If you need simple automation for LE SSL with a self-hosted certbot, it’s easy to do it in the following way (if you have nginx or another web server you don’t need this):
Add a new time trigger
It will be executed every day at 3 AM
[code]alias: Renew LE Certificate
trigger:
  platform: time
  hours: 3
  minutes: 0
  seconds: 0
action:
  service: shell_command.le_renew[/code]
Create the sh file
(its location goes in shell_command)
Prerequisites:
The originally created certs should be available to the user under which HA is running (you can use the last 4 commands of the script for that)
[code]#!/usr/bin/env bash
# Check if the cert is about to expire (within 3 days = 259200 seconds).
# openssl exits 0 if the cert is still valid past that point, 1 otherwise,
# so only the else branch talks to Let's Encrypt.
if openssl x509 -checkend 259200 -noout -in /home/pi/Documents/ha/util/keys/server.pem
then
    echo "Good for now"
else
    # Launching certbot from its installed location with the HTTPS challenge on port 1443 (the port your HA usually runs on).
    # Stopping the HA service first and starting it again after the update.
    # (tls-sni-01 has since been retired by Let's Encrypt; newer certbot uses http-01 on port 80 by default)
    sudo /home/pi/Documents/certbot/certbot-auto renew --quiet --no-self-upgrade --standalone --preferred-challenges tls-sni-01 --tls-sni-01-port 1443 --pre-hook "systemctl stop hass.service" --post-hook "systemctl start hass.service"
    # Copy the cert to the HA folder
    sudo cp /etc/letsencrypt/live/domain/fullchain.pem /home/pi/Documents/ha/util/keys/server.pem
    # Change the owner to the HA user
    sudo chown pi:pi /home/pi/Documents/ha/util/keys/server.pem
    # Do the same for the private key (cp keeps the 0600 mode of the source, so only the HA user can read it)
    sudo cp /etc/letsencrypt/live/domain/privkey.pem /home/pi/Documents/ha/util/keys/server.key
    sudo chown pi:pi /home/pi/Documents/ha/util/keys/server.key
fi[/code]
Please note that this will restart HA once every 3 months, so plan the execution time around your own scheduled triggers/activities.
To test without an actual renewal, add the --dry-run flag to the certbot invocation.
Are there any issues with checking LE daily? Do they have any querying guidelines that might cause an issue? They’re doing a wonderful thing for their users; I’d hate to abuse the service.
It’s not actually checking LE daily: the first step validates the certificate locally using the default openssl package without performing any LE calls. The actual renewal occurs once every 87 days. To change the frequency, the -checkend param should be modified. In the example above it’s 259200 = 3 (days) * 24 (hrs) * 3600 (seconds).
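The check-then-copy routine from the first post and the -checkend arithmetic from the reply above, rewritten as an added example (this is not vkorn’s script and not anything from the Home Assistant project). It keeps the same layout (cert and key under /home/pi/Documents/ha/util/keys, owned by pi, HA running as hass.service) but those values, certbot being on PATH and the use of the http-01 challenge on port 80 instead of the tls-sni-01 challenge are all assumptions to adjust; the functions are separated so the expiry check and the copy step can be tested without touching Let's Encrypt.

```shell
#!/bin/sh
# Added example, not the original poster's script. Assumed values below:
# paths, user, systemd unit and certbot on PATH are placeholders for your install.
set -eu

HA_KEY_DIR=${HA_KEY_DIR:-/home/pi/Documents/ha/util/keys}   # where HA reads server.pem/server.key
HA_USER=${HA_USER:-pi}                                      # user HA runs as
LE_LIVE_DIR=${LE_LIVE_DIR:-/etc/letsencrypt/live/domain}    # certbot lineage dir
HA_UNIT=${HA_UNIT:-hass.service}                            # assumed unit name
RENEW_DAYS=${RENEW_DAYS:-3}                                 # renewal window in days

# Seconds value that openssl x509 -checkend expects for N days (3 -> 259200).
days_to_seconds() {
    echo $(( $1 * 24 * 3600 ))
}

# True (exit 0) if the cert at $1 expires within $2 days, or cannot be read.
# openssl exits 0 when the cert is still valid beyond the window and 1 when it
# is not, so the result is negated; no network call is made here.
cert_expires_within() {
    ! openssl x509 -checkend "$(days_to_seconds "$2")" -noout -in "$1" >/dev/null 2>&1
}

# Copy fullchain/privkey from a certbot live dir into HA's key dir.
# The key is forced to 0600, and both files are written under a temporary name
# and moved into place so HA never opens a half-written file.
# Ownership is changed only when running as root (cron as root, or via sudo).
install_cert() {
    live=$1; dest=$2; owner=$3
    mkdir -p "$dest"
    cp "$live/fullchain.pem" "$dest/server.pem.new"   # cp follows the live/ symlinks
    cp "$live/privkey.pem" "$dest/server.key.new"
    chmod 0644 "$dest/server.pem.new"
    chmod 0600 "$dest/server.key.new"
    if [ "$(id -u)" = 0 ]; then
        chown "$owner" "$dest/server.pem.new" "$dest/server.key.new"
    fi
    mv "$dest/server.pem.new" "$dest/server.pem"
    mv "$dest/server.key.new" "$dest/server.key"
}

# Daily entry point (run as root). Only when the local cert is inside the
# window does it stop HA (certbot --standalone needs a free port; http-01 on
# port 80 is assumed here), renew, copy the new files, and start HA again.
# HA is started only after the copy, so it never comes up with a stale pair,
# and it is started even if certbot failed.
renew_if_needed() {
    if ! cert_expires_within "$HA_KEY_DIR/server.pem" "$RENEW_DAYS"; then
        echo "Good for now"
        return 0
    fi
    status=0
    certbot renew --quiet --standalone \
        --pre-hook "systemctl stop $HA_UNIT" || status=$?
    if [ "$status" = 0 ]; then
        install_cert "$LE_LIVE_DIR" "$HA_KEY_DIR" "$HA_USER"
    fi
    systemctl start "$HA_UNIT"
    return "$status"
}

# Run the full cycle only when invoked as: le_renew.sh --run
if [ "${1:-}" = "--run" ]; then
    renew_if_needed
fi
```

Pointing the HA shell_command at this file with --run gives the same daily behaviour as the original: a local openssl check every day, and a restart plus renewal only once per window. Adding --dry-run to the certbot line tests the exchange without issuing a certificate.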
I wonder if someone can help dumb it down for a newbie who’s still trying to wrap his head around HA and has only some very basic programming skills.
I assume that if my installation was not through certbot but letsencrypt, I can then just change the directory where it shows in this script. I also assume that I replace the word domain with my own domain. Now I’m a little more puzzled about what to do with port 1443 … can I substitute port 443? If not, should another port be forwarded on my router? During the install I had to open up port 80 for a while; should I leave it open for this purpose? Lastly, could someone write out explicitly the command to be used for the dry-run test?
This seems like it’s going to be a really nice utility … thanks vkorn
Can you please explain a little more from a newbie’s point of view? My server.pem file location is ./letsencrypt/letsencrypt-auto-source/tests/certs/localhost/server.pem. So do I change it in le_renew.sh? And I cannot find the location of server.key in /home/pi/Documents/ha/util/keys/server.pem. I don’t even have an ha folder in Documents. I am using HA all in one.
I can try to hack at this and see if I can get it running on my side, but I have to be honest, I’m a little afraid of bringing my entire system down.
Before I do, is there anyone else on the board who has implemented this solution? I would think that with the number of users using LetsEncrypt we would have seen some posts from folks having success. Anyone?
I have added a variant of this as part of my daily maintenance cycle. My cert files are located in /etc/letsencrypt/live/INSERTNAME/
During it, I tar up my HA config, Mosquitto config, other config files and my Letsencrypt cert files. This gets picked up by my Windows machine for backup. Then I execute the cert date check and renew as listed above. So far I haven’t had any issues except from my typos.
Here is my shell script for the cert update. It runs from a cron job as the homeassistant user. Hope this helps.
[code]#!/bin/bash
# Local check only: openssl exits 0 if the cert is still valid for more than
# 3 days (259200 s); nothing is sent to Let's Encrypt in that case.
if openssl x509 -checkend 259200 -noout -in /etc/letsencrypt/live/domain.duckdns.org/cert.pem
then
    echo "Sleep for another day"
else
    # Stop HA (unit name as posted; use the name of your own HA unit)
    sudo systemctl stop [email protected]
    # Update the cert; the standalone listener runs on port 80 as nothing else does.
    # --force-renew renews even if certbot would not yet consider the cert due;
    # the openssl check above is what limits this to once every ~87 days.
    sudo /opt/letsencrypt/certbot/certbot-auto renew --quiet --force-renew
    # Change the owner to the HA user, as certbot does not.
    # live/ holds symlinks into /etc/letsencrypt/archive/, so HA must also be
    # able to read the archive files those links point to.
    chown -R homeassistant /etc/letsencrypt/live/domain.duckdns.org/*
    # Restart HA
    sudo systemctl start [email protected]
    # Let's get out of here
fi[/code]