When the Let's Encrypt addon is not restarted for a few months, then the certificates are not renewed, because they get renewed on the addon start up only.
There are two ways to renew certificates:
1. Schedule a job to trigger the renew once a day or so.
2. Let the Let's Encrypt daemon sleep in the background and renew certificates when the time comes.
I guess we don't want things to eat up memory on our Raspberries, so triggering the renewal once a day is probably a good way.
The Let's Encrypt addon detects on startup whether one of the certificates needs renewal, so restart is a cheap operation when nothing needs renewal, and we don't need to duplicate this logic. Moreover, when a renewal fails for some reason (e.g., temporary network problem), we want an opportunity to try again soon. Therefore, running the renew daily is a good default as it provides several retries.
Currently, the addon does not renew certificates unless restarted, and it also does not expose the certificates or certificate updates as entities.
Workaround:
A simple workaround is to set up an automation to restart the Let's Encrypt addon once a day:
This automation also restarts the nginx addon to make sure the new certificate is actually used.
Solution:
The Let's Encrypt addon should support renewal out of the box, enabled by default.
If it is not possible for an addon to schedule its own restart, or some task to be run when the addon is not running, then there should be a blueprint bundled with the addon (or HA) for the certificate renewal and for the restart of the affected services, and most importantly, the readme really should mention this caveat, so that the users won't forget to set it up.
What type of installation are you running?
Home Assistant OS
Which operating system are you running on?
Home Assistant Operating System
Which add-on are you reporting an issue with?
Let's Encrypt
What is the version of the add-on?
5.2.3
Steps to reproduce the issue
1. Install & set up the Let's Encrypt addon.
2. Do not restart the addon for a few months.
3. The certificate expires.
System Health information
No repairs.
Anything in the Supervisor logs that might be useful for us?
No response
Anything in the add-on logs that might be useful for us?
No response
Additional information
No response
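The daily-restart workaround described in this issue could look like the following Home Assistant automation. This is an added example, not the reporter's original automation and not code from the add-on project. The add-on slugs `core_letsencrypt` and `core_nginx_proxy`, the 03:30 trigger time and the five-minute delay are assumptions; check the slugs on each add-on's info page and adjust the delay to how long a renewal takes on your hardware.

```yaml
# Added example: restart the Let's Encrypt add-on once a day so its
# startup check can renew any certificate that is due, then restart the
# nginx add-on so it serves the renewed certificate.
automation:
  - alias: "Daily Let's Encrypt renewal check"
    mode: single
    trigger:
      - platform: time
        at: "03:30:00"            # assumed quiet hour; pick your own
    action:
      # The add-on only checks for renewal when it starts, so a restart
      # is what triggers the check. When nothing is due, it exits early.
      - service: hassio.addon_restart
        data:
          addon: core_letsencrypt   # assumed slug of the Let's Encrypt add-on
      # Give the renewal time to finish before the proxy is restarted
      # (assumed value; restarting too early would keep the old certificate).
      - delay: "00:05:00"
      - service: hassio.addon_restart
        data:
          addon: core_nginx_proxy   # assumed slug of the nginx add-on
```

Because the job runs every day, a renewal that fails once (for example during a network outage) is retried on the next run, well before the certificate expires.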