<IfModule mod_ssl.c>
<VirtualHost *:443>
ProxyPreserveHost On
ProxyRequests Off
ServerName servername
ServerAdmin mymail
# Let's Encrypt for external SSL
SSLEngine On
SSLCertificateFile /etc/letsencrypt/live/xx.xx.de/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/xx.xx.de/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/xx.xx.de/chain.pem
Include /etc/letsencrypt/options-ssl-apache.conf
# Signed with my own signing authority. malte.crt added but it's also installed.
SSLProxyEngine On
SSLProxyCACertificateFile /usr/local/share/ca-certificates/malte.crt
# Makes no difference if on or off
SSLProxyCheckPeerName Off
#SSLProxyCheckPeerExpire On
# I tested ws:// and wss:// but no difference
ProxyPass /api/websocket wss://serv:443/api/websocket
ProxyPassReverse /api/websocket wss://serv:443/api/websocket
ProxyPass / https://serv:443/
ProxyPassReverse / https://serv:443/
</VirtualHost>
</IfModule>
Upon connection the Apache error log shows:
[Thu Aug 17 07:49:28.575671 2017] [proxy:error] [pid 20692] (502)Unknown error 502: [client xx.xx.xxx.xxx:53950] AH01084: pass request body failed to 172.16.1.102:443 (serv), referer: https://xx.xx.de/
[Thu Aug 17 07:49:28.575850 2017] [proxy:error] [pid 20692] [client xx.xx.xxx.xxx:53950] AH00898: Error during SSL Handshake with remote server returned by /static/custom-elements-es5-adapter.js, referer: https://xx.xx.de/
[Thu Aug 17 07:49:28.575933 2017] [proxy_http:error] [pid 20692] [client xx.xx.xxx.xxx:53950] AH01097: pass request body failed to 172.16.1.102:443 (serv) from xx.xx.xxx.xxx (), referer: https://xx.xx.de/
[Thu Aug 17 07:49:28.709895 2017] [proxy:error] [pid 20685] (502)Unknown error 502: [client xx.xx.xxx.xxx:53952] AH01084: pass request body failed to 172.16.1.102:443 (serv), referer: https://xx.xx.xx/
[Thu Aug 17 07:49:28.710064 2017] [proxy:error] [pid 20685] [client xx.xx.xxx.xxx:53952] AH00898: Error during SSL Handshake with remote server returned by /static/webcomponents-lite.js, referer: https://xx.xx.de/
[Thu Aug 17 07:49:28.710144 2017] [proxy_http:error] [pid 20685] [client xx.xx.xxx.xxx:53952] AH01097: pass request body failed to 172.16.1.102:443 (serv) from xx.xx.xxx.xxx (), referer: https://xx.xx.de/
[Thu Aug 17 07:49:29.487714 2017] [proxy:error] [pid 20686] (502)Unknown error 502: [client xx.xx.xxx.xxx:53954] AH01084: pass request body failed to 172.16.1.102:443 (serv)
[Thu Aug 17 07:49:29.487907 2017] [proxy:error] [pid 20686] [client xx.xx.xxx.xxx:53954] AH00898: Error during SSL Handshake with remote server returned by /service_worker.js
[Thu Aug 17 07:49:29.487986 2017] [proxy_http:error] [pid 20686] [client xx.xx.xxx.xxx:53954] AH01097: pass request body failed to 172.16.1.102:443 (serv) from xx.xx.xxx.xxx ()
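Each failed request produces three lines (AH01084, AH00898, AH01097) that only say the request body could not be passed because the TLS handshake with the backend failed; the reason is logged by mod_ssl at info level, not at the default level. As an added example (not from the thread or from Home Assistant), here is a small Python triage script that groups these lines by worker pid and client, names the backend that refused the handshake, and extracts the cause from an AH02005 line when one exists. The sample log is constructed from lines quoted in this thread; the ssl:info line is the one that shows up later in the thread once LogLevel is raised.

```python
import json
import re
from collections import defaultdict

# Constructed sample for this example: the error-level lines quoted in the thread plus
# the ssl:info line (AH02005) that only appears once LogLevel is raised.
SAMPLE_LOG = """\
[Thu Aug 17 07:49:28.575671 2017] [proxy:error] [pid 20692] (502)Unknown error 502: [client xx.xx.xxx.xxx:53950] AH01084: pass request body failed to 172.16.1.102:443 (serv), referer: https://xx.xx.de/
[Thu Aug 17 07:49:28.575850 2017] [proxy:error] [pid 20692] [client xx.xx.xxx.xxx:53950] AH00898: Error during SSL Handshake with remote server returned by /static/custom-elements-es5-adapter.js, referer: https://xx.xx.de/
[Thu Aug 17 07:49:28.575933 2017] [proxy_http:error] [pid 20692] [client xx.xx.xxx.xxx:53950] AH01097: pass request body failed to 172.16.1.102:443 (serv) from xx.xx.xxx.xxx (), referer: https://xx.xx.de/
[Thu Aug 17 07:49:29.487714 2017] [proxy:error] [pid 20686] (502)Unknown error 502: [client xx.xx.xxx.xxx:53954] AH01084: pass request body failed to 172.16.1.102:443 (serv)
[Thu Aug 17 07:49:29.487907 2017] [proxy:error] [pid 20686] [client xx.xx.xxx.xxx:53954] AH00898: Error during SSL Handshake with remote server returned by /service_worker.js
[Thu Aug 17 07:49:29.487986 2017] [proxy_http:error] [pid 20686] [client xx.xx.xxx.xxx:53954] AH01097: pass request body failed to 172.16.1.102:443 (serv) from xx.xx.xxx.xxx ()
[Mon Aug 21 20:57:47.824662 2017] [ssl:info] [pid 9526] [remote 172.16.1.10:443] AH02005: SSL Proxy: Peer certificate CN mismatch: Certificate CN: serv Requested hostname: xx.xx.de
"""

# One Apache 2.4 error-log line: timestamp, module:level, pid, an optional "(errno)text: "
# prefix, an optional [client ...] or [remote ...] tag, then the AHxxxxx code and message.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<module>\w+):(?P<level>\w+)\] \[pid (?P<pid>\d+)\] "
    r"(?:\(\d+\)[^:]*: )?"
    r"(?:\[(?:client|remote) (?P<peer>[^\]]+)\] )?"
    r"(?P<code>AH\d{5}): (?P<msg>.*)$"
)
BACKEND_RE = re.compile(r"failed to (?P<backend>\S+) \((?P<name>[^)]+)\)")
PATH_RE = re.compile(r"returned by (?P<path>\S+?)(?:,|$)")
CN_RE = re.compile(r"Certificate CN: (?P<cn>\S+) Requested hostname: (?P<req>\S+)")


def parse_line(line):
    """Return a dict of fields for one error-log line, or None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    msg = rec["msg"]
    b = BACKEND_RE.search(msg)
    if b:
        rec["backend"], rec["backend_name"] = b.group("backend"), b.group("name")
    p = PATH_RE.search(msg)
    if p:
        rec["path"] = p.group("path")
    c = CN_RE.search(msg)
    if c:
        rec["cert_cn"], rec["requested"] = c.group("cn"), c.group("req")
    return rec


def triage(log_text):
    """Correlate the AH01084/AH00898/AH01097 triplets by (pid, client) so every
    handshake failure is tied to its backend and request path, and collect any
    AH02005 cause lines that a raised LogLevel produced."""
    groups = defaultdict(list)
    causes = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["code"] == "AH02005":
            causes.append((rec["cert_cn"], rec["requested"]))
        groups[(rec["pid"], rec["peer"])].append(rec)

    failures = []
    for (pid, peer), recs in groups.items():
        handshakes = [r for r in recs if r["code"] == "AH00898"]
        if not handshakes:
            continue
        backend = next((r["backend"] for r in recs if "backend" in r), "?")
        for r in handshakes:
            failures.append({"client": peer, "backend": backend, "path": r.get("path")})

    summary = {
        "failures": failures,
        "backends": sorted({f["backend"] for f in failures}),
        "causes": causes,
    }
    if causes:
        cn, req = causes[0]
        summary["hint"] = (f"backend certificate is for '{cn}' but the proxy requested '{req}'; "
                           f"reissue the certificate with a SAN that covers '{req}'")
    elif failures:
        summary["hint"] = ("handshake failed but no ssl:info cause line was logged; "
                           "raise LogLevel (e.g. 'LogLevel info') and reconnect")
    else:
        summary["hint"] = "no proxy handshake failures found"
    return summary


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

Run it against a real error log by replacing `SAMPLE_LOG` with the file contents; the `hint` field tells you whether the cause is already visible or whether the log level still has to be raised first.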
It appears as if you have created some sort of loop in your Apache configuration.
Apache is listening on port 443, so HA cannot listen on the same port, but that’s where you sent the proxy requests to.
You are saying that you have enabled SSL in HA as well, so what port is HA listening on? That port number needs to go into the serv:443 part in all the proxy pass directives.
I don’t believe I created a loop, because the Apache proxy is physically a different machine than the machine HA is running on. So it looks like:
Internet -----> Apache Proxy pc ------> HA pc (serv)
Therefore it should be fine if both proxy and HA run on port 443. Or am I wrong?
The error messages indicate that the issue happens during the SSL handshake, i.e. while the secure connection is being established. Since your HA certificate is self signed, Apache may stumble upon that. You could increase the log level and see if that shows any more detail why the handshake fails.
Ahh, that was the hint I needed. I thought Apache was already logging everything, but it has log levels as well ^^. So I found the issue. I needed to add:
SSLProxyCheckPeerCN Off to my config. Now it works.
I found out by adding LogLevel info to my config and then I reconnected. Afterwards I could find:
[Mon Aug 21 20:57:47.824662 2017] [ssl:info] [pid 9526] [remote 172.16.1.10:443] AH02005: SSL Proxy: Peer certificate CN mismatch: Certificate CN: serv Requested hostname: xx.xx.de
in my log file. And then a cross-check with the Apache documentation showed that there is the option SSLProxyCheckPeerCN to toggle this.
So the next step would be to find out how to fix this for real instead of just turning it off. I issued the certificate signing request with a Common Name of serv because that is the name of the machine HA is running on. Looking at the log, I assume Apache tries to connect via IP address, and that obviously fails, because it’s not the CN of the certificate.
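The AH02005 line already answers the question: the certificate carries only CN=serv, while the proxy requested xx.xx.de. With ProxyPreserveHost On, Apache forwards the client's Host header to the backend and uses that name for the peer-certificate check, so the proxy is not connecting by IP address but by the public name. The fix that keeps the check switched on is a backend certificate whose subjectAltName lists every name the proxy may request. The following added Python example (not code from the thread or from Home Assistant) builds a throwaway private CA in the role of malte.crt, issues such a certificate with the openssl command line, and then performs a local TLS handshake in which the client plays mod_ssl's role: it trusts only that CA, sends the requested name as SNI and rejects the certificate when that name is not covered. The CA name, file names and the loopback port are assumptions made for the example; "serv", "xx.xx.de" and 172.16.1.102 come from the thread.

```python
import os
import socket
import ssl
import subprocess
import tempfile
import threading

# Names and IP the backend certificate must cover. "serv", "xx.xx.de" and 172.16.1.102
# are from the thread; the CA name and file names below are placeholders for this example.
BACKEND_NAMES = ["serv", "xx.xx.de"]
BACKEND_IP = "172.16.1.102"


def _openssl(*args):
    """Run one openssl command and fail loudly (assumes the openssl CLI is installed)."""
    subprocess.run(("openssl",) + args, check=True, capture_output=True)


def issue_backend_cert(workdir, names, ip):
    """Create a private CA (what malte.crt is in the thread) and sign a backend
    certificate whose subjectAltName lists every name the proxy may request."""
    ca_key, ca_crt = os.path.join(workdir, "ca.key"), os.path.join(workdir, "ca.crt")
    _openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "365",
             "-keyout", ca_key, "-out", ca_crt, "-subj", "/CN=example-internal-ca")

    key = os.path.join(workdir, "serv.key")
    csr = os.path.join(workdir, "serv.csr")
    crt = os.path.join(workdir, "serv.crt")
    # CN alone is what the thread's certificate had; the name check also needs a SAN.
    _openssl("req", "-newkey", "rsa:2048", "-nodes", "-keyout", key, "-out", csr,
             "-subj", "/CN=" + names[0])

    ext = os.path.join(workdir, "san.cnf")
    san = ",".join(["DNS:" + n for n in names] + ["IP:" + ip])
    with open(ext, "w") as f:
        f.write("subjectAltName=" + san + "\n")
    _openssl("x509", "-req", "-days", "365", "-in", csr, "-CA", ca_crt, "-CAkey", ca_key,
             "-CAcreateserial", "-extfile", ext, "-out", crt)
    return ca_crt, crt, key


def handshake_as_proxy(ca_crt, crt, key, requested_name):
    """Local TLS handshake on 127.0.0.1. The server presents crt/key; the client plays
    the proxy: it trusts only ca_crt, sends requested_name as SNI and checks the
    certificate against that name (what SSLProxyCheckPeerName On does).
    Returns "ok" or "mismatch"."""
    srv_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    srv_ctx.load_cert_chain(crt, key)
    cli_ctx = ssl.create_default_context(cafile=ca_crt)  # CERT_REQUIRED + check_hostname

    listener = socket.socket()
    listener.settimeout(5)  # never hang the example if the client side fails early
    listener.bind(("127.0.0.1", 0))  # ephemeral port chosen by the OS
    listener.listen(1)
    port = listener.getsockname()[1]

    def serve_once():
        try:
            conn, _ = listener.accept()
            with srv_ctx.wrap_socket(conn, server_side=True) as tls:
                tls.recv(1)
        except (ssl.SSLError, OSError):
            pass  # the client rejected our certificate; expected on a name mismatch

    server = threading.Thread(target=serve_once)
    server.start()
    try:
        with socket.create_connection(("127.0.0.1", port)) as raw:
            with cli_ctx.wrap_socket(raw, server_hostname=requested_name) as tls:
                tls.sendall(b"x")
        return "ok"
    except ssl.SSLCertVerificationError:
        return "mismatch"
    finally:
        server.join()
        listener.close()


def demo():
    """Issue the certificate and try each name the proxy might request."""
    with tempfile.TemporaryDirectory() as work:
        ca_crt, crt, key = issue_backend_cert(work, BACKEND_NAMES, BACKEND_IP)
        return {name: handshake_as_proxy(ca_crt, crt, key, name)
                for name in BACKEND_NAMES + ["other.internal"]}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:16} {result}")
```

Once the backend certificate covers these names, the proxy side can leave SSLProxyCheckPeerName On. Note also that SSLProxyCACertificateFile only enforces anything together with SSLProxyVerify require (the directive's default is none); with the name check switched off and the default verify mode, Apache does not reject any certificate the backend presents.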
Your configuration is bad because you encrypt TLS twice: client <–tls–>apache <–tls–> hass
I’m proposing to you this scheme: client <–tls–>apache <–http–> hass
<VirtualHost *:443>
ProxyPreserveHost On
ProxyRequests Off
ServerName domain.com
SSLProxyEngine On
ProxyPass "/" "http://localhost:8123/"
ProxyPassReverse "/" "http://localhost:8123/"
RewriteEngine on
RewriteCond %{HTTP:UPGRADE} ^WebSocket$ [NC]
RewriteCond %{HTTP:CONNECTION} ^Upgrade$ [NC]
RewriteRule .* ws://localhost:8123%{REQUEST_URI} [P]
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/domain.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/domain.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/domain.com/chain.pem
ErrorLog /var/log/apache2/domain.com.error.log
TransferLog /var/log/apache2/domain.com.access.log
</VirtualHost>
<VirtualHost *:80>
ServerName domain.com
ServerSignature Off
RewriteEngine on
RewriteCond %{HTTPS} !=on
RewriteRule .* https://%{SERVER_NAME}%{REQUEST_URI} [NE,R,L]
</VirtualHost>
Have you set up the “home…” hostname with DDNS or does that service support wildcard subdomains? Have you added a virtual host configuration entry for that new hostname in Apache? Have you set up an SSL certificate for that new hostname? Are requests to that hostname arriving at Apache? Have you followed the documentation to set up the proxypass rules that forward all requests to HA?
I’m looking for the same configuration.
Unfortunately the Apache Proxy manual is not useful for me.
Main_domain working well on 443. But https connection not working for hassio, because start with main_domain certs…
Is it working scheme if hassio start on different PC (pri3)? Looks like working only on the same localhost.