
Let's Encrypt add-on terminates process and will not auto renew unless add-on manually re-started

Open Richard-West opened this issue 3 years ago • 8 comments

Describe the issue you are experiencing

I have version 4.12.0 of the Let's Encrypt add-on installed. This is set to "start on boot". Looking at the log files I can see that the add-on starts, checks the current cert files (renews if necessary), then the process is terminated. The result is that I need to manually start the add-on again when I'm within 30 days of my certificate expiring.

I would expect the add-on to remain running and periodically check the certs and renew if necessary. Is there something I have configured incorrectly? Or is this by design, or a bug?

What type of installation are you running?

Home Assistant OS

Which operating system are you running on?

Home Assistant Operating System

Which add-on are you reporting an issue with?

Let's Encrypt

What is the version of the add-on?

4.12.0

Steps to reproduce the issue

  1. Start the add-on
  2. View the logs
  3. See that the final log message contains "sending all processes the KILL signal and exiting." Log.txt

Anything in the Supervisor logs that might be useful for us?

22-03-29 08:19:05 INFO (MainThread) [supervisor.homeassistant.api] Updated Home Assistant API token
22-03-29 08:42:34 INFO (MainThread) [supervisor.resolution.check] Starting system checks with state CoreState.RUNNING
22-03-29 08:42:34 INFO (MainThread) [supervisor.resolution.checks.base] Run check for IssueType.TRUST/ContextType.PLUGIN
22-03-29 08:42:34 INFO (MainThread) [supervisor.resolution.checks.base] Run check for IssueType.SECURITY/ContextType.CORE
22-03-29 08:42:34 INFO (MainThread) [supervisor.resolution.checks.base] Run check for IssueType.FREE_SPACE/ContextType.SYSTEM
22-03-29 08:42:34 INFO (MainThread) [supervisor.resolution.checks.base] Run check for IssueType.TRUST/ContextType.CORE
22-03-29 08:42:34 INFO (MainThread) [supervisor.resolution.checks.base] Run check for IssueType.PWNED/ContextType.ADDON
22-03-29 08:42:34 INFO (MainThread) [supervisor.resolution.checks.base] Run check for IssueType.TRUST/ContextType.SUPERVISOR
22-03-29 08:42:34 INFO (MainThread) [supervisor.resolution.check] System checks complete
22-03-29 08:42:34 INFO (MainThread) [supervisor.resolution.evaluate] Starting system evaluation with state CoreState.RUNNING
22-03-29 08:42:35 INFO (MainThread) [supervisor.resolution.evaluate] System evaluation complete
22-03-29 08:42:35 INFO (MainThread) [supervisor.resolution.fixup] Starting system autofix at state CoreState.RUNNING
22-03-29 08:42:35 INFO (MainThread) [supervisor.resolution.fixup] System autofix complete
22-03-29 08:44:45 INFO (MainThread) [supervisor.store.git] Update add-on https://github.com/home-assistant/addons repository
22-03-29 08:44:45 INFO (MainThread) [supervisor.store] Loading add-ons from store: 23 all - 0 new - 0 remove
22-03-29 08:44:45 INFO (MainThread) [supervisor.store] Loading add-ons from store: 23 all - 0 new - 0 remove
22-03-29 08:49:05 INFO (MainThread) [supervisor.homeassistant.api] Updated Home Assistant API token
22-03-29 09:19:05 INFO (MainThread) [supervisor.homeassistant.api] Updated Home Assistant API token
22-03-29 09:42:35 INFO (MainThread) [supervisor.resolution.check] Starting system checks with state CoreState.RUNNING
22-03-29 09:42:35 INFO (MainThread) [supervisor.resolution.checks.base] Run check for IssueType.TRUST/ContextType.PLUGIN
22-03-29 09:42:35 INFO (MainThread) [supervisor.resolution.checks.base] Run check for IssueType.SECURITY/ContextType.CORE
22-03-29 09:42:35 INFO (MainThread) [supervisor.resolution.checks.base] Run check for IssueType.FREE_SPACE/ContextType.SYSTEM
22-03-29 09:42:35 INFO (MainThread) [supervisor.resolution.checks.base] Run check for IssueType.TRUST/ContextType.CORE
22-03-29 09:42:35 INFO (MainThread) [supervisor.resolution.checks.base] Run check for IssueType.PWNED/ContextType.ADDON
22-03-29 09:42:35 INFO (MainThread) [supervisor.resolution.checks.base] Run check for IssueType.TRUST/ContextType.SUPERVISOR
22-03-29 09:42:35 INFO (MainThread) [supervisor.resolution.check] System checks complete
22-03-29 09:42:35 INFO (MainThread) [supervisor.resolution.evaluate] Starting system evaluation with state CoreState.RUNNING
22-03-29 09:42:35 INFO (MainThread) [supervisor.resolution.evaluate] System evaluation complete
22-03-29 09:42:35 INFO (MainThread) [supervisor.resolution.fixup] Starting system autofix at state CoreState.RUNNING
22-03-29 09:42:35 INFO (MainThread) [supervisor.resolution.fixup] System autofix complete
22-03-29 09:43:55 INFO (MainThread) [supervisor.updater] Fetching update data from https://version.home-assistant.io/stable.json
22-03-29 09:49:06 INFO (MainThread) [supervisor.homeassistant.api] Updated Home Assistant API token
22-03-29 09:59:07 INFO (MainThread) [supervisor.host.info] Updating local host information
22-03-29 09:59:07 INFO (MainThread) [supervisor.host.services] Updating service information
22-03-29 09:59:07 INFO (MainThread) [supervisor.host.network] Updating local network information
22-03-29 09:59:08 INFO (MainThread) [supervisor.host.sound] Updating PulseAudio information
22-03-29 09:59:08 INFO (MainThread) [supervisor.host.manager] Host information reload completed
22-03-29 10:19:06 INFO (MainThread) [supervisor.homeassistant.api] Updated Home Assistant API token
22-03-29 10:42:35 INFO (MainThread) [supervisor.resolution.check] Starting system checks with state CoreState.RUNNING
22-03-29 10:42:35 INFO (MainThread) [supervisor.resolution.checks.base] Run check for IssueType.TRUST/ContextType.PLUGIN
22-03-29 10:42:35 INFO (MainThread) [supervisor.resolution.checks.base] Run check for IssueType.SECURITY/ContextType.CORE
22-03-29 10:42:35 INFO (MainThread) [supervisor.resolution.checks.base] Run check for IssueType.FREE_SPACE/ContextType.SYSTEM
22-03-29 10:42:35 INFO (MainThread) [supervisor.resolution.checks.base] Run check for IssueType.TRUST/ContextType.CORE
22-03-29 10:42:35 INFO (MainThread) [supervisor.resolution.checks.base] Run check for IssueType.PWNED/ContextType.ADDON
22-03-29 10:42:35 INFO (MainThread) [supervisor.resolution.checks.base] Run check for IssueType.TRUST/ContextType.SUPERVISOR
22-03-29 10:42:35 INFO (MainThread) [supervisor.resolution.check] System checks complete
22-03-29 10:42:35 INFO (MainThread) [supervisor.resolution.evaluate] Starting system evaluation with state CoreState.RUNNING
22-03-29 10:42:35 INFO (MainThread) [supervisor.resolution.evaluate] System evaluation complete
22-03-29 10:42:35 INFO (MainThread) [supervisor.resolution.fixup] Starting system autofix at state CoreState.RUNNING
22-03-29 10:42:35 INFO (MainThread) [supervisor.resolution.fixup] System autofix complete
22-03-29 10:49:07 INFO (MainThread) [supervisor.homeassistant.api] Updated Home Assistant API token
22-03-29 11:19:07 INFO (MainThread) [supervisor.homeassistant.api] Updated Home Assistant API token
22-03-29 11:19:57 INFO (SyncWorker_1) [supervisor.docker.interface] Cleaning addon_core_letsencrypt application
22-03-29 11:19:58 INFO (SyncWorker_1) [supervisor.docker.addon] Starting Docker add-on homeassistant/aarch64-addon-letsencrypt with version 4.12.0
22-03-29 11:21:56 INFO (SyncWorker_3) [supervisor.docker.interface] Cleaning addon_core_letsencrypt application
22-03-29 11:21:56 INFO (SyncWorker_3) [supervisor.docker.addon] Starting Docker add-on homeassistant/aarch64-addon-letsencrypt with version 4.12.0
22-03-29 11:22:20 ERROR (SyncWorker_7) [supervisor.docker.interface] Container addon_core_letsencrypt is not running

Anything in the add-on logs that might be useful for us?

No response

Additional information

No response

Richard-West avatar Mar 29 '22 15:03 Richard-West

Had to deal with this myself today. Need a cronjob/scheduled task to check if the cert is due for renewal, renew, and restart any required services.

andyzib avatar Apr 01 '22 01:04 andyzib
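
The "check if the cert is due for renewal" step from the comment above, as an added example that is not part of the thread or the add-on's code: it classifies a certificate with `openssl x509 -checkend` so a scheduled job can alert when renewal has silently stopped. The `/ssl/fullchain.pem` path and the 30-day window are assumptions.

```shell
#!/bin/sh
# Added example: report whether a certificate is inside its renewal window.
CERT="${CERT:-/ssl/fullchain.pem}"             # assumed certificate path
RENEW_WINDOW_DAYS="${RENEW_WINDOW_DAYS:-30}"   # assumed renewal window

# cert_status FILE DAYS
#   prints ok / due / expired / unreadable and returns 0 / 1 / 2 / 3
cert_status() {
    cert=$1
    days=$2
    # A file that does not parse as a certificate is a failure, never "ok".
    openssl x509 -in "$cert" -noout >/dev/null 2>&1 || { echo unreadable; return 3; }
    # -checkend N exits 0 only if the certificate is still valid N seconds from now.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo expired; return 2
    fi
    if ! openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null 2>&1; then
        echo due; return 1
    fi
    echo ok; return 0
}

# Run only when asked, e.g. daily from a scheduler: sh check-cert.sh check
# A non-zero exit code means the certificate needs attention.
if [ "${1:-}" = "check" ]; then
    cert_status "$CERT" "$RENEW_WINDOW_DAYS"
    exit $?
fi
```
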

@andyzib I ended up writing a simple automation that runs daily to start the Let's Encrypt Add-On. The add-on then goes and checks if the cert needs to be updated, then shuts down (like it normally does - I guess by design??)

Anyway, this seems to work.

alias: 'Schedule: Let''s Encrypt startup'
description: ''
trigger:
  - platform: time
    at: '05:05:00'
condition: []
action:
  - service: hassio.addon_start
    data:
      addon: core_letsencrypt
mode: single

Richard-West avatar Apr 01 '22 13:04 Richard-West

This is definitely an issue, but I don't quite think it's an issue inherently with how this addon is getting it done, as the same behavior occurs with certbot/certbot, and the usual "just use cron to schedule it" is the mechanism.

If we cannot get the behavior to match with this addon where it's a constantly running container, adding something to the documentation at the very least would be advisable, or seeing if the addon can create and manage the schedule for firing up the container.

Kennochas avatar Apr 20 '22 21:04 Kennochas

I have just created a PR for the documentation to add a section adding details of setting up an automation to run the Add-on once a day. I fell foul of an expired certificate earlier today and ended up googling to find a solution. I am not sure if there would be a circumstance that prevents this from being set in the Add-on itself, but having the note in the docs would be beneficial to anyone else setting it up.

Twincarb avatar May 16 '22 18:05 Twincarb

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

github-actions[bot] avatar Jun 22 '22 10:06 github-actions[bot]

Let's keep this open

mateuszdrab avatar Jun 22 '22 19:06 mateuszdrab

@mdegat01 IMO most people using this addon want to set-and-forget. That is, they install the add-in, configure it once, and then just trust it to renew for them. Using a blueprint increases complexity.

As a compromise here, why not make this a configuration option for the addon? Changes would be, roughly:

  1. Add a "Renew Automatically" configuration option to the addon that is on by default for new installs.
  2. Change addon's startup attribute from manual to application so that it auto runs when HA starts up.
  3. In addons/letsencrypt/rootfs/etc/services.d/lets-encrypt, rename run to renew.
  4. Create new run script that runs the following workflow:
     a. Execute renew script to renew certificate when addon starts.
     b. If "Renew Automatically" is on, create a cron job that runs renew every Sunday at midnight. The addon should stay running.
     c. If "Renew Automatically" is off, the addon exits as it does today.

This way, we can accommodate both what I think is the most common workflow by default while still letting edge case users do whatever they do today.

Also, since this addon is often paired with the NGINX Home Assistant SSL Proxy, we should do one of the following:

  1. Add an off-by-default configuration option to the Let's Encrypt addon to automatically restart NGINX Home Assistant SSL Proxy after certificate renewal.
  2. Modify NGINX Home Assistant SSL Proxy to restart after it detects that the SSL certs have been renewed. (Easiest way is to look for updates to the cert file itself; not by monitoring other services.)

Thoughts on this? I'm happy to do the work, but only want to do it if the PR will be approved 😀.

elahd avatar Jul 18 '22 16:07 elahd
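
Option 2 above (reload the proxy when the certificate file itself changes), as an added example that is not code from the add-on or from this thread. The certificate path, the state file and the reload command passed in by the caller are assumptions.

```shell
#!/bin/sh
# Added example: reload a TLS proxy when the certificate file itself changes.
CERT="${CERT:-/ssl/fullchain.pem}"          # assumed certificate path
STATE="${STATE:-/tmp/cert-watch.digest}"    # hypothetical state file

# Digest of a file: sha256sum where available, POSIX cksum otherwise.
file_digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum < "$1" | cut -d' ' -f1
    else
        cksum < "$1" | cut -d' ' -f1
    fi
}

# cert_changed CERT STATE
#   0 = CERT differs from the digest recorded in STATE
#   1 = unchanged
#   2 = CERT missing, unreadable or empty (e.g. caught mid-write); do nothing
cert_changed() {
    [ -r "$1" ] && [ -s "$1" ] || return 2
    [ "$(file_digest "$1")" != "$(cat "$2" 2>/dev/null)" ]
}

# record_cert CERT STATE: remember the digest of the certificate now in use.
record_cert() {
    file_digest "$1" > "$2"
}

# watch_cert INTERVAL RELOAD_CMD...
# The digest is recorded only after a successful reload, so a failed reload
# is retried on the next pass instead of being silently forgotten.
watch_cert() {
    interval=$1; shift
    [ -f "$STATE" ] || record_cert "$CERT" "$STATE"    # first run: baseline only
    while :; do
        if cert_changed "$CERT" "$STATE"; then
            if "$@"; then record_cert "$CERT" "$STATE"
            else echo "reload failed, will retry" >&2; fi
        fi
        sleep "$interval"
    done
}

# Start only when asked, e.g.: sh cert-watch.sh watch 300 nginx -s reload
if [ "${1:-}" = "watch" ]; then shift; watch_cert "$@"; fi
```
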

Had to fix like 20 setups with the same issue, worst part is I can't even log in to the Hass if SSL is expired... 😫

aurimasniekis avatar Aug 13 '22 09:08 aurimasniekis

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

github-actions[bot] avatar Sep 12 '22 10:09 github-actions[bot]

> @mdegat01 IMO most people using this addon want to set-and-forget. That is, they install the add-in, configure it once, and then just trust it to renew for them. Using a blueprint increases complexity.
>
> As a compromise here, why not make this a configuration option for the addon? Changes would be, roughly:
>
>   1. Add a "Renew Automatically" configuration option to the addon that is on by default for new installs.
>   2. Change addon's startup attribute from manual to application so that it auto runs when HA starts up.
>   3. In addons/letsencrypt/rootfs/etc/services.d/lets-encrypt, rename run to renew.
>   4. Create new run script that runs the following workflow:
>      a. Execute renew script to renew certificate when addon starts.
>      b. If "Renew Automatically" is on, create a cron job that runs renew every Sunday at midnight. The addon should stay running.
>      c. If "Renew Automatically" is off, the addon exits as it does today.
>
> This way, we can accommodate both what I think is the most common workflow by default while still letting edge case users do whatever they do today.
>
> Also, since this addon is often paired with the NGINX Home Assistant SSL Proxy, we should do one of the following:
>
>   1. Add an off-by-default configuration option to the Let's Encrypt addon to automatically restart NGINX Home Assistant SSL Proxy after certificate renewal.
>   2. Modify NGINX Home Assistant SSL Proxy to restart after it detects that the SSL certs have been renewed. (Easiest way is to look for updates to the cert file itself; not by monitoring other services.)
>
> Thoughts on this? I'm happy to do the work, but only want to do it if the PR will be approved 😀.

Imho this is the way to do it. The run script should run the renew script at startup and then start cron with an interval configurable by the user; a daily default would be good.

mateuszdrab avatar Sep 19 '22 12:09 mateuszdrab