SSL Renewal Issue

Hi

I have this automation set up to renew my SSL cert when it's below 29 days remaining. However, the automation does not work until I renew manually with the command:

~/certbot/certbot-auto renew --quiet --no-self-upgrade --standalone --preferred-challenges tls-sni-01 --tls-sni-01-port 8123 --pre-hook "sudo systemctl stop [email protected]" --post-hook "sudo systemctl start [email protected]"

Here is my automation:

- alias: 'Auto Renew SSL Cert'
  initial_state: 'on'
  trigger:
    - platform: numeric_state
      entity_id: sensor.ssl_cert_expiry
      below: 29
  action:
    - service: shell_command.renew_ssl

And my shell command:

shell_command:
  renew_ssl: ~/certbot/certbot-auto renew --quiet --no-self-upgrade --standalone --preferred-challenges tls-sni-01 --tls-sni-01-port 8123 --pre-hook "sudo systemctl stop [email protected]" --post-hook "sudo systemctl start [email protected]"

Can anyone please help me with what I am doing wrong?

Thanks.

That automation looks like it’s trying to use the same port as Home Assistant, which would require Home Assistant to be shut down first - at which point how’s the automation going to run?

Try forwarding a different port just for certificate renewal, and not shutting HA down, but restart it instead.

Let me have a go at changing the port and restarting HA instead of shutting it down.

Do you think a crontab command would be better, i.e. running the renew SSL command every minute, every day?

I suggest using cron here, so yes - but not every minute, that's massively overkill. Run it once a day.

When you say overkill, what do you mean?

Running it once a minute, for a certificate that will be automatically renewed weeks in advance, is just a pointless load on the system. It's like having kids in the back of your car on a long journey continually asking "Are we nearly there yet?"

LOL cheers mate!!

Hi @Tinkerer

So I have the following renewal command setup in crontab:

0 3 * * * ~/certbot/certbot-auto renew --quiet --no-self-upgrade --standalone --preferred-challenges tls-sni-01 --tls-sni-01-port 8123 --pre-hook "sudo systemctl stop [email protected]" --post-hook "sudo systemctl start [email protected]"

And I was due for an upgrade, i.e. 29 days. However, I am not sure if the crontab executed, as the renewal did not happen.

Do you have any idea what could be wrong?

I was thinking of running the renewal command in a script and then running the script in crontab.

Try a full path to certbot, rather than ~ - that’s almost certain to be the issue

Do you mean /home/certbot…

More likely /home/homeassistant/certbot/certbot-auto, wherever you installed it.

Guess mine would be /home/pi/certbot… as my certbot is installed in the home directory.

Try ls /home/pi/certbot/ (the first character is a lower-case L)

If your certbot-auto script is there, that’s your path :+1:

Yeah got certbot-auto script there. Thanks

I’m having issues trying to run certbot-auto from shell-command. I keep getting errors like:

Log Details (ERROR)
Sat Jul 07 2018 17:41:21 GMT+0200 (Central European Summer Time)

Error running command: /home/pi/certbot/certbot-auto renew --quiet --no-self-upgrade --standalone --preferred-challenges http-01, return code: 1
NoneType: None

But if I enter the command manually it works! Running Hassbian, by the way.

configuration.yaml:
shell_command:
  renew_ssl: /home/pi/certbot/certbot-auto renew --quiet --no-self-upgrade --standalone --preferred-challenges http-01

I don't know the solution to this, so maybe someone could help me out here?

When you run it from an automation it runs as homeassistant. When you run it manually it runs as the user you’re logged in as (probably pi).

You can simply run it as pi and schedule it with crontab -e. Alternatively, you’ll have to change the ownership of all the relevant files to homeassistant. That probably means the files in /etc/letsencrypt:

sudo find /etc/letsencrypt -user pi -exec chown homeassistant:homeassistant {} \;

That will change the owner of all files currently owned by pi under /etc/letsencrypt. At that point you’ll no longer be able to run the certbot-auto command as pi.

Thanks for the info and advice, learning everyday!

I will go for crontab!

Hi!
In case someone else stumbles upon this problem: I experienced it as well, and the reason is that letsencrypt/certbot-auto really wants to have sudo permissions and requires an input device (tty) to be present. You can figure this out by changing the logger level for the shell_command:

2019-12-31 11:25:29 INFO (MainThread) [homeassistant.helpers.script] Script Auto Renew SSL Cert: Executing step call service
2019-12-31 11:25:30 DEBUG (MainThread) [homeassistant.components.shell_command] Stdout of command: '/home/homeassistant/certbot/certbot-auto -h', return code: 1:
b'Requesting to rerun /home/homeassistant/certbot/certbot-auto with root privileges...\n'
2019-12-31 11:25:30 DEBUG (MainThread) [homeassistant.components.shell_command] Stderr of command: '/home/homeassistant/certbot/certbot-auto -h', return code: 1:
b'sudo: no tty present and no askpass program specified\n'
2019-12-31 11:25:30 ERROR (MainThread) [homeassistant.components.shell_command] Error running command: '/home/homeassistant/certbot/certbot-auto -h', return code: 1
NoneType: None

The input device is not present when running from a Home Assistant automation, hence the shell_script returns with code 1.

You could now allow the home assistant user to run "sudo" without password input, which I did not try because I really don't like the idea that the home assistant user having root permissions - a bit of a security concern. Hence, I chose to go for the cronjob solution as well.