#OpenSSL via shell_command


fading sail
#

Hello everyone!

I used to run automation steps in Home Assistant (HA) to generate .p12 and .cer certificates using OpenSSL via shell_command. Back in January 2025, this worked because the HA container apparently included OpenSSL or allowed it somehow. Now, it fails with “command not found.”

I tried switching to the Advanced SSH & Web Terminal add-on (which does have OpenSSL) and sending commands via hassio.addon_stdin, but that no longer seems to work either—no output files are created, and no errors appear in the logs.

My questions:

  1. Is there a known way to trigger external commands (e.g., OpenSSL) from within HA when the base container doesn’t include them anymore?
  2. Does the Advanced SSH & Web Terminal add-on still allow hassio.addon_stdin commands at all?
  3. Are there alternative approaches you recommend (like a custom add-on with OpenSSL, or another method entirely) to run these certificate-generation scripts from HA?

I’d appreciate any advice on how best to automate .p12 and .cer generation now that OpenSSL is no longer available inside the HA container.

uneven wadi
#
  1. Not from within HA. You could use shell_command to SSH into another instance (which could be your SSH add-on) to run custom scripts.
  2. That was removed several years ago because it was classified as a vulnerability.
  3. You'd have to specify more details on what you're doing. There are add-ons for things like Let's Encrypt, but I'm assuming you're looking to do some type of self-signed generation based on what you've provided.
fading sail
#
  1. I'm trying to keep everything on my main HAOS.
  2. I understand, it explains why Advanced SSH & Web Terminal add-on was not responding to hassio.addon_stdin requests
  3. I'm already generating fullchain.pem and privkey.pem files using the Let's Encrypt add-on. What I want is this: when my automation activates Let's Encrypt and renews my fullchain.pem and privkey.pem files, I want a script to generate .cer and .p12 files from them, compress them into a zip file, and send it as an attachment by email. In January 2025 it was working flawlessly with shell_commands, and I could process these steps with the following shell_commands in my configuration.yaml:

    shell_command:
      move_zip_to_www: "mv /ssl/as2_donparlor.zip /config/www/as2_donparlor.zip"
      delete_zip_from_ssl: "rm -f /ssl/as2_donparlor.zip"
      delete_zip_from_www: "rm -f /config/www/as2_donparlor.zip"
      delete_cer_from_ssl: "rm -f /ssl/as2_donparlor.cer"
      compress_certificate: "bash /config/scripts/compress_certificate.sh"
      generate_p12_and_cer: "bash /config/scripts/generate_p12_and_cer.sh"

But 3 months later, it's not working anymore and I'm trying to think out of the box to find solutions.

#

Here is the automation that was running fine last January:

alias: Métro / Renouvellement et envoi de certificat v2
description: Automatisation pour renouveler, générer, compresser, et envoyer le certificat.
triggers:
  - at: "13:22:00"
    trigger: time
conditions:
  - condition: template
    value_template: >
      {{ now().strftime('%Y-%m-%d') >=
      states('input_datetime.prochaine_date_de_renouvellement') }}
actions:
  - data:
      addon: core_letsencrypt
    action: hassio.addon_start
  - delay: "00:02:00"
  - action: shell_command.generate_p12_and_cer
    data: {}
  - action: shell_command.compress_certificate
    data: {}
  - action: shell_command.move_zip_to_www
    data: {}
  - delay: "00:00:10"
  - data:
      title: Renouvellement du certificat as2 pour Métro
      message: Voici le nouveau certificat ZIP contenant le .cer.
      data:
        images:
          - /config/www/as2_donparlor.zip
    action: notify.gmail
  - action: shell_command.delete_zip_from_www
    data: {}
  - action: shell_command.delete_zip_from_ssl
    data: {}
  - action: shell_command.delete_cer_from_ssl
    data: {}
  - target:
      entity_id: input_datetime.prochaine_date_de_renouvellement
    data:
      date: |
        {{ (now() + timedelta(days=60)).strftime('%Y-%m-%d') }}
    action: input_datetime.set_datetime
mode: single

uneven wadi
#

I think the most straightforward way would be to do what I mentioned and use shell_command to SSH into the add-on and execute your command as you had before. Should be pretty much the same thing.

fading sail
#

You said: You could use shell_command to SSH into another instance (which could be your SSH add-on) to run custom scripts.

Into which add-on?

lost wadi
#

You can also just do apk add ... to install what you need before running the main command.
That looks really unclean. Perhaps it is best to execute a script instead that does something like this:

if [[ -z $(command -v commandhere) ]]; then
    apk add packagehere
fi

Rest of code here
fading sail
#

Hi everyone,
Thanks so much for all your suggestions! It turns out the simplest workaround was exactly what you mentioned: using shell_command to SSH into the Advanced SSH & Web Terminal add-on and run my scripts from there. Since OpenSSL is available inside that add-on, I can generate .p12 and .cer files again without issues.

Key steps:

  1. Set up SSH keys
  • I generated a key pair on my computer, then copied the private key into /config/ssh_keys/id_ed25519 and placed the public key in the add-on’s authorized_keys (under username: root in my case).

  • This means Home Assistant can now do ssh -i /config/ssh_keys/id_ed25519 root@<my-HA-IP> without any password.

  2. Update my shell_commands
  • Instead of calling bash /config/scripts/myscript.sh directly (which fails because the Home Assistant container no longer has OpenSSL), I replaced it with something like:
shell_command:
  generate_p12_and_cer: >
    ssh -i /config/ssh_keys/id_ed25519 -o StrictHostKeyChecking=no root@192.168.xx.xx 'bash /config/scripts/generate_p12_and_cer.sh'
  • Similarly for compressing, moving, deleting, etc. – all done by executing commands via SSH in the add-on.
  3. Use IP instead of localhost
  • From inside Home Assistant, localhost points to itself, not the SSH add-on. So I had to use my main HA IP address (e.g., 192.168.xx.xx). That way, the SSH connection actually reaches the add-on.

Now my original automation triggers Let’s Encrypt, waits two minutes, then calls those updated shell_commands. They run inside the SSH add-on, where OpenSSL is installed, and produce the .p12/.cer just like before!

Huge thanks for suggesting I “use shell_command to SSH into the add-on!” That definitely worked once I switched from hassio.addon_stdin to a standard SSH approach.
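
As an added example (not the poster's script, which the thread does not show), here is what generate_p12_and_cer.sh could do once it runs inside the SSH add-on, including the openssl presence check lost wadi suggested; the /ssl directory, the as2_donparlor base name and the /config/secrets/p12_password file are assumptions.

```shell
#!/bin/sh
# Added example (not the poster's script): turn the Let's Encrypt output
# fullchain.pem + privkey.pem into a DER .cer and a PKCS#12 .p12.
# The directory, output name and password file are assumptions.
set -eu

CERT_DIR="${CERT_DIR:-/ssl}"                                    # Let's Encrypt add-on output
OUT_BASE="${OUT_BASE:-as2_donparlor}"                           # base name used in the thread
P12_PASS_FILE="${P12_PASS_FILE:-/config/secrets/p12_password}"  # assumed location

ensure_openssl() {
    # The add-on is Alpine based; install openssl only when it is missing.
    command -v openssl >/dev/null 2>&1 || apk add --no-cache openssl
}

generate_p12_and_cer() {
    fullchain="$CERT_DIR/fullchain.pem"
    privkey="$CERT_DIR/privkey.pem"
    cer="$CERT_DIR/$OUT_BASE.cer"
    p12="$CERT_DIR/$OUT_BASE.p12"

    for f in "$fullchain" "$privkey" "$P12_PASS_FILE"; do
        [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
    done

    # Refuse to bundle a key that does not belong to the certificate.
    cert_pub=$(openssl x509 -in "$fullchain" -noout -pubkey)
    key_pub=$(openssl pkey -in "$privkey" -pubout)
    [ "$cert_pub" = "$key_pub" ] || { echo "privkey.pem does not match fullchain.pem" >&2; return 1; }

    umask 077   # the .p12 holds the private key: owner-only from the moment it is created

    # .cer: the leaf certificate only (first block of fullchain.pem), DER encoded.
    openssl x509 -in "$fullchain" -outform DER -out "$cer"

    # .p12: key plus the whole chain; password read from a file, not the command line.
    openssl pkcs12 -export -inkey "$privkey" -in "$fullchain" \
        -name "$OUT_BASE" -passout "file:$P12_PASS_FILE" -out "$p12"

    # Parse both artefacts back before reporting success to the automation.
    openssl x509 -in "$cer" -inform DER -noout
    openssl pkcs12 -in "$p12" -passin "file:$P12_PASS_FILE" -nokeys -noout
}

# Invoke as: bash generate_p12_and_cer.sh run
if [ "${1:-}" = "run" ]; then
    ensure_openssl
    generate_p12_and_cer
fi
```

Call it as `bash /config/scripts/generate_p12_and_cer.sh run` from the SSH shell_command. That shell_command is safer with a pinned known_hosts file (`-o UserKnownHostsFile=/config/ssh_keys/known_hosts`) than with `StrictHostKeyChecking=no`, which accepts whatever host key answers.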

lost wadi
#

How is this simpler than my suggestion showing an extremely trivial approach? You can also just use the hostname of the addon which stays the same rather than the HA ip.