Hey everyone,
just some notes on setting up SSL (Let's Encrypt). I had a doozy finding info for non-DuckDNS setups, so I hope it helps someone.
OS is Ubuntu, Hass.io
Let's Encrypt - DNS challenge
DNS provider is Hurricane Electric
certbot + certbot-he-hook
I'm a total newb at Docker stuff. Initially I started using the Let's Encrypt add-on but got stuck trying to find out where certbot is, how to add hook files and how to change the command. I set up Let's Encrypt outside of HA, at the OS level, and feed the certs into its /ssl/ dir. certbot has a third-party hook for my DNS provider that creates and removes the DNS TXT records automatically. There are also a lot of hooks available for other DNS providers.
sudo apt install certbot python-pip
pip install beautifulsoup4
The certbot hook for Hurricane Electric: save the .py script somewhere and make it executable. This example uses /home/endluser/certbot-he-hook.py
https://github.com/adammillerio/certbot-he-hook
new cert:
sudo HE_USERNAME=user HE_PASSWORD=pass HE_ZONE=myzone.xxx HE_PROPAGATION_SECONDS=60 \
certbot certonly \
--domain ha.myzone.xxx \
--email [email protected] \
--preferred-challenges dns \
--manual \
--manual-auth-hook "/home/endluser/certbot-he-hook.py" \
--manual-cleanup-hook "/home/endluser/certbot-he-hook.py" \
--manual-public-ip-logging-ok
renew:
sudo HE_USERNAME=user HE_PASSWORD=pass HE_ZONE=myzone.xxx HE_PROPAGATION_SECONDS=60 \
certbot renew \
--preferred-challenges dns \
--manual-auth-hook "/home/endluser/certbot-he-hook.py" \
--manual-cleanup-hook "/home/endluser/certbot-he-hook.py" \
--manual-public-ip-logging-ok
This creates the certs in the directory below (the actual files are in the archive folder; the files under live/ are symlinks to them):
/etc/letsencrypt/live/ha.myzone.xxx/
-fullchain.pem
-privkey.pem
Copy the certs (cp -L dereferences the symlinks; finding the symlink target and copying from archive/ works just as well):
cp -L /etc/letsencrypt/live/ha.myzone.xxx/* /usr/share/hassio/ssl/
Permissions seem OK, but if HA cannot read the files, a 'chmod a+r /usr/share/hassio/ssl/*.pem' helps. Keep in mind that this makes privkey.pem readable by every user on the host; if you need it, prefer chown-ing the files to the user Home Assistant runs as and using a narrower mode (0640 or 0600) instead.
Dont forget the configuration.yaml
http:
ssl_certificate: /ssl/fullchain.pem
ssl_key: /ssl/privkey.pem
Reboot the server and log in with https://ha.domainname.xxx:8123
For renewals: a shell script run as a nightly cronjob, with deploy hooks.
#!/bin/bash
# Keep this file mode 700 (chmod 700): it contains the HE password in clear text.
# certbot accepts a single --deploy-hook (a repeated flag overrides the earlier one),
# so the copy and the container restart go in one command; certbot runs the hook
# through a shell, and only when a cert was actually renewed.
HE_USERNAME=user HE_PASSWORD=pass HE_ZONE=myzone.xxx HE_PROPAGATION_SECONDS=60 \
certbot renew \
--preferred-challenges dns \
--manual-auth-hook "/home/endluser/certbot-he-hook.py" \
--manual-cleanup-hook "/home/endluser/certbot-he-hook.py" \
--manual-public-ip-logging-ok \
--deploy-hook "cp -uL /etc/letsencrypt/live/ha.myzone.xxx/* /usr/share/hassio/ssl/ && docker restart homeassistant"
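The one-liner deploy hook above copies on every renewal and restarts Home Assistant unconditionally. Below is an added example (my own script, not from the original post or from certbot) of the same deploy step written as a standalone hook: it dereferences the live/ symlinks, writes each pem to a temp file and renames it so a reader never sees a half-written file, keeps privkey.pem owner-only while fullchain.pem stays world-readable, and restarts the container only when something actually changed. The /usr/share/hassio/ssl path and the homeassistant container name are assumptions mirroring the post; RENEWED_LINEAGE is the variable certbot exports to deploy hooks with the path of the renewed lineage, so the script does nothing when run outside certbot.

```shell
#!/bin/sh
# Added example, not from the original post: a certbot deploy hook that copies
# the renewed cert into the Hass.io /ssl directory only when it changed, keeps
# privkey.pem owner-only, and restarts the container only on change.
# Paths and the container name are assumptions that mirror the post above.
set -eu

SSL_DIR="${SSL_DIR:-/usr/share/hassio/ssl}"
CONTAINER="${CONTAINER:-homeassistant}"

# changed SRC DST: succeed when DST is missing or differs from SRC.
changed() { ! cmp -s "$1" "$2"; }

# deploy_file SRC DST MODE: copy SRC to DST following symlinks (live/ holds
# symlinks into archive/), via a temp file plus rename so nothing ever reads a
# half-written pem. Prints "updated" or "unchanged".
deploy_file() {
  src="$1"; dst="$2"; mode="$3"
  if changed "$src" "$dst"; then
    tmp="$(mktemp "${dst}.XXXXXX")"   # created 0600 in the destination dir
    cp -L "$src" "$tmp"
    chmod "$mode" "$tmp"
    mv -f "$tmp" "$dst"               # atomic replace on the same filesystem
    echo updated
  else
    echo unchanged
  fi
}

# deploy_certs LIVE_DIR SSL_DIR: deploy fullchain.pem (world-readable is fine,
# it is public) and privkey.pem (owner-only). Returns 0 if anything changed,
# 1 if both files were already current.
deploy_certs() {
  live="$1"; ssl="$2"; any=1
  [ "$(deploy_file "$live/fullchain.pem" "$ssl/fullchain.pem" 0644)" = updated ] && any=0
  [ "$(deploy_file "$live/privkey.pem" "$ssl/privkey.pem" 0600)" = updated ] && any=0
  return "$any"
}

# certbot exports RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/ha.myzone.xxx)
# to deploy hooks; only act when we were actually invoked as one.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
  if deploy_certs "$RENEWED_LINEAGE" "$SSL_DIR"; then
    docker restart "$CONTAINER"
  fi
fi
```

Save it as, for example, /usr/local/bin/deploy-ha-cert.sh (a hypothetical path), chmod 755 it, and pass `--deploy-hook /usr/local/bin/deploy-ha-cert.sh` in the renew command instead of the inline cp/restart string. Because it keys off RENEWED_LINEAGE, the same script works for any lineage certbot renews, not just ha.myzone.xxx.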
Notes:
DNS is so picky. I have internal DNS / split-brain DNS.
My local machine had two DNS servers listed: first internal, and second Google.
cmd could ping the domain and get the right local address, but HA would not load until I removed the Google DNS from my workstation. Interestingly enough, Firefox and Edge worked fine. Probably it's my environment.
hassio dns options --servers dns://192.168.0.200
(internal DNS server)
When I pinged my domain from the Hass container I got the public IP. I did this before I realized my workstation/DNS/Chrome funk, so I don't know if this is really needed; before, the Hass DNS had 8.8.8.8 and 1.1.1.1.
After this, the only thing I had to do was go into the Mosquitto add-on and change the path for the SSL files from "file.pem" to "/ssl/file.pem" for both files, otherwise Mosquitto wouldn't start and complained about reading the SSL files. Other add-ons seem to be fine.
Any reference to the old URL must be changed. I have some media_player files in www for Node-RED to play, and I had to change the path from http to https.