-
-
Save zollak/e9d3abd7bb33a3e4dc9d49e062861752 to your computer and use it in GitHub Desktop.
Homeassistant Blueprint for SSL-Certificate renewal
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| blueprint: | |
| name: Renew Let's Encrypt Certificate | |
| description: Renew Certificate when due date is below given value | |
| domain: automation | |
| input: | |
| cert_expiry_sensor: | |
| name: Certificate Expiry Sensor | |
| description: Sensor from the Certificate Expiry Integration (https://www.home-assistant.io/integrations/cert_expiry) | |
| selector: | |
| entity: | |
| integration: cert_expiry | |
| renew_date: | |
| name: Certificate renewal date | |
| description: Date when the SSL-Certificate will be renewed | |
| selector: | |
| number: | |
| min: 1 | |
| max: 60 | |
| mode: slider | |
| unit_of_measurement: "days" | |
| default: 30 | |
| time_to_check_cert: | |
| name: Certificate check time | |
| description: Time when the certificate date will be checked. | |
| selector: | |
| time: | |
| restart_after_renewal: | |
| name: Restart Home Assistant | |
| description: Restarts the Home Assistant when the certificate is renewed. (if enabled) | |
| selector: | |
| boolean: | |
| default: true | |
| minutes_till_restart: | |
| name: Minutes until restart | |
| description: Minutes until restart of Home Assistant if restart is enabled | |
| selector: | |
| number: | |
| min: 1 | |
| max: 60 | |
| mode: slider | |
| unit_of_measurement: "minutes" | |
| default: 1 | |
| send_notification: | |
| name: Send notification | |
| description: Sends a notification to a device if enabled | |
| selector: | |
| boolean: | |
| default: false | |
| notification_device: | |
| name: Device to notify | |
| description: Device which will be notified. | |
| selector: | |
| device: | |
| integration: mobile_app | |
| default: None | |
| notification_title: | |
| name: Notification title | |
| description: Notification title for notification that is sent when the certificate has been renewed. | |
| default: SSL certificate renewed | |
| notification_message: | |
| name: Notification message | |
| description: Notification that is sent when the certificate has been renewed. | |
| default: HA SSL certificate renewed | |
| alias: Renew SSL Cert | |
| description: 'Renew SSL Certificate: Turn on NAT rule on firewall, Start Lets Encrypt addon, Optional: send notification, Then turn off NAT rule on firewall, Finally Reboot HA' | |
| trigger: | |
| - platform: time | |
| at: !input time_to_check_cert | |
| condition: | |
| - condition: template | |
| value_template: '{{ expire_days_var < var_check }}' | |
| action: | |
| - service: switch.turn_on | |
| data: {} | |
| target: | |
| entity_id: switch.r0_lte_nat_r0_letsencrypt_for_ha | |
| - service: hassio.addon_start | |
| data: | |
| addon: core_letsencrypt | |
| - choose: | |
| - conditions: | |
| - condition: template | |
| value_template: '{{ send_notification_var }}' | |
| sequence: | |
| - device_id: !input notification_device | |
| domain: mobile_app | |
| type: notify | |
| title: '{{ message_title_var }}' | |
| message: '{{ message_var }}' | |
| default: [] | |
| - choose: | |
| - conditions: | |
| - condition: template | |
| value_template: '{{ restart_after_renewal_var }}' | |
| sequence: | |
| - delay: | |
| hours: 0 | |
| minutes: !input minutes_till_restart | |
| seconds: 0 | |
| milliseconds: 0 | |
| - service: switch.turn_off | |
| data: {} | |
| target: | |
| entity_id: switch.r0_lte_nat_r0_letsencrypt_for_ha | |
| - service: hassio.host_reboot | |
| default: [] | |
| mode: single | |
| variables: | |
| certificate_var: !input cert_expiry_sensor | |
| var_check: !input renew_date | |
| message_var: !input notification_message | |
| message_title_var: !input notification_title | |
| restart_after_renewal_var: !input restart_after_renewal | |
| send_notification_var: !input send_notification | |
| expire_days_var: >- | |
| {{ ((as_timestamp(states(certificate_var), 0) - as_timestamp(now())) / 60 / 60 / 24 ) | int }} |
Before starting the Let's Encrypt add-on, the switch switch.r0_lte_nat_r0_letsencrypt_for_ha is turn on the NAT rule of the firewall (port 80), and at the end it will turn off before reboot HA.
Changed default renew_date to 30, and widened the slider range. The Let's Encrypt Expiry Bot email suggests 30 days:
We recommend renewing certificates automatically when they have a third of their total lifetime left. For Let's Encrypt's current 90-day certificates, that means renewing 30 days before expiration. See https://letsencrypt.org/docs/integration-guide/ for details.
I have changed the sequence at the end. Waiting before restart must be before the firewall rule set back the original value. 2 sec is not enough to the certificate renewal. In the new settings 1 minute is the smallest value. You can modify the script setting seconds if you would fine tune it. I also set the default value for restart HA after renewal to 1 min.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
I corrected a typo in the input variable
minutes_till_restartto match the usage in the action sequence.