Lectere
(Lectere)
January 23, 2024, 9:40am
1
Out of nowhere my HA setup stopped accepting HTTPS requests. Didn't change anything, only updated to latest.
Let's Encrypt showed the following in the log:
Are you trying to change the key type of the certificate named mydomain.com from RSA to ECDSA?
After one hour of research it appeared that it was the Let's Encrypt settings that had changed without me doing so:
Setting it back to RSA, and renewing the certificate, fixed the problem.
But as others in this post mention:
opened 09:53AM - 02 Jan 24 UTC
add-on: letsencrypt
### Describe the issue you are experiencing
While trying to renew the certificate, I've got this message in logs:
```
[10:45:47] INFO: Selected DNS Provider: dns-ovh
[10:45:48] INFO: Use propagation seconds: 60
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Are you trying to change the key type of the certificate named home.clouderial.fr from RSA to ECDSA? Please provide both --cert-name and --key-type on the command line to confirm the change you are trying to make.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
s6-rc: info: service legacy-services: stopping
s6-rc: info: service legacy-services successfully stopped
s6-rc: info: service legacy-cont-init: stopping
s6-rc: info: service legacy-cont-init successfully stopped
s6-rc: info: service fix-attrs: stopping
s6-rc: info: service fix-attrs successfully stopped
s6-rc: info: service s6rc-oneshot-runner: stopping
s6-rc: info: service s6rc-oneshot-runner successfully stopped
```
EDIT: the new certificates are not generated. This will cause a major issue because the site will not be visible (in one week for my case).
### What type of installation are you running?
Home Assistant OS
### Which operating system are you running on?
Home Assistant Operating System
### Which add-on are you reporting an issue with?
Almond
### What is the version of the add-on?
5.0.9
### Steps to reproduce the issue
1. just start the addon to generate a new certificate
2. look at the journal logs
### System Health information
## System Information
version | core-2023.12.4
-- | --
installation_type | Home Assistant OS
dev | false
hassio | true
docker | true
user | root
virtualenv | false
python_version | 3.11.6
os_name | Linux
os_version | 6.1.58-haos-raspi
arch | aarch64
timezone | Europe/Paris
config_dir | /config
<details><summary>Home Assistant Community Store</summary>
GitHub API | ok
-- | --
GitHub Content | ok
GitHub Web | ok
GitHub API Calls Remaining | 5000
Installed Version | 1.33.0
Stage | running
Available Repositories | 1373
Downloaded Repositories | 43
</details>
<details><summary>Home Assistant Cloud</summary>
logged_in | false
-- | --
can_reach_cert_server | ok
can_reach_cloud_auth | ok
can_reach_cloud | ok
</details>
<details><summary>Home Assistant Supervisor</summary>
host_os | Home Assistant OS 11.2
-- | --
update_channel | stable
supervisor_version | supervisor-2023.12.0
agent_version | 1.6.0
docker_version | 24.0.7
disk_total | 457.7 GB
disk_used | 18.3 GB
healthy | true
supported | true
board | rpi4-64
supervisor_api | ok
version_api | ok
installed_addons | Home Assistant Google Drive Backup (0.112.1), Samba share (12.2.0), InfluxDB (4.8.0), Glances (0.20.0), Let's Encrypt (5.0.9), NGINX Home Assistant SSL proxy (3.6.0), SQLite Web (4.0.0), AppDaemon (0.16.0), Piper (1.4.0), Whisper (1.0.0), Mosquitto broker (6.4.0), Zigbee2MQTT (1.33.0-1), Studio Code Server (5.14.2)
</details>
<details><summary>Dashboards</summary>
dashboards | 7
-- | --
resources | 24
views | 43
mode | storage
</details>
<details><summary>Recorder</summary>
oldest_recorder_run | 27 décembre 2023 à 21:17
-- | --
current_recorder_run | 2 janvier 2024 à 10:08
estimated_db_size | 570.98 MiB
database_engine | sqlite
database_version | 3.41.2
</details>
<details><summary>Sonoff</summary>
version | 3.5.3 (a8c6d45)
-- | --
cloud_online | 9 / 9
local_online | 9 / 9
debug | failed to load:
</details>
### Anything in the Supervisor logs that might be useful for us?
```txt
-
```
### Anything in the add-on logs that might be useful for us?
```txt
[10:45:47] INFO: Selected DNS Provider: dns-ovh
[10:45:48] INFO: Use propagation seconds: 60
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Are you trying to change the key type of the certificate named home.clouderial.fr from RSA to ECDSA? Please provide both --cert-name and --key-type on the command line to confirm the change you are trying to make.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
s6-rc: info: service legacy-services: stopping
s6-rc: info: service legacy-services successfully stopped
s6-rc: info: service legacy-cont-init: stopping
s6-rc: info: service legacy-cont-init successfully stopped
s6-rc: info: service fix-attrs: stopping
s6-rc: info: service fix-attrs successfully stopped
s6-rc: info: service s6rc-oneshot-runner: stopping
s6-rc: info: service s6rc-oneshot-runner successfully stopped
```
### Additional information
_No response_
A lot of people will be affected by this; as mentioned in the topic on GitHub, is this a breaking change…
Been saying for years now that the guys at Home Assistant should incorporate proper certificate management from the GUI of Home Assistant itself. You cannot expect people to set up reverse proxies, and as it seems you cannot rely on third-party tools like Let's Encrypt. Home Assistant is getting too important to be wrecked by stupid issues like this…
I’m reporting this issue for others to see and hopefully it will get them back online quick again. I’m not asking advice for other products / solutions.
1 Like
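The log line quoted above is certbot refusing to silently change a lineage's key type: it compares the key type of the existing certificate with the key type requested for this run, and if they differ it demands that both `--cert-name` and `--key-type` be passed explicitly. The following is an added example (not code from certbot or from the Let's Encrypt add-on) that reproduces that decision on a constructed renewal config. It assumes that certbot records the lineage's key type as `key_type` under `[renewalparams]` in `/etc/letsencrypt/renewal/<name>.conf`, that a missing value means the older RSA default, and that the add-on update changed its default requested key type from RSA to ECDSA without passing the two flags; the domain, account ID and paths are placeholders.

```python
"""Certbot's key-type confirmation check, reconstructed from the log message.

Added example; not code from certbot or the Let's Encrypt add-on.
Assumption: certbot stores the lineage's key type as `key_type` under
[renewalparams] in the renewal config, and a missing value means RSA.
"""
import configparser
from typing import List, Optional

# Constructed sample of a renewal config for an existing RSA lineage.
SAMPLE_RENEWAL_CONF = """\
# renew_before_expiry = 30 days
version = 2.7.4
archive_dir = /etc/letsencrypt/archive/mydomain.com
cert = /etc/letsencrypt/live/mydomain.com/cert.pem
privkey = /etc/letsencrypt/live/mydomain.com/privkey.pem
chain = /etc/letsencrypt/live/mydomain.com/chain.pem
fullchain = /etc/letsencrypt/live/mydomain.com/fullchain.pem

[renewalparams]
account = 0123456789abcdef0123456789abcdef
authenticator = dns-ovh
server = https://acme-v02.api.letsencrypt.org/directory
key_type = rsa
rsa_key_size = 2048
"""


def lineage_key_type(renewal_conf_text: str) -> str:
    """Return 'rsa' or 'ecdsa' for the lineage described by a renewal config."""
    parser = configparser.ConfigParser(interpolation=None)
    # The top of a renewal config has keys before any [section]; give them one.
    parser.read_string("[lineage]\n" + renewal_conf_text)
    return parser["renewalparams"].get("key_type", "rsa").strip().lower()


def key_type_change_error(cert_name: str, renewal_conf_text: str,
                          requested_key_type: str,
                          explicit_cert_name: bool = False,
                          explicit_key_type: bool = False) -> Optional[str]:
    """Mirror certbot's refusal: a key-type change is an error unless both
    --cert-name and --key-type were given explicitly. Returns the error
    message, or None when the run may proceed."""
    current = lineage_key_type(renewal_conf_text)
    requested = requested_key_type.strip().lower()
    if current == requested or (explicit_cert_name and explicit_key_type):
        return None
    return (f"Are you trying to change the key type of the certificate named "
            f"{cert_name} from {current.upper()} to {requested.upper()}? Please "
            "provide both --cert-name and --key-type on the command line to "
            "confirm the change you are trying to make.")


def certbot_command(cert_name: str, renewal_conf_text: str,
                    requested_key_type: str, migrate: bool = False) -> List[str]:
    """Build the certonly invocation. migrate=True passes the two flags
    explicitly, which is exactly the confirmation certbot asks for."""
    err = key_type_change_error(cert_name, renewal_conf_text, requested_key_type,
                                explicit_cert_name=migrate, explicit_key_type=migrate)
    if err:
        raise RuntimeError(err)
    cmd = ["certbot", "certonly", "--non-interactive", "--agree-tos", "-d", cert_name]
    if migrate:
        cmd += ["--cert-name", cert_name, "--key-type", requested_key_type.lower()]
    return cmd


if __name__ == "__main__":
    name = "mydomain.com"
    # 1. What the updated add-on did: default flipped to ECDSA, no flags -> refused.
    print(key_type_change_error(name, SAMPLE_RENEWAL_CONF, "ecdsa"))
    # 2. The fix from the post: request RSA again -> proceeds without flags.
    print(certbot_command(name, SAMPLE_RENEWAL_CONF, "rsa"))
    # 3. A deliberate migration: both flags given -> proceeds and moves to ECDSA.
    print(certbot_command(name, SAMPLE_RENEWAL_CONF, "ecdsa", migrate=True))
```

Scenario 3 is the route to take if you actually want the ECDSA key rather than reverting to RSA; once that run succeeds the renewal config describes an ECDSA lineage, so later runs with the new default no longer trip the check. Scenario 2 is what the original post did, and is the quicker way to get a renewal through before the old certificate expires.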
indeeed
January 23, 2024, 10:09am
2
Lectere:
Been saying for years
that you can have a Nabu Casa subscription so you don't need to spend time with reverse proxies and certificates. Besides, you support HA development!
Lectere
(Lectere)
January 23, 2024, 10:21am
3
I would not mind spending money on HA.
But I’m allergic to cloud. The sole reason I picked Home Assistant is not to depend on the cloud.
MZorzy
(Marco)
January 23, 2024, 10:23am
4
DuckDNS add-on + app on phone work with no issue
indeeed
January 23, 2024, 10:24am
5
Lectere:
picked Home Assistant
Making it available via proxy/https is connecting it to the cloud/www!
Not enough!
Cyberbeni
(Benedek Kozma)
January 23, 2024, 10:45am
6
I think using a VPN creates a smaller security hole than using reverse proxy+https. I use Tailscale which is free for up to 3 users.
2 Likes
indeeed
January 23, 2024, 12:48pm
7
Indeeed! Essentially allowing access to your LAN when abroad without (totally) exposing your server to the cloud/www!
WallyR
(Wally)
January 23, 2024, 3:29pm
8
I use certificates, but no reverse proxy.
It is often possible to run everything encrypted, and HA already has the features built in for this to happen.
I still use Let’s encrypt, but that is just to renew the certificate, which would have to be done with any other CA I could have chosen.
tyjtyj
(Justin T.)
January 23, 2024, 3:47pm
9
For every automated tool, there is another tool to monitor the automated tool.
That's why there are healthcheck add-ons or uptime add-ons…
I actively monitor my cert from HA/healthcheck/UptimeKuma and it alerts me when it drops below 30 days.
Regardless, the author already made a PR to fix the problem; thanks for that. Appreciate it.
Just be careful for the next few updates to make sure it's stable. I'm going to test it from a backup HA before going for the update for now.
If you need code to monitor your cert from HA:
I got annoyed by cert errors on start, as some of the services are still down during Home Assistant startup… thus, here is my template checking for validity, otherwise unknown:
```yaml
hass_cert:
  unit_of_measurement: 'days'
  value_template: >-
    {% if is_state_attr('sensor.cert_expiry_timestamp_xxx', 'is_valid', 1) %}
      {{ ((as_timestamp(states("sensor.cert_expiry_timestamp_xxx"), states("sensor.hass_cert")) - as_timestamp(now())) / 86400) | round(0, "floor") }}
    {% els…
```
Sir_Goodenough
((SG) WhatAreWeFixing.Today)
January 23, 2024, 6:08pm
10
Back to the original point, using RSA isn’t much better than no key at all.
If I were to guess RSA was dropped as the default because it is useless. To ‘fix’ this change the key algorithm to a modern one. Don’t reinstall the RSA speedbump key.
Cracking 256-bit RSA Keys - Surprisingly Simple! .
1 Like
WallyR
(Wally)
January 24, 2024, 9:05am
11
RSA and ECDSA have the same security issues. ECDSA can use a smaller key compared to RSA, which RSA just evens out by using keys of 4096 bits instead of the ECDSA key size of 384.
ECDSA is much more complex though, which means the chance of security holes in the implementation of the encryption method is higher.
You might be able to crack the 256-bit RSA in 1 minute, but each extra bit will double that, so it will still take you years to crack a 4096-bit RSA encryption.
1 Like
tyjtyj
(Justin T.)
January 26, 2024, 1:20am
12
Kinda unfair to use 256 bits to claim RSA is easily crackable… most modern SSL certs are on 2048 or even higher, which are still not easily cracked…
You can't compare a 4-character password with a 12-character password and claim 12-character passwords are as easy to crack as 4-character passwords.
odwide
January 26, 2024, 1:35am
13
Anyone placing a certificate with a 256-bit RSA key on a server deserves to be pwned by an APT.
Sir_Goodenough
((SG) WhatAreWeFixing.Today)
January 26, 2024, 5:07am
14
OK, I guess I’m completely wrong. It happens.
RSA Encryption: Definition, Architecture, Benefits & Use | Okta .
Seriously, stop using RSA | Trail of Bits Blog .
What is RSA encryption, and is it safe to use? | NordVPN .
https://www.thesslstore.com/blog/how-secure-is-rsa-in-an-increasingly-connected-world/ .
RSA Is Dead — We Just Haven’t Accepted It Yet .
Would you mind contacting these and many more to explain it to them?
This was just some of the first page when I googled it.
Personally I was just trying to guess why RSA was removed as a default, which I’m guessing what happened by your description. I’m not a crypto programming expert at all. I wasn’t looking to get attacked.