@e28eta
Forked from TJ-developer/renew_ssl_cert.yaml
Last active February 17, 2023 00:15
Homeassistant Blueprint for SSL-Certificate renewal
blueprint:
  name: Renew Let's Encrypt Certificate
  description: Renew Certificate when due date is below given value
  domain: automation
  input:
    cert_expiry_sensor:
      name: Certificate Expiry Sensor
      description: Sensor from the Certificate Expiry Integration (https://www.home-assistant.io/integrations/cert_expiry)
      selector:
        entity:
          integration: cert_expiry
    renew_date:
      name: Certificate renewal date
      description: Date when the SSL-Certificate will be renewed
      selector:
        number:
          min: 1
          max: 60
          mode: slider
          unit_of_measurement: "days"
      default: 31
    time_to_check_cert:
      name: Certificate check time
      description: Time when the certificate date will be checked.
      selector:
        time:
    restart_after_renewal:
      name: Restart Home Assistant
      description: Restarts the Home Assistant when the certificate is renewed. (if enabled)
      selector:
        boolean:
      default: true
    minutes_till_restart:
      name: Minutes until restart
      description: Minutes until restart of Home Assistant if restart is enabled
      selector:
        number:
          min: 1
          max: 60
          mode: slider
          unit_of_measurement: "minutes"
      default: 5
    send_notification:
      name: Send notification
      description: Sends a notification to a device if enabled
      selector:
        boolean:
      default: false
    notification_device:
      name: Device to notify
      description: Device which will be notified.
      selector:
        device:
          integration: mobile_app
    notification_title:
      name: Notification title
      description: Notification title for notification that is sent when the certificate has been renewed.
    notification_message:
      name: Notification message
      description: Notification that is sent when the certificate has been renewed.
alias: Renew SSL Cert
description: ''
trigger:
# Runs once a day at the configured check time
- platform: time
  at: !input time_to_check_cert
condition:
# Continue only when fewer than renew_date whole days remain
- condition: template
  value_template: '{{ expire_days_var < var_check }}'
action:
# Start the Let's Encrypt add-on, which performs the renewal
- service: hassio.addon_start
  data:
    addon: core_letsencrypt
- choose:
  - conditions:
    - condition: template
      value_template: '{{ send_notification_var }}'
    sequence:
    - device_id: !input notification_device
      domain: mobile_app
      type: notify
      title: '{{ message_title_var }}'
      message: '{{ message_var }}'
  default: []
- choose:
  - conditions:
    - condition: template
      value_template: '{{ restart_after_renewal_var }}'
    sequence:
    - delay:
        hours: 0
        minutes: !input minutes_till_restart
        seconds: 0
        milliseconds: 0
    # hassio.host_reboot reboots the host system, which also restarts Home Assistant
    - service: hassio.host_reboot
  default: []
mode: single
variables:
  certificate_var: !input cert_expiry_sensor
  var_check: !input renew_date
  message_var: !input notification_message
  message_title_var: !input notification_title
  restart_after_renewal_var: !input restart_after_renewal
  send_notification_var: !input send_notification
  # Whole days until the sensor's expiry timestamp, truncated by `| int`
  expire_days_var: >-
    {{ ((as_timestamp(states(certificate_var)) - as_timestamp(now())) / 60 / 60 / 24 ) | int }}

e28eta commented Feb 17, 2023

Changed default renew_date to 31, and widened the slider range. The Let's Encrypt Expiry Bot email suggests 30 days:

We recommend renewing certificates automatically when they have a third of their total lifetime left. For Let's Encrypt's current 90-day certificates, that means renewing 30 days before expiration. See https://letsencrypt.org/docs/integration-guide/ for details.

I went with 1 day early, just to try to avoid any midnight / off-by-one bugs, and get one fewer email into my inbox
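
The blueprint's `expire_days_var` calculation and its `<` condition, replayed in Python against a constructed 90-day certificate to show when the daily trigger first fires for thresholds of 30 and 31 days. This is an added example, not part of the gist; the function names, the certificate dates and the 03:00 check time are assumptions made for illustration.

```python
from datetime import datetime, time, timedelta, timezone


def expire_days(not_after, now):
    """Blueprint's expire_days_var: seconds left / 60 / 60 / 24, truncated by `| int`."""
    return int((not_after.timestamp() - now.timestamp()) / 60 / 60 / 24)


def should_renew(not_after, now, renew_date):
    """Blueprint's condition: expire_days_var < var_check."""
    return expire_days(not_after, now) < renew_date


def first_renewal(not_before, not_after, check_time, renew_date):
    """Replay the daily time trigger; return (fire time, time left) or None."""
    now = datetime.combine(not_before.date(), check_time, tzinfo=timezone.utc)
    if now < not_before:
        now += timedelta(days=1)  # first check after issuance
    while now < not_after:
        if should_renew(not_after, now, renew_date):
            return now, not_after - now
        now += timedelta(days=1)
    return None  # condition never became true before expiry


# Constructed sample: a 90-day certificate issued 2023-01-01 10:00 UTC.
NOT_BEFORE = datetime(2023, 1, 1, 10, 0, tzinfo=timezone.utc)
NOT_AFTER = NOT_BEFORE + timedelta(days=90)
CHECK_TIME = time(3, 0)  # assumed value for time_to_check_cert

if __name__ == "__main__":
    for renew_date in (30, 31):
        fired, left = first_renewal(NOT_BEFORE, NOT_AFTER, CHECK_TIME, renew_date)
        print(f"renew_date={renew_date}: fires {fired:%Y-%m-%d %H:%M}, {left} left")
```

Because the value is truncated and compared with `<`, a threshold of N first fires with at least N-1 and less than N days left when the check runs every day. In this sample, 30 fires with 29 days 7 hours remaining and 31 fires with 30 days 7 hours remaining.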
