Letsencrypt update requires SUDO password?

I’m using the All in One installation, so I have a homeassistant user set up that is not enabled for SUDO (I think that is the whole idea…), and run HA in a virtual environment.
I used these instructions to set up letsencrypt https://home-assistant.io/docs/ecosystem/certificates/lets_encrypt/ and it works well.
It’s now been 60+ days though, so it is time to renew the certificate, and that’s where I run into issues.

The automatic update didn’t work, so I’m following step 8 in the above instructions to do it manually.
After I enter this command:

./certbot-auto renew --quiet --no-self-upgrade --standalone --preferred-challenges http-01

I get the message below. I don’t have a SUDO password for the HA user, so I’m not sure how to get around this?
In the instructions it did say to add the HA user to the SUDO list, which I’ve done, but that didn’t fix it either.

homeassistant@raspberrypi:~/certbot$ ./certbot-auto renew --quiet --no-self-upgrade --standalone --preferred-challenges http-01

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for homeassistant:

What should I do to get around this?
I tried adding SUDO to the line but that didn’t work.

What am I missing here?

You can run the certbot command as any user, it doesn’t have to be Home Assistant.

You could run it as the Pi user, and that would allow you to restart HA too.

Thanks - I tried that before but had the problem that the certbot app was in the home directory of the home assistant user.
After your comment I tried it again, and found that I can reach that directory from the PI user. (I’m a total Linux noob so didn’t think about that before…).
Once I did that it worked without a problem.

For anyone in future having this same issue:
On your pi user, first do:

cd /home/homeassistant/certbot

then you can use the renewal command:

pi@raspberrypi:/home/homeassistant/certbot $ ./certbot-auto renew --quiet --no-self-upgrade --standalone --preferred-challenges http-01

and then use this to check if it worked:

ssl-cert-check -b -c /etc/letsencrypt/live/ddkthecompound.duckdns.org/cert.pem | awk '{ print $NF }'

It should return the number 90.

You have to add the user homeassistant to the /etc/sudoers file, so it can run the certbot with nopassword.

Add the following line at the bottom of /etc/sudoers with $ sudo visudo

homeassistant ALL=(ALL) NOPASSWD:SETENV: /home/homeassistant/certbot/certbot-auto

In this way, you only allow the user/system user that is running the homeassistant process (hass) to run certbot for generating and renewing the certificate. This should be more secure in case of a security breach within the hass process.

4 Likes
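
A check worth running before relying on a command-restricted sudoers line like the one above (an added example, not part of the thread): the restriction only holds if neither the permitted script nor any directory above it can be modified by the unprivileged account. `audit_sudo_target` is a hypothetical helper name, and GNU `stat` and `readlink` are assumed.

```shell
#!/bin/sh
# Added example: audit a sudoers-permitted command path (hypothetical helper).
# Usage: audit_sudo_target PATH [TRUSTED_UID] [TOP_DIR]
# Walks from PATH up to TOP_DIR (default /) and reports every component that is
# not owned by TRUSTED_UID (default 0, root) or is group/other-writable.
# Returns 0 when nothing is reported, 1 when findings exist, 2 on a bad path.
audit_sudo_target() {
    ast_path=$(readlink -f -- "$1") || return 2
    ast_uid=${2:-0}
    ast_top=$(readlink -f -- "${3:-/}") || return 2
    ast_rc=0
    while :; do
        ast_info=$(stat -c '%u %A' -- "$ast_path") || return 2
        ast_owner=${ast_info%% *}   # numeric owner uid
        ast_mode=${ast_info#* }     # e.g. drwxr-xr-x
        if [ "$ast_owner" != "$ast_uid" ]; then
            echo "UNSAFE owner uid=$ast_owner: $ast_path"
            ast_rc=1
        fi
        # 6th character is group-write, 9th is other-write.
        case $ast_mode in
            ?????w*|????????w*)
                echo "UNSAFE group/other-writable ($ast_mode): $ast_path"
                ast_rc=1 ;;
        esac
        if [ "$ast_path" = "$ast_top" ] || [ "$ast_path" = / ]; then break; fi
        ast_path=$(dirname -- "$ast_path")
    done
    return "$ast_rc"
}

# Audit the path named in the sudoers line from this thread, if it exists here.
target=/home/homeassistant/certbot/certbot-auto
if [ -e "$target" ]; then
    audit_sudo_target "$target" || echo "Rule on $target does not confine the account"
fi
```

A path under /home/homeassistant will normally be reported, since that home directory is owned by the homeassistant user; pointing the sudoers rule at a root-owned copy outside it avoids that.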