
Issuing certificate from custom ACME CA using TSIG (RFC2136)

Overview

This guide shows how to issue an ACME certificate from a custom ACME directory, using TSIG-authenticated DNS updates (RFC 2136) to answer the DNS-01 challenge.

Procedure

  1. Add the Let’s Encrypt app via Settings>Apps>Install App, search for Let's Encrypt, click Install
  2. Once installed, go to the Configuration tab, click the three dots under Options and click Edit in YAML and input the following information:

Replace <dns server> with the address of the authoritative DNS server for <your fqdn> that accepts RFC 2136 dynamic updates (not a caching resolver).

Replace <tsig key> with the base64 secret of your TSIG key. rfc2136_name and rfc2136_algorithm must match the key name and algorithm configured on the server. Scope the key to what the add-on actually needs: on BIND, prefer an update-policy such as grant acme-tsig name _acme-challenge.<your fqdn>. TXT; over a zone-wide allow-update, so that a leaked key can only touch the challenge record. TSIG also embeds a timestamp, so updates fail with BADTIME if the Home Assistant clock drifts more than a few minutes from the DNS server's.

Replace <email> with your email address. A private ACME CA may not require it, but public CAs do.

Replace <your fqdn> with the host name you will use to reach Home Assistant; the challenge record is written to _acme-challenge.<your fqdn>.

Replace <acme directory> with the directory URL of your ACME server.

Replace <your root ca> with the PEM body of the root CA that the ACME server's HTTPS certificate chains to; the add-on uses it to verify its connection to the directory.

keyfile: privkey.pem
certfile: fullchain.pem
challenge: dns
dns:
  provider: dns-rfc2136
  rfc2136_server: <dns server>
  rfc2136_algorithm: hmac-sha256
  rfc2136_name: acme-tsig
  rfc2136_secret: <tsig key>
  rfc2136_port: "53"
email: <email>
domains:
  - <your fqdn>
acme_server: <acme directory>
acme_root_ca_cert: |
  -----BEGIN CERTIFICATE-----
  <your root ca>
  -----END CERTIFICATE-----

Save.
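Before starting the add-on, it is worth proving that the TSIG key can actually write the challenge record, because the add-on log only shows the failure after certbot has already registered with the CA. The script below is an added example, not part of the Let's Encrypt add-on or of this guide's original text. It signs a probe update with the same server, key name, algorithm and secret you put in the add-on config, adds a throw-away TXT record at _acme-challenge.<your fqdn> (the record certbot's dns-rfc2136 plugin creates), reads it back from the authoritative server and deletes it again. The default values for RFC2136_SERVER, RFC2136_NAME, RFC2136_SECRET and FQDN are placeholders for the example (the secret is a dummy base64 string); override them in the environment. It needs nsupdate and dig (bind9-dnsutils / bind-utils) on the machine you run it from.

```shell
#!/bin/sh
# tsig-probe.sh: pre-flight check for the dns-rfc2136 settings of the
# Let's Encrypt add-on (added example, not the add-on's own code).
# The four values below are assumptions; export your real ones before running.
: "${RFC2136_SERVER:=ns1.example.internal}"   # <dns server>
: "${RFC2136_NAME:=acme-tsig}"                # rfc2136_name
: "${RFC2136_SECRET:=QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUE=}"  # <tsig key>, dummy value
: "${FQDN:=ha.example.internal}"              # <your fqdn>
RFC2136_PORT="${RFC2136_PORT:-53}"

# The secret must be base64 and, for hmac-sha256, reasonably long (tsig-keygen
# emits 256-bit keys). Length is counted in a pipe so NUL bytes in the key
# material are counted rather than silently dropped by a shell variable.
check_secret() {
  case "$1" in
    '' | *[!A-Za-z0-9+/=]*) echo "secret is not base64" >&2; return 1 ;;
  esac
  printf '%s' "$1" | base64 -d >/dev/null 2>&1 || { echo "secret does not decode" >&2; return 1; }
  n=$(printf '%s' "$1" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
  [ "$n" -ge 16 ] || { echo "secret decodes to only $n bytes" >&2; return 1; }
}

# Emit an nsupdate batch. $1 server, $2 port, $3 key name, $4 secret, $5 fqdn,
# $6 probe token, $7 "add" or "delete". The delete names the exact RR data so
# any other TXT records at the same name are left alone.
build_batch() {
  printf 'server %s %s\n' "$1" "$2"
  printf 'key hmac-sha256:%s %s\n' "$3" "$4"
  if [ "$7" = add ]; then
    printf 'update add _acme-challenge.%s. 60 IN TXT "%s"\n' "$5" "$6"
  else
    printf 'update delete _acme-challenge.%s. IN TXT "%s"\n' "$5" "$6"
  fi
  printf 'send\n'
}

# Add the probe record, verify it on the authoritative server, then clean up.
run_probe() {
  check_secret "$RFC2136_SECRET" || return 1
  token="probe-$$-$(date +%s)"
  build_batch "$RFC2136_SERVER" "$RFC2136_PORT" "$RFC2136_NAME" "$RFC2136_SECRET" "$FQDN" "$token" add \
    | nsupdate || { echo "update refused: check key name/secret, the server's update-policy, and clock skew (TSIG BADTIME)" >&2; return 1; }
  # Query the authoritative server directly so a caching resolver cannot mask a failure.
  if dig +short -p "$RFC2136_PORT" @"$RFC2136_SERVER" TXT "_acme-challenge.$FQDN" | grep -q "$token"; then
    echo "TSIG update OK: _acme-challenge.$FQDN is writable with key $RFC2136_NAME"
    rc=0
  else
    echo "update accepted but record not visible on $RFC2136_SERVER" >&2
    rc=1
  fi
  build_batch "$RFC2136_SERVER" "$RFC2136_PORT" "$RFC2136_NAME" "$RFC2136_SECRET" "$FQDN" "$token" delete | nsupdate
  return $rc
}

# Only talk to the network when invoked with --run; sourcing the file just defines the functions.
case "${1:-}" in
  --run) run_probe ;;
esac
```

Run it as RFC2136_SERVER=... RFC2136_SECRET=... FQDN=... sh tsig-probe.sh --run. If the server answers REFUSED, the key name or secret does not match, or the update-policy does not grant that key the _acme-challenge name; if it answers BADTIME, fix the clock first. A successful probe means the add-on's dns-rfc2136 settings are correct and any remaining failure is on the ACME side (directory URL, root CA, or email).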

  3. Go to the Info tab, enable Start on boot, then click Start.
  4. Monitor the progress in the Log tab. Wait for a successful run before pointing the http integration at /ssl/fullchain.pem and /ssl/privkey.pem below; the files only exist once issuance has succeeded.
  5. Create an automation for weekly renewal.

Navigate to Settings > Automations & scenes > Automations > Create Automation > Create new automation, click the three dots, and click Edit in YAML.

Paste in the following:

alias: Renew TLS certificate weekly
triggers:
  - at: "03:30:00"
    trigger: time
conditions:
  - condition: time
    weekday:
      - sun
actions:
  - data:
      addon: core_letsencrypt
    action: hassio.addon_start
  - delay: "00:01:00"
  - action: homeassistant.restart

Save and make sure the automation is enabled. The one-minute delay gives the add-on time to finish; the restart is needed because Home Assistant only reads the files in /ssl at startup.

Or paste it directly into your automations.yaml

  6. Edit your configuration.yaml to use the new certificate:

http:
  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem
  # Uncomment below if Home Assistant sits behind a reverse proxy. List only the
  # proxy's own address or network: with use_x_forwarded_for enabled, any host in
  # trusted_proxies can set the client IP that Home Assistant sees (and that
  # login throttling and ip_ban act on), so never use a catch-all range.
  # use_x_forwarded_for: true
  # trusted_proxies:
  #   - <proxy address>/32
  server_port: 8123

# Uncomment below if you access Home Assistant from different URLs
# homeassistant:
#   internal_url: "https://ha-internal.local"
#   external_url: "https://ha-external.example.com"
  7. Restart Home Assistant so the new http settings take effect.