"Renew Now" feature for Letsencrypt addon

The Letsencrypt addon needs a way to force immediate renewal.

Some of us use HTTP verification of domain name ownership, and don’t leave HTTP open all the time. So I have to adjust my firewall settings to proxy inbound port 80 to HomeAssistant when I want to renew.

Simply clicking “start” on the addon will attempt renewal but will fail to renew unless VERY close to certificate expiry.

I’m about to go on vacation for a month and my cert expires in just over two weeks. However, I cannot renew now because the addon says that the certificate is not ready for renewal. I use letsencrypt certificates on other hosts on my home network and was able to renew those certs just fine with the certbot tool from LetsEncrypt, and they have similar expiry dates.

So, it’s likely that I’m not going to be able to renew my certificate before I leave, and will return to a broken admin UI due to an expired certificate.

I’d be happy if there were even a simple way to invoke certbot from the command line, but I’m afraid to install it for fear of conflicts with the addon.

Thank you,
Eric

Just restart the addon every day with an automation. Or use a ping sensor to restart the addon when you can’t reach outside.

Letsencrypt itself lets you renew if the certificate is deemed to expire in less than 30 days.
I don’t see anything in the addon that would override that behaviour.

Here is an automation that will restart the add-on 3 weeks before expiring:

```yaml
alias: "@Let's encrypt certificate check"
description: Will expire in 3 weeks
trigger:
  - platform: time
    at: "04:00:00"
condition:
  - condition: template
    value_template: >-
      {{ (states('sensor.cert_expiry_timestamp_ha_domain_my') | as_datetime
      or now()) - timedelta(days=21) < now()}}
action:
  - service: notify.mobile_app_myiphone
    data:
      title: Let's Encrypt
      message: Certificate will expire in 3 weeks, trying to renew, please verify
  - service: hassio.addon_start
    data:
      addon: core_letsencrypt
mode: single
```

Ofc, HA will still need a restart (but that can also be automated easily).
But I figure I’d restart within 3 weeks anyway (just don’t like to have an automated unscheduled reboot :wink: )


Hey,

Just wondering. This causes the automation to run more often than it should in my case. It runs every 1 week or so somehow. Any ideas?

You’re missing the definition of how sensor.cert_expiry_timestamp_ha_domain_my gets populated.

Edit: I see I just need to install the Certificate Expiry addon.

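The thread mentions two thresholds: renewal is allowed once the certificate expires in less than 30 days, and the posted automation acts at 21 days. The script below is an added example, not code from any poster or from the addon: it checks a PEM certificate against both windows with the `openssl` CLI. The function names and the test hostname are made up for illustration, and the certificate path is passed as an argument because the thread does not give one.

```shell
#!/bin/sh
# Added example: classify a certificate against the two windows from the thread.
CERTBOT_WINDOW_DAYS=30     # renewal threshold stated in the thread
AUTOMATION_WINDOW_DAYS=21  # threshold used by the posted automation

# expires_within FILE DAYS -> exit 0 if FILE expires within DAYS days.
# "openssl x509 -checkend N" exits 0 when the cert is still valid N seconds from now.
expires_within() {
    ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# renewal_status FILE -> prints expired | automation-window | certbot-window | not-due.
# Returns 2 (and prints "unreadable") if FILE is missing or not a parseable certificate.
renewal_status() {
    openssl x509 -in "$1" -noout >/dev/null 2>&1 || { echo "unreadable"; return 2; }
    if expires_within "$1" 0; then echo "expired"
    elif expires_within "$1" "$AUTOMATION_WINDOW_DAYS"; then echo "automation-window"
    elif expires_within "$1" "$CERTBOT_WINDOW_DAYS"; then echo "certbot-window"
    else echo "not-due"
    fi
}

# make_test_cert FILE DAYS -> constructed self-signed certificate valid for DAYS days
# (hypothetical hostname; the throwaway private key is deleted immediately).
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" \
        -out "$1" -days "$2" -subj "/CN=ha.example.test" >/dev/null 2>&1 &&
        rm -f "$1.key"
}

# Demo on constructed certificates: sh cert_window.sh --demo
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    for days in 10 25 90; do
        make_test_cert "$tmp/$days.pem" "$days"
        printf '%s days left: %s\n' "$days" "$(renewal_status "$tmp/$days.pem")"
    done
    rm -rf "$tmp"
fi
```

A result of `not-due` means the certificate is still outside the 30-day window, so starting the addon would not be expected to renew it.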