The problem I have is that after running: ./certbot-auto certonly --standalone --preferred-challenges http-01 --email [email protected] -d examplehome.duckdns.org
I got a prompt: Requesting to rerun ./certbot-auto with root privileges…
and I am asked for the password of the user.
I added the user to the sudo group as mentioned in the note.
The command $ groups homeassistant shows it is a member of the sudo group.
The user is a system account without a password, and I am aware that for sudo a password is needed.
I don't want to screw up my installation, but is it safe to define a password for the user?
Sounds like something has gone wonky with the sudo permission on the homeassistant account. Try rebooting the device and then run the sudo adduser command again from the pi account, then switch to the homeassistant account and carry on from the certbot command you’re stuck at.
If that doesn’t work come back to me and I’ll see if anything else springs to mind.
Meanwhile I made some other trials and was able to create the needed certificate with the normal 'pi' account.
The account is able to read the certificates, and the web interface is now running securely with https.
The only problem now is that I am not able to renew the certificate with an automation script from homeassistant, because the password prompt appears again.
I would try your suggestion, but after some thoughts about it, I think it is maybe not wise to add the user account that is running hass (homeassistant) to the sudo group. In case of a security breach in homeassistant, bad code could be running using the newly given rights.
I think it is wiser to add a separate rule in /etc/sudoers using $ sudo visudo, and add a separate rule for the user homeassistant.
Adding the following line to /etc/sudoers worked:
homeassistant ALL=(ALL) NOPASSWD : ALL
The certbot-auto script is now running without a password prompt for the user homeassistant, and I am now able to renew the certificate with an automation script.
The previously suggested line homeassistant ALL=(ALL) NOPASSWD: /home/homeassistant/certbot/./ was without success.
Somehow it must be possible to only allow the certbot-auto script to run, for security reasons, but no success until now.
Maybe some other suggestions?
In this way you only allow the user/system user that is running the homeassistant process (hass) to run certbot for generating and renewing the certificate. This should be more secure in case of a security breach within the process hass.
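The restricted rule discussed in the posts above, worked through as an added example (this is not code from the thread or from the Home Assistant or certbot projects): a helper that builds a sudoers line limited to one absolute command line, a check that rejects the rule shapes that either never match or quietly grant more than intended (relative paths, a directory with a trailing slash, wildcards), installation through visudo's syntax check, and a renewal wrapper that uses sudo -n so a misconfigured rule fails visibly instead of hanging on a password prompt. The install path /home/homeassistant/certbot/certbot-auto, the user name and the drop-in file name are assumptions taken from the thread.

```shell
#!/bin/sh
# Added example, not from the original thread. Paths and user name are assumptions.
CERTBOT=/home/homeassistant/certbot/certbot-auto   # assumed install path from the thread
HA_USER=homeassistant                               # assumed account running hass

# Print a sudoers line for one user and one absolute command line (with fixed
# arguments). Pinning the whole command line means the account can run
# "certbot-auto renew" as root but not, say, "certonly" for an arbitrary domain.
make_sudoers_rule() {
    user=$1; shift
    printf '%s ALL=(root) NOPASSWD: %s\n' "$user" "$*"
}

# Reject rule shapes that either never match (relative path) or grant more than
# a single program: a trailing slash means "every command in this directory",
# and a wildcard lets the caller pick which file runs as root.
check_rule_command() {
    cmd=$1
    case "$cmd" in
        /*) ;;
        *)  echo "command must be an absolute path: $cmd" >&2; return 1 ;;
    esac
    case "$cmd" in
        */)             echo "trailing slash means 'any command in this directory': $cmd" >&2; return 1 ;;
        *\**|*\?*|*\[*) echo "wildcards widen the rule, spell the command out: $cmd" >&2; return 1 ;;
        *" "*)          echo "command path contains whitespace: $cmd" >&2; return 1 ;;
    esac
    return 0
}

# Write the rule to a drop-in file, parsing it with visudo first so a typo cannot
# lock sudo for everyone. Must run as root; visudo check is skipped if absent.
install_rule() {
    rule=$1
    tmp=$(mktemp) || return 1
    printf '%s\n' "$rule" > "$tmp"
    if command -v visudo >/dev/null 2>&1; then
        visudo -c -f "$tmp" || { rm -f "$tmp"; return 1; }
    fi
    install -o root -g root -m 0440 "$tmp" /etc/sudoers.d/homeassistant-certbot
    rm -f "$tmp"
}

# Renewal wrapper for the automation. "sudo -n" never prompts: if the rule does
# not match the exact command line, sudo exits non-zero and the automation log
# shows the error instead of the job hanging at a password prompt.
renew_cert() {
    sudo -n "$CERTBOT" renew --no-self-upgrade
}

# One-time setup, as root:
#   install_rule "$(make_sudoers_rule "$HA_USER" "$CERTBOT" renew --no-self-upgrade)"
# Then, as $HA_USER, "sudo -l" should list exactly that command, and renew_cert works.
```

Because certbot-auto re-executes itself through sudo when it is not already root, calling it via sudo from the wrapper, as above, means it starts as root and never issues that internal rerun; the sudoers entry only has to match the command line the wrapper uses. Check with sudo -l as the homeassistant user after installing the rule.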
After I added homeassistant ALL=(ALL) NOPASSWD:SETENV: /home/homeassistant/certbot/certbot-auto in sudo visudo, it just got stuck at Requesting to rerun ./certbot-auto with root privileges... when I executed the renew command.
Don't run certbot as your homeassistant user, just run it as your main login. I don't launch the venv or log in as the homeassistant user. I just use sudo at the default login… don't know if that's right, but that's how it worked for me… the cert is not a specific HA thing, just related to your IP and DNS record…
I've changed the part where it says [email protected] and examplehome.duckdns.org to put in my email address and domain, and yet my SSH window is showing a "timeout during connection (likely firewall problem)" message.
The command line I am running it at is:
pi@hassbian:~/certbot $
I log into the SSH session using pi as the login and have run the following command:
OK, so I went into my router and changed my "letsencrypt" port forwarding entry so the 80s were changed to 443, as shown here.
I did this as the instructions say:
In cases where your ISP blocks port 80 you will need to change the port forward options to forward port 443 from outside to port 443 on your Home Assistant device.
So I read it as 443 replacing the port 80 forwarding, not as an addition.
I got the same timeout error.
I then added back in another entry (called “letsencrypt80”) for port 80 which looks like this, but once again I get the timeout error.
I thought perhaps it did need both 443 and 80.
Does my 443 entry need changing? If so, which values need changing? If 443 needs changing, do I then delete the "letsencrypt80" entry?
LetsEncrypt needs port 80 forwarded to port 80. It used to work with https validation on port 443, but they changed that and it now needs http validation on port 80.
I also see you are using a Fritzbox…
If you have 443-443, 80-80 then you are also going to need 8123-8123 as otherwise you won’t have external access to home assistant. Alternatively, you could just forward 443 external to 8123 internal but you will still need 80-80. Your ISP might also be blocking some of these ports - who is your ISP?
You don’t want independent port sharing on but looks ok otherwise. Firmware version 7.01? Do Internode block port 80? I can’t remember. From the ssh error it looks like it’s blocked. (I used to use Internode)