my environment.

hassio dns options --servers dns://192.168.0.200 (internal dns srv)
when i ping mydomain from hass container i got public IP. I did this before i realize my workstation/dns/chrome funk, so i dont know if this is really needed, prior hass dns had 8.8.8.8 and 1.1.1.1

After this, the only thing i had to do was go in mosquito addon and set path for SSL file from “file.pem” to “/ssl/file.pem” for both files, otherwise mosquito wouldnt start, complain about reading SSL files. other addons seem to be fine.

Any reference of old URL must be changed. I have some media_player files in www for nodered to play i had to change path HTTP to https.

I do approx the same, but I use the certbot windows version.
It is a scheduled batch file, which runs daily.
It consists of:

  • running certbot
  • copying the pem files to the HA samba share

Cool! i always thought the /ssl folder is read only. It is from homeassistant docker container but not in sambas container, its writable. That would make the setup easier without getting to crazy in the linux shell. Im still more comfortable with a batch file and task scheduler vs its linux counterpart :crazy_face:

@mattch
Same here…more of a W10 dude myself :wink:

And share is not read-only, at least not here, all folders within samba share are r/w.

1st action: Powershell.exe -NoProfile -WindowStyle Hidden -Command "certbot renew"
2nd action robocopy c:\Certbot\live\hassio.cert \\192.168.1.12\ssl /XF cert.pem chain.pem README >c:\Certbot\copylog.txt
1 Like