jeans/home-assistant.io
jeans/home-assistant.io
1
0
Fork 0
mirror of https://github.com/home-assistant/home-assistant.io.git synced 2025-07-16 13:56:53 +00:00
Code Issues Packages Projects Releases Wiki Activity

Format and style, add to menu

Browse Source
This commit is contained in:
Fabian Affolter 2017-03-31 22:56:42 +02:00
parent 72d5b67b24
commit 4eb8f9a142
No known key found for this signature in database
GPG Key ID: DDF3D6F44AAB1336
2 changed files with 570 additions and 575 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

178
source/_docs/ecosystem/certificates/lets_encrypt.markdown
View File

@ -1,29 +1,28 @@
---
layout: page
title: "Remote Access with SSL via LetsEncrypt"
description: "A guide to remotely accessing HA and securing the connection with an SSL certificate from LetsEncrypt"
title: "Remote Access with TLS/SSL via Let's Encrypt"
description: "A guide to remotely accessing Home Assistant and securing the connection with an SSL certificate from Let's Encrypt"
date: 2017-03-16 17:00
sidebar: true
comments: false
sharing: true
footer: true
ha_category: Infrastructure
---
<p class='warning'>
Before exposing your HA instance to the outside world it is ESSENTIAL that you have set a password following the advice on the [http](https://home-assistant.io/docs/configuration/basic/) page.
Before exposing your Home Aassistant instance to the outside world it is ESSENTIAL that you have set a password following the advice on the [http](https://home-assistant.io/docs/configuration/basic/) page.
</p>
This guide was added by mf_social on 16/03/2017 and was valid at the time of writing. This guide makes the following assumptions:
* You can access your HA instance across your local network, and access the device that it is on via SSH from your local network.
* You can access your Home Assistant instance across your local network, and access the device that it is on via SSH from your local network.
* You know the internal IP address of your router and can access your router's configuration pages.
* You have already set up a password for your HA instance, following the advice on this page: [http](https://home-assistant.io/docs/configuration/basic/)
* You want to access your HA instance when you are away from home (ie, not connected to your local network) and secure it with an SSL certificate.
* You have already set up a password for your Home Assistant instance, following the advice on this page: [http](https://home-assistant.io/docs/configuration/basic/)
* You want to access your Home Assistant instance when you are away from home (ie, not connected to your local network) and secure it with an TLS/SSL certificate.
* You have a basic understanding of the phrases I have used so far.
* You are not currently running anything on port 80 on your network (you'd know if you were).
* If you are not using HA on a debian/raspian/hassbian system you will be able to convert any of the terminology I use in to the correct syntax for your system.
* If you are not using Home Assistant on a Debian/Raspian/Hassbian system you will be able to convert any of the terminology I use in to the correct syntax for your system.
* You understand that this is a 'guide' covering the general application of these things to the general masses and there are things outside of the scope of it, and it does not cover every eventuality (although I have made some notes where people may stumble). Also, I have used some turns of phrase to make it easier to understand for the novice reader which people of advanced knowledge may say is innacurate. My goal here is to get you through this guide with a satisfactory outcome and have a decent understanding of what you are doing and why, not to teach you advanced internet communication protocols.
* Each step presumes you have fully completed the previous step succesfully, so if you did an earlier step following a different guide, please ensure that you have not missed anything out that may affect the step you have jumped to, and ensure that you adapt any commands to take in to account different file placements from other guides.
@ -31,24 +30,24 @@ Steps we will take:
0 - Gain a basic level of understanding around IP addresses, port numbers and port forwarding
1 - Set your device to have a static IP address
2 - Set up port forwarding without SSL and test connection
2 - Set up port forwarding without TLS/SSL and test connection
3 - Set up a DuckDNS account
4 - Obtain an ssl certificate from LetsEncrypt
4 - Obtain a TLS/SSL certificate from Let's Encrypt
5 - Check the incoming conection
6 - Clean up port forwards
7 - Set up a sensor to monitor the expiry date of the certificate
8 - Set up an automatic renewal of the SSL certificate.
