Issuing certificate from custom ACME CA using TSIG (RFC2136)
Overview
This guide shows how to issue an ACME certificate from a custom ACME directory, using TSIG-authenticated DNS updates (RFC 2136) for the DNS-01 challenge.
Procedure
- Add the Let’s Encrypt app via Settings > Apps > Install App, search for Let's Encrypt, click Install
- Once installed, go to the Configuration tab, click the three dots under Options, click Edit in YAML and input the following information:
Replace <dns server> with your RFC2136 compatible DNS server.
Replace <tsig key> with your RFC2136 secret.
Replace <email> with your email - for a private ACME CA, this might not be needed, but is needed for public CAs.
Replace <your fqdn> with the host name you will be accessing the server with.
Replace <acme directory> with your custom ACME server directory URL.
Replace <your root ca> with the Root CA certificate for the ACME server.
```yaml
keyfile: privkey.pem
certfile: fullchain.pem
challenge: dns
dns:
  provider: dns-rfc2136
  rfc2136_server: <dns server>
  rfc2136_algorithm: hmac-sha256
  rfc2136_name: acme-tsig
  rfc2136_secret: <tsig key>
  rfc2136_port: "53"
email: <email>
domains:
  - <your fqdn>
acme_server: <acme directory>
acme_root_ca_cert: |
  -----BEGIN CERTIFICATE-----
  <your root ca>
  -----END CERTIFICATE-----
```

Save.
- Go to the Info tab, check the Start on boot button, then click the Start button
- Monitor the progress in the Log tab
- Create an automation for weekly renewal
Navigate to Settings>Automations & scenes>Automations>Create Automation>Create a new automation
Click the three dots, click Edit in YAML
Paste in the following:
```yaml
alias: Renew TLS certificate weekly
triggers:
  - at: "03:30:00"
    trigger: time
conditions:
  - condition: time
    weekday:
      - sun
actions:
  - data:
      addon: core_letsencrypt
    action: hassio.addon_start
  - delay: "00:01:00"
  - action: homeassistant.restart
```

Save and ensure the automation is enabled.
Or paste it directly into your automations.yaml
- Edit your configuration.yaml to reflect the SSL changes:

```yaml
http:
  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem
  # Uncomment below if you are using Home Assistant behind a proxy
  # use_x_forwarded_for: true
  # trusted_proxies:
  #   - 0.0.0.0/32
  server_port: 8123

# Uncomment below if you are accessing Home Assistant from different URLs
# homeassistant:
#   internal_url: "https://ha-internal.local"
#   external_url: "https://ha-external.example.com"
```

- Restart your Home Assistant server
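The add-on only needs to create and delete the `_acme-challenge` TXT record, so the TSIG key it receives should not be allowed to change anything else in the zone. The following is an added example of a least-privilege `named.conf` fragment for BIND 9 (not part of the original guide, which does not name a particular RFC 2136 server); it assumes the zone `example.com`, `ha.example.com` as <your fqdn>, and the key name `acme-tsig` from the add-on configuration above.

```conf
// Key shared with the Let's Encrypt add-on (rfc2136_name / rfc2136_secret).
// A fresh key can be generated with: tsig-keygen -a hmac-sha256 acme-tsig
key "acme-tsig" {
    algorithm hmac-sha256;
    secret "<tsig key>";   // the same base64 secret as rfc2136_secret in the add-on
};

zone "example.com" {
    type primary;          // "master" on BIND releases older than 9.16
    file "/var/lib/bind/example.com.zone";   // assumed zone file path
    // update-policy instead of allow-update: the key may only add or remove
    // the challenge TXT record for the Home Assistant host, nothing else.
    update-policy {
        grant acme-tsig name _acme-challenge.ha.example.com. TXT;
    };
};
```

Before handing the secret to the add-on, confirm the scoping with `nsupdate -k <keyfile>`: an update to the challenge record should succeed, while an update to any other name or record type with the same key should come back REFUSED.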