That’s the way https works - you are REQUIRED to use the external address as used to generate the certificate or https will refuse to connect.
i connect locally with http and not with https.
i don't know if you can do that how you have setup now, but if you can then that would be the smartest way.
if setup like that AD doesn't need to go on the internet to come back to your local network to connect to HA.
so you will gain in speed and AD will still work if the internet is down.
I have used HA with appdaemon using https but with the external address without problem until I lost my internet connection at home during several days. The appdaemon goes down and my home automation with HA becomes unusable.
Thus using an external address with https is not reliable for my home automation.
I have used both the
- cert_path: <path/to/root/CA/cert>
- cert_verify: False
in the configuration file appdaemon.yaml, but it does not work.
Debugging appdaemon, the problem appears in line 1207 of appdaemon.py
    sslopt = {}
    if conf.certpath:
        sslopt['ca_certs'] = conf.certpath
    ws = create_connection(
        "{}/api/websocket".format(url), sslopt=sslopt
    )
during the call create_connection.
From the documentation of websocket, to disable the ssl cert verification, you have to supply the following option sslopt:
    sslopt={"cert_reqs": ssl.CERT_NONE}
By adding this line before the call to create_connection (and importing ssl),
    import ssl
    ..........
    sslopt['cert_reqs'] = ssl.CERT_NONE
I was able to run appdaemon using a local internet address with https.
Maybe this should be included in the next release with a test of the parameter cert_verify.
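The cert_path / cert_verify handling discussed in this post, as an added example (not AppDaemon's actual code): `build_sslopt` and `to_context` are hypothetical helpers, and `ca_certs`, `cert_reqs` and `check_hostname` are websocket-client `sslopt` keys. It shows the alternative to switching verification off, which is to keep it on and trust the CA file named by cert_path.

```python
import ssl


def build_sslopt(cert_path=None, cert_verify=True):
    """Map appdaemon.yaml's cert_path / cert_verify to a websocket-client sslopt dict.

    Hypothetical helper for illustration; parameter names follow the thread.
    """
    sslopt = {}
    if cert_path:
        # Trust only this CA bundle, e.g. the root CA that signed HA's certificate.
        sslopt["ca_certs"] = cert_path
    if cert_verify is False:
        # Explicit opt-out: no chain validation and no hostname check.
        sslopt["cert_reqs"] = ssl.CERT_NONE
        sslopt["check_hostname"] = False
    else:
        sslopt["cert_reqs"] = ssl.CERT_REQUIRED
    return sslopt


def to_context(sslopt):
    """Build the equivalent stdlib SSLContext so the effect can be inspected offline."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if sslopt.get("cert_reqs") == ssl.CERT_NONE:
        # check_hostname must be cleared before verify_mode can be CERT_NONE.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    elif "ca_certs" in sslopt:
        ctx.load_verify_locations(cafile=sslopt["ca_certs"])
    else:
        ctx.load_default_certs()
    return ctx


if __name__ == "__main__":
    for verify in (True, False):
        opts = build_sslopt(cert_verify=verify)
        ctx = to_context(opts)
        print(verify, opts, ctx.verify_mode, ctx.check_hostname)
```

With cert_verify set to False the connection is still encrypted, but AppDaemon no longer authenticates the server it is talking to.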
OK, thanks for your research - this will be in the next version (Probably the v3 Beta, releasing early in the new year).
A.
but why?
why would anyone want to use certification inside his private network?
certification is to secure a secure connection between client and server.
and i may hope that ANY connection inside your own network is secured.
as i see it:
certification inside a secure network:
advantages:
- none
disadvantages:
- slowing down the speed
- more difficult to setup
- it creates difficulties with combining in and outside because in most situations only 1 port can be secure.
The problem is if you use https to access HA from outside, you have to use https even from your local network. You cannot use http from your local network.
As appdaemon needs to access HA, the only way is to use https but without certification for the connection between appdaemon and HA
i access HA from outside with https and from inside with http.
the way to set that up: (and avoid the risk of having your automations stop when the internet is down)
I agree with Rene and have a similar setup, it makes everything simpler AND more resilient.
Can you please share your nginx conf?
depends on what you want.
i have HA and AD enabled by NGINX.
but i have no need for dashboard outside my network, so i didn't enable that.
this is my NGINX setup for the moment:
# Redirect all plain-HTTP requests to HTTPS
server {
    listen 80;
    server_name *.duckdns.org;
    # $host is the name the client requested; $server_name would expand to the literal "*.duckdns.org"
    return 301 https://$host$request_uri;
}
# TLS termination in front of Home Assistant and AppDaemon
server {
    listen 443 ssl;  # the "ssl" flag replaces the deprecated "ssl on;" directive
    server_name YOURNAME.duckdns.org;
    ssl_certificate /etc/letsencrypt/live/YOURNAME.duckdns.org/fullchain.pem; # /etc/nginx/cert.crt;
    ssl_certificate_key /etc/letsencrypt/live/YOURNAME.duckdns.org/privkey.pem; # /etc/nginx/cert.key;
    ssl_session_cache shared:SSL:10m;
    ssl_protocols TLSv1.2 TLSv1.3;  # TLSv1.1 is deprecated
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
    ssl_prefer_server_ciphers on;
    proxy_buffering off;
    # Home Assistant; the Upgrade/Connection headers let the websocket API through
    location / {
        proxy_pass http://HA_IP:8123;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
    # AppDaemon API
    location /api/appdaemon/ {
        allow all;
        proxy_pass http://AD_IP:5051;
        proxy_set_header Host $host;
        proxy_redirect http:// http://;
    }
}
Hey @aimc, is this in the beta? I’m experiencing the same issue.
I have cert_verify = False and still getting “certificate verify failed” in the error log.
Running latest beta of appdaemon.
cert_verify is deprecated, but the current beta does this by default. What error are you getting?
I just followed the docs and cert_verify was there…
This is the full error I’m getting:
2018-02-11 21:06:13.057974 WARNING AppDaemon: Traceback (most recent call last):
  File "c:\users\shlomi\appdata\local\programs\python\python35\lib\site-packages\urllib3\connectionpool.py", line 601, in urlopen
    chunked=chunked)
  File "c:\users\shlomi\appdata\local\programs\python\python35\lib\site-packages\urllib3\connectionpool.py", line 346, in _make_request
    self._validate_conn(conn)
  File "c:\users\shlomi\appdata\local\programs\python\python35\lib\site-packages\urllib3\connectionpool.py", line 850, in _validate_conn
    conn.connect()
  File "c:\users\shlomi\appdata\local\programs\python\python35\lib\site-packages\urllib3\connection.py", line 326, in connect
    ssl_context=context)
  File "c:\users\shlomi\appdata\local\programs\python\python35\lib\site-packages\urllib3\util\ssl_.py", line 329, in ssl_wrap_socket
    return context.wrap_socket(sock, server_hostname=server_hostname)
  File "c:\users\shlomi\appdata\local\programs\python\python35\lib\ssl.py", line 385, in wrap_socket
    _context=self)
  File "c:\users\shlomi\appdata\local\programs\python\python35\lib\ssl.py", line 760, in __init__
    self.do_handshake()
  File "c:\users\shlomi\appdata\local\programs\python\python35\lib\ssl.py", line 996, in do_handshake
    self._sslobj.do_handshake()
  File "c:\users\shlomi\appdata\local\programs\python\python35\lib\ssl.py", line 641, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:720)
Damn, not one of those lines is in my code so I’m not sure where to start. One question, are you using SSE or Websockets?
Can you post the entire log from startup so I can figure out how far it got, ideally with “-D DEBUG” set on the command line…
EDIT: I was wrong about the cert verify param, it is still in the code.
I found myself facing the same problem as mentioned in this thread that Appdaemon stops working when internet connection is lost. I installed Nginx and got it to work with Hass, though Appdaemon won’t connect to Hass locally (they run on the same server).
Will you also share the relevant part of your appdaemon.yaml and configuration.yaml? I need help to see if I missed something.
my appdaemon.yaml won't really help you.
but when you share yours i can tell what is wrong (if any)
do you have SSL activated in Hass? in that case you need to deactivate that.
everything about https and ssl should be removed from appdaemon.yaml and configuration.yaml
it's also helpful if you tell in which way you did install hass and AD. (hassio, venv, docker)
Very kind of you!
As far as I can see, no ssl is activated in Hass. All the ssl-offloading should be handled by Nginx, which is hosted on the same server. Hass and Appdaemon are run in separate venvs.
Here are the relevant parts of my configuration files:
configuration.yaml
    http:
      server_host: 127.0.0.1
      use_x_forwarded_for: true
      trusted_proxies: 127.0.0.1
appdaemon.yaml
    appdaemon:
      plugins:
        HASS:
          type: hass
          ha_url: https://my_hass_url
          token: !secret token
With the above configuration the complete system works, though when internet goes down, appdaemon loses its connection to hass and therefore stops functioning.
I guess that the setting below should be something else, since appdaemon still connects to Hass via the internet.
ha_url: https://my_hass_url
ha_url should be your local url
so something like:
ha_url: http://192.168.178.x:8123
to make sure that you got a working url, test the url in a browser.
Thank you!
Your suggestion was part of the solution. What finally made it all work was a series of alterations.
1. Proxy Pass
According to https://www.home-assistant.io/docs/ecosystem/nginx/ proxy_pass in nginx.conf should be set as.
proxy_pass http://127.0.0.1:8123;
Though, in your example above it was set as.
proxy_pass http://HA_IP:8123;
Setting it as http://HA_IP:8123; worked.
2. Server host
When proxy_pass was set as http://HA_IP:8123, server_host in configuration.yaml had to be set accordingly as.
server_host: HA_IP
that is - not as:
server_host: 127.0.0.1
3. HA Url
Finally, ha_url in appdaemon.yaml was set as.
ha_url: http://HA_IP:8123
Again, thanks so much!
you're welcome. now appdaemon will work also when your internet goes down.