9 - Set up an alert to warn us if something went wrong.
8 - Set up an automatic renewal of the TLS/SSL certificate
9 - Set up an alert to warn us if something went wrong
#### {% linkable_title 0 - Gain a basic level of understanding around IP addresses, port numbers and port forwarding %}
### {% linkable_title 0 - Gain a basic level of understanding around IP addresses, port numbers and port forwarding %}
An IP address is a bit like a phone number. When you access your HA instance you type something similar to 192.168.0.200:8123 in to your address bar of your browser. The bit before the colon is the IP address (in this case 192.168.0.200) and the bit after is the port number (in this case 8123). When you SSH in to the device running HA you will use the same IP address, and you will use port 22. You may not be aware that you are using port 22, but if you are using Putty look in the box next to where you type the IP address, you will see that it has already selected port 22 for you.
An IP address is a bit like a phone number. When you access your Home Assistant instance you type something similar to 192.168.0.200:8123 in to your address bar of your browser. The bit before the colon is the IP address (in this case 192.168.0.200) and the bit after is the port number (in this case 8123). When you SSH in to the device running Home Assistant you will use the same IP address, and you will use port 22. You may not be aware that you are using port 22, but if you are using Putty look in the box next to where you type the IP address, you will see that it has already selected port 22 for you.
So, if an IP address is like a phone number, a port number is like an extension number. An analogy would be if you phone your local doctors on 192-1680-200 and the receptionist answers, you ask to speak to Dr Smith and she will put you through to extension 8123, which is the phone Dr Smith is sitting at. The doctors surgery is the device your HA is running on, Dr Smith is your HA. Thusly, your HA instance is 'waiting for your call' on port 8123, at the device IP 192.168.0.200 .
So, if an IP address is like a phone number, a port number is like an extension number. An analogy would be if you phone your local doctors on 192-1680-200 and the receptionist answers, you ask to speak to Dr. Smith and she will put you through to extension 8123, which is the phone Dr. Smith is sitting at. The doctors surgery is the device your Home Assistant is running on, Dr. Smith is your Home Assistant. Thusly, your Home Assistant instance is 'waiting for your call' on port 8123, at the device IP 192.168.0.200 .
Now, to speak to the outside world your connection goes through a router. Your router will have two IP addresses. One is the internal network number, most likely 192.168.0.1 in my example, and an external IP address that incoming traffic is sent to. In the example of calling the doctors, the external IP is your telephone number's area code.
So, when we want to connect to our HA instance from outside our network we will need to call the correct extension number, at the correct phone number, in the correct area code.
So, when we want to connect to our Home Assistant instance from outside our network we will need to call the correct extension number, at the correct phone number, in the correct area code.
We will be looking for a system to run like this (in this example I will pretend our exernal IP is 12.12.12.12):
@ -62,7 +61,7 @@ Sounds simple? It really is except for two small, but easy to overcome, complic
To get around the issue of changing IP addresses we must remember that there are two IP addresses affected. Your external one (which we will 'call' to get on to your network from the internet) and your internal one (192.168.0.200 in the example I am currently using).
So, we can use a static IP to ensure that whenever our device running HA connects to our router it always uses the same address. This way our internal IP never changes. This is covered in step 1 below.
So, we can use a static IP to ensure that whenever our device running Home Assistant connects to our router it always uses the same address. This way our internal IP never changes. This is covered in step 1 below.
We then have no control over our external IP, as our Service Provider will give us a new one at random intervals. To fix this we will use a service called DuckDNS which will give us a name for our connection (something like examplehome.duckdns.org) and behind the scenes will continue to update your external IP. So no matter how many times the IP address changes, typing examplehome.duckdns.org in to our browser will convert to the correct, up-to-date, IP address. This is covered in step 3 below.
@ -73,11 +72,11 @@ Outside world -> https://examplehome.duckdns.org -> 12.12.12.12:443 -> your rout
```
So, let's make it happen...
