This is still a good guide for HA Core, but when using HA Core, you might also run the Mosquitto MQTT Broker on the same machine in a secured mode (like for Owntracks or MQTT bridging). The broker will not automatically pick up changed/renewed SSL certs, so the renew_ssl shell command would probably look more like:
shell_command:
  renew_ssl: 'certbot renew --quiet --no-self-upgrade --standalone --preferred-challenges http-01 --pre-hook "sudo systemctl stop mosquitto.service" --post-hook "sudo systemctl start mosquitto.service"'
Now certbot can run without sudo if it has write access to the cert folders/files, but sudo is still needed to start/stop services (like the Mosquitto MQTT Broker), so this will hang, because the homeassistant user would be asked for a sudo password.
I didn’t want to make the homeassistant user part of the sudo group, so I used a sudoers file /etc/sudoers.d/030_homeassistant_shell_commands for this:
%homeassistant ALL=(ALL) NOPASSWD: ALL
This will allow members of the homeassistant group to use sudo without a password and should eventually be more refined (much like the old hassbian scripts' sudoers rules), because as shown it poses a certain security risk to systems that are reachable from “outside” your network.
This is just to show how it can be done, so your HA Core can automate even more things. For more detailed information, please check man sudoers.5.