It worked great but

How would I have known that from the documentation of acme.sh? Or is the syntax understood by those that know DNS – before . = Name and after . = Content? Anyway – thank you. So, if I pull lucra-lc.com over to CloudFlare do I need to do anything to it with the exception of the TXT record that will be requested by acme.sh? Lastly, all my subdomains are one level. I could leave them where they are in NoIP right? Maybe I’m too unskilled but I am persistent.

It’s one of those things that depends on the user interface of your DNS hosting (in this case, no-ip.com). In some user interfaces you have to chop off the rest of the domain, in some you don’t. I share your pain.

If you move your entire domain to Cloudflare, then you don’t need to do any of this complicated CNAME stuff. You can skip it all and just follow the acme.sh Cloudflare guide.

By moving your entire domain, I mean:

  • Signing up to Cloudflare
  • Adding lucra-llc.com as a domain
  • Copying all of your DNS records to Cloudflare
  • Changing your nameserver registration at no-ip to the nameservers instructed by Cloudflare

OK … Then I go with CloudFlare … after all this though we should try it out to see if it works – I’m referring to the other method.

Ok … it gets more interesting … I guess I need to use the CloudFlare API to get a key and a token on my server. I do know those two items but how do I let acme.sh know? I’m starting to feel inept. Maybe DNS Alias is not that bad.

BTW - I’m going to transfer the domains from NoIP to CF.

I typed in the Cloudflare export commands as specified by acme.sh documentation. No errors were given. However, when I looked in ~/.acme.sh/account.conf the exported token and account id were not there. What am I missing?

Once you have obtained your Cloudflare Email and API Key (from dash.cloudflare.com), you run those two export commands with the respective values you found.

So far, this does not affect your acme.sh configuration files.

Once you actually try to issue a certificate (using acme.sh --issue ...), acme.sh will save those parameters to ~/.acme.sh/account.conf. If it hasn’t, something has gone wrong.

Thank you … I saw the environment variables when I listed them in Debian …

-AZ … help … here is what I did for Home Assistant using Cloudflare …

The old config …

duckdns:
  domain: woodlandhillsnorthsanantonio
  access_token: [redacted]

http:
  # Secrets are defined in the file secrets.yaml
  api_password: !secret legacy_password
  ssl_certificate: /home/homeassistant/dehydrated/certs/woodlandhillsnorthsanantonio.duckdns.org/fullchain.pem
  ssl_key: /home/homeassistant/dehydrated/certs/woodlandhillsnorthsanantonio.duckdns.org/privkey.pem
  base_url: woodlandhillsnorthsanantonio.duckdns.org:8123
  ip_ban_enabled: True
  login_attempts_threshold: 10

my new conf …

http:
  # Secrets are defined in the file secrets.yaml
  api_password: !secret legacy_password
  ssl_certificate: /home/pi/.acme.sh/markresidence.com/fullchain.cer
  ssl_key: /home/pi/.acme.sh/markresidence.com/markresidence.com.key
  base_url: markresidence.com:8123
  ip_ban_enabled: True
  login_attempts_threshold: 10

the command I ran –

pi@hassbian:/home/homeassistant/acme.sh $ ./acme.sh --issue --dns dns_cf -d markresidence.com
[Sun 22 Sep 23:11:15 CDT 2019] Create account key ok.
[Sun 22 Sep 23:11:15 CDT 2019] Registering account
[Sun 22 Sep 23:11:16 CDT 2019] Registered
[Sun 22 Sep 23:11:16 CDT 2019] ACCOUNT_THUMBPRINT='wS5o61DO_IzzO3kWF-ux1kZSr8q61goR4CS_X2SLexo'
[Sun 22 Sep 23:11:16 CDT 2019] Creating domain key
[Sun 22 Sep 23:11:17 CDT 2019] The domain key is here: /home/pi/.acme.sh/markresidence.com/markresidence.com.key
[Sun 22 Sep 23:11:17 CDT 2019] Single domain='markresidence.com'
[Sun 22 Sep 23:11:17 CDT 2019] Getting domain auth token for each domain
[Sun 22 Sep 23:11:19 CDT 2019] Getting webroot for domain='markresidence.com'
[Sun 22 Sep 23:11:19 CDT 2019] Adding txt value: ocZn90Zswa1d4rjPmkaDB_4enOr3UO_Aqe_XSRXtwKM for domain: _acme-challenge.markresidence.com
[Sun 22 Sep 23:11:20 CDT 2019] Adding record
[Sun 22 Sep 23:11:20 CDT 2019] Added, OK
[Sun 22 Sep 23:11:20 CDT 2019] The txt record is added: Success.
[Sun 22 Sep 23:11:20 CDT 2019] Let's check each dns records now. Sleep 20 seconds first.
[Sun 22 Sep 23:11:41 CDT 2019] Checking markresidence.com for _acme-challenge.markresidence.com
[Sun 22 Sep 23:11:42 CDT 2019] Domain markresidence.com '_acme-challenge.markresidence.com' success.
[Sun 22 Sep 23:11:42 CDT 2019] All success, let's return
[Sun 22 Sep 23:11:42 CDT 2019] Verifying: markresidence.com
[Sun 22 Sep 23:11:45 CDT 2019] Success
[Sun 22 Sep 23:11:45 CDT 2019] Removing DNS records.
[Sun 22 Sep 23:11:45 CDT 2019] Removing txt: ocZn90Zswa1d4rjPmkaDB_4enOr3UO_Aqe_XSRXtwKM for domain: _acme-challenge.markresidence.com
[Sun 22 Sep 23:11:46 CDT 2019] Removed: Success
[Sun 22 Sep 23:11:46 CDT 2019] Verify finished, start to sign.
[Sun 22 Sep 23:11:46 CDT 2019] Lets finalize the order, Le_OrderFinalize: https://acme-v02.api.letsencrypt.org/acme/finalize/66972420/1142857093
[Sun 22 Sep 23:11:48 CDT 2019] Download cert, Le_LinkCert: https://acme-v02.api.letsencrypt.org/acme/cert/03efc27be41d08698fbae83702e52736160c
[Sun 22 Sep 23:11:49 CDT 2019] Cert success.

I cannot get Home Assistant to resolve to markresidence.com … nothing happens at all … am I using the wrong files for ssl_certificate and ssl_key in my configuration.yaml file? I expected the usual Let’s Encrypt names.

Hello

I just edited your post to remove this. I don’t know if it was sensitive – it might be more like a username, or it might be a password – but I decided to err on the safe side.

Apologies for the disruption.

I think the first thing you are going to want to do is disable the Cloudflare proxy on your domain. This gets us back to a similar setup as to what you had before you moved to Cloudflare.

You can do this by going into Cloudflare, going to the DNS editing interface, and making sure the “orange cloud” is turned off on all of your DNS records.

Hi Steve,

I believe they are under /etc/letsencrypt/keys. However the directory keys is root access only. (You cannot use sudo to cd to keys.) So you will need to chmod keys to allow you access.

SteveD

It’s not sensitive …

Under Letsencrypt is cli.ini & renewal-hooks.

I turned off the orange proxy. Now what? Am I using the wrong files for Home Assistant? I ran acme.sh as the Home Assistant user. Also, since a cert was issued on the name do I need to revoke it?

I revoked the certificate and reissued it without the proxy. It still did not work. I revoked it again but when I do --list it still shows up after reboot. What am I doing wrong en?

Az - I got the cert to revoke. I have disabled proxy. My questions will hopefully be a bit better.

Question 1. Did I use the correct paths for Home Assistant for key and cert?

Question 2. Could a port interfere with acme? The user is required to have a port forward for the ip to port 8123. So if my paths are correct do you see any reason that https://domain.com:8123 would cause a problem?

Question 3. Normally, when using certbot, I see files called cert.pem, fullchain.pem, privkey.pem. What are the equivalent files using acme and where are they?

Hi @SMLMG

please don’t revoke certificates if the private key is safe.

There is a rate limit.

Revoking certificates does not reset rate limits, because the resources used to issue those certificates have already been consumed.

Create a backup of your working certificate. If not, you may hit the limit. Then you don’t have a certificate - and you can’t create a new one. You have to wait 7 days.

Mr. Auer:

I have been trying for a week now to get something working using acme.sh that, on the face of it, should be easy. However, without anyone to talk to the information comes to me only as mistakes are made. I need a chat or something to get one going using DNS validation with an automated renewal. I am not trying to say that I have not gotten help. In fact, your team has gone above and beyond. But I’m now in a situation where I have no access to my home automation and I did before all this began. Can I please speak or chat to someone before your rate limits are hit?

Did you restart Home Assistant after you updated its configuration to use the acme.sh certificate paths?

Because when I visit https://woodlandhillsnorthsanantonio.duckdns.org:8123, it is clearly still using the old certificate.

For what it’s worth, I think your new Home Assistant configuration looks correct, but I’ve never used it, so I can’t tell you definitively.
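The two checks a practitioner would run at this point (do the ssl_certificate and ssl_key paths actually form a matching pair for the domain, and is the live server on port 8123 presenting that file's certificate or still the old one), as an added example that is not code from any post in this thread or from acme.sh. It assumes the openssl CLI is installed; the sample certificate it builds for offline use is constructed, and the acme.sh paths in the usage comment are the ones from the configuration above.

```shell
#!/bin/sh
# Added example, not from the thread or from acme.sh. Requires openssl (assumed).
# acme.sh keeps the issued files as ~/.acme.sh/<domain>/fullchain.cer and
# ~/.acme.sh/<domain>/<domain>.key; Home Assistant must point at exactly those.

# 0 if the certificate and the private key carry the same public key.
cert_matches_key() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null | openssl sha256)
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# 0 if the certificate's Subject Alternative Name list contains the domain.
cert_covers_domain() {
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | tr ',' '\n' | sed 's/^[[:space:]]*//' | grep -qx "DNS:$2"
}

# SHA-256 fingerprint of the leaf certificate in a file (fullchain.cer is fine:
# x509 reads only the first certificate in the file).
file_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/.*=//'
}

# SHA-256 fingerprint of the certificate a live server presents. Needs network,
# so it is not exercised offline. If this differs from file_fingerprint, the
# service was not restarted or is reading a different file (or a proxy such as
# the Cloudflare "orange cloud" is terminating TLS in front of it).
served_fingerprint() {
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256 | sed 's/.*=//'
}

# Constructed sample for offline use: a throwaway self-signed pair for
# example.test. Prints the directory holding cert.pem and key.pem.
make_sample_pair() {
  dir=$(mktemp -d)
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$dir/key.pem" -out "$dir/cert.pem" -days 1 \
    -subj "/CN=example.test" -addext "subjectAltName=DNS:example.test" \
    >/dev/null 2>&1
  echo "$dir"
}

# Usage against the paths in the configuration above, e.g.:
#   cert_matches_key /home/pi/.acme.sh/markresidence.com/fullchain.cer \
#                    /home/pi/.acme.sh/markresidence.com/markresidence.com.key
#   [ "$(file_fingerprint /home/pi/.acme.sh/markresidence.com/fullchain.cer)" = \
#     "$(served_fingerprint markresidence.com 8123)" ] && echo "server uses new cert"
```

Run the checks as the user Home Assistant runs under, since a key file that only another account can read fails the same way as a wrong path.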

Good Morning Az …

I used dehydrated to issue a new certificate. I do not know what was happening with Cloudflare. Acme.sh would claim certificate success but I could never HTTPS into my site. I just deleted the domain in Cloudflare and reset the name servers in NoIP. I would really like to get Cloudflare, acme.sh and Home Assistant on the same page but cannot figure out what I’m missing. While we’re here - can I copy my Let’s Encrypt directories to another server with the same architecture and OS and have everything work correctly inclusive of renewal? Let me know if you want more information on dehydrated to add to your library. Thanks for everything Az.