Let's Encrypt installation, need help!

I have Home Assistant running on a Raspberry Pi 3 and installed it using this guide: https://home-assistant.io/docs/installation/virtualenv/

I want to have secure remote access, so I wanted to use Let's Encrypt following this guide: https://home-assistant.io/docs/ecosystem/certificates/lets_encrypt/

The problem I have is that after running: ./certbot-auto certonly --standalone --preferred-challenges http-01 --email [email protected] -d examplehome.duckdns.org

I got a prompt: Requesting to rerun ./certbot-auto with root privileges…
and I am asked for the user's password.

I added the user to the sudo group as mentioned in the note.

The command: $ groups homeassistant shows it is a member of the sudo group.

The user is a system account without a password, and I am aware that for sudo a password is needed.

I don't want to screw up my installation, but is it safe to define a password for the user?

Umm, off the top of my head, umm, no idea :confused:

Sounds like something has gone wonky with the sudo permission on the homeassistant account. Try rebooting the device and then run the sudo adduser command again from the pi account, then switch to the homeassistant account and carry on from the certbot command you’re stuck at.

If that doesn’t work come back to me and I’ll see if anything else springs to mind.

Meanwhile I made some other trials and was able to create the needed certificate with the normal ‘pi’ account.
The account is able to read the certificates, and the web interface is now running securely over https.

The only problem now is that I am not able to renew the certificate with an automation script from homeassistant, because the password prompt appears again.

I would try your suggestion, but after some thoughts about it, I think it is maybe not wise to add the user account that is running hass (homeassistant) to the sudo group. In case of a security breach in homeassistant, bad code could be running using the newly given rights.

I think it is wiser to add a separate rule in /etc/sudoers using $ sudo visudo, a rule just for the user homeassistant.

The rule would be:

homeassistant ALL=(ALL) NOPASSWD: /home/homeassistant/certbot/./

In this case you only allow running certbot with root permissions instead of all code?

Adding the following line to /etc/sudoers worked :grinning:

homeassistant ALL=(ALL) NOPASSWD : ALL

The certbot-auto script is now running without a password prompt for the user homeassistant, and I am now able to renew the certificate with an automation script.

The previously suggested line homeassistant ALL=(ALL) NOPASSWD: /home/homeassistant/certbot/./ was without success.

Somehow it must be possible to only allow the certbot-auto script to run, for security reasons, but no success until now.
Maybe some other suggestions?

Adding the following line to /etc/sudoers with $ sudo visudo is working now :grinning:

homeassistant ALL=(ALL) NOPASSWD:SETENV: /home/homeassistant/certbot/certbot-auto

In this way you only allow the user/system user that is running the homeassistant process (hass) to run certbot for generating and renewing the certificate. This should be more secure in case of a security breach within the hass process.

4 Likes
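As an added example (not from this thread or from Home Assistant), a small Python audit that parses sudoers user-spec lines like the three quoted above and tells the unrestricted NOPASSWD: ALL variant apart from a directory-wide rule and a single-binary rule. It assumes the simplified grammar coded below, not sudo's full parser, and the sample rules are a constructed copy of the lines posted in this thread.

```python
import re

# Constructed sample: the three sudoers lines discussed in the thread above.
SAMPLE_RULES = [
    "homeassistant ALL=(ALL) NOPASSWD : ALL",
    "homeassistant ALL=(ALL) NOPASSWD: /home/homeassistant/certbot/./",
    "homeassistant ALL=(ALL) NOPASSWD:SETENV: /home/homeassistant/certbot/certbot-auto",
]

# Tag keywords that sudoers allows in front of the command list.
TAGS = {"NOPASSWD", "PASSWD", "SETENV", "NOSETENV", "NOEXEC", "EXEC",
        "LOG_INPUT", "NOLOG_INPUT", "LOG_OUTPUT", "NOLOG_OUTPUT",
        "MAIL", "NOMAIL", "FOLLOW", "NOFOLLOW"}

# user  host=(runas) [TAG:]... command[, command]...   (simplified user-spec)
RULE_RE = re.compile(
    r"^\s*(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*(?P<rest>.+)$")

def parse_rule(line):
    """Return a dict for one user-spec line, or None if it does not match."""
    m = RULE_RE.match(line)
    if not m:
        return None
    rest = m.group("rest").strip()
    tags = []
    # Peel off leading "TAG:" items; whitespace before ':' is tolerated, as sudo's lexer does.
    while True:
        tm = re.match(r"^([A-Z_]+)\s*:\s*", rest)
        if not tm or tm.group(1) not in TAGS:
            break
        tags.append(tm.group(1))
        rest = rest[tm.end():]
    commands = [c.strip() for c in rest.split(",") if c.strip()]
    return {"user": m.group("user"), "host": m.group("host"),
            "runas": m.group("runas"), "tags": tags, "commands": commands}

def classify(rule):
    """Rank how much a rule grants: ALL > a directory (trailing '/') > named binaries."""
    if "NOPASSWD" not in rule["tags"]:
        return "password-required"
    if any(c.split()[0] == "ALL" for c in rule["commands"]):
        return "unrestricted"          # any command as root without a password
    if any(c.split()[0].endswith("/") for c in rule["commands"]):
        return "directory-wide"        # every file in that directory qualifies
    return "restricted"                # only the listed executables

def audit(lines):
    """Classify each parseable line: (user, class, commands)."""
    return [(r["user"], classify(r), r["commands"]) for r in map(parse_rule, lines) if r]
```

Run audit(SAMPLE_RULES) to see the first line flagged as unrestricted and only the last one as restricted to certbot-auto.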

Hi,

I am facing a similar problem.

After I added homeassistant ALL=(ALL) NOPASSWD:SETENV: /home/homeassistant/certbot/certbot-auto with sudo visudo, it just gets stuck at Requesting to rerun ./certbot-auto with root privileges... when I execute the renew command.

Wondering what went wrong.

Don’t run certbot as your homeassistant user, just run it as your main login. I don’t launch the venv or log in as the homeassistant user. I just use sudo at the default login… don’t know if that’s right, but that’s how it worked for me… the cert is not a specific HA thing, just related to your IP and DNS record…

1 Like

Hi,

I’m also at the point on this page where it says to run the following:

./certbot-auto certonly --standalone --preferred-challenges http-01 --email [email protected] -d examplehome.duckdns.org

I’ve changed the part where it says [email protected] and examplehome.duckdns.org to put in my email address and domain, and yet my SSH window is showing a “timeout during connection (likely firewall problem)” message.

The command line I am running it at is:

pi@hassbian:~/certbot $

I log into the SSH session using pi as the login and have run the following command:

sudo -u pi -H -s

If I restart the service using:

sudo systemctl start [email protected]

I can then go to my web browser and type:

http://mydomainname.duckdns.org:8123/states

where mydomainname is obviously what mine is :slight_smile:

What do I need to do?

Thanks in advance.

EDIT: I just realised I might need to try port 443. I’ll give that a go.

Do you have external port 80 forwarded to internal port 80 in your router?

Yes. I just edited my post above as I re-read the instructions and even though I have port 80 forwarded in my router, perhaps it’s blocked.

I’ll try port 443 but it will have to be later as I’m about to head off to work.

You should also have 443-8123, but 80-80 is needed for Let's Encrypt.

Ok, so I went into my router and changed my “letsencrypt” port forwarding entry so the 80’s were changed to 443 as shown here.

I did this as the instructions say

In cases where your ISP blocks port 80 you will need to change the port forward options to forward port 443 from outside to port 443 on your Home Assistant device.

So I read it as being that the 443 replaces the 80 port forwarding, not as an addition.

I got the same timeout error.

I then added back in another entry (called “letsencrypt80”) for port 80 which looks like this, but once again I get the timeout error.

I thought perhaps it did need both 443 and 80.

Does my 443 entry need changing? If so, which values need changing? If 443 needs changing, do I then delete the “letsencrypt80” entry?

Thanks for your help.

LetsEncrypt needs port 80 forwarded to port 80. It used to work with https validation on port 443 but they changed that and it needs http validation on port 80.

I also see you are using a Fritzbox…

If you have 443-443, 80-80 then you are also going to need 8123-8123 as otherwise you won’t have external access to home assistant. Alternatively, you could just forward 443 external to 8123 internal but you will still need 80-80. Your ISP might also be blocking some of these ports - who is your ISP?

I already had this - screenshot

My SSH window is showing this message in case that helps to troubleshoot. I’ve blurred out what I think is sensitive.

My Fritzbox currently shows this.

My internet provider is Internode, based in South Australia.

For some reason, my original reply would sit there just spinning a “Saving” icon. I’ve had to experiment one sentence at a time to add my reply.

You don’t want independent port sharing on, but it looks ok otherwise. Firmware version 7.01? Does Internode block port 80? I can’t remember. From the SSH error it looks like it’s blocked. (I used to use Internode.)

Yes

I’ve sent them an email asking the question.

Call them maybe? Email is usually very low priority.

Yes they do block them by default but I can turn the blocking off (but only for all ports, not just 80).

The list is down the bottom of this page so now I have to wait an hour or so for it to take effect.

Ah! Well, that should fix the problem… you can always go in and block after you have the cert, but you need to unblock every 90 days.

Nope.

I waited until my Internode login page showed the security had been turned off (i.e. ports not blocked) and tried again in my SSH terminal. Same result.

Rebooted the Fritzbox and tried again, and still get the error.

Not sure what the problem is now.