LetsEncrypt not auto renewing certificates #1445
From what I understand, the supervisor has no feature which starts the Let's Encrypt add-on when necessary... By default the startup mode is set as From what I can tell there is no "periodically startup mode" for add-ons (see also
@agners, no reason why there couldn't be AFAICS. I think if you modify the installed I think the addon installs certbot to the underlying OS (although I may have done that in the past), but the standard config does not find the certificate config by default.
A simple (user-based) fix for this is to launch the add-on periodically to force it to renew the certificate if needed. I use the following automation to this end:

```yaml
# Start Let's Encrypt every night to force renewal of certificate
- alias: system_letsencrypt_renewal
  trigger:
    - platform: time
      at: '03:00:00'
  action:
    - service: hassio.addon_restart
      data:
        addon: core_letsencrypt
```

Note that running this every day is probably overkill as certbot will renew it as soon as it is below 30 days left, but it does not really matter. @ludeeus, maybe we can add this small snippet to the addon documentation while we wait for a more integrated solution?
That will only solve half the issue.
@ludeeus hm, I guess because the SSL certificate is already loaded at that time? Ideally, HA Core should have a reload function to just reload the SSL certificate. I guess for add-ons there is no common way to handle that, probably just restarting them is fine.
Yeah, all web servers load the certificate on startup, and that will continue to be loaded (even if the file changes) until the server restarts.
Under normal circumstances, certbot restarts apache on renewal. I wonder if the addon could create a flag/sensor that other services monitor? With an update cycle for core as it is, and therefore regular restarts, it is less of an issue, but thinking on that, I'd have expected the addon to start and update so now surprised I saw the expiry notice. Odd.
That would be something that should be handled by a certificate manager in the supervisor and not by this addon.
Not sure what this was a reply to, but if my comment, it should, but obviously isn't. As I said, under normal circumstances, certbot (certificate manager) does it for you.
It was in regard to this part
So back to my point, under normal circumstances, the tool doing the certificate renewal, i.e. managing the certificates, would do the server restart (as certbot does if the right plugin is used). Because the certificate manager is actually an addon, it cannot directly control the restart, but the addon certainly could tell supervisor/HA it needs to restart. Supervisor does not have a certificate manager AFAICS.
> The addon is not aware of which services use the certificates.

Correct, and when someone adds that to the supervisor it will know which service uses which certificate and can handle that. For now, your best option (since only you know where you are using the certificates) is an automation as described here #1445 (comment)
So this should do the trick instead then (using the cert_expiry integration):

```yaml
# Renew certificates and restart homeassistant when cert expires in less than 30 days
- alias: system_letsencrypt_renewal
  trigger:
    - platform: time
      at: '03:00:00'
  condition:
    - condition: numeric_state
      entity_id: sensor.ssl_certificate_expiry
      below: 30
  action:
    - service: hassio.addon_restart
      data:
        addon: core_letsencrypt
    - delay: '00:05:00'
    - service: homeassistant.restart
```
If you only use it for homeassistant, and you can have it "randomly" restart during the night, yes 👍
@ludeeus @borpin most web servers do also support SSL certificate reloads via signals, which avoids full-blown restarts. E.g. nginx supports reload, which does not lead to any downtime: https://stackoverflow.com/questions/43088363/how-nginx-reload-work-why-it-is-zero-downtime. And that is also what certbot uses by default (see https://github.com/certbot/certbot/blob/09ab4aea01aaf95a2a830ad48271aa6bd11eef84/certbot-nginx/certbot_nginx/_internal/configurator.py#L1178).
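The two facts behind the comments above (certbot only renews once fewer than 30 days remain, and a web server keeps serving the certificate it loaded at startup until it is restarted or reloaded) can be turned into a check that runs after the add-on has renewed and after the reload or restart. The script below is an added example, not code from the Let's Encrypt add-on, Home Assistant or anyone in this thread. It computes the days left on the certificate the server actually presents (which is what the cert_expiry sensor sees), decides whether that is inside the 30-day renewal window, and compares the served certificate's fingerprint with the leaf in the PEM bundle on disk, so "renewed on disk but still serving the old certificate" shows up as a mismatch. The host, port and the `/ssl/fullchain.pem` path are assumptions for illustration; the PEM bundle embedded at the bottom is constructed data, not a real certificate.

```python
"""Check which certificate a TLS endpoint is really serving after renewal."""
import hashlib
import socket
import ssl
import time
from typing import Optional

RENEW_WINDOW_DAYS = 30  # certbot's default: renew when fewer days remain
PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"


def days_remaining(not_after: str, now_ts: Optional[float] = None) -> float:
    """Days until `not_after`, given in the format ssl.getpeercert() returns,
    e.g. 'Jun  1 12:00:00 2025 GMT' (always UTC). Negative once expired."""
    expiry = ssl.cert_time_to_seconds(not_after)
    now_ts = time.time() if now_ts is None else now_ts
    return (expiry - now_ts) / 86400


def needs_renewal(not_after: str, now_ts: Optional[float] = None,
                  window_days: int = RENEW_WINDOW_DAYS) -> bool:
    """True when the certificate is inside certbot's renewal window."""
    return days_remaining(not_after, now_ts) < window_days


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint (hex) of a DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()


def first_pem_block(pem_text: str) -> str:
    """First certificate in a PEM bundle; in a certbot fullchain.pem that is
    the leaf, the intermediates follow it."""
    start = pem_text.index(PEM_HEADER)
    end = pem_text.index(PEM_FOOTER, start) + len(PEM_FOOTER)
    return pem_text[start:end]


def disk_fingerprint(pem_text: str) -> str:
    """Fingerprint of the leaf certificate stored on disk."""
    return fingerprint(ssl.PEM_cert_to_DER_cert(first_pem_block(pem_text)))


def same_certificate(pem_text: str, served: bytes) -> bool:
    """Does the endpoint serve the same leaf that is on disk?"""
    return disk_fingerprint(pem_text) == fingerprint(served)


def served_der(host: str, port: int = 443) -> bytes:
    """DER bytes of the leaf the server presents. Verification is disabled on
    purpose: an expired certificate must still be inspectable."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def served_not_after(host: str, port: int = 443) -> str:
    """'notAfter' of the served certificate. Python only decodes certificate
    fields after a successful verification, so this uses the default trust
    store and raises ssl.SSLCertVerificationError when the served certificate
    is expired or otherwise untrusted."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


# Constructed sample data (not real certificates) so the pure functions can
# be exercised without a network connection or a real PEM file.
CONSTRUCTED_LEAF_DER = b"constructed leaf certificate bytes"
CONSTRUCTED_CHAIN_DER = b"constructed intermediate bytes"
CONSTRUCTED_BUNDLE = (ssl.DER_cert_to_PEM_cert(CONSTRUCTED_LEAF_DER)
                      + ssl.DER_cert_to_PEM_cert(CONSTRUCTED_CHAIN_DER))


def report(host: str, port: int, pem_path: str) -> None:
    """Live check to run after the add-on renewed and the server reloaded."""
    with open(pem_path) as f:
        on_disk = f.read()
    print("served == on disk:", same_certificate(on_disk, served_der(host, port)))
    try:
        not_after = served_not_after(host, port)
        print(f"served cert expires {not_after}: "
              f"{days_remaining(not_after):.1f} days left, "
              f"renew needed: {needs_renewal(not_after)}")
    except ssl.SSLCertVerificationError as exc:
        print("served certificate does not verify:", exc)


if __name__ == "__main__":
    import sys
    # Assumed usage: python check_cert.py example.org 443 /ssl/fullchain.pem
    report(sys.argv[1], int(sys.argv[2]), sys.argv[3])
```

If `served == on disk` is False while the on-disk file is fresh, the renewal worked but the server still holds the old certificate and needs the reload or restart discussed above; if it is True and the days left are still below 30, the renewal itself did not run.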
@lambtho12 please excuse me, I'm new here :-)
@maidau This is an automation. So it should be in automations.yaml or something like that. You could also recreate it using the automation editor of the UI (under configuration/automation) instead if you prefer. See the automation documentation for more information.
The solution above will not work anymore because of home-assistant/core#42338
@asychev you can use a template to calculate the time until expiry:

```yaml
# Renew certificates and restart homeassistant when cert expires in less than 30 days
- alias: system_letsencrypt_renewal
  trigger:
    - platform: time
      at: '03:00:00'
  condition:
    condition: template
    # The template must be quoted: an unquoted "{{" starts a YAML flow mapping
    value_template: '{{ as_timestamp(states("sensor.cert_expiry")) - as_timestamp(now()) < 30 * 24 * 60 * 60 }}'
  action:
    - service: hassio.addon_restart
      data:
        addon: core_letsencrypt
    - delay: '00:05:00'
    - service: homeassistant.restart
```

Update: Fixed syntax
So what it needs is the following: Restart letsencrypt addon @agners - what is the right config to restart the nginx addon (and where could I look that up for future reference?)
@agners @asychev FYI, this syntax for the condition worked better for me:

```yaml
# Renew certificates and restart homeassistant when cert expires in less than 30 days
- alias: system_letsencrypt_renewal
  trigger:
    - platform: time
      at: '03:00:00'
  condition:
    condition: template
    value_template: "{{ as_timestamp(states('sensor.cert_expiry_timestamp_HOST_PORT')) - as_timestamp(now()) < 30 * 24 * 60 * 60 }}"
  action:
    - service: hassio.addon_restart
      data:
        addon: core_letsencrypt
    - delay: '00:05:00'
    - service: homeassistant.restart
```
@borpin the nginx addon's name appears to be Adding it to the automation's actions seems to restart it:

```yaml
# ...
  action:
    - service: hassio.addon_restart
      data:
        addon: core_letsencrypt
    - delay: '00:05:00'
    - service: hassio.addon_restart
      data:
        addon: core_nginx_proxy
    - service: homeassistant.restart
```

(BTW, trying to call hassio.addon_restart on addon: core_nginx_proxy from the Developer Tools Services panel gives the error "Failed to call service hassio/addon_restart. undefined", but does seem to restart nginx.)
My solution worked overnight - thanks to all for your help https://community.home-assistant.io/t/lets-encrypt-add-on-not-renewing-certificates-correctly/214294
Not sure why one needs to restart NGINX core proxy.. and then restart HA.
Because restarting HA just restarts the core, not the Supervisor (I believe). For that you need to do a full host restart (which I was trying to avoid). Try it and see 😄
Thanks for this! I was going crazy trying to work out why CertBot hadn't updated my certificates, I assumed it was copying to the wrong place, but actually just needed to restart HA.
Supervised Install.
I have just had a renewal notice for the certificate for the domain name I use for HA, set up using the LetsEncrypt Plugin. On the basis of getting the email, the renewal should have already happened (certbot does not wait that late).
It appears the auto-renew is not working.
When the addon is manually started, the renewal occurs.
letsencrypt log showing previous auto renewal attempt plus the renewal done when the addon was restarted.
addon log - log was empty before manual start.
syslog excerpts