#### {% linkable_title 1 - set your device to have a static IP address %}
### {% linkable_title 1 - Set your device to have a static IP address %}
Whenever a device is connected to a network it has an IP address. This IP address is often dynamically assigned to the device on connection. This means there are occasions where the IP address you use to access HA, or SSH in to the device running HA, may change. Setting a static IP address means that the device will always be on the same address.
Whenever a device is connected to a network it has an IP address. This IP address is often dynamically assigned to the device on connection. This means there are occasions where the IP address you use to access Home Assistant, or SSH in to the device running Home Assistant, may change. Setting a static IP address means that the device will always be on the same address.
SSH in to your system running HA and login.
SSH in to your system running Home Assistant and login.
Type the following command to list your network interfaces:
@ -85,11 +84,11 @@ Type the following command to list your network interfaces:
$ ifconfig
```
You will receive an ouput similar to the image here...
You will receive an ouput similar to the image below:
![alt tag](https://github.com/home-assistant/home-assistant.github.io/tree/current/source/images/screenshots/ip-set.jpg)
Make a note of the interface name and the IP address you are currently on. (In the picture it is the wireless connection that is highlighted, but with your setup it may be the wired one (eth0 or similar), make sure you get the correct information.
Make a note of the interface name and the IP address you are currently on. In the picture it is the wireless connection that is highlighted, but with your setup it may be the wired one (eth0 or similar), make sure you get the correct information.
Then type the following command to open the text file that controls your network connection:
@ -119,9 +118,9 @@ No
HA IP: 192.175.96.200
```
Press Ctrl + x to close the editor, pressing Y to save the changes when prompted
Press Ctrl + x to close the editor, pressing Y to save the changes when prompted.
Reboot your pi:
Reboot your Pi:
```bash
$ sudo reboot
@ -129,17 +128,15 @@ $ sudo reboot
When it comes back up check that you can SSH in to it again on the IP address you wrote down.
Make sure HA is running and access it via the local network by typing the IP address and port number in to the browser:
Make sure Home Assisstant is running and access it via the local network by typing the IP address and port number in to the browser:
```text
http://192.168.0.200:8123.
```
All working? Hooray! You now have a static IP. This will now always be your internal IP address for your HA device. This will be known as YOUR-HA-IP for the rest of this guide.
All working? Hooray! You now have a static IP. This will now always be your internal IP address for your Home Assistant device. This will be known as YOUR-HA-IP for the rest of this guide.
#### {% linkable_title 2 - set up port forwarding without SSL and test connection %}
### {% linkable_title 2 - Set up port forwarding without SSL and test connection %}
Log in to your router's configuration pages and find the port forwarding options. This bit is hard to write a guide for because each router has a different way of presenting these options. Searching google for "port forwarding" and the name of your router may help. When you find it you will likely have options similar to:
@ -173,31 +170,31 @@ Type the external IP address in to the url bar with http:// in front and :8123 a
http://12.12.12.12:8123
```
Can you see your HA instance? Awesome! If not, your router may not support ' loopback' - try the next step anyway and if that works, and this one still doesn't, just remember that you cannot use loopback, so will have to use internal addresses when you're on your home network. More on this later on if it's relevant to you.
Can you see your Home Assisstant instance? If not, your router may not support 'loopback' - try the next step anyway and if that works, and this one still doesn't, just remember that you cannot use loopback, so will have to use internal addresses when you're on your home network. More on this later on if it's relevant to you.
Just to verify this isn't some kind of witchcraft that is actually using your internal network, pick up your phone, disconnect it from your wifi so that you are on your mobile data and not connected to the home network, put the same url in the browser on your phone.
Just to verify this isn't some kind of witchcraft that is actually using your internal network, pick up your phone, disconnect it from your wifi so that you are on your mobile data and not connected to the home network, put the same URL in the browser on your phone.
Can you see it now, from a device that is definitely not connected to your local network? Excellent! You now have a remotely accesible HA instance.
Can you see it now, from a device that is definitely not connected to your local network? Excellent! You now have a remotely accesible Home Assistant instance.
