Let's Encrypt add-on should not use network at all if cert isn't within renewal window #4238

@Gunni

Description

Describe the issue you are experiencing

Today every time I start the add-on it does:

Sending GET request to https://acme-v02.api.letsencrypt.org/directory

This should not happen for several reasons:

  1. It depends on the network even when renewal is not needed
  2. It adds unnecessary load to the infrastructure of LE
  3. It loads info about the directory that is then not used
  4. It leaks info to the network (DNS, OCSP, HTTPS, etc.) despite that info then not being used

Network connections should only be used when the decision to attempt renewal has already been taken. The container should not crash if the network is missing when the renewal window has not arrived yet.

It should be "possible" to run the container every second of every day and only bother myself!

I should not need hacks like this to run the container daily.

You have the cert! You can use basic tools to check its end date, and they even have ways for you to check with no math needed for you!

$ openssl x509 -enddate -noout -in <filename>.crt -checkend 3888000
notAfter=xxx  x xx:xx:xx xxxx GMT
Certificate will not expire
$ echo $?
0

$ openssl x509 -enddate -noout -in <filename>.crt -checkend 7776000
notAfter=xxx  x xx:xx:xx xxxx GMT
Certificate will expire
$ echo $?
1

Then just check the exit code, this is entirely local, takes so little time as to be hard to measure accurately and no network is needed!!

# CERT is the path of the cert the add-on already has; 3888000 s = 45 days
if ! openssl x509 -enddate -noout -in "$CERT" -checkend 3888000; then
    :  # optionally notify user of cert renewal window
    :  # renew cert
    :  # notify on error
else
    :  # log that renewal was not needed, or heck just let the openssl command above output to debug log.
    exit 0
fi

What type of installation are you running?

Home Assistant OS

Which operating system are you running on?

Home Assistant Operating System

Which add-on are you reporting an issue with?

Let's Encrypt

What is the version of the add-on?

5.4.9

Steps to reproduce the issue

  1. Set up the add-on normally, get certs, etc.
  2. Enable Verbose Mode
  3. Start it again and observe the redundant HTTP request
  4. Observe that after the useless request the container stops, because renewal was not needed yet

System Health information

N/A

Anything in the Supervisor logs that might be useful for us?

Anything in the add-on logs that might be useful for us?

<container starts>

Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
Received response:
HTTP 200
Server: nginx
Date: Fri, 21 Nov 2025 13:31:26 GMT
Content-Type: application/json
Content-Length: 1063
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
{
  <directory payload removed>
}
Cannot extract OCSP URI from /data/letsencrypt/archive/ha.example.com/cert3.pem
Notifying user: Certificate not yet due for renewal
Keeping the existing certificate
Certificate not yet due for renewal
Notifying user: Certificate not yet due for renewal; no action taken.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Certificate not yet due for renewal; no action taken.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

<container stops>

Additional information

No response
