LetsEncrypt stops

I’m getting the same log as described in: How to configure Let's Encrypt SSL Certificates for Home Assistant completely 100% free (Updated for 2022/2023) - #11 by typeonegative

In my scenario, it seems that my certificate was not renewed in time. I’ve followed @HoneypotLeopard’s post and configured LE with Cloudflare.
Despite LE succeeding in fetching those certificates, my SSL access is still broken and the LE addon stops.

  • Port forwarding works properly.
  • I reach HA when I visit my domain, but I get an “Unable to connect to Home Assistant.” error. There is no certificate error. (see image)
  • I can reach and log in if I use my local network IP (using https://192.168.10.10). In this case I (obviously) get a certificate error in my browser.

My LE config:

domains:
  - hass.mydomain.com
  - hass-local.mydomain.com
email: <an email I use for Letsencrypt>
keyfile: privkey.pem
certfile: fullchain.pem
challenge: dns
dns:
  provider: dns-cloudflare
  cloudflare_email: <my cloudflare account email>
  cloudflare_api_token: <my cloudflare token>

My configuration.yaml:

http:
#  server_port: 443 (commented since it feels redundant)
  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem

My gut feeling tells me this is not a configuration error but some stubborn cache of some sort, but I can’t put my finger on it.
Any insights?

Start the LE addon again and then look at its log.
This will tell you whether a certificate was fetched or was already there, or if there were errors.

The log doesn’t show any errors. In fact, it even makes me think the certificate is intact.
And then the addon stops again…

s6-rc: info: service s6rc-oneshot-runner: starting
s6-rc: info: service s6rc-oneshot-runner successfully started
s6-rc: info: service fix-attrs: starting
s6-rc: info: service fix-attrs successfully started
s6-rc: info: service legacy-cont-init: starting
cont-init: info: running /etc/cont-init.d/file-structure.sh
cont-init: info: /etc/cont-init.d/file-structure.sh exited 0
s6-rc: info: service legacy-cont-init successfully started
s6-rc: info: service legacy-services: starting
services-up: info: copying legacy longrun lets-encrypt (no readiness notification)
s6-rc: info: service legacy-services successfully started
[14:18:20] INFO: Selected DNS Provider: dns-cloudflare
[14:18:20] INFO: Use propagation seconds: 60
[14:18:20] INFO: Use CloudFlare token
[14:18:20] INFO: Detecting existing certificate type for hass.mydomain.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
[14:18:24] INFO: Existing certificate using 'ecdsa' key type.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Certificate not yet due for renewal
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Certificate not yet due for renewal; no action taken.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
s6-rc: info: service legacy-services: stopping
s6-rc: info: service legacy-services successfully stopped
s6-rc: info: service legacy-cont-init: stopping
s6-rc: info: service legacy-cont-init successfully stopped
s6-rc: info: service fix-attrs: stopping
s6-rc: info: service fix-attrs successfully stopped
s6-rc: info: service s6rc-oneshot-runner: stopping
s6-rc: info: service s6rc-oneshot-runner successfully stopped

Just read your post again.
It sounds like you had a certificate up and running, but the renewal failed.

When using the certificate directly on HA, there will be two issues with the LE addon.

First, the addon by default only runs at host boot, it seems.
I have an automation to handle that part.

Secondly, the certificate is only read on HA core boot, so when your script has updated the certificate, you need to reboot HA core.
I have set up a notification for this part, because I do not trust an automatic reboot of HA core.

Here is the certificate renewal script.

alias: Renew certificate
description: >-
  Restart the Let's Encrypt Addon when a certificate has less than 29 days
  left.
triggers:
  - trigger: time_pattern
    hours: "1"
conditions:
  - alias: cert lifetime below 30
    condition: template
    # whole days until the certificate expires, from the cert_expiry sensor
    value_template: >-
      {{
      (((states('sensor.cert_expiry')|as_timestamp(0))-(now()|as_timestamp))/(24*60*60))|int(0)
      < 30 }}
actions:
  - action: hassio.addon_start
    data:
      addon: core_letsencrypt
mode: single

The sensor is the standard HA certificate sensor.
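The “only read on HA core boot” point above is exactly the failure the original poster hit: a renewed certificate on disk while HA keeps serving the old one. The following check is an added example, not code from this thread or from Home Assistant; it compares the SHA-256 fingerprint of the leaf in /ssl/fullchain.pem with the certificate HA actually presents on its TLS port, and the hostname and port 8123 are assumptions.

```python
import hashlib
import socket
import ssl
import time

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


def leaf_pem(chain_text: str) -> str:
    """First certificate block of fullchain.pem: the leaf, not the intermediates."""
    start = chain_text.index(PEM_BEGIN)
    end = chain_text.index(PEM_END, start) + len(PEM_END)
    return chain_text[start:end] + "\n"


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, as hex."""
    return hashlib.sha256(der).hexdigest()


def disk_cert_fingerprint(chain_text: str) -> str:
    return fingerprint(ssl.PEM_cert_to_DER_cert(leaf_pem(chain_text)))


def served_cert(host: str, port: int = 8123) -> tuple:
    """Leaf DER cert HA presents, plus its notAfter as epoch seconds (verification on)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            not_after = ssl.cert_time_to_seconds(tls.getpeercert()["notAfter"])
    return der, not_after


def serving_renewed_cert(chain_text: str, served_der: bytes) -> bool:
    """True when HA serves the certificate currently on disk."""
    return disk_cert_fingerprint(chain_text) == fingerprint(served_der)


if __name__ == "__main__":
    HOST = "hass.mydomain.com"  # placeholder hostname from the thread (assumption)
    with open("/ssl/fullchain.pem", encoding="ascii") as fh:
        chain = fh.read()
    der, not_after = served_cert(HOST)
    days_left = (not_after - time.time()) / 86400
    if serving_renewed_cert(chain, der):
        print(f"HA serves the on-disk certificate; {days_left:.1f} days left")
    else:
        print("HA still serves an old certificate: restart Home Assistant core")
```

A mismatch after the add-on logged a successful renewal means a core restart is still pending; a match with few days left means the renewal itself has not happened.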

@WallyR, nice script, but it’s missing one important detail.

Can you also supply how you’re setting up

sensor.cert_expiry

Cheers

Thanks @WallyR
I’ve tried several reboots but maybe not in the right order…
Do you think a host-reboot should work (as it normally reboots HA as well)?

I restarted HA as proposed (see image)
Now my local access (using the local IP) is not working, but behold, HA is now accessible at its configured domain behind SSL.

So - goal achieved (I also have my companion app working again).

However, one thing remains a mystery: the LetsEncrypt add-on is… off. Is that possible?
(I’m almost afraid to turn it on again :smiley: )

The LE addon is made so that it starts up, checks if the certificate needs to be renewed, renews it if so, and then shuts down.
That is the reason why I made the automation.
It checks the certificate, and if it has less than 30 days of validity, it starts the LE addon again to make it renew the certificate.

Nice one thanks Wally,

Out of curiosity, why do you NOT also restart HA as part of your automation?

I have not made it part of the renewal automation, because it will try to update the certificate each hour while the certificate is below 30 days of validity.
If the Let’s Encrypt servers or my internet connection are down, then it might be delayed to some random time when I might need HA to work.

I could set a boolean helper and then make another automation that restarts HA at a specific time, but I have found that issues with HA generally occur when restarting, so I prefer to be present and have time to correct the issues if they do occur. It might just be some annoying thing, like the Matter integration not connecting correctly to the Matter server or similar. A reload of the integration usually fixes it.
Once my HA is running, it is generally incredibly stable.

Boom,

The full, better solution is here.

Add a file sensor to configuration.yaml instead of using the certificate expiry sensor:

command_line:
  - sensor:
      # age of the certificate file in whole days, from its modification time
      command: 'echo $((($(date +%s) - $(stat -c "%Y" /ssl/fullchain.pem))/86400))'
      name: ssl cert age
      scan_interval: 300

Automation to check once a day and restart HA if needed. You can also expand on this automation to distribute the new cert to other devices.

alias: "LetsEncrypt: Renew certificate"
description: >-
  Start the Let's Encrypt add-on when the certificate file is more than 60 days
  old, then restart HA once a fresh certificate has been written.
triggers:
  - trigger: time
    at: "05:01:01"
conditions:
  - condition: numeric_state
    entity_id: sensor.ssl_cert_age
    above: 60
actions:
  - action: hassio.addon_start
    data:
      addon: core_letsencrypt
  - alias: Wait 5 minutes
    delay:
      hours: 0
      minutes: 5
      seconds: 0
  # the sensor polls every 300 s, so refresh it before checking for a stale value
  - action: homeassistant.update_entity
    target:
      entity_id: sensor.ssl_cert_age
  - alias: Check if cert has renewed
    condition: numeric_state
    entity_id: sensor.ssl_cert_age
    below: 60
  - action: homeassistant.restart
    metadata: {}
    data: {}
mode: single