Docker and SSL Configuration

Texangeek · September 14, 2018, 6:26pm

Would appreciate some input on configuring SSL to work with HA within a Docker container.

I have:

Using Letsencrypt created a SSL certificate for ‘my domain.com’ and ‘*.mydomain.com’ (wildcard certificate). The certificate files are stored in the folder ~/docker/letsencrypt/data/live/mydomain.com
Updated my docker-compose file to share the folder on the host containing the certificates with the Docker container.

- ${USERDIR}/docker/letsencrypt/data/live/mydomain.com:/SSL

Modified the permissions on the mydomain folder such that it is available to everyone (host is a Mac: everyone: read & write).
Revised my configuration.yaml to include the following:

ssl_certificate: /SSL/fullchain.pem
ssl_key: /SSL/privkey.pem

However HA throws an error on startup to the effect that it cannot find the files:

2018-09-14 12:50:29 ERROR (MainThread) [homeassistant.config] Invalid config for [http]: not a file for dictionary value @ data['http']['ssl_certificate']. Got '/SSL/fullchain.pem'
not a file for dictionary value @ data['http']['ssl_key']. Got '/SSL/privkey.pem'. (See /config/configuration.yaml, line 43). Please check the docs at https://home-assistant.io/components/http/

When I attach to the Docker container I can open the SSL folder and list out the files that it contains. I can also see that the correct permissions appear to be set.

root@hass:/usr/src/app# cd /SSL
root@hass:/SSL# ls -l
total 20
-rw-r----- 1 root root 682 Sep 14 11:41 README
lrwxrwxrwx 1 root root  37 Sep 14 11:41 cert.pem -> ../../archive/mydomain.com/cert1.pem
lrwxrwxrwx 1 root root  38 Sep 14 11:41 chain.pem -> ../../archive/mydomain.com/chain1.pem
lrwxrwxrwx 1 root root  42 Sep 14 11:41 fullchain.pem -> ../../archive/mydomain.com/fullchain1.pem
lrwxrwxrwx 1 root root  40 Sep 14 11:41 privkey.pem -> ../../archive/mydomain.com/privkey1.pem

What am I doing wrong?

lolouk44 · September 14, 2018, 6:53pm

For some reason I have the same issue. I have a script that renews the cert and copies the files in the ha folder

Texangeek · September 14, 2018, 8:29pm

Would you mind posting a copy of the script that you use?

LetsEncrypt recommends that the files aren’t moved but I guess copying them into the HA folder could be OK.

Thanks for your help.

lolouk44 · September 14, 2018, 8:45pm

Sorry not in front of my pc now. Will try later
It’s basically 2 python scripts. One checks how many days left on the cert. It runs on a crontab one a day and calls the second one when I have less than 30 days left.the second one renews the certs, copies the files and restarts the docker container

lolouk44 · September 15, 2018, 7:57am

SSL Status python script:

#!/usr/bin/python
# -*- coding: utf-8 -*-

import requests, subprocess
import datetime
import time
import sys

MQTT_Host = "192.168.0.24"
MQTT_Port = "1883"
MQTT_User = "username"
MQTT_Password = "password"

try:
	p = subprocess.check_output(["ssl-cert-check", "-b", "-c", "/etc/letsencrypt/live/your_domain_here/cert.pem"], shell=False)
	#print"%s" % p.split()[-1]
	if (p.split()[-1] < 29):
		p = subprocess.check_output(["/home/cctv/Scripts/RenewSSLCert.sh"], shell=False)
		p = subprocess.check_output(["ssl-cert-check", "-b", "-c", "/etc/letsencrypt/live/your_domain_here/cert.pem"], shell=False)
	MQTT_Command = ["mosquitto_pub", "-h", MQTT_Host, "-p", "1883", "-u", MQTT_User, "-P", MQTT_Password, "-t", "Sensors/SSLDays", "-r", "-m", p.split()[-1]]
	ps = subprocess.Popen(MQTT_Command)
except:
	print ("Unable to get SSL Status (%s)" % datetime.datetime.now().strftime("%d/%m/%y %H:%M"))

renew SSL bash script:

sudo  ~/certbot/certbot-auto renew --quiet --no-self-upgrade --standalone --preferred-challenges tls-sni-01 --tls-sni-01-port 8123 --pre-hook "docker stop hass" --post-hook "cp /etc/letsencrypt/live/your_domain_here/fullchain.pem ~/docker_ha/shell_scripts/fullchain.pem && cp /etc/letsencrypt/live/your_domain_here/privkey.pem ~/docker_ha/shell_scripts/privkey.pem && docker restart hass"

