diff --git a/atom.xml b/atom.xml index 5f8e5ddd19..8c46e1ecac 100644 --- a/atom.xml +++ b/atom.xml @@ -4,7 +4,7 @@
Configuration variables:
configuration.yaml
will be used to display weather conditions.configuration.yaml
will be used to display weather conditions.configuration.yaml
.configuration.yaml
.If you have any more for Home Assistant you should delete them now. If you only have ha_ssl
this is probably because during step 4 you had to use port 443 instead of port 80, so we deleted the rule during step 5.
You are now part of one of two groups:
Please remember whether you are a ONE-RULE person or a BOTH-RULE person for step 8!
Let’s Encrypt certificates only last for 90 days. When they have less than 30 days left they can be renewed. Renewal is a simple process.
@@ -361,52 +361,9 @@ In cases where, for whatever reason, apt-get installing is not appropriate for yGot your sensor up and running and where you want it? Top drawer! Nearly there, now move on to the final steps to ensure that you’re never without a secure connection in the future.
The certbot program we downloaded in step 4 contains a script that will renew your certificate. The script will only obtain a new certificate if the current one has less than 30 days left on it, so running the script more often than is actually needed will not cause any harm.
-If you are a ONE-RULE person (from step 6) you cannot ‘automatically’ renew your certificates because you will need to change your port forwarding rules before the renewal takes place, and change it back again afterwards.
-When you are within 30 days of your certificate’s expiry date (you can use the sensor reading from step 7 to tell you this) you will need to complete the following steps:
-Service name - ha_ssl
-Port Range - 443
-Local IP - YOUR-HA-IP
-Local Port - 443
-Protocol - Both
-
-$ su - s /bin/bash hass
-
-$ cd ~/certbot/
-
-$ ./certbot-auto renew --quiet --no-self-upgrade --standalone --preferred-challenges http-01
-
-Service name - ha_ssl
-Port Range - 443
-Local IP - YOUR-HA-IP
-Local Port - 8123
-Protocol - Both
-
-If you are a BOTH-RULE person, you have a number of options at this point.
+If you are a ONE-RULE person (from step 6), you can automatically renew your certificate with your current port mapping by temporarily stopping Home Assistant and telling certbot to bind port 8123 internally, and using a tls-sni
challenge so that the Let’s Encrypt CA binds port 443 externally. The flags used to specify these additional steps are shown below.
If you are a TWO-RULE person (from step 6), you can automatically renew your certificate using a http-01
challenge and port 80.
There are a number of options for automating the renewal process:
Your certificate can be renewed as a ‘cron job’ - cron jobs are background tasks run by the computer at specified intervals (and are totally independant of Home Assistant). Defining cron is outside of the scope of this guide but you will have had dealings with crontab
when setting up DuckDNS in step 3
To set a cron job to run the script at regular intervals:
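Review bot: the two groups are named inconsistently across this hunk: the new text introduces "TWO-RULE person" while the removed line it replaces and the step-6 reminder earlier in the feed say "BOTH-RULE person"; pick one name, since the reader is told to remember which group they are in. Two further points on the new ONE-RULE paragraph: the CA does not "bind" port 443, it connects to 443, which the existing forwarding rule sends to 8123 where certbot is listening, so "connects to" reads more accurately than "binds"; and the `--pre-hook "sudo systemctl stop ..."` / `--post-hook "sudo systemctl start ..."` flags are run unattended as the hass user, so the text should document the non-interactive sudo right the hass account needs for exactly those two systemctl commands (and no more), otherwise the hooks fail when invoked from cron.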
@@ -424,17 +381,30 @@ Protocol - Both30 2 * * 1 ~/certbot/certbot-auto renew --quiet --no-self-upgrade --standalone --preferred-challenges http-01
30 2 * * 1 ~/certbot/certbot-auto renew --quiet --no-self-upgrade --standalone --preferred-challenges tls-sni-01 --tls-sni-01-port 8123 --pre-hook "sudo systemctl stop home-assistant@homeassistant.service" --post-hook "sudo systemctl start home-assistant@homeassistant.service"
+
+tls-sni
challenge, so the Let’s Encrypt CA will attempt to bind port 443 externally (which you have forwarded)--tls-sni-01-port 8123
tells certbot to bind port 8123 internally, which matches with the port forwarding rules that are already in place.You can set an automation in Home Assistant to run the certbot renewal script.
-Add the following sections to your configuration.yaml
+Add the following sections to your configuration.yaml if you are a TWO-RULE person
shell_command:
renew_ssl: ~/certbot/certbot-auto renew --quiet --no-self-upgrade --standalone --preferred-challenges http-01
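Review bot: the explanatory sentence after the second cron line has lost its structure and now runs into the start of the next section ("(which you have forwarded)--tls-sni-01-port 8123 tells certbot ... already in place.You can set an automation"); it should read as its own paragraph, for example: `--preferred-challenges tls-sni-01` selects a tls-sni challenge, so the Let's Encrypt CA will connect to port 443 externally (which you have forwarded), and `--tls-sni-01-port 8123` tells certbot to listen on port 8123 internally, matching the port forwarding rule already in place. "You can set an automation in Home Assistant..." then starts a new paragraph. The "if you are a TWO-RULE person" qualifier added to the configuration.yaml instruction has the same naming mismatch with "BOTH-RULE" noted above.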
@@ -448,6 +418,7 @@ Protocol - Both
service: shell_command.renew_ssl
If you are a ONE-RULE person, replace the certbot-auto
command above with ~/certbot/certbot-auto renew --quiet --no-self-upgrade --standalone --preferred-challenges tls-sni-01 --tls-sni-01-port 8123 --pre-hook "sudo systemctl stop home-assistant@homeassistant.service" --post-hook "sudo systemctl start home-assistant@homeassistant.service"
You can manually update the certificate when your certificate is less than 30 days to expiry.
To manually update:
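Review bot: the ONE-RULE replacement for the `shell_command.renew_ssl` entry has a logic problem: the command is launched by Home Assistant itself, so its `--pre-hook "sudo systemctl stop home-assistant@homeassistant.service"` stops the very service that spawned certbot. With systemd's default control-group kill mode that stop also terminates the certbot child process, so the renewal never completes and the `--post-hook` that would restart Home Assistant never runs, leaving the instance down. The Home Assistant automation route only works for the http-01 (port 80) command; for ONE-RULE readers the hooked tls-sni-01 command should be run from cron only, and this paragraph should say so instead of offering the substitution.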
@@ -470,6 +441,9 @@ Protocol - Both$ ./certbot-auto renew --quiet --no-self-upgrade --standalone --preferred-challenges http-01
certbot-auto
command above with ~/certbot/certbot-auto renew --quiet --no-self-upgrade --standalone --preferred-challenges tls-sni-01 --tls-sni-01-port 8123 --pre-hook "sudo systemctl stop home-assistant@homeassistant.service" --post-hook "sudo systemctl start home-assistant@homeassistant.service"
So, now were all set up. We have our secured, remotely accesible HA instance and we’re on track for keeping our certificates up to date. But what if something goes wrong? What if the automation didn’t fire? What if the cron job forgot to run? What if the dog ate my homework? Read on to set up an alert so you can be notified in plenty of time if you need to step in and sort out any failures.
We set up our automatic renewal of our certificates and whatever method we used the certificate should be renewed on or around 30 days before it expires. But what if a week later it still hasn’t been? This alert will go off if the expiry time on the certificate gets down to 21 days. This will give you 3 weeks to fix the problem, get your new certificate installed and get another 90 days of secure Home Assistant connections in play.
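Review bot: the manual-renewal paragraph repeats the full automation command, sudo hooks included, verbatim from the previous hunk; for an interactive session started with `su` as the hass user the stop/start hooks are unnecessary (the reader can stop and restart the service themselves), and if kept they require the same sudo rights for hass as the cron case, which the text should state rather than leave to a failed `sudo` prompt. Two typos in the closing context lines: "now were all set up" should be "now we're all set up", and "accesible" should be "accessible".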
diff --git a/sitemap.xml b/sitemap.xml index a6e27bdaec..93a62e9f3c 100644 --- a/sitemap.xml +++ b/sitemap.xml @@ -3685,62 +3685,62 @@