Can't set up/start SSL/TLS. Halts HASS in its tracks

I’ve been searching for an answer to my problem but it seems all I can find is the problem but no solution.

I’ve got HA set up and running and I want to make it outward facing so I can do stuff while I’m away. Every time that I enable SSL it completely stops HA from starting,

[homeassistant.bootstrap] Component http failed to setup

Furthermore, I get an error for the key itself.

[homeassistant.bootstrap] Invalid config for [http]: not a file for dictionary value @ data['http']['ssl_key']

I originally thought it was just the forwarder I was using so I switched to duckdns and followed all the how-tos and FAQs but still no go. Would really like to get this working.

Running latest (I think) on an rpi3

You can get the version number from the little i on the left menu, under Developer Tools.

As for the error, please post that section of the configuration file, remembering to use the code tags (looks like </> in the text editor bar) so that the formatting isn’t lost. I suspect, from the error, a typo in ssl_key.

here’s the section from config

http:
server_port: 8123
api_password: !secret api_password
#base_url: myurl
#ssl_certificate: !secret secret_ssl_cert
#ssl_key: !secret secret_ssl_key

version 0.38.2

You forgot the formatting, so we can’t tell if the problem is because of the wrong number of spaces, etc.

http:
  server_port: 8123
  api_password: !secret api_password
  #base_url: myurl
  #ssl_certificate: !secret secret_ssl_cert
  #ssl_key: !secret secret_ssl_key

I wonder if the issue is that it’s still parsing the !secret lines, and that’s causing issues. What if you simply delete those instead?

If I take those out how do I specify the ssl key and certs?

Are the hash tags actually in your config file? If so, you’re commenting out those lines, essentially “removing” them from the config.

no, they’re not in there.

trying to enable SSL and this breaks HASS

http:
  server_port: 8123
  api_password: !secret api_password
  base_url: myurl
  ssl_certificate: !secret secret_ssl_cert
  ssl_key: !secret secret_ssl_key

this does not

http:
  server_port: 8123
  api_password: !secret api_password
  #base_url: myurl
  #ssl_certificate: !secret secret_ssl_cert
  #ssl_key: !secret secret_ssl_key

I still have to have it running so I’ve just commented out the lines until I can figure out a solution

What are you using for ssl, letsencrypt?

yes. I didn’t want to deal with installing self-signed certs on devices. I’m using letsencrypt on another device (owncloud) with no issues.

I would start with double checking the path in your secret file, should be along the lines of

ssl_key: '/etc/letsencrypt/live/yourdomain.duckdns.org/privkey.pem'

If that looks good, check permissions on everything under the letsencrypt folder.

In the video below at the 8:48 mark @bruhautomation suggests setting permissions to 777.
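Added example, not part of any post in this thread: a diagnostic to run as the account Home Assistant runs under. It reports why a key path would fail a file-existence check like the one behind the `not a file` error, and flags a key left open to every local user. It assumes the validator behaves like `os.path.isfile`; the function names and the temporary sample tree are constructed for illustration.

```python
import os
import stat
import tempfile

def first_blocked_dir(path):
    """Return the first parent directory that is missing or cannot be entered."""
    current = os.sep
    for part in filter(None, os.path.dirname(path).split(os.sep)):
        current = os.path.join(current, part)
        if not os.path.isdir(current) or not os.access(current, os.X_OK):
            return current
    return None

def diagnose_key_path(path):
    """List why a key path fails an isfile-style check, plus an exposure warning."""
    path = os.path.abspath(os.path.expanduser(path))
    # Let's Encrypt live/ entries are symlinks into archive/, so walk both paths.
    for candidate in dict.fromkeys([path, os.path.realpath(path)]):
        blocked = first_blocked_dir(candidate)
        if blocked:
            return [f"missing or not traversable: {blocked}"]
    if os.path.islink(path) and not os.path.exists(path):
        return [f"dangling symlink: {path}"]
    if not os.path.isfile(path):
        return [f"not a file: {path}"]
    findings = []
    if not os.access(path, os.R_OK):
        findings.append(f"not readable by this user: {path}")
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & stat.S_IRWXO:  # any bit for "others", e.g. after chmod 777
        findings.append(f"key open to every local user (mode {mode:04o})")
    return findings

def demo():  # constructed temp tree with placeholder text, no real key material
    with tempfile.TemporaryDirectory() as tmp:
        key = os.path.join(tmp, "privkey.pem")
        with open(key, "w") as fh:
            fh.write("constructed placeholder, not key material\n")
        os.chmod(key, 0o600)
        stale = os.path.join(tmp, "stale.pem")
        os.symlink(os.path.join(tmp, "gone.pem"), stale)
        results = {"ok": diagnose_key_path(key), "dangling": diagnose_key_path(stale),
                   "missing": diagnose_key_path(os.path.join(tmp, "nope.pem"))}
        os.chmod(key, 0o777)
        results["world"] = diagnose_key_path(key)
    return results

if __name__ == "__main__":
    print(demo())
```

An empty list from `diagnose_key_path` means the path passes every check for the user running the script, so run it as the Home Assistant user rather than as root.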

path and permission isn’t an issue as I can get the same result by moving everything to the homeassistant directory and chown it to the ha user.

I ran into the same issue yesterday. My certificate expired a couple days ago and finally got to update it yesterday, but couldn’t get it to load up. I had to comment out all the SSL stuff to get it to load. Thought it was something I did updating the certificate.

have you found a solution yet? It’s quite annoying not being able to ssl.

One option, which is how I’ve done it, is to use the likes of nginx in reverse proxy mode. I went with that so that I could require (SSL and) authentication from outside the house, but no authentication from inside.

I’ve tried that and it works to a degree. I can get HA to display the login screen. Unfortunately it stops at the login page and goes no further. I just get the spinning icon and a failed login attempt. I can’t even find anything in the logs to figure out what the actual issue is.

Without your nginx config, we’re just guessing what you’re doing :wink:

For reference, here’s mine:

server {
	# "listen 443 ssl" replaces the separate "ssl on;" directive, which was deprecated and later removed from nginx
	listen 443 ssl;
	server_name MYHOST;
	access_log /var/log/nginx/MYHOST.access.log;
	error_log /var/log/nginx/MYHOST.error.log debug;

	ssl_certificate /etc/letsencrypt/live/MYHOST/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/MYHOST/privkey.pem;

	proxy_buffering off;

	location / {
		auth_basic "Restricted"; #For Basic Auth
		auth_basic_user_file /etc/nginx/.htpasswd; #For Basic Auth
		include conf.d/proxy.conf;
		proxy_pass http://localhost:8123;
		proxy_set_header Host $host;
		proxy_http_version 1.1;
		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
		# WebSocket upgrade headers; $connection_upgrade must be defined by a map block in the http context
		proxy_set_header Upgrade $http_upgrade;
		proxy_set_header Connection $connection_upgrade;
	}
}

Then there’s the proxy.conf file:

proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
client_max_body_size 10m;
client_body_buffer_size 128k;
proxy_connect_timeout 90;
proxy_send_timeout 90;
proxy_read_timeout 90;
proxy_buffers 32 4k;

I got it working finally!

I was using the conf from the site and nginx was throwing a fit about the HTTP{} section. A few ### and it’s up and running now. :schew!:

My biggest issue was that I’m already running a dns forwarder so I piggybacked on that to keep the number of services and certificates down and having to work that across 2 devices.

Still doesn’t fix the original problem but I’m fine with this method.