Can’t get SSL working

Having a bit of a nightmare getting SSL working - I need it for the SmartThings integration.
I had it working, but my HA got broken when the VM ran out of space and corrupted one of the docker containers.
After a clean build, and restoring the snapshot, not all the dockers start unless I comment out the lines for SSL.

Redacted config entry:

http:
base_url: https://ha.mydomain.com:8123
ssl_certificate: /config/certificate.pem
ssl_key: /config/privkey.pem
use_x_forwarded_for: true
trusted_proxies:
- 192.168.0.102

(Indents are there but not showing here for some reason.)
The certificates are Let’s Encrypt certs that my reverse proxy (nginx) renews, and I have a script that copies them over when they get updated.

No changes have been made to NGINX (this was working perfectly) so I am assuming the issue is somewhere in my config, or permissions.

If I comment out the SSL parts (and below) it works fine over plain old HTTP.

From the host logs:
Sep 15 16:31:35 hassio dockerd[439]: time="2019-09-15T16:31:35.780073752+01:00" level=info msg="Container f6fdf77b3663c6549fabade6838a171281b5cd8c131aa1507cbcbc538d19d4bb failed to exit within 60 seconds of signal 15 - using the force"
Sep 15 16:31:37 hassio containerd[377]: time="2019-09-15T16:31:37.083757254+01:00" level=info msg="shim reaped" id=f6fdf77b3663c6549fabade6838a171281b5cd8c131aa1507cbcbc538d19d4bb
Sep 15 16:31:37 hassio dockerd[439]: time="2019-09-15T16:31:37.100136538+01:00" level=info msg="ignoring event" module=libcontainerd namespace=moby topic=/tasks/delete type="*events.TaskDelete"
Sep 15 16:31:37 hassio dockerd[439]: time="2019-09-15T16:31:37.133059103+01:00" level=warning msg="f6fdf77b3663c6549fabade6838a171281b5cd8c131aa1507cbcbc538d19d4bb cleanup: failed to unmount IPC: umount /var/lib/docker/containers/f6fdf77b3663c6549fabade6838a171281b5cd8c131aa1507cbcbc538d19d4bb/mounts/shm, flags: 0x2: no such file or directory"
Sep 15 16:31:37 hassio containerd[377]: time="2019-09-15T16:31:37.332694448+01:00" level=info msg="shim containerd-shim started" address="/containerd-shim/moby/f6fdf77b3663c6549fabade6838a171281b5cd8c131aa1507cbcbc538d19d4bb/shim.sock" debug=false pid=12974

and in supervisor logs

Because you’re quoting instead of using code tags.

Why aren’t you using nginx for your SSL and don’t bother with the SSL on HA?

Because SmartThings won’t set up unless HA is also running SSL - that’s the only reason.

SmartThings has to see a legitimate cert, right?

Nginx can do that and you point SmartThings to your public URL that nginx holds the cert for.

Self-signed SSL certificates are not supported by the SmartThings Cloud API.

So you’re accomplishing the same thing with nginx as a reverse proxy

Sadly not, the SmartThings integration won’t proceed unless HA is configured for SSL locally.
Happily, all sorted now - was missing an intermediate cert in the chain.

I don’t understand.

If SmartThings requires a real certificate, it can’t connect locally. It has to use the hostname configured on the certificate.

It’s the way the integration works on HA: it checks locally to see if it is set up for SSL, and if it isn’t, it won’t even proceed to the next step where it attempts to establish the connection with SmartThings. It’s really annoying, as you would expect it to work with NGINX providing the SSL connection.

That’s odd. Thanks for the information.