Replacing Let’s Encrypt Email Notifications with Home Assistant
A simple automation for secure and reliable certificate monitoring.
So, Let’s Encrypt, the awesome folks who give us free SSL certificates, have stopped sending email notifications about expiring certificates. Why? Well, turns out managing a massive email list is a security risk (think hackers!) and sending out all those emails costs a pretty penny (and free services gotta stay free, right?).
This leaves us in a bit of a pickle. We need to know when our certificates are about to expire, or our sites will go down! Luckily, our trusty friend Home Assistant can easily fill this gap. It’s super simple to set up and gives you full control over how you’re notified. Let’s dive in!
Step 1: The Certificate Expiry Integration
First things first, we need to get Home Assistant “aware” of our certificates. We do this using the “Certificate Expiry” integration. Head over to your Home Assistant settings, find the “Integrations” section, and add it. You’ll be asked for some info:
- Host: This is the hostname of the site using the certificate. For example, `home-assistant.io`.
- Port: This is the port the site uses. 99% of the time, you can just leave this at the default `443` (which is the standard port for HTTPS).
Repeat these steps for each certificate you want to monitor. Home Assistant will then create a sensor for each one. These sensors will hold the expiry date, which is exactly what we need!
Step 2: Automating the Notifications
Now for the magic! We’ll create an automation in Home Assistant that checks these expiry dates and sends us a notification. Since we’re using Jinja templating for dynamic messages, we’ll work directly in YAML mode.
- Navigate to Automations: In your Home Assistant frontend, go to Settings -> Automations & Scenes.
- Create New Automation: Click the “+ Create Automation” button.
- Choose “Edit in YAML”: From the three-dot menu, select “Edit in YAML”.
- Paste and Modify the YAML: Replace all the generated YAML with the following template:
```yaml
alias: Certificate Expiry
description: ""
triggers:
  # One time trigger per monitored certificate sensor
  - trigger: time
    at:
      entity_id: sensor.home_assistant_io_certificate_expiry
      # 864000 seconds = 10 days; negative means "before the expiry date"
      offset: "-864000"
  - trigger: time
    at:
      entity_id: sensor.brunosabot_dev_certificate_expiry
      offset: "-864000"
conditions: []
actions:
  - data:
      # Resolves to the name of the sensor that fired the trigger
      message: >-
        {{ states[trigger.entity_id.split(".")[0]][
        trigger.entity_id.split(".")[1]].name }}
      title: Certificate expiration in 10 days
    action: notify.mobile_app_your_device
mode: single
```
Let’s break this down, shall we?
- `alias: Certificate Expiry`: This is just the name of your automation. Make it something descriptive!
- `description`: This helps you understand what this automation is for. You can fill it with anything you like.
- `triggers:`: This section defines when the automation should run. We're using a `time` trigger, which means it'll run at a specific time.
- `triggers.at.entity_id:`: This is the sensor we're checking. For example, `sensor.home_assistant_io_certificate_expiry`. You'll have one of these lines for each certificate you're monitoring.
- `triggers.at.offset: "-864000"`: This is the clever bit! `864000` represents 10 days in seconds. So, this trigger will fire 10 days before the certificate expires. You can adjust this to whatever timeframe you like. Want a warning a month before? Change it to `2592000` (30 days in seconds), keeping the leading minus sign.
- `conditions: []`: We're keeping this empty for now. You could add conditions here if you wanted the notification to only fire under certain circumstances (e.g., only on weekdays).
- `actions:`: This is what happens when the trigger fires.
- `actions.data:`: This is the message that gets sent in the notification.
- `actions.data.message:`: This is the content of the notification. The magic here is the Jinja template: `{{ states[trigger.entity_id.split(".")[0]][trigger.entity_id.split(".")[1]].name }}`. This dynamically pulls the friendly name of the certificate from the sensor. No hardcoding!
- `actions.data.title:`: This is the title of the notification. We're setting it to "Certificate expiration in 10 days," but you can customize it.
- `actions.action: notify.mobile_app_your_device`: This is where the notification goes. Replace `mobile_app_your_device` with the name of your mobile app notification service in Home Assistant. This will send a notification to your phone.
- `mode: single`: This ensures the automation only runs once at a time, even if the trigger conditions are met multiple times.
Step 3: Save and Test!
Save your automation and give it a test run! You can manually trigger it from the Home Assistant interface. You should get a notification on your phone.
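Want to double-check the dates outside Home Assistant? The script below is an added example, not part of the original automation: it reads a certificate's `notAfter` value, applies the same `-864000` offset, and reports whether the alert time is still ahead, already passed, or the certificate has expired. The function names `fetch_not_after` and `alert_plan` and the sample dates are made up for illustration.

```python
import socket
import ssl
from datetime import datetime, timedelta, timezone

OFFSET_SECONDS = -864000  # same value as the automation's offset (10 days before expiry)


def fetch_not_after(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Return the served certificate's notAfter string (chain and hostname are verified)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


def alert_plan(not_after: str, now: datetime, offset_seconds: int = OFFSET_SECONDS) -> dict:
    """Compute expiry, alert time (expiry + offset) and where `now` falls between them."""
    # getpeercert() reports dates like "Jun 11 12:00:00 2025 GMT"
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    alert_at = expires + timedelta(seconds=offset_seconds)
    if now >= expires:
        status = "expired"
    elif now >= alert_at:
        # The alert moment is already behind us: check this certificate by hand.
        status = "inside alert window"
    else:
        status = "ok"
    return {
        "expires": expires,
        "alert_at": alert_at,
        "days_left": (expires - now).days,
        "status": status,
    }


if __name__ == "__main__":
    # Constructed sample value; for a live check use fetch_not_after("home-assistant.io").
    sample_not_after = "Jun 11 12:00:00 2025 GMT"
    sample_now = datetime(2025, 6, 5, tzinfo=timezone.utc)
    plan = alert_plan(sample_not_after, sample_now)
    print(f"expires:   {plan['expires'].isoformat()}")
    print(f"alert at:  {plan['alert_at'].isoformat()}")
    print(f"days left: {plan['days_left']} ({plan['status']})")
```

Run it whenever you add a sensor or change the offset, so you know whether the alert time for that certificate is still in the future.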
And that’s it! You’ve now got Home Assistant handling your certificate expiry notifications!