But what if your external IP changes? Plus, remembering all those numbers is pretty hard, isn't it? Read on to get yourself set up with a word-based URL at DuckDNS that will track any changes to your IP address so you don't have to stress anymore...
But what if your external IP changes? Plus, remembering all those numbers is pretty hard, isn't it? Read on to get yourself set up with a word-based URL at DuckDNS that will track any changes to your IP address so you don't have to stress anymore.
#### {% linkable_title 3 - Set up a DuckDNS account %}
### {% linkable_title 3 - Set up a DuckDNS account %}
Open your browser and go to duckdns.org.
Open your browser and go to https://duckdns.org.
Sign in and create an account using one of the id validation options in the top right corner.
In the domains section pick a name for your subdomain, this can be anything you like, and click add domain.
The URL you will be using later to access your HA instance from outside will be the subdomain you picked, followed by duckdns.org . For our example we will say our URL is examplehome.duckdns.org
The URL you will be using later to access your Home Assistant instance from outside will be the subdomain you picked, followed by duckdns.org . For our example we will say our URL is examplehome.duckdns.org
On the top left of duckdns.org select the install option. Then pick your operating system from the list. In our example we will use a raspberry pi. In the dropdown box select the url you just created.
On the top left of duckdns.org select the install option. Then pick your operating system from the list. In our example we will use a Raspberry Pi. In the dropdown box select the url you just created.
Duckdns.org will now generate personalised instructions for you to follow so that your device can update their website every time your IP address changes. Carefully follow the instructions given on duckdns.org to set up your device.
At the end of the instructions DuckDNS will suggest you set up port forwarding. No need, we have already done this in step 2.
What you have now done is set up DuckDNS so that whenever you type examplehome.duckdns.org in to your browser it will convert that to your router's external IP address. Your external IP address will always be up to date because your device running HA will update DuckDNS every time it changes.
What you have now done is set up DuckDNS so that whenever you type examplehome.duckdns.org in to your browser it will convert that to your router's external IP address. Your external IP address will always be up to date because your device running Home Assistant will update DuckDNS every time it changes.
Now type your new URL in to your address bar on your browser with port 8123 on the end:
@ -207,16 +204,16 @@ http://examplehome.duckdns.org:8123
What now happens behind the scenes is this:
- DuckDNS receives the request and forwards the request to your router's external IP address (which has been kept up to date by your device running HA)
- DuckDNS receives the request and forwards the request to your router's external IP address (which has been kept up to date by your device running Home Assisstant)
- Your router receives the request on port 8123 and checks the port forwarding rules
- It finds the rule you created in step 2 and forwards the request to your HA instance
- Your browser displays your HA instance frontend.
- Your browser displays your Home Assisstant instance frontend.
Did it work? Super!
You now have a remotely accesible HA instance that has a text-based URL and will not drop out if your service provider changes your IP. But, it is only as secure as the password you set, which can be snooped during your session by a malicious hacker with relative ease. So we need to set up some encryption with SSL, read on to find out how.
You now have a remotely accesible Home Assistant instance that has a text-based URL and will not drop out if your service provider changes your IP. But, it is only as secure as the password you set, which can be snooped during your session by a malicious hacker with relative ease. So we need to set up some encryption with SSL, read on to find out how.
#### {% linkable_title 4 - Obtain an ssl certificate from LetsEncrypt %}
### {% linkable_title 4 - Obtain an TLS/SSL certificate from Let's Encrypt %}
First we need to set up another port forward like we did in step 2. Set your new rule to:
@ -231,14 +228,13 @@ Protocol - Both
Remember to save the new rule.
<p class='note'>
In cases where your ISP blocks port 80 you will need to change the port forward options to forward port 443 from outside to port 443 on your HA device. Please note that this will limit your options for automatically renewing the certificate, but this is a limitation because of your ISP setup and there is not a lot we can do about it!
In cases where your ISP blocks port 80 you will need to change the port forward options to forward port 443 from outside to port 443 on your Home Assistant device. Please note that this will limit your options for automatically renewing the certificate, but this is a limitation because of your ISP setup and there is not a lot we can do about it!
</p>
now SSH in to the device your HA is running on.
now SSH in to the device your Home Assistant is running on.
<p class='note'>
If you're running the 'standard' setup on a raspberry pi the chances are you just logged in as the 'pi' user. If not, you may have logged in as the HA user. There are commands below that require the HA user to be on the sudoers list. If you are not using the 'standard' pi setup it is presumed you will know how to get your HA user on the sudoers list before continuing. If you are running the 'standard' pi setup, from your 'pi' user issue the following command (where <hass> is the HA user):
If you're running the 'standard' setup on a Raspberry Pi the chances are you just logged in as the 'pi' user. If not, you may have logged in as the Home Assistant user. There are commands below that require the Home Assistant user to be on the `sudoers` list. If you are not using the 'standard' pi setup it is presumed you will know how to get your Home Assistant user on the `sudoers` list before continuing. If you are running the 'standard' pi setup, from your 'pi' user issue the following command (where <hass> is the Home Assistant user):
```bash
$ sudo adduser <hass> sudo
@ -246,7 +242,7 @@ $ sudo adduser <hass> sudo
</p>
If you did not already log in as the user that currently runs HA, change to that user (usually hass or homeassistant - you may have used a command similar to this in the past):
If you did not already log in as the user that currently runs Home Assistant, change to that user (usually `hass` or `homeassistant` - you may have used a command similar to this in the past):
```bash
$ su -s /bin/bash hass
@ -267,7 +263,7 @@ $ wget https://dl.eff.org/certbot-auto
$ chmod a+x certbot-auto
```
Now we will run the certbot program to get our ssl certificate. You will need to include your email address and your duckDNS url in the appropriate places:
Now we will run the certbot program to get our ssl certificate. You will need to include your email address and your DuckDNS url in the appropriate places:
```text
$ ./certbot-auto certonly --standalone --preferred-challenges http-01 --email your@email.address -d examplehome.duckdns.org
@ -283,19 +279,19 @@ $ ls /etc/letsencrypt/live/
This should show a folder named exactly after your DuckDNS url.
Our HA user needs access to files within the letsencrypt folder, so issue the following commands to change the permissions.
Our Home Assistant user needs access to files within the letsencrypt folder, so issue the following commands to change the permissions.
```bash
$ sudo chmod 755 /etc/letsencrypt/live/
$ sudo chmod 755 /etc/letsencrypt/archive/
```
Did all of that go without a hitch? Wahoo! Your LetsEncrypt certificate is now ready to be used with home assistant. Move to step 5 to put it all together...
Did all of that go without a hitch? Wahoo! Your Let's Encrypt certificate is now ready to be used with Home Assistant. Move to step 5 to put it all together
#### {% linkable_title 5 - check the incoming conection %}
### {% linkable_title 5 - Check the incoming conection %}
<p class='note'>
Following on from Step 4 your SSH will still be in the certbot folder. If you edit your configuration files over SSH you will need to change to your homeassistant folder:
Following on from Step 4 your SSH will still be in the certbot folder. If you edit your configuration files over SSH you will need to change to your `homeassistant` folder:
```bash
$ cd ~/.homeassistant
@ -318,7 +314,7 @@ Protocol - Both
Remember to save the rule changes.
Now edit your configuration.yaml file to reflect the SSL entries and your base URL (changing the examplehome subdomain to yours):
Now edit your configuration.yaml file to reflect the SSL entries and your base URL (changing the `examplehome` subdomain to yours):
```yaml
http:
@ -328,53 +324,53 @@ http:
base_url: examplehome.duckdns.org
```
You may wish to set up other options for the http component at this point, these extra options are beyond the scope of this guide but can be found on the http component page here: [http](https://home-assistant.io/components/http/)
You may wish to set up other options for the [http](https://home-assistant.io/components/http/) component at this point, these extra options are beyond the scope of this guide.
Save the changes to configuration.yaml. Restart HA.
Save the changes to configuration.yaml. Restart Home Assistant.
In step 3 we accessed our HA from the outside world with our DuckDNS URL and our port number. We are going to use a slightly different URL this time.
In step 3 we accessed our Home Assistant from the outside world with our DuckDNS URL and our port number. We are going to use a slightly different URL this time.
```text
https://examplehome.duckdns.org
```
Note the S after http, and that no port number is added. This is because https will use port 443 automatically, and we have already set up our port forward to redirect this request to our HA instance on port 8123.
Note the S after http, and that no port number is added. This is because https will use port 443 automatically, and we have already set up our port forward to redirect this request to our Home Assistant instance on port 8123.
You should now be able to see your HA instance via your DuckDNS URL, and importantly note that your browser shows the connection as secure.
You should now be able to see your Home Assistant instance via your DuckDNS URL, and importantly note that your browser shows the connection as secure.
You will now NO LONGER be able to access your HA via your old internal IP address in the way you previously have. Your default way to access your HA instance, even from inside your house, is to use your DuckDNS URL.
You will now NO LONGER be able to access your Home Assistant via your old internal IP address in the way you previously have. Your default way to access your Home Assistant instance, even from inside your house, is to use your DuckDNS URL.
In cases where you need to access via the local network only (which should be few and far between) you can access it with the following URL (note the added S after http):
In cases where you need to access via the local network only (which should be few and far between) you can access it with the following URL (note the added **S** after http):
```text
https://YOUR-HA-IP:8123
```
...and accepting the browsers warning that you are connecting to an insecure site. This warning occurs because your certificate expects your incoming connection to come via your DuckDNS URL. It does not mean that your device has suddenly become insecure.
and accepting the browsers warning that you are connecting to an insecure site. This warning occurs because your certificate expects your incoming connection to come via your DuckDNS URL. It does not mean that your device has suddenly become insecure.
Some cases such as this are where your router does not allow 'loopback' or where there is a problem with incoming connections due to technical failure. In these cases you can still use your internal connection and ignore the warnings.
If you were previously using a webapp on your phone/tablet to access your HA you should delete the old one and create a new one with the new address. The old one will no longer work as it is not keyed to your new, secure URL. Instructions for creating your new webapp can be found here:
If you were previously using a webapp on your phone/tablet to access your Home Assistant you should delete the old one and create a new one with the new address. The old one will no longer work as it is not keyed to your new, secure URL. Instructions for creating your new webapp can be found here:
```text
https://home-assistant.io/docs/frontend/mobile/
```
All done? Accessing your HA from across the world with your DuckDNS URL and a lovely secure logo on your browser? Ace! Now lets clean up our port forwards so that we are only exposing the parts of our network that are absolutely neccesary to the outside world....
All done? Accessing your Home Assistant from across the world with your DuckDNS URL and a lovely secure logo on your browser? Ace! Now let's clean up our port forwards so that we are only exposing the parts of our network that are absolutely neccesary to the outside world.
#### {% linkable_title 6 - Clean up port forwards %}
### {% linkable_title 6 - Clean up port forwards %}
In step 2 we created a port forwarding rule called ha_test. This opens port 8123 to the world, and is no longer neccessary.
In step 2 we created a port forwarding rule called `ha_test`. This opens port 8123 to the world, and is no longer neccessary.
Go to your router's configuration pages and delete the ha_test rule.
Go to your router's configuration pages and delete the `ha_test` rule.
You should now have two rules in relation to HA for your port forwards, named:
You should now have two rules in relation to Home Assistant for your port forwards, named:
```text
ha_ssl and ha_letsencrypt
```
If you have any more for HA you should delete them now. If you only have ha_ssl this is probably because during step 4 you had to use port 443 instead of port 80, so we deleted the rule during step 5.
If you have any more for Home Assistant you should delete them now. If you only have `ha_ssl` this is probably because during step 4 you had to use port 443 instead of port 80, so we deleted the rule during step 5.
You are now part of one of two groups:
@ -383,13 +379,13 @@ You are now part of one of two groups:
Please remember whether you are a ONE-RULE person or a BOTH-RULE person for step 8!
LetsEncrypt certificates only last for 90 days. When they have less than 30 days left they can be renewed. Renewal is a simple process.
Let's Encrypt certificates only last for 90 days. When they have less than 30 days left they can be renewed. Renewal is a simple process.
Move on to step 7 to see how to monitor your certificates expiry date, and be ready to renew your certificate when the time comes...
Move on to step 7 to see how to monitor your certificates expiry date, and be ready to renew your certificate when the time comes.
#### {% linkable_title 7 - Set up a sensor to monitor the expiry date of the certificate %}
Setting a sensor to read the number of days left on your SSL certificate before it expires is not required, but it has the following advantages:
Setting a sensor to read the number of days left on your TLS/SSL certificate before it expires is not required, but it has the following advantages:
* You can physically see how long you have left, pleasing your inner control freak
* You can set automations based on the number of days left
@ -398,7 +394,7 @@ Setting a sensor to read the number of days left on your SSL certificate before
If you do not wish to set up a sensor you can skip straight to step 8 to learn how to update your certificates.
The sensor will rely on a command line program that needs to be installed on your device running HA. SSH in to the device and run the following commands:
The sensor will rely on a command line program that needs to be installed on your device running Home Assistant. SSH in to the device and run the following commands:
```bash
$ sudo apt-get update
@ -409,7 +405,7 @@ $ sudo apt-get install ssl-cert-check
In cases where, for whatever reason, apt-get installing is not appropriate for your installation you can fetch the ssl-cert-check script from `http://prefetch.net/code/ssl-cert-check` bearing in mind that you will have to modify the command in the sensor code below to run the script from wherever you put it, modify permission if neccessary and so on.
</p>
To set up a senor add the following to your configuration.yaml (remembering to correct the URL for your DuckDNS):
To set up a senor add the following to your `configuration.yaml` (remembering to correct the URL for your DuckDNS):
```yaml
sensor:
@ -420,13 +416,13 @@ sensor:
command: "ssl-cert-check -b -c /etc/letsencrypt/live/examplehome.duckdns.org/cert.pem | awk '{ print $NF }'"
```
Save the configuration.yaml. Restart HA.
Save the configuration.yaml. Restart Home Assistant.
On your default_view you should now see a sensor badge containing your number of days until expiry. If you've been following this guide from the start and have not taken any breaks in between, this should be 89 or 90. The sensor will update every 3 hours. You can place this reading on a card using groups, or hide it using customize. These topics are outside of the scope of this guide, but information can be found on their respective components pages: [Group](https://home-assistant.io/components/group/) and [Customize](https://home-assistant.io/docs/configuration/customizing-devices/)
On your default_view you should now see a sensor badge containing your number of days until expiry. If you've been following this guide from the start and have not taken any breaks in between, this should be 89 or 90. The sensor will update every 3 hours. You can place this reading on a card using groups, or hide it using customize. These topics are outside of the scope of this guide, but information can be found on their respective components pages: [Group](/components/group/) and [Customize](/docs/configuration/customizing-devices/)
Got your sensor up and running and where you want it? Top drawer! Nearly there, now move on to the final steps to ensure that you're never without a secure connection in the future.
#### {% linkable_title 8 - Set up an automatic renewal of the SSL certificate. %}
### {% linkable_title 8 - Set up an automatic renewal of the TLS/SSL certificate. %}
The certbot program we downloaded in step 4 contains a script that will renew your certificate. The script will only obtain a new certificate if the current one has less than 30 days left on it, so running the script more often than is actually needed will not cause any harm.
@ -476,17 +472,15 @@ Protocol - Both
* Save the rule
If you are a BOTH-RULE person, you have a number of options at this point.
#######Option 1:
Your certificate can be renewed as a 'cron job' - cron jobs are background tasks run by the computer at specified intervals (and are totally independant of HA). Defining cron is outside of the scope of this guide but you will have had dealings with crontab when setting up DuckDNS in step 3
#### Option 1:
Your certificate can be renewed as a 'cron job' - cron jobs are background tasks run by the computer at specified intervals (and are totally independant of Home Assistant). Defining cron is outside of the scope of this guide but you will have had dealings with `crontab` when setting up DuckDNS in step 3
To set a cron job to run the script at regular intervals:
* SSH in to your device running HA.
* Change to your HA user (command similar to_:
* SSH in to your device running Home Assistant.
* Change to your Home Assistant user (command similar to):
```bash
$ su - s /bin/bash hass
@ -506,8 +500,8 @@ $ crontab -e
* Save the file and exit
#######Option 2:
You can set an automation in HA to run the certbot renewal script.
#### Option 2:
You can set an automation in Home Assistant to run the certbot renewal script.
Add the following sections to your configuration.yaml
@ -525,13 +519,13 @@ automation
service: shell_command.renew_ssl
```
#######Option 3:
#### Option 3:
You can manually update the certificate when your certificate is less than 30 days to expiry.
To manually update:
* SSH in to your device running HA.
* Change to your HA user (command similar to_:
* SSH in to your device running Home Assistant.
* Change to your Home Assistant user (command similar to):
```bash
$ su - s /bin/bash hass
@ -549,13 +543,13 @@ $ cd ~/certbot/
$ ./certbot-auto renew --quiet --no-self-upgrade --standalone --preferred-challenges http-01
```
So, now were all set up. We have our secured, remotely accesible HA instance and we're on track for keeping our certificates up to date. But what if something goes wrong? What if the automation didn't fire? What if the cron job forgot to run? What if the dog ate my homework? Read on to set up an alert so you can be notified in plenty of time if you need to step in and sort out any failures...
So, now were all set up. We have our secured, remotely accesible HA instance and we're on track for keeping our certificates up to date. But what if something goes wrong? What if the automation didn't fire? What if the cron job forgot to run? What if the dog ate my homework? Read on to set up an alert so you can be notified in plenty of time if you need to step in and sort out any failures.
#### {% linkable_title 9 - Set up an alert to warn us if something went wrong. %}
### {% linkable_title 9 - Set up an alert to warn us if something went wrong. %}
We set up our automatic renewal of our certificates and whatever method we used the certificate should be renewed on or around 30 days before it expires. But what if a week later it still hasn't been? This alert will go off if the expiry time on the certificate gets down to 21 days. This will give you 3 weeks to fix the problem, get your new certificate installed and get another 90 days of secure HA connections in play.
We set up our automatic renewal of our certificates and whatever method we used the certificate should be renewed on or around 30 days before it expires. But what if a week later it still hasn't been? This alert will go off if the expiry time on the certificate gets down to 21 days. This will give you 3 weeks to fix the problem, get your new certificate installed and get another 90 days of secure Home Assistant connections in play.
In your configuration.yaml add the following automation, adding your preferred notification platform where appropriate:
In your `configuration.yaml` add the following automation, adding your preferred notification platform where appropriate:
```yaml
automation:
@ -572,4 +566,4 @@ automation:
If you receive this warning notification, follow the steps for a manual update from step 8. Any error messages received at that point can be googled and resolved. If the manual update goes without a hitch there may be something wrong with your chosen method for automatic updates, and you can start troubleshooting from there.
So, that's it. We've taken a HA instance that was only reachable on the local network, made it accessible from the internet, secured it, and set up a system to ensure that it always stays secure. Well done, go and treat yourself to a cookie!
So, that's it. We've taken a Home Assistant instance that was only reachable on the local network, made it accessible from the internet, secured it, and set up a system to ensure that it always stays secure. Well done, go and treat yourself to a cookie!

1
source/_includes/asides/docs_navigation.html
View File

@ -190,6 +190,7 @@
<ul>
<li>{% active_link /docs/ecosystem/certificates/tls_self_signed_certificate/ Self-signed certificate %}</li>
<li>{% active_link /docs/ecosystem/certificates/tls_domain_certificate/ Certificate domain owners %}</li>
<li>{% active_link /docs/ecosystem/certificates/lets_encrypt/ Let's Encrypt (detailed) %}</li>
</ul>
</li>
<li>{% active_link /docs/ecosystem/scenegen/ scenegen %}</li>