Just some notes on setting up SSL (Let's Encrypt). I had a doozy finding info for non-DuckDNS setups, so hope it helps someone.
OS is Ubuntu, hassio
Let's Encrypt - DNS challenge
DNS provider is Hurricane Electric
certbot + certbot-he-hook
I'm a total newb at docker stuff; initially I started using the Let's Encrypt addon but got stuck trying to find out where certbot is, how to add hook files and change the command. I set up Let's Encrypt outside of HA, at the OS level, and feed the certs to its /ssl/ dir. certbot has a third-party hook for my DNS provider to automatically do the DNS TXT records. It also has a lot of hooks available for different DNS providers.
Install certbot and pip, then the hook's Python dependency:

```bash
sudo apt install certbot python-pip
pip install beautifulsoup4
```
Get the certbot hook for Hurricane Electric and save the py script somewhere. This example uses /home/endluser/certbot-he-hook.py:
```bash
sudo HE_USERNAME=user HE_PASSWORD=pass HE_ZONE=myzone.xxx HE_PROPAGATION_SECONDS=60 \
  certbot certonly \
  --domain ha.myzone.xxx \
  --email [email protected] \
  --preferred-challenges dns \
  --manual \
  --manual-auth-hook "/home/endluser/certbot-he-hook.py" \
  --manual-cleanup-hook "/home/endluser/certbot-he-hook.py" \
  --manual-public-ip-logging-ok
```

And for a manual renewal:

```bash
sudo HE_USERNAME=user HE_PASSWORD=pass HE_ZONE=myzone.xxx HE_PROPAGATION_SECONDS=60 \
  certbot renew \
  --preferred-challenges dns \
  --manual-auth-hook "/home/endluser/certbot-he-hook.py" \
  --manual-cleanup-hook "/home/endluser/certbot-he-hook.py" \
  --manual-public-ip-logging-ok
```

Note that the HE username and password are passed on the command line, so they end up in shell history and are visible in the process list while certbot runs.
This creates the certs in (the actual files are in the archive folder; the live files are symlinks).
Copy the cert (cp -L, or find the symlink and copy from archive, doesn't matter):

```bash
cp -L /etc/letsencrypt/live/ha.myzone.xxx/* /usr/share/hassio/ssl/
```
Permissions seem OK, but in case they aren't, maybe a `chmod a+rx /usr/share/hassio/ssl/*.pem` helps. Be aware that a+rx on privkey.pem makes the private key readable by every local user, so only do this if the files really fail to load.
Don't forget configuration.yaml:

```yaml
http:
  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem
```
Reboot the server and log in with HTTPS://ha.domainname.xxx:8123.
For renewals, a shell script run as a nightly cron job, with deploy hooks:

```bash
#!/bin/bash
HE_USERNAME=user HE_PASSWORD=pass HE_ZONE=myzone.xxx HE_PROPAGATION_SECONDS=60 \
  certbot renew \
  --preferred-challenges dns \
  --manual-auth-hook "/home/endluser/certbot-he-hook.py" \
  --manual-cleanup-hook "/home/endluser/certbot-he-hook.py" \
  --manual-public-ip-logging-ok \
  --deploy-hook "cp -uL /etc/letsencrypt/live/ha.myzone.xxx/* /usr/share/hassio/ssl/ && docker restart homeassistant"
```

The copy and the restart are combined into one --deploy-hook: certbot only keeps the last --deploy-hook it is given, so passing it twice would drop the copy and only restart the container.
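For the deploy step, here is an added example script (mine, not from this post and not part of certbot or certbot-he-hook) that does the copy-and-restart as a single deploy hook but only restarts Home Assistant when the cert files actually changed, so a nightly renew that renews nothing leaves HA alone. It assumes the same paths as above (/usr/share/hassio/ssl and the ha.myzone.xxx lineage) and uses RENEWED_LINEAGE, which certbot exports to deploy hooks; the script name /home/endluser/deploy-ha.sh is an assumed one.

```shell
#!/bin/sh
# Added example, not from the original post: one deploy hook that copies the
# renewed cert files into the hassio /ssl dir and restarts Home Assistant only
# when something changed. SSL_DIR and the lineage path are assumptions taken
# from the post; RENEWED_LINEAGE is set by certbot when it runs a deploy hook.
set -eu

SSL_DIR="${SSL_DIR:-/usr/share/hassio/ssl}"
LINEAGE="${RENEWED_LINEAGE:-/etc/letsencrypt/live/ha.myzone.xxx}"

# Returns 0 when dst is missing or differs from src, 1 when they are identical.
# cmp follows the live/ symlink, so it compares the real archive file.
cert_changed() {
  [ -f "$2" ] || return 0
  ! cmp -s "$1" "$2"
}

# Copies fullchain.pem and privkey.pem (resolving symlinks, like cp -L in the
# post) and prints "changed" or "unchanged" so the caller can decide to restart.
deploy_certs() {
  src_dir="$1"; dst_dir="$2"; updated=0
  mkdir -p "$dst_dir"
  for f in fullchain.pem privkey.pem; do
    if cert_changed "$src_dir/$f" "$dst_dir/$f"; then
      cp -L "$src_dir/$f" "$dst_dir/$f"
      updated=1
    fi
  done
  if [ "$updated" -eq 1 ]; then echo changed; else echo unchanged; fi
}

# Entry point used by certbot: restart the container only on a real change.
main() {
  if [ "$(deploy_certs "$LINEAGE" "$SSL_DIR")" = changed ]; then
    docker restart homeassistant
  fi
}

# Only act when called with the "deploy" argument, so the functions above can
# be sourced or tested without touching docker.
if [ "${1:-}" = deploy ]; then main; fi
```

Hook it up with `--deploy-hook "/home/endluser/deploy-ha.sh deploy"` in place of the cp/docker string in the cron script.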
DNS is so picky. I have internal DNS/split brain.
My local machine had two DNS servers listed: first internal, and second Google.
cmd can ping the domain and get the right local address, but HA would not load until I removed the Google DNS from my workstation. Interestingly enough, Firefox and Edge worked fine. Prob is my environment.
```bash
hassio dns options --servers dns://192.168.0.200   # internal DNS srv
```
When I pinged mydomain from the hass container I got the public IP. I did this before I realized my workstation/DNS/Chrome funk, so I don't know if this is really needed; prior hass DNS had 18.104.22.168 and 22.214.171.124.
After this, the only thing I had to do was go into the Mosquitto addon and set the path for the SSL files from "file.pem" to "/ssl/file.pem" for both files, otherwise Mosquitto wouldn't start, complaining about reading the SSL files. Other addons seem to be fine.
Any reference to the old URL must be changed. I have some media_player files in www for Node-RED to play; I had to change the path from HTTP to https.