Sensor to show expiry date of SSL certificate

This is an OLD post and should only really be used these days for non-standard installations. Instead you should use an addon that automatically keeps your certs up to date, or use the ssl sensor that is integrated into homeassistant

If, like me, you’ve followed the guides and installed a Letsencrypt SSL certificate, it is only valid for 90 days.

This code will allow you to represent the number of days remaining on the certificate as a sensor reading, so when you have only a week or so left you can renew it. You could use the sensor to trigger an alarm, or maybe even an auto-renew command, I haven’t got that far yet myself, but thought I’d share anyway…

Prerequisite - You will need to install ssl-cert-check if it is not already present on your system:

$ apt-get install ssl-cert-check

Configuration.yaml

sensor:
  - platform: command_line
    name: SSL cert expiry
    unit_of_measurement: days
    scan_interval: 86400
    command: "ssl-cert-check -b -c /etc/letsencrypt/live/YOUR-URL.duckdns.org/cert.pem | awk '{ print $NF }' "

(Scan interval, 86400 seconds, is 24 hours)

Represented as a badge…

or in a card…

… and available to use in your scripts/automations as sensor.ssl_cert_expiry (or something very similar).

Hope this helps.

21 Likes

Nice! I’m going add this into my setup!

Thanks!

1 Like

Cool idea but isn’t it easier to just setup auto renewals ? :wink:

3 Likes

Yes, very nice. Adding it to my setup now.
Thanks

1 Like

Perhaps you could update the instructions in the documentation to include a ‘how to’ for auto renewals?

At the moment this page …

Only has a link to this blog post from 2015 that currently most people are using…

and a google search of “home assistant auto-renew ssl certificate” does not yield any meaningful results. Hence, my idea to try and help :wink:

This is a pretty neat idea, but for some reason mine returns the following: “7 20”
That’s the numeral seven followed by a blank space, then twenty.
Running another command, I get this result on the date: notAfter=Mar 29 03:13:00 2017 GMT
So I am about 20 days away, and the second part of the result would be right; I just don’t know where the 7 and the blank space come from and if there is a way to exclude them from the results of this command.

1 Like

Have a play with the number at the end of tail, I guess yours should be “… | tail -c 38”

When ssl-cert-check returns the result in a terminal it draws a pretty (but pointless!) table, so to get the number you want you have to cut off x amount of characters of faff that it produced. For whatever reason yours is one character longer (or shorter? I’m too tired to work it out now :stuck_out_tongue_closed_eyes: ) than mine, but yes, for anybody else who is not getting the correct number in the output, change the cut value in tail.

Hope this helps.

@berniebl - in fact, can you tell me how many characters are in your first bit of your duckdns url please?

I think that’s what’s affecting the tail number. Mine is 13 characters (dot) duckdns.org . If yours is 12 or 14, then I can work out a table for what people’s tail -c number should be. Please let me know :slight_smile:

I didn’t realise that it put the url in the same line when I came up with the idea.

Seems like 38 is working. It returns “20”, and I have 7 characters before the .duckdns.org
Thanks

1 Like

Glad you got it working :grin:

The 7 in the previous result was the end of the date for your expiry 03/09/201 7 (or similar), which is the column before in the table.

I guess there must be a way of working out what the number at the end of the command should be to get just the outstanding days, but I’m at a loss at the minute, if more people post their experiences I will try and work it out tomorrow and amend my instructions accordingly :+1:
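One way to sidestep the tail -c counting altogether, as an added example that is not from this thread: read the notAfter date straight out of cert.pem with openssl and do the day arithmetic yourself, so the result no longer depends on the width of ssl-cert-check’s table or the length of the duckdns URL. It assumes GNU coreutils date and an openssl binary on the path; the script path /home/hass/cert_days.sh is a made-up placeholder.

```shell
# Added example (not the thread's own code): days remaining on a certificate,
# computed from openssl's notAfter field instead of trimming ssl-cert-check's
# table output. Assumes GNU `date` (for -d) and `openssl` on PATH.

# days_left NOTAFTER [NOW_EPOCH]
# NOTAFTER is the text openssl prints after "notAfter=", e.g.
# "Mar 29 03:13:00 2017 GMT". NOW_EPOCH defaults to the current time; it can
# be overridden so the arithmetic can be checked against a fixed date.
days_left() {
    not_after="$1"
    now="${2:-$(date -u +%s)}"
    end="$(date -u -d "$not_after" +%s)" || return 1
    # Whole days; zero or negative means the certificate is (about to be) expired.
    echo $(( (end - now) / 86400 ))
}

# cert_days_left /path/to/cert.pem
# Reads the certificate's expiry and prints the whole days remaining.
cert_days_left() {
    end_line="$(openssl x509 -noout -enddate -in "$1")" || return 1
    days_left "${end_line#notAfter=}"
}

# Usage from the command_line sensor: save this file as, for example,
# /home/hass/cert_days.sh (placeholder path) and point the sensor at it:
#   command: "/home/hass/cert_days.sh /etc/letsencrypt/live/YOUR-URL.duckdns.org/cert.pem"
if [ -n "${1:-}" ]; then
    cert_days_left "$1"
fi
```

Because the output is a bare integer, the sensor needs no awk or tail at all, and a value of zero or below is a clear signal for a numeric_state trigger.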

On the Set up encryption using Let’s Encrypt page, there is an instruction on how to renew the certificate…

./certbot-auto renew --quiet --no-self-upgrade --standalone \
                     --standalone-supported-challenges http-01

Maybe we can setup an automation to execute this command when the sensor value is less than certain days? Example…

shell_command:
  renew_ssl: ./certbot/certbot-auto renew --quiet --no-self-upgrade --standalone --preferred-challenges http-01

Automation…

- alias: 'Auto Renew SSL Cert'
  trigger:
    platform: numeric_state
    entity_id: sensor.ssl_cert_expiry
    below: 7
  action:
    service: shell_command.renew_ssl

6 Likes

That’s exactly what I’m aiming for eventually :grinning:

two notes:

First -

--standalone-supported-challenges is no longer the preferred method; the script should be:

./certbot-auto renew --quiet --no-self-upgrade --standalone --preferred-challenges http-01

Second -

Does the script need to be run from within the certbot folder, or could it run from anywhere with full file path?

I haven’t got that far yet as I’m playing with a million and one other things, but it’s definitely the route I’m heading down. By all means if somebody wants to test these out and post the solutions… :slight_smile:

Yes. I have updated the command after I did the testing. The certbot-auto path depends on your system. On mine, it is located in ./certbot/certbot-auto.

Anyway, thanks for sharing this. It is the missing link in the SSL auto-renewal automation I have been planning to do.

1 Like

You’re welcome - glad it has helped a few people out :+1:

Just drop the renew script in a cron.

30 2 * * 1 /usr/bin/letsencrypt renew >> /var/log/le-renew.log

It will check and if it needs renewal it will perform it, no manual intervention needed!

I like the idea of an alert though if it fails for some reason so I’ll probably use mf_socials command tied to an alert.

Hi, the sensor is awesome, thanks for the post.

I tried the code you mentioned:

./certbot-auto renew --quiet --no-self-upgrade --standalone --preferred-challenges http-01

but it didn’t appear to do anything. My certificate is only a week old, so maybe it won’t renew because of that? Do we need to temporarily port forward like in the initial SSL setup?

1 Like

Hi @bilalY,

That command has to be run from within your certbot folder, so you may have to call it like:

path/to/certbot/certbot-auto renew --quiet --no-self-upgrade --standalone --preferred-challenges http-01

I think it doesn’t update unless there’s less than 30 days left on the certificate or something anyway, but this is the bit I haven’t started playing with yet to get a definitive way of doing it.

Basic steps would be:

  • SSH in to your pi
  • find (and navigate in to) your certbot folder, wherever you put it depending on which instructions you followed.
  • run the command “./certbot-auto renew --quiet --no-self-upgrade --standalone --preferred-challenges http-01” and make sure it’s working, see what the output is, etc
  • type “pwd” and make a note of the full file path (for example /home/hass/certbot)
  • make sure the hass user has permission to access the folder and contents (if it is in /home/hass/… , it will)
  • replace the dot at the start of your command with the output you got from pwd

so

./certbot-auto renew --quiet --no-self-upgrade --standalone --preferred-challenges http-01

becomes

/home/hass/certbot/certbot-auto renew --quiet --no-self-upgrade --standalone --preferred-challenges http-01

And run that command from HA.

Of course if the path actually was /home/hass/certbot… , and your user is hass, the /home/hass/ bit is redundant, but hopefully you get the idea. This would seem to concur with @masterkenobi’s findings that his command was

./certbot/certbot-auto renew --quiet --no-self-upgrade --standalone --preferred-challenges http-01

…so I guess if we all followed the same instructions to set up HA and set up SSL, that is where it would be.

Hope this helps.

1 Like

Oh, and re port forwarding - I think that is mentioned in Ben’s video tutorial, but I don’t think he has it quite right.

Presuming you’re not running a webserver at home, your port forwards should be:

Outside 443 -> your.pi.ip 8123
Outside 80 -> your.pi.ip 80

And nothing should need to be temporarily changed/edited to get any of this to work I don’t think.

1 Like

Well, in my case I have to temporarily change the port forwarding 443 ext -> 443 int to renew the certificate as my ISP is blocking port 80. So the auto-renew is not useful but the SSL expiration sensor is.

2 Likes

Ah, yeah, didn’t think of that scenario - Doesn’t affect me here, fortunately. Thanks for the comment, it will help others in your situation :+1: