Home Assistant expired root certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: simpleabri.duckdns.org

I ran this command: no ssl access

It produced this output:

The operating system my web server runs on is (include version): Home Assistant 2023.5 with duckdns and NGINX on Raspberry Pi 4

I can login to a root shell on my machine (yes or no, or I don't know): yes

Hi, I still have the expired CA X3 root certificate. How can I force the root certificate upgrade on Home Assistant OS?

Shouldn't be an issue. Let's Encrypt by default provides the "long chain" for Android compatibility and modern systems should also be fine with that. See Extending Android Device Compatibility for Let's Encrypt Certificates - Let's Encrypt for more info.


Hello @hugojmj, welcome to the Let's Encrypt community.

This may help explain:


Thanks @Osiris! I am just a bit confused: my server is the latest version of Home Assistant Arm Linux on a Pi, so not Android. As clients I am using Ubuntu 20 and iOS 15, so relatively new hardware and software. Any idea what I can do to upgrade the expired root cert?


Why would you want to? There's no such thing as upgrading the expired cert. The only thing possible is to serve the "short chain", but unless you're running into actual issues (and not some website telling you stuff about the chain) I would advise against that.


What exact problem are you trying to fix?
[Even if you could, somehow have that expired root cert renewed, I doubt it would fix your problem.]

Let's (re)focus on these questions:


Your certificate chain is OK in the sense that it's the expected default chain for Let's Encrypt. Some/most software that integrates Let's Encrypt certificates can let you optionally choose the newer ISRG Root X1 as your preferred chain/issuer.

You mentioned nginx so I assume you are proxying back to home assistant internally and using nginx as your https front end. If so you are probably using Certbot to manage your cert?

My own HA on a Raspberry PI (using the docker based Home Assistant OS) runs Python/3.10 aiohttp/3.8.1 as the server, not nginx, which is why I'm assuming you went to extra effort to use nginx as your web server.

[As an aside, you can use Tailscale for remote access instead of running a public server]
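
An added example, not part of any reply in this thread: a small Python check that reads the "Certificate chain" section printed by `openssl s_client -showcerts` and reports whether a server sends the default "long chain" (ISRG Root X1 cross-signed by DST Root CA X3) or the "short chain" discussed above. The sample output and the host name `ha.example.org` are constructed for illustration, with R3 assumed as the intermediate.

```python
import re

# Constructed sample of the "Certificate chain" section from
# `openssl s_client -connect host:443 -showcerts` (not from the poster's server).
LONG_CHAIN = """\
Certificate chain
 0 s:CN = ha.example.org
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
"""
# Same server output when only the leaf and intermediate are sent.
SHORT_CHAIN = "\n".join(LONG_CHAIN.splitlines()[:5])

_ENTRY = re.compile(r"\s*(?:\d+\s+)?([si]):(.*)")
_CN = re.compile(r"CN\s*=\s*([^,/\n]+)")

def parse_chain(text):
    """Return [(subject_cn, issuer_cn), ...] in the order the server sent them."""
    chain, subject = [], None
    for line in text.splitlines():
        m = _ENTRY.match(line)
        if not m:
            continue  # skips headers and OpenSSL 3 "a:" / "v:" detail lines
        cn = _CN.search(m.group(2))
        name = cn.group(1).strip() if cn else m.group(2).strip()
        if m.group(1) == "s":
            subject = name
        elif subject is not None:
            chain.append((subject, name))
            subject = None
    return chain

def classify(text):
    """Label the served chain by its topmost certificate."""
    chain = parse_chain(text)
    if not chain:
        return "no chain found"
    # Each certificate must be issued by the next one the server sent.
    for (_, issuer), (next_subject, _) in zip(chain, chain[1:]):
        if issuer != next_subject:
            return "broken chain"
    top_subject, top_issuer = chain[-1]
    if top_subject == "ISRG Root X1" and top_issuer == "DST Root CA X3":
        return "long chain"   # expected Let's Encrypt default; X3 issuer is normal here
    if top_issuer == "ISRG Root X1":
        return "short chain"  # server stops at R3; clients anchor on ISRG Root X1
    return "other chain"
```

A "long chain" result means the DST Root CA X3 issuer line is the expected default rather than a server misconfiguration.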