Lets Encrypt Renewal while self-hosting

Hi all,

If you need simple automation for LE SSL with self-hosted cert bot it’s easy to do it in a following way (if you have nginx or other web server you don’t need this):

Add new Shell command

Add new time trigger
It will be executed every day at 3 AM

alias: Renew LE Certificate trigger: platform: time hours: 3 minutes: 0 seconds: 0 action: service: shell_command.le_renew

Create sh file
(location in shell_command)
Originally created certs should be available for user under which HA is running (you can use last 4 commands)

[code]#!/usr/bin/env bash

Check if cert is about to expire (3 days)

if openssl x509 -checkend 259200 -noout -in /home/pi/Documents/ha/util/keys/server.pem
echo "Good for now"
# Launching certbot from installed location with HTTPS challenge on port 1443 (port your HA usually running on)
# Stopping HA service first and running after update

sudo /home/pi/Documents/certbot/certbot-auto renew --quiet --no-self-upgrade --standalone --preferred-challenges tls-sni-01 --tls-sni-01-port 1443 --pre-hook "systemctl stop hass.service" --post-hook "systemctl start hass.service"

    # Copy cert to HA folder
sudo cp /etc/letsencrypt/live/domain/fullchain.pem /home/pi/Documents/ha/util/keys/server.pem
    # Change owner to HA user 
sudo chown pi:pi /home/pi/Documents/ha/util/keys/server.pem
    # Do same for private key
sudo cp /etc/letsencrypt/live/domain/privkey.pem /home/pi/Documents/ha/util/keys/server.key
sudo chown pi:pi /home/pi/Documents/ha/util/keys/server.key


Please note that this will restart HA once per 3 months so plan execution time according to your own scheduled triggers/activities.

To test without actual renewal add --dry-run command to certbot invocation.


This is nice - renew as a service!

Is there any issues with checking LE daily? Do they have any querying guidelines that might cause an issue? They’re doing a wonderful thing for their users; I’d hate to abuse the service.

It’s not actually checking LE daily, first step is validating certificate locally using default openssl package without performing any LE calls. Physical renewal occurs once every 87 days. To change frequency --checkend param should be modified. In example above it’s 259200 =3 (days) * 24 (hrs) * 3600 (seconds)

1 Like

Thanks for explaining that. I just wanted to be sure we didn’t all start DDOSing LE unintentionally! :laughing:

Thanks for sharing! I’m gonna use this.

Make sure you like his post then - guy deserves it. :wink:

First thing i did when i saw his post!:thumbsup:

1 Like

LOL, I saw the one like there and thought it was mine - then I realized I was the one who forgot! Duh!! :blush:

1 Like

Wonder if someone can help dumb it down for a newbie that’s still trying to wrap his head around HA with some very basic programming skills.

I assume that if my installation was not through certbot but letsencrypt, I can then just change the directory when it shows on this script. Also I assume that I replace the word domain, with my own domain. Now I’m a little more puzzled of what to do with port 1443 … can I substitute with port 443? If not, should another port be forwarded on my router? During the install I had to open up port 80 for a while, should I leave it open for this purpose? Lastly, could someone write explicitly the command to be used to do the dry run test?

This seems like it’s going to be a real nice utility … thanks vkorn

Can you please explain a little more for a newbie point of view. My server.pem file location is ./letsencrypt/letsencrypt-auto-source/tests/certs/localhost/server.pem . So do i change it in le_renew.sh and i cannot find the location of server.key in /home/pi/Documents/ha/util/keys/server.pem . I don’t even have ha folder in Documents. I am using HA all in one.

I have the same doubt of @berniebl and @vageesh79.

I can try to hack at this and see if I can get it running on my side but I have to be honest, I’m a little afraid to bring my entire system down.

Before I do, is there anyone else on the board that has implemented this solution? I would think that with the number of users that are using LetsEncrypt we would have seen some post of folks having success. Anyone?

I have added a variant of this as part of my daily maintenance cycle. My cert files are located in the

During it, I tar up my HA config, mosquito config, other config files and my Letsencrypt cert files. This gets picked up by my Windows machine for backup. Then I execute the cert date check and renew like listed above. So far I haven’t had any issue except from my typos.

Nice idea. Would be even nicer if you shared it… :wink:

Here is my shell script for the cert update. This runs in a cron script as the homeassistant user. hope this helps

if openssl x509 -checkend 259200 -noout -in /etc/letsencrypt/live/domain.duckdns.org/cert.pem
        echo "Sleep for another day"
#Stop HA
sudo systemctl stop  [email protected]

#update cert, runs on port 80 as nothing else does
sudo /opt/letsencrypt/certbot/certbot-auto renew --quiet --force-renew

#change owner to HA as certbot does not
chown -R homeassistant /etc/letsencrypt/live/domain.duckdns.org/*

#restart HA
sudo systemctl start [email protected] 
#Let's get out of here

Has anyone set this up? And if so, does it work properly?

Do you keep port 80 forwarded on your router at all times for this to work? Is it secure to have port 80 always forwarded?

Did you have to have a password for homeassistant users to do this. I can’t seem to stop the service if I am homeassistant users

I keep the router pointing at port 80 but there is nothing to respond unless it is doing the renewal.

Hi @cy1701, are you running this as a shell command from home assistant?