Renewing letsencrypt certificate with custom domain

I have 5 days left on my Let’s Encrypt certificate. I created it before switching to hass.io. Anyone know how to get the certificate to renew?

In the Let’s Encrypt addon version 1.2 I have:

{
  "challenge": "https",
  "email": "[email protected]",
  "domains": [
    "hass.mycustomdomain.com"
  ],
  "certfile": "fullchain.pem",
  "keyfile": "privkey.pem"
}

And when I start the service I get the following output:

starting version 3.2.2
Saving debug log to /var/log/letsencrypt/letsencrypt.log
-------------------------------------------------------------------------------
Processing /data/letsencrypt/renewal/hass.mycustomdomain.com.conf
-------------------------------------------------------------------------------
expected /data/letsencrypt/live/hass.mycustomdomain.com/cert.pem to be a symlink
Renewal configuration file /data/letsencrypt/renewal/hass.mycustomdomain.com.conf is broken. Skipping.
0 renew failure(s), 1 parse failure(s)
No renewals were attempted.
Additionally, the following renewal configuration files were invalid: 
  /data/letsencrypt/renewal/hass.mycustomdomain.com.conf (parsefail)

There is no /data/letsencrypt folder when I ssh in…
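
The "expected … cert.pem to be a symlink" failure in the log above comes from certbot requiring each file under live/<domain>/ to be a symlink into archive/<domain>/. As an added example (not part of the original post or the add-on's code), this shell function checks a certbot config directory for that layout; the directory and domain are passed as arguments and the function name is made up for illustration.

```shell
#!/bin/sh
# Added example: verify that a certbot lineage has the layout certbot expects.
# check_lineage CONFIG_DIR DOMAIN
#   CONFIG_DIR is the certbot config dir (e.g. /etc/letsencrypt, or the
#   /data/letsencrypt path shown in the add-on log).
# Prints one line per problem; returns 0 if intact, 1 otherwise.
check_lineage() {
    config_dir=$1
    domain=$2
    live="$config_dir/live/$domain"
    status=0

    if [ ! -d "$live" ]; then
        echo "missing: $live"
        return 1
    fi

    # certbot keeps four symlinks per lineage, each pointing at the
    # newest numbered file in archive/<domain>/ (cert1.pem, cert2.pem, ...).
    for name in cert chain fullchain privkey; do
        link="$live/$name.pem"
        if [ ! -L "$link" ]; then
            if [ -e "$link" ]; then
                # A regular file here (e.g. after copying a backup without
                # preserving links) is what triggers the parse failure.
                echo "not a symlink: $link"
            else
                echo "missing: $link"
            fi
            status=1
        elif [ ! -e "$link" ]; then
            # -e follows the link, so this catches a dangling target.
            echo "dangling symlink: $link -> $(readlink "$link")"
            status=1
        fi
    done
    return $status
}

# Run directly as: sh check_lineage.sh CONFIG_DIR DOMAIN
if [ "$#" -eq 2 ]; then
    check_lineage "$1" "$2"
fi
```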

Good reference material here: https://home-assistant.io/docs/ecosystem/certificates/lets_encrypt/

This is how I do it with my ISP blocking port 80… Replace [PORT] with either the default 8123 or whatever you are using.

sudo ~/certbot/certbot-auto renew --quiet --no-self-upgrade --standalone --preferred-challenges tls-sni-01 --tls-sni-01-port [PORT] --pre-hook "sudo systemctl stop [email protected]" --post-hook "sudo systemctl start [email protected]"

You can also throw this on the su crontab but with hass.io I think it’s automatic?
30 2 * * 1 ~/certbot/certbot-auto renew --quiet --no-self-upgrade --standalone --preferred-challenges tls-sni-01 --tls-sni-01-port [PORT] --pre-hook "sudo systemctl stop [email protected]" --post-hook "sudo systemctl start [email protected]"

Thanks, that is similar to what I did before going to hass.io but now in hass.io there is no sudo, no certbot-auto, etc.

I switched to hassio and installed the DuckDns Addon.
According to this:


Renewal is totally automatic. Do not forget to set accept_terms to true. You don’t need the letsencrypt add-on.
Now my letsencrypt sensor shows the old expiry date but at 8:00 every day the duckdns log shows a renewal date much later.
I assume that my previous renewal date is obsolete.
Please install the add-on and tell me what happens when your old certificate expires.

Same error.

A workaround for me was to uninstall the addon and install it again.

Yes, this was what someone in the chat suggested for me and it worked as well.

Would be nice if this starts working more automatically for custom domains. Looks like they have made great strides in integrating duckdns and lets encrypt (though many people continue to ask for help).

Chariyski,
Same error in what, the Letsencrypt add-on? I assume that you un-installed the Letsencrypt add-on then installed the DuckDNS add-on with Letsencrypt included.
My “problem” is that my Letsencrypt sensor

  - platform: cert_expiry
    host: home-assistant.io

indicates days left on my previous certificate using Hassbian. Do I need a different host name?
Now that your old certificate has expired does this sensor agree with the DuckDNS log info at 8:00 AM?


Sorry for not specifying. I had the same error as @kap.

It has been only 10h and the sensor is not updated yet, so it is still showing the last certificate.

Still not clear. I hope that you did not re-install the Letsencrypt add-on.
They say here not to if you are also using the DuckDNS add-on.
Maybe this post is for people not using DuckDNS?
I am hoping that it is just the sensor that is obsolete and I will still have remote access to HA after it says zero days left.

I was hoping that you could verify this since your old expiry date is sooner than mine.

Just to clarify for anyone else coming here to seek help with their custom domain.

I have a domain mydomain.com and use hass.mydomain.com to access my hass.io dashboard. I also use duckdns.org because I do not have a static IP.

So there is a pointer from hass.mydomain.com to zzzz.duckdns.org to my hass instance. I have an SSL cert for hass.mydomain.com.

The current hass.io duckdns addon appears to work well if you only use zzzz.duckdns.org; when configured properly it will take care of the SSL cert and track your IP address like you need it to. It doesn’t seem to do anything for SSL certificates on a custom domain because when you configure it you are putting in your zzzz.duckdns.org and it knows nothing about hass.mydomain.com that needs the cert.

So I continue to use the duckdns addon to manage my dynamic IP (set "accept_terms": false and "domains": ["zzzz.duckdns.org"] in this case) and I use the lets encrypt addon to manage my SSL cert (configure it for "domains": ["hass.mydomain.com"]).

Other than the hiccup where I had to uninstall and reinstall the lets encrypt addon to fix a “parse” error, it has created a new certificate for me, and my certificate sensor is showing the correct number of days. The config I am using for that sensor is:

sensor:
    - platform: cert_expiry
      host: hass.mydomain.com

Hope this helps someone else wrangling with SSL and a custom domain.


Chariyski,
A bug was fixed so that the cert_expiry sensor is run at HA restart. I think after 12 hours it will still show the last certificate.
I don’t know the significance of using home-assistant.io in the sensor.
After reading kap’s explanation (good) I used xxx.duckdns.org in the sensor.
I get a “Host is unreachable” error for xxx.duckdns.org.