Let's Encrypt does not renew certificates automatically #3817

Open
jkufner opened this issue Oct 31, 2024 · 1 comment
jkufner commented Oct 31, 2024

Describe the issue you are experiencing

When the Let's Encrypt addon is not restarted for a few months, the certificates are not renewed, because they get renewed on addon startup only.

There are two ways to renew certificates:

  1. Schedule a job to trigger the renew once a day or so.
  2. Let the Let's Encrypt daemon sleep in the background and renew certificates when the time comes.

I guess we don't want things to eat up memory on our Raspberries, so triggering the renewal once a day is probably a good way.

The Let's Encrypt addon detects on startup whether one of the certificates needs renewal, so a restart is a cheap operation when nothing needs renewal, and we don't need to duplicate this logic. Moreover, when a renewal fails for some reason (e.g., a temporary network problem), we want an opportunity to try again soon. Therefore, running the renewal daily is a good default, as it provides several retries.

Currently, the addon does not renew certificates unless restarted, and it also does not expose the certificates or certificate updates as entities.

Workaround:

A simple workaround is to set up an automation to restart the Let's Encrypt addon once a day:

```yaml
alias: "Let's Encrypt: Certificate renewal"
description: ""
triggers:
  - trigger: time
    at: "04:00:00"
conditions: []
actions:
  - data:
      addon: core_letsencrypt
    action: hassio.addon_restart
    alias: Restart Let's encrypt addon
  - delay:
      hours: 0
      minutes: 10
      seconds: 0
      milliseconds: 0
  - data:
      addon: core_nginx_proxy
    action: hassio.addon_restart
    alias: Restart nginx addon
mode: single
```

This automation also restarts the nginx addon to make sure the new certificate is actually used.

Solution:

The Let's Encrypt addon should support renewal out of the box and have it enabled by default.

If it is not possible for an addon to schedule its own restart, or some task to be run when the addon is not running, then there should be a blueprint bundled with the addon (or HA) for the certificate renewal and for the restart of the affected services, and most importantly, the readme really should mention this caveat, so that the users won't forget to set it up.

What type of installation are you running?

Home Assistant OS

Which operating system are you running on?

Home Assistant Operating System

Which add-on are you reporting an issue with?

Let's Encrypt

What is the version of the add-on?

5.2.3

Steps to reproduce the issue

  1. Install & set up the Let's Encrypt addon.
  2. Do not restart the addon for a few months.
  3. The certificate expires.

System Health information

No repairs.

Anything in the Supervisor logs that might be useful for us?

No response

Anything in the add-on logs that might be useful for us?

No response

Additional information

No response
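The failure mode in this report (renewal never runs until someone notices the expired certificate) is easiest to catch with an independent expiry check that runs regardless of the addon. The script below is an added example, not code from the issue or the Let's Encrypt add-on; it assumes the certificate's PEM path is passed on the command line and that the `openssl` binary is installed, while the parsing and decision logic itself runs offline.

```python
"""Report how long a Let's Encrypt certificate has left, so a renewal that
silently never ran is noticed before expiry. Added example; not code from the
issue or the add-on. Assumes a PEM path on the command line and `openssl`."""
import ssl
import subprocess
import sys
import time

# Let's Encrypt certificates are valid for 90 days. Renewing with 30 days left
# leaves roughly 30 daily attempts before expiry if renewals keep failing.
RENEW_BEFORE_DAYS = 30

def cert_time_to_epoch(cert_time: str) -> float:
    """'Nov 30 04:00:00 2024 GMT' (the form openssl prints) -> epoch seconds."""
    return ssl.cert_time_to_seconds(cert_time)

def parse_not_after(enddate_line: str) -> float:
    """Parse one 'notAfter=...' line as printed by `openssl x509 -noout -enddate`."""
    key, sep, value = enddate_line.strip().partition("=")
    if not sep or key != "notAfter":
        raise ValueError(f"not an openssl -enddate line: {enddate_line!r}")
    return cert_time_to_epoch(value)

def days_remaining(not_after: float, now: float) -> float:
    return (not_after - now) / 86400.0

def classify(not_after: float, now: float, renew_before: float = RENEW_BEFORE_DAYS) -> str:
    """'expired' past notAfter, 'renew' inside the renewal window, else 'ok'."""
    left = days_remaining(not_after, now)
    if left <= 0:
        return "expired"
    return "renew" if left <= renew_before else "ok"

def read_not_after(pem_path: str) -> float:
    """Ask openssl for the certificate's notAfter (this part needs the binary)."""
    out = subprocess.run(["openssl", "x509", "-noout", "-enddate", "-in", pem_path],
                         check=True, capture_output=True, text=True).stdout
    return parse_not_after(out)

def main(argv: list) -> int:
    """Report every certificate given; the exit code is the worst state seen."""
    now, worst = time.time(), 0
    for path in argv[1:]:
        not_after = read_not_after(path)
        status = classify(not_after, now)
        print(f"{path}: {days_remaining(not_after, now):.1f} days left ({status})")
        worst = max(worst, {"ok": 0, "renew": 1, "expired": 2}[status])
    return worst

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A non-zero exit code (1 = inside the renewal window, 2 = already expired) makes the result easy to turn into an alert from whatever scheduler runs the check.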

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@github-actions github-actions bot added the stale label Nov 30, 2024