Sensor to show expiry date of SSL certificate

Yep, You are right.
Unfortunately I am at the very beginning of this HA road to learn how to use and configure it… Any help very much appreciated.

So I didn’t configure too much, I just used the built in Certificate Expiry integrations and added ‘home-assistant.io’ as the host.

It looks like this now:
image

Or with another sensor:
image

I even don’t know how to copy the code properly. Sorry for bothering, all beginning is difficult. :slight_smile:

Thanks in advance!

Homeassistant.io as the host? That is not your duckdns domain. Good to know the ssl for the homeassistant site expires in 6 months though

OK, but when I added xxxxxx.duckdns.org as the host I got the following message
Is valid: false
Error: self signed certificate in certificate chain

Where can be the self signed cert? I’ve followed the recommended way to implement remote access…

You didn’t add the correct domain/port to the sensor config

Host: xxxxxxx.duckdns.org
Port:443

That’s not correct? :thinking:

Same result with port:80

BTW: Let’s Encrypt was used for certificate.

That should be ok. Are you sure you have a Le cert? What install on what o/s do you have? I have seen a self signed cert in a chain on a windows pc running a downloaded that inserts itself so it can d/l from ssl sites…

Thanks for trying to help me David!

My setup is running on
Pi 4,
core-2021.2.3,
Home Assistant OS 5.11
supervisor-2021.02.11
Regarding cert:
Your certificate and chain have been saved at:
/data/letsencrypt/live/xxxxxx.duckdns.org/fullchain.pem
Your key file has been saved at:
/data/letsencrypt/live/xxxxxxx.duckdns.org/privkey.pem
Your cert will expire on 2021-05-16.

So I just went and added my sub-domains (they have seperate certificates)
The correct format to enter is domain.com and then 443 as the port (if you use 443)
Mine look like this if I show them in Lovelace:

Are you using the LetsEncrypt addon for HA or the Duckdns one?

EDIT***** also do you use Pihole of some firewall that might block this?

I have both DuckDNS and LetsEncrypt addons and don’t know any firewall rule.

I’ve might done something wrong during the remote access setup, actually thinking to setup the whole remote access again from scratch having in mind to avoid any possible threat for self signed cert. :slight_smile: Can be time consuming, but I consider as a part of the learning path… :slight_smile:

I’ve re-installed the whole HA from scratch, setting remote access via duckdns using instruction of Effortless encryption with Let’s Encrypt and DuckDNS - Home Assistant (home-assistant.io)

The first (previous) attempt was based on this tutorial:
Installing TLS/SSL using Let’s Encrypt - Community Guides - Home Assistant Community (home-assistant.io)

Same result :frowning:
Error message: “self signed certificate in certificate chain”

Any idea what can be the problem?

Other question: Is it problematic from security point of view to use a self signed cert?

Thanks!

Yo obtengo el mismo resultado rn dos hosts diferentes,un nuc con hass io y una pi 4 con debian 10 y homeassistant supervised en docker

I have this sensor defined but the expiry value is not being returned (i.e. it is blank). I’m running HA in a Docker container, with a LetsEncrypy cert, and have mapped the LE folder to my Docker /ssl container. So my config looks like this:

http:
  ssl_certificate: ssl/fullchain.pem
  ssl_key: ssl/privkey.pem
sensor:
  - platform: command_line
    name: SSL cert expiry
    unit_of_measurement: days
    scan_interval: 10800
    command: "ssl-cert-check -b -c ssl/cert.pem | awk '{ print $NF }'"

The http config is fine - the SSL cert works - but the cert-check is not populating the expiry sensor with a value. The ssl-cert-check script is in my HA config folder.
Any ideas??

Does that command work in a ha console? The command probably isn’t available in the container. I use the cert integration.

Good question. I get an error - return code 127 - when I run the command from the HA console.
I guess that Docker is causing complications? As an alternative, could I simply run this as a monthly cron job from outside Docker?

certbot renew --quiet --no-self-upgrade --standalone --preferred-challenges tls-sni-01 --tls-sni-01-port 8123 --pre-hook "sudo docker stop home-assistant" --post-hook "sudo docker start home-assistant"

It’s not docker causing complications. It you are running HAOS or a Supervised install the container just doesn’t have those commands in the shell. Probably also the container install doesn’t have them available either. Is there any reason you don;t want to use the inbuilt integration for this? It works perfectly.

Do you mean this one?

If so, yes I have installed it but it doesn’t seem to offer a method of auto-renewing a LE-generated SSL certificate.

That is the one yes… all it does is show the date it won’t renew the certificate. (I thought that was what you wanted by the thread title)

Sorry yes I was confusing two threads that I’d recently posted in!
I’m looking for a solution for SSL cert auto-renewal, but was struggling to get the sensor to work to monitor for certificate expiry, to ended up on this thread trying to resolve that part of the problem.
I’m still hunting for a complete solution for SSL automatic renewal, as the methods that I’ve found so far assume that (a) you’re not using Docker, and (b) you are permanently forwarding port 80 to your HA host (which I am unable to do).

Doesn’t the LetsEncrypt addon do the renewals? I used to use an automation to start that addon at midnight every night and it stops running itself. Of you could use the expiry date via cert to trigger it.
I personally use Caddy2 addon which supports DNS domain validation so no port forwarding needed.

LetsEncrypt does have a facility for renewals, but I haven’t managed to get it to work. I have been following these instructions:

I think I have 2 complicating factors:

  1. I am running HA in a Docker container, and have been unable to run the renewal script (certbot) from within the HA environment
  2. I am unable to permanently forward port 80 to my HA host (I run a separate web server on my network) - I believe that the LetsEncrypt certbot requires access via port 80.