You are on a Stratch system, right?
In this case there is already a systemd timer in place that checks for required cert renewal two times a day.
for related log entries (it is very verbose).
Thanks for correcting my syntax above. Ah okay the fullchain is used by HA, some use this, some use cert only.
I will correct my commands above as well.
And jep I forgot the permissions that are required. But note that chmod -R 777 /etc/letsencrypt
from security point of view is veeeeery bad! Every user has full R/W access to your very private SSL key now, can manipulate or steal it, which renders the whole "you-are-really-you" check of SSL useless. And even worse, since browsers/clients still think that it's a secure connection, that gives wrong impression to everyone who users the web application, feeling secure but actually could have been easily tricked. Then better disable SSL, so every knows that it is not encrypted and no identity validation is done.
I know most likely it's only yourself using HA here, but I am a bid drastic above to make the point clear and prevent everyone from learning bad habits.
At least do the following:
Code: Select all
chmod -R root:root /etc/letsencrypt
chmod -R 750 /etc/letsencrypt
usermod -a -G root homeassistant
Re-assures that key+cert is only/fully owned by root.
Grant only read (and execute to read directory content) access to the root group.
Adds the homeassistant user to the root group to grant him cert+key read access.
However adding a user to the root group is as well not ideal. Better again is to create a new group for this, e.g. named ssl
and then add all users that require SSL read access to this new group instead.
The most secure way is to create a copy of the privkey+fullchain and chown homeassistant:homeassistant
those. But this practically a bid annoying, since you need to redo this after every certificate renewal. At best a systemd unit timer hook would do that.