Add Let's Encrypt to Home Assistant with your own domain name

Robert Andresen | Home Assistant, Tutorials

$ sudo apt-get update
$ sudo apt-get install software-properties-common
$ sudo add-apt-repository universe
$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt-get update
$ sudo apt-get install certbot 

Source: https://certbot.eff.org/lets-encrypt/ubuntubionic-other

certbot -d subdomain.mydomain.no --manual --preferred-challenges dns certonly

Source: https://serverfault.com/questions/750902/how-to-use-lets-encrypt-dns-challenge-validation

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.subdomain.mydomain.no with the following value:

AloooongAutoGenerated-Token-123

Before continuing, verify the record is deployed.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

Before pressing enter, I added the TXT record in my DNS. After adding it, I waited a couple of minutes before pressing enter.
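
An added example (not from the original post or from Certbot) of the check Certbot asks for before you press Enter: it queries each authoritative nameserver of the zone for the _acme-challenge TXT record, since a record that has reached one server may not yet be on the others. It assumes dig is installed and that you pass the zone apex (here mydomain.no) as the second argument; the script name is hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): confirm the DNS-01 TXT record
# is served by every authoritative nameserver before pressing Enter.
# Usage: ./check-acme-txt.sh DOMAIN ZONE TOKEN   (script name is hypothetical)

DIG="${DIG:-dig}"   # resolver command; overridable, e.g. for offline testing

# Print the zone's authoritative nameservers, one per line, without trailing dot.
authoritative_ns() {
    "$DIG" +short NS "$1" | sed 's/\.$//'
}

# Print the TXT values that server $2 returns for name $1, quotes stripped.
txt_values() {
    "$DIG" +short TXT "$1" "@$2" | tr -d '"'
}

# Return 0 if every nameserver serves TOKEN, 1 if any does not,
# 2 if the nameservers could not be looked up.
challenge_deployed() {
    domain=$1 zone=$2 token=$3
    name="_acme-challenge.$domain"
    servers=$(authoritative_ns "$zone")
    if [ -z "$servers" ]; then
        echo "no NS records found for $zone" >&2
        return 2
    fi
    status=0
    for ns in $servers; do
        # -x: whole line must match, -F: treat the token as a literal string
        if txt_values "$name" "$ns" | grep -qxF -- "$token"; then
            echo "ok       $ns"
        else
            echo "missing  $ns"
            status=1
        fi
    done
    return "$status"
}

# Run only when called with arguments, so the file can also be sourced.
if [ "$#" -eq 3 ]; then
    challenge_deployed "$@"
    exit $?
fi
```

Run it with the domain, zone and token from the Certbot prompt, and press Enter in Certbot only once every nameserver is reported as ok.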

Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/subdomain.mydomain.no/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/subdomain.mydomain.no/privkey.pem
   Your cert will expire on 2019-09-09. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Add to Home Assistant

For now, I copied the certificates from /etc/letsencrypt/live/… to an SSL folder under my Home Assistant config.

http:
  base_url: !secret HTTP_BASE_URL
  ssl_certificate: /config/ssl/fullchain.pem
  ssl_key: /config/ssl/privkey.pem
  server_port: !secret HTTP_SERVER_PORT
  ip_ban_enabled: True
  cors_allowed_origins: !include http_cors_allowed_origins.yaml
  login_attempts_threshold: 10

Renew

It looks like the domain registrar has to support a script that updates the TXT record in order to renew a certificate. You can see different examples in the sources above.

I have asked my domain registrar if they support this. If not, I will maybe change provider. I’ll try to update this article when I have found a solution for this.