Assistance requested with inability to access via SSL connection or utilise TOTP

Good morning all,

After exhausting every option I can think of I’m hoping that someone on these forums will have more knowledge than I and will be able to point me in the right direction.

A little while ago (not quite sure when - I’ve been away with work) I ceased to be able to access HA from external to my network, which has been working without issue since install multiple versions ago (somewhere in the 70s or early 80s). I get the login page, log in with the appropriate credentials and then get the “Unable to connect to Home Assistant. Retry” page.

I can still log in with no issues by using the local IP address of the HA server.

All my searching pointed to a defect with the Nginx reverse proxy. I’ve tried everything that I can see in those threads with no success. However, the relevant section of my Nginx configuration file is:

server {
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

upstream php-handler {
        server 127.0.0.1:9000;
        #server unix:/var/run/php5-fpm.sock;
}

#####OTHER SITES HERE####

    listen       443 ssl;
    server_name  [externaladdress];

    ssl on;
    ssl_certificate [internal path] # managed by Certbot
    ssl_certificate_key [internal path] # managed by Certbot

       ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
       ssl_prefer_server_ciphers on;
       ssl_dhparam /etc/ssl/certs/dhparam.pem;
       ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES$
       ssl_session_timeout 1d;
       ssl_session_cache shared:SSL:50m;
       ssl_stapling on;
       ssl_stapling_verify on;
       add_header Strict-Transport-Security max-age=15768000;

    proxy_buffering off;

    access_log /var/log/nginx/ha_access.log;
    error_log /var/log/nginx/ha_error.log;

    location / {
        proxy_pass http://[myinternalip];
    proxy_http_version  1.1;
    proxy_cache_bypass  $http_upgrade;

    proxy_set_header Upgrade           $http_upgrade;
    proxy_set_header Connection        "";
    proxy_set_header Host              $host;
    proxy_set_header X-Real-IP         $remote_addr;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Host  $host;
    proxy_set_header X-Forwarded-Port  $server_port;
    }

    location /api/websocket {
        proxy_pass http://[myinternalip]/api/websocket;

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

However, in the last 48 hours I tried to access HA from a different device and had to put in my one-time code using Google Authenticator. It failed.
I deleted the requirement from the command line so I could log in, then tried to re-enable it, to which I got the response “invalid code” during the setup process.

I thought there might be a time-based issue (cryptographic seed) so I checked the time on the server and the docker container and they both match the real-world time. Leaving that as a dead end.

So I’m out of ideas and hoping someone else might be able to suggest something else I can try.

The details you will probably need:

  • Installation method: Docker
  • Current Version: 109.6

Docker compose:

version: "2.1"
services:
  homeassistant:
    container_name: homeassistant
    image: homeassistant/raspberrypi3-homeassistant:stable
    network_mode: "host"
    ports:
      - 8123:8123
    volumes:
      - /home/homeassistant/.homeassistant:/config
      - /etc/localtime:/etc/localtime:ro
      - /etc/timezone:/etc/timezone:ro
    restart: unless-stopped #on-failure
    depends_on:
      mosquitto:
        condition: service_started
    healthcheck:
      test: ["CMD", "curl", "-f", "http://127.0.0.1:8123"]
      interval: 30s
      timeout: 10s
      retries: 6

Relevant bits of the HA Configuration file:

homeassistant:
  # Name of the location where Home Assistant is running
  #name: Home
  # Location required to calculate the time the sun rises and sets
  #latitude: !secret lat
  #longitude: !secret long
  # Impacts weather/sunrise data (altitude above sea level in meters)
  #elevation: 85
  # metric for Metric, imperial for Imperial
  #unit_system: metric
  # Pick yours from here: http://en.wikipedia.org/wiki/List_of_tz_database_time_zones
  # time_zone: Australia/Sydney
  # Customization file
  customize: !include customize.yaml
  auth_providers:
    - type: homeassistant

http:
  # api_password: !secret http_password
  # Uncomment this if you are using SSL/TLS, running in Docker container, etc.
  base_url: https://[correct external address]
  # use_x_forwarded_for: true
  # trusted_proxies: 

Thank you everyone, I really appreciate the assistance.
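
A way to test the clock-drift theory from the post more precisely than comparing clocks by eye, as an added example that is not part of the original post and is not Home Assistant's own code: this RFC 6238 TOTP implementation reports how many 30-second steps separate the authenticator's clock from the server's when a code is rejected. The function names are hypothetical and the secret is the published RFC 6238 test key, not a real one.

```python
import base64, hashlib, hmac, struct

STEP = 30  # RFC 6238 default time step, in seconds

def decode_secret(b32: str) -> bytes:
    """Authenticator secrets are base32, often shown unpadded and with spaces."""
    s = b32.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))

def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def totp(key: bytes, unix_time: float, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter set to the number of elapsed time steps."""
    return hotp(key, int(unix_time) // STEP, digits)

def find_skew(key: bytes, code: str, server_time: float, max_steps: int = 20):
    """Return n such that `code` is valid n steps away from the server's current
    step (n > 0: authenticator clock is ahead), or None if no step matches."""
    base = int(server_time) // STEP
    for n in sorted(range(-max_steps, max_steps + 1), key=abs):
        if hmac.compare_digest(hotp(key, base + n, len(code)), code):
            return n
    return None  # wrong secret, wrong digit count, or drift beyond max_steps

if __name__ == "__main__":
    # Constructed input: RFC 6238 test key (ASCII "12345678901234567890").
    key = decode_secret("GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ")
    server_now = 1111111109                  # constructed server timestamp
    code = totp(key, server_now + 2, 8)      # authenticator two seconds ahead
    n = find_skew(key, code, server_now)
    if n is None:
        print("no match: suspect the stored secret, not the clock")
    else:
        print(f"code matches at {n:+d} steps ({n * STEP:+d} s relative to server)")
```

A result of `None` with a generous `max_steps` points away from time drift and towards a mismatch between the secret stored on the server and the one enrolled in the authenticator app.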