403: Forbidden

I’m running hassio on a rbpi3 with Let’s Encrypt SSL. I have a domain registered that I use as the address for the pi. However, after a power loss I can no longer access my hassio through https://domain:8123… I can only access my hassio through https://192.168.1.99:8123

Nothing is wrong with the installation as far as I can see. I have reinstalled everything because the time was wrong; the problem was that the pi couldn’t reach the internet due to wrong DNS servers, so it couldn’t set the time or download updates, update addons and so on… So I reinstalled and fixed that and now I get this… Has anyone seen this before? What could be wrong?

Do you mean https://hassio.local:8123 ? If it worked you would get a certificate name error anyway. I have never been able to access HA through https://domain:8123

It looks like https://hassio:8123 also works because it points to the local network IP, I get a name error but I can continue to the logon screen just as with the IP-address.

It also works if I set a dns-override in my local “hosts”-file for 192.168.1.99 to my dns.

So now when the DNS resolves to my external IP it won’t work, but any DNS alias that resolves to the hassio local IP will work. Can it be something with the firewall? But I haven’t changed anything; the only difference is the hassio upgrade to the latest version

Update: tried to browse https://external-IP:8123 and it gives me the same error (403: Forbidden)

It is not DNS-related at all, it simply won’t work if I come from the outside anymore… :frowning: The only thing I can think of is that I upgraded my pfsense firewall to the latest version a few weeks ago…

hmm…

What does the authentication section in your configuration.yaml look like?

You mean this? I’ll try to remove IP-ban maybe…?

http:
  base_url: https://mydomain:8123
  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem
  # Secrets are defined in the file secrets.yaml
  api_password: !secret http_password
  # Uncomment this if you are using SSL/TLS, running in Docker container, etc.
  # base_url: example.duckdns.org:8123
  ip_ban_enabled: True
  login_attempts_threshold: 3

I get these in my log every time I get the 403 error I think…

2019-03-24 20:02:43 ERROR (MainThread) [homeassistant.core] Error doing job: SSL handshake failed
Traceback (most recent call last):
  File "uvloop/handles/stream.pyx", line 609, in uvloop.loop.UVStream._on_eof
  File "uvloop/sslproto.pyx", line 171, in uvloop.loop._SSLPipe.feed_ssldata
  File "/usr/local/lib/python3.7/ssl.py", line 763, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: SSLV3_ALERT_CERTIFICATE_UNKNOWN] sslv3 alert certificate unknown (_ssl.c:1056)

API password needs to be moved according to the Release Notes. Here is my authentication but I have not yet set up the api password.

  # Authentication providers
  auth_providers:
  - type: homeassistant

• http.api_password - Deprecated - Users who are still using api_password for authentication will need to move its configuration under auth_providers. Please see the updated documentation for further details. Those who don’t make this change will see an INFO level reminder in the Home Assistant logs until the fix is made for a time, but please note, api_password authentication will eventually be removed completely and we advise users to change to use one of the other authentication methods. If you manually specify auth providers in your configuration.yaml, you will need to migrate your API Password from the http section to the auth provider section to continue using it. (@awarecan - #21884) (api docs) (frontend docs) (hassio docs) (http docs) (mqtt docs) (websocket_api docs) (zeroconf docs) (camera.proxy docs)

Are the paths to your certificate & key correct? (in an ssl folder off your config folder)

( http.api_password - Deprecated)
that sounds promising

However, it seems that my external IP got banned… I got in after I set the ip_ban_enabled to False

But I can’t find any ip_bans.yaml in my config folder? Shouldn’t it be created? How can I unban if I don’t have the file?

It didn’t get banned!.. I can get to my hassio from the outside with my phone if I switch WiFi off… it is when I’m on the inside (wifi) and go to https://mydomain:8123 (which points to the external IP) that it won’t work.

If I redirect the domain name to the internal IP it works from the inside… but I want all traffic to go through my firewall so redirecting my domain to the internal IP of the RBpi is not an option…

guess I’m on deep water here…

I also added:

homeassistant:
  auth_providers:
   - type: homeassistant
   - type: legacy_api_password
     api_password: !secret http_password

the weird thing here is that everything just works if I just set the ip_ban_enabled to False

Very tempted after all these hours of searching…

the log keeps spitting out these two errors…

Error doing job: SSL handshake failed
Traceback (most recent call last):
  File "uvloop/handles/stream.pyx", line 609, in uvloop.loop.UVStream._on_eof
  File "uvloop/sslproto.pyx", line 171, in uvloop.loop._SSLPipe.feed_ssldata
  File "/usr/local/lib/python3.7/ssl.py", line 763, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: SSLV3_ALERT_CERTIFICATE_UNKNOWN] sslv3 alert certificate unknown (_ssl.c:1056)

Error doing job: SSL error errno:1 reason: SSLV3_ALERT_CERTIFICATE_UNKNOWN
Traceback (most recent call last):
  File "uvloop/sslproto.pyx", line 504, in uvloop.loop.SSLProtocol.data_received
  File "uvloop/sslproto.pyx", line 204, in uvloop.loop._SSLPipe.feed_ssldata
  File "uvloop/sslproto.pyx", line 171, in uvloop.loop._SSLPipe.feed_ssldata
  File "/usr/local/lib/python3.7/ssl.py", line 763, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: SSLV3_ALERT_CERTIFICATE_UNKNOWN] sslv3 alert certificate unknown (_ssl.c:1056)

Experiencing the same issue. Seems like a widespread problem, huge disaster for me

I’m glad I’m not alone, sadly enough… But I solved it for now by disabling IP banning, maybe it works for you too? Feels wrong but it’s either that or no home automation at all. And my home is deeply dependent on HA nowadays, it keeps my house temperature at level :slight_smile:

How to disable that? What is the effect of disabling that?

Check the http component documentation. The variable is ip_ban_enabled: false. It should be false by default

Same position as you. Everything was working absolutely fine pre 0.92.0. After that my web interface and Google Assistant (self configured, not with Nabu Casa) started to work intermittently and today I ran into this issue (403).
Basically it comes down to connectivity.

I find it odd that I do absolutely nothing and it starts working again, my IP is not banned, my public IP is updated in Cloudflare (or Route53).

I only had one IP banned on my list (I know the source and it’s fine), but it kept me from externally accessing my web interface from other IPs (for example connecting via 4G with my phone) and it also broke my Google Assistant (which had nothing to do with the banned public IP which belonged to my network).
I started using Suricata and got a new router recently, at first I blamed it… Turns out it was just mere coincidence, after a couple weeks of issues here and there I tracked it down to being an HA issue only. Not the firewall, not cloudflare, not NGINX, not Google API, etc.
So far disabling the IP ban as you suggested seems to be working. In 2 years of having Home Assistant I haven’t had an unrecognized banned IP so hopefully I’ll be fine.

Just had a power loss myself and now have this issue. So weird.

Had to remove the banned entry in the ip_bans.yaml file, my home’s external IP was banned.

Odd because I just had an SD card failure and had to rebuild everything from my GitHub repository… (snapshot didn’t restore everything onto the new card :() Now I’m getting this error, too. Will try to turn off IP banning when I get home.

Hmm, I find it kind of weird for so many people to have the same issue since I had it the first time. I thought there would be some fix for this by now, or at least some explanation. I have stopped upgrading since ver 0.90 because of these problems. I’m afraid that if I upgrade the issues will be worse and I don’t have the time to fiddle unfortunately. I’ll buy a new SD next time I upgrade just in case :slight_smile:

Hi, just had the same situation (a year later).
Thanks for the tips about the banned IP; my external IP existed in ip_bans.yaml.
After I removed it, everything works again.
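
An added example, not part of the thread and not Home Assistant's own code: a check of ip_bans.yaml for bans that hit your own addresses, which is what several posters above ended up finding. It assumes the file holds one address key per ban with a banned_at timestamp beneath it; the sample addresses, timestamps and function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample in the assumed ip_bans.yaml layout (not real data).
SAMPLE_IP_BANS = """\
198.51.100.7:
  banned_at: '2019-03-24T19:58:01'
203.0.113.45:
  banned_at: '2019-03-24T20:02:43'
192.168.1.1:
  banned_at: '2019-03-24T20:05:10'
"""

ENTRY = re.compile(r"^['\"]?([0-9A-Fa-f:.]+)['\"]?:\s*$")
BANNED_AT = re.compile(r"^\s+banned_at:\s*['\"]?([^'\"]+?)['\"]?\s*$")


def parse_ip_bans(text):
    """Return {ip_address: banned_at} parsed from ip_bans.yaml text."""
    bans, current = {}, None
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            current = ipaddress.ip_address(m.group(1))
            bans[current] = None
            continue
        m = BANNED_AT.match(line)
        if m and current is not None:
            bans[current] = m.group(1)
    return bans


def find_own_bans(bans, own_networks):
    """List banned addresses that fall inside networks you own.

    own_networks takes single addresses (your external IP) or CIDR
    ranges (your LAN), e.g. ["203.0.113.45", "192.168.1.0/24"].
    """
    nets = [ipaddress.ip_network(n, strict=False) for n in own_networks]
    return sorted(str(ip) for ip in bans if any(ip in net for net in nets))


def remove_bans(text, addresses):
    """Return ip_bans.yaml text with the given addresses dropped."""
    drop = {ipaddress.ip_address(a) for a in addresses}
    keep = {ip: ts for ip, ts in parse_ip_bans(text).items() if ip not in drop}
    return "".join(f"{ip}:\n  banned_at: '{ts}'\n" for ip, ts in keep.items())
```

Bans on unrelated addresses are left in place, so ip_ban_enabled can stay on once your own entries are removed.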