NPM SSL cert files won't work with HA

Hi All;

I’ve been using certbot to manually create my SSL certificates for a few years now, and copy them into a folder called “ssl”. In HA docker they are mounted as /ssl, and my config.yaml always uses;

http:
  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem

All of the above works fine.

Now I have Nginx Proxy Manager, not for HA but for other things, and I intend to use its automatic certificate renewal feature with HA by simply redirecting my Docker volume mount from the ssl folder to the folder the NPM Docker container saves them in;

Docker compose HA;
Previously;
/home/myname/ssl:/ssl
New location;
/data/compose/63/letsencrypt/live/npm-14:/npmssl

Then I simply change config.yaml to;

http:
#  ssl_certificate: /ssl/fullchain.pem
#  ssl_key: /ssl/privkey.pem
  ssl_certificate: /npmssl/fullchain.pem
  ssl_key: /npmssl/privkey.pem

However, it doesn’t work. I get the following error on the configuration check button in developer;

Configuration errors
Invalid config for 'http' at configuration.yaml, line 28: not a file for dictionary value 'http->ssl_certificate', got '/npmssl/fullchain.pem'
Invalid config for 'http' at configuration.yaml, line 29: not a file for dictionary value 'http->ssl_key', got '/npmssl/privkey.pem'

I cannot work out why this doesn’t work.

If I console into the HA docker container, I can see all files and they are at least 774 readable. However they look slightly different; does this mean anything?

Previous working ones;

root@skynet:/home/myname/ssl/tmp# ls -l
total 8
-rwxrwxr-- 1 root root 2888 Jan  2 09:02 fullchain.pem
-rwxrwxr-- 1 root root  306 Jan  2 09:02 privkey.pem

Current NPM ones that work for NPM. but won’t for HA via docker volume mount;

root@skynet:/data/compose/63/letsencrypt/live/npm-14# ls -l
total 4
lrwxrwxrwx 1 root root  30 Jan  2 08:41 cert.pem -> ../../archive/npm-14/cert2.pem
lrwxrwxrwx 1 root root  31 Jan  2 08:41 chain.pem -> ../../archive/npm-14/chain2.pem
lrwxrwxrwx 1 root root  35 Jan  2 08:41 fullchain.pem -> ../../archive/npm-14/fullchain2.pem
lrwxrwxrwx 1 root root  33 Jan  2 08:41 privkey.pem -> ../../archive/npm-14/privkey2.pem
-rw-r--r-- 1 root root 692 Jan  1 20:50 README

What’s that end bit with the arrow and everything? For the tmp folder below, I just copied these files.

For a test, I copied those exact files into another tmp directory, and they worked fine;

http:
#  ssl_certificate: /ssl/fullchain.pem
#  ssl_key: /ssl/privkey.pem
#  ssl_certificate: /npmssl/fullchain.pem
#  ssl_key: /npmssl/privkey.pem
  ssl_certificate: /ssl/tmp/fullchain.pem
  ssl_key: /ssl/tmp/privkey.pem

Why doesn’t it work?

Any ideas?

ta

In your config.yaml, instead of pointing to the symlinked files, use the actual file paths where the certificates are stored, e.g. /data/compose/63/letsencrypt/archive/npm-14/fullchain2.pem and /data/compose/63/letsencrypt/archive/npm-14/privkey2.pem.

Also, make sure that the files in /data/compose/63/letsencrypt/archive/npm-14/ are readable by the Home Assistant container. You can check and update permissions by using:

sudo chmod -R 755 /data/compose/63/letsencrypt/archive/npm-14

If you prefer to use the symlinks as you do with Nginx Proxy Manager, ensure that Home Assistant has the correct access and configuration to resolve them. Alternatively, copying the actual files (instead of symlinks) into /ssl and referencing them directly in the config.yaml can bypass this issue.

Updated config.yaml Example

If you’re using the actual paths, it would look like this:

http:
  ssl_certificate: /data/compose/63/letsencrypt/archive/npm-14/fullchain2.pem
  ssl_key: /data/compose/63/letsencrypt/archive/npm-14/privkey2.pem

Copy the files directly from /archive/npm-14/ into a directory that Home Assistant can access and use them as non-symlinked files.


Hi Nova;

I can copy as you said, but I would prefer not to. My goal is to ensure NPM conducts the automatic certificate renewal, then HA simply references that folder via Docker Volume mount.

I’ve checked that the files are readable; they are 774 via the HA docker console.

Any other ideas as to why HA can’t read them if its console says it can?

Why does the command ls -l have extra data on the end? I’ve never seen that before.

Edit1; I’ve just noticed, at the start of the list, the lowercase L for symlink. The source folder NPM is putting the certificates in is somewhere else…!

I’m a muppet. Live and learn I guess, thanks for the help, will try and find the original files location.

Edit2; I just learnt about symlinks. I understand now what you mean about referencing the full location, as symlinks are absolute.

I tried the mount;

 - $(readlink -f /data/compose/63/letsencrypt/live/npm-14/fullchain.pem):/ssl/fullchain.pem
 - $(readlink -f /data/compose/63/letsencrypt/live/npm-14/privkey.pem):/ssl/privkey.pem

However, it doesn’t allow the container to start (using Portainer).

I used your method, and changed my compose to this;

      - /data/compose/63/letsencrypt/live/npm-14/fullchain.pem:/data/compose/63/letsencrypt/live/npm-14/fullchain.pem
      - /data/compose/63/letsencrypt/live/npm-14/privkey.pem:/data/compose/63/letsencrypt/live/npm-14/privkey.pem

And it Works!! :laughing:

Now this allows NPM to update my certificates without me having to do a single thing, or even run a crontab to copy them monthly etc.

Thanks a heap Nova!
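As an added example (not code from the thread or from NPM/Home Assistant), here is a small POSIX shell pre-flight check for the situation Nova describes and for the mount lines in the final post: it builds a constructed certbot-style live/archive tree in a temp directory, flags any symlink whose target would fall outside the directory you intend to bind-mount, and prints compose volume lines with the targets already resolved. It assumes GNU readlink -f and find; Compose does not perform shell command substitution, so $(readlink -f ...) has to run on the host rather than inside the compose file.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds a CONSTRUCTED certbot-style
# live/archive tree in a temp dir (mirroring the ls -l output above) and
# checks what a bind mount of a given directory would actually expose.

# Print every symlink under $1 whose target resolves OUTSIDE $1 and return 1;
# return 0 when the tree is self-contained (the "not a file" error above).
check_mount_self_contained() {
  dir=$(readlink -f "$1")
  bad=$(find "$dir" -type l | while read -r link; do
          target=$(readlink -f "$link")
          case "$target" in
            "$dir"/*) ;;
            *) printf '  %s -> %s\n' "$link" "$target" ;;
          esac
        done)
  [ -z "$bad" ] && return 0
  printf 'symlinks escaping %s:\n%s\n' "$dir" "$bad"
  return 1
}

# Emit compose volume lines that bind the RESOLVED host files to $2/<name>.
# Compose does no shell command substitution, so $(readlink -f ...) must be
# run here on the host, not written into the compose file.
compose_volume_lines() {
  for name in fullchain.pem privkey.pem; do
    printf '      - %s:%s\n' "$(readlink -f "$1/$name")" "$2/$name"
  done
}

# Constructed fixture: live/npm-14 holds relative symlinks into archive/npm-14.
make_fixture() {
  root=$(mktemp -d)
  mkdir -p "$root/letsencrypt/live/npm-14" "$root/letsencrypt/archive/npm-14"
  printf 'constructed cert\n' > "$root/letsencrypt/archive/npm-14/fullchain2.pem"
  printf 'constructed key\n'  > "$root/letsencrypt/archive/npm-14/privkey2.pem"
  ln -s ../../archive/npm-14/fullchain2.pem "$root/letsencrypt/live/npm-14/fullchain.pem"
  ln -s ../../archive/npm-14/privkey2.pem   "$root/letsencrypt/live/npm-14/privkey.pem"
  printf '%s\n' "$root"
}

ROOT=$(make_fixture)
LIVE="$ROOT/letsencrypt/live/npm-14"
# Mounting only live/npm-14 (the thread's first attempt) fails the check.
check_mount_self_contained "$LIVE" || echo "=> do not mount $LIVE alone"
# Mounting the whole letsencrypt tree keeps links and targets together.
check_mount_self_contained "$ROOT/letsencrypt" && echo "=> $ROOT/letsencrypt is safe to mount"
# Or bind the resolved files, as in the final post.
compose_volume_lines "$LIVE" /ssl
```

A bind mount of a single file is pinned to the archive file the symlink resolved to when the container started, so after a renewal writes a new numbered file the container still holds the old one until it is recreated; re-run the check and restart the container after each renewal.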