Sensor to show expiry date of SSL certificate

Unfortunately it’s been like that for a few days :frowning:

00:04:59 ERROR (Thread-4) [homeassistant.components.sensor.command_line] Command failed: ssl-cert-check -b -c /etc/letsencrypt/live/BLAHBLAH.duckdns.org/cert.pem | awk { print $NF }

Hey.

I get

Cdture

What am I missing here?

Running the command via SSH

ssl-cert-check -b -c /etc/letsencrypt/live/yanir.duckdns.org/cert.pem | awk '{ print $NF }'

shows 90, fine.

Now I see the log shows

2018-02-17 17:43:32 ERROR (Thread-18) [homeassistant.components.sensor.command_line] Command failed: ssl-cert-check -b -c /etc/letsencrypt/live/yanir.duckdns.org/cert.pem | awk { print $NF }

When on SSH, have you tried to run the command as the same user that’s running Home Assistant? If this fails, there is probably a permissions issue.

Via SSH it works fine…

I just upgraded my HASS install on my Mac server and ran into some issues that seem to be prevalent through this thread. As such, I wanted to drop a note for fellow Mac users that might run into the same issues, so that they can save the headaches I ran into. I used this thread and the following doc to make all of this fly, so kudos and thanks to everyone involved.
https://home-assistant.io/docs/ecosystem/certificates/lets_encrypt/

1.) To start, you’ll need the ssl-cert-check script found here: https://github.com/Matty9191/ssl-cert-check

2.) Now you need to give the script the correct permissions to run.

  • To do that on a Mac, best to just do a chmod
  • chmod 755 path to script
  • in my example it looked like this:
    chmod 755 /Users/redacted/ssl-cert-check

3.) Now you can run the script against your certificate.

  • Assuming you are running this against a duckdns and letsencrypt setup, it will look like this:
    ./ssl-cert-check -b -c /etc/letsencrypt/live/redacted.duckdns.org/cert.pem | awk '{ print $NF }'
  • That should return a number, which is the number of days left on your cert before it expires.

4.) Now you can set up command line sensors in Home Assistant to run this script to keep an eye on your expiration date.

  • I did it this way and it works well. Thanks to @anon43302295 for this!
    (The formatting won’t work for me here, but I copy and pasted from @anon43302295’s post above.) ** Note the ./ before the script. It will be needed to run the script from the shell command. **

sensor:
  - platform: command_line
    name: SSL cert expiry
    unit_of_measurement: days
    scan_interval: 86400
    command: "./ssl-cert-check -b -c /etc/letsencrypt/live/YOUR-URL.duckdns.org/cert.pem | awk '{ print $NF }'"

5.) Now use the sensor to drive other automations, like renewing your letsencrypt cert.

shell_command:
  renew_ssl: ~/certbot/certbot-auto renew --quiet --no-self-upgrade --standalone --preferred-challenges http-01

automation:
  - alias: 'Auto Renew SSL Cert'
    trigger:
      platform: numeric_state
      entity_id: sensor.ssl_cert_expiry
      below: 29
    action:
      service: shell_command.renew_ssl

  # Second entry in the same automation: list (a repeated top-level key is a duplicate-key error)
  - alias: 'SSL expiry notification'
    trigger:
      platform: numeric_state
      entity_id: sensor.ssl_cert_expiry
      below: 21
    action:
      service: notify.[your_notification_preference]
      data:
        message: 'Warning - SSL certificate expires in 21 days and has not been automatically renewed'

Hopefully that helps someone. It took me a few to connect the dots, but now that it is running, it should be set.

5 Likes

Hmm got this working on the command line, and wondered why it wasn’t working in HASS.

Then remembered I’m running in Docker…

So is there a way to expose that command into my docker container???

1 Like

Although that does sort of go against the point of docker :slight_smile:

I would have to read it again and I will, but will Acme renew the certificate automatically? Just checked crontab -l after Acme installation and it shows:
56 0 * * * "/home/homeassistant/.acme.sh"/acme.sh --cron --home "/home/homeassistant/.acme.sh" > /dev/null

It sure is much easier than using certbot - especially if auto renewal is included.
Thanks!

Check the solution one post above yours: just put the ssl check script in the homeassistant config folder.

Thank you.

I’ve installed the ssl-cert-check in the homeassistant home folder, modified its permissions and modified the sensor to let it run in my configuration and give me “-days”

sensors.yaml:

- platform: command_line
  command: /home/homeassistant/ssl-cert-check -b -c /home/homeassistant/.acme.sh/YOURNAME.duckdns.org/YOURNAME.duckdns.org.cer | awk '{print -$6}'
  name: SSL
  scan_interval: 43200
  unit_of_measurement: days

SSL

PS: it’s built in: https://www.home-assistant.io/components/sensor.cert_expiry/

1 Like

The problem with the built-in one is that if you restart HA at any time it says unavailable. I think it only checks every 12 hours.

SSL Certificate Expiry
2 days ago
Unknown
Via SSH it works fine :frowning:

For anyone looking for an easier method to keep the SSL cert valid, just run:

apt-get install certbot
systemctl enable certbot.timer
systemctl start certbot.timer

This will use the auto-update system defined by Let’s Encrypt itself.

3 Likes

I’m not experiencing that, if I restart it shows it immediately.

Is it possible to use the built-in component with the URL: https://xxx.com:789/?src=connect

I have tried

host: xxx.com
port: 789

Since I switched to Caddy it’s working immediately here as well but with the standard LetsEncrypt addin it was a 12 hour wait to see the sensor expiry.

Same problem! Did you solve the problem?
I think it is a user permission problem.
The ls -la command shows me the “ssl-cert-check” file has a root:root permission; I think it needs to be changed to the “homeassistant” user.
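
Added example, not from any poster in this thread: a small wrapper that a command_line sensor could call instead of the ssl-cert-check pipeline, reporting why it failed (unreadable file for the current user, not a certificate, already expired) rather than only "Command failed". The function names and exit codes are hypothetical; it assumes `openssl` and GNU `date` are installed.

```shell
#!/bin/sh
# Added example: days left on a PEM certificate, with a reason on failure.
# Function names and exit codes are hypothetical, not part of ssl-cert-check.

# Convert openssl's "notAfter=..." line into whole days remaining, relative
# to the epoch given in $2 (defaults to the current time).
# Prints 0 and returns 1 if the certificate has already expired.
enddate_to_days() {
    end_str=${1#notAfter=}
    now=${2:-$(date -u +%s)}
    end=$(date -u -d "$end_str" +%s) || return 4   # GNU date syntax
    if [ "$end" -le "$now" ]; then
        echo 0
        return 1
    fi
    echo $(( (end - now) / 86400 ))
}

# Print days left for the PEM file in $1; explain failures on stderr.
# Returns: 0 ok, 1 expired, 2 unreadable, 3 not a certificate, 4 bad date
cert_days_left() {
    pem=$1
    # Run as the Home Assistant user, this catches the permission problem
    # that an interactive test from another account does not show.
    if [ ! -r "$pem" ]; then
        echo "cannot read $pem as user $(id -un)" >&2
        return 2
    fi
    line=$(openssl x509 -in "$pem" -noout -enddate 2>/dev/null) || {
        echo "$pem is not a PEM certificate" >&2
        return 3
    }
    enddate_to_days "$line"
}

# When run as a script: ./cert-days.sh /path/to/cert.pem
if [ $# -gt 0 ]; then
    cert_days_left "$1"
fi
```

Only the number goes to stdout, so the sensor state stays numeric; the reason for a failure goes to stderr.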

To fix the delayed update after a system restart, I use an automation that runs 15 seconds after hass startup and calls the homeassistant.update_entity service for the sensor.ssl_certificate_expiry. This way it updates without the 12 hour wait.

1 Like