Texangeek · September 15, 2018, 5:57pm

Thanks! I’ll give them a try.

keiran.harris · March 10, 2019, 7:31am

hi @Texangeek - did you get a resolution on this? I have the same problem. Im running raspian debian in my case - pi3. For now, i need to hash-comment-out this part of my config file in order to get the HA webserver to even start up again on port 8123 (in http:// mode only):

[snip]
http:
api_password: XXXXXXX
ssl_certificate: ‘/KSSL/fullchain.pem’
ssl_key: ‘/KSSL/privkey.pem’

Ive used the -v switch when spinning up my container to create the /KSSL/ mound point, and its pointed to my full /etc/letsencrypt/live/XXXXX/ directory.

But im getting the same error as you:

2019-03-10 19:06:15 ERROR (MainThread) [homeassistant.config] Invalid config for [http]: not a file for dictionary value @ data[‘http’][‘ssl_certificate’]. Got ‘/KSSL/fullchain.pem’
not a file for dictionary value @ data[‘http’][‘ssl_key’]. Got ‘/KSSL/privkey.pem’. (See /config/configuration.yaml, line 46). Please check the docs at HTTP - Home Assistant
2019-03-10 19:06:15 ERROR (MainThread) [homeassistant.setup] Setup failed for http: Invalid config.

Shout back if you got a resolution, as im kinda stuck!

lolouk44 · March 10, 2019, 9:47am

Not sure if this is the answer that you’re after but ever since I moved my ssl stuff to the let’s encrypt docker and used the built in nginx with it I no longer have ssl related errors in ha

keiran.harris · March 13, 2019, 6:45am

thanks @lolouk44 - hmmm interesting. Whats the architecture of what you propose? Do you have a link to a howto or something?

lolouk44 · March 13, 2019, 7:29am

this is what I followed:

baz123 · March 13, 2019, 9:24pm

I had the same issue. I tried the Hass.io NGINX SSl Proxy and it just worked.

The only addition is that I added the domain name into my Pi-hole /etc/hosts so I knew an nslookup returned the right IP.

I’m going to have to work out a means of updating the certificates automatically.

lolouk44 · March 13, 2019, 11:14pm

that’s the beauty of the letsencrypt docker container, it takes care of the certs renewal automatically by itself.

baz123 · March 14, 2019, 7:32am

BUT (AFAIK) it does not do DNS-01 challenge for a wildcard certificate so is useless in my circumstance. The beauty of a wildcard certificate is:

I do not need an externally facing website for an internal domain name. The internal sub domain names are completely invisible externally.
I get just one certificate for all the internal machines.

lolouk44 · March 14, 2019, 8:02am

I won’t pretend to know everything there is to know about certificates, I’m still relatively new to this so bear it in mind when I ask:
If it’s all internal and not exposed to the Internet why do you need https encryption?

baz123 · March 14, 2019, 2:47pm

Yes it is a bit over the top you’d think. Firstly more and more browsers make non https browsing difficult. Secondly, Troy Hunt thinks it is a good idea and he know more about this than I do .

I have discovered that I can apt-get install python3-certbot-dns-cloudflare which is easy to do. I think will work on individual machines, and using a DNS-01 challenge does not require the FQDN to be previously defined. You can point the certificates to the right folder so Hass.io will just pick them up (needs testing but is a fantastic solution).

keiran.harris · March 17, 2019, 8:40am

went down the rabbit hole on this stuff this weekend!

Wanted to learn kubernetes, so ive spun up a cluster with the end goal being a Home Assistant container (amongst others), orchestrated by kubernetes. After that i want to spin up Envoy as the ‘sidecar proxy’ fronting Home Assistant with Istio orchestrating the proxy (why? see https://kubedex.com/istio-vs-linkerd-vs-linkerd2-vs-consul/ … these are going to be big in my industry, so wanted to learn them at home). Envoy is able to SSL reverse proxy. so will try for that for the HA setup.

Good in theory…!
(im currently stuck how to present the /config HA directory to kube and have asked for help here - Kubernetes Helm Chart )…

Ill update here when i get it all working.

keiran.harris · March 23, 2019, 11:29pm

For anyone interested i think i hit a roadblock here thats probably a showstopper for me running HA under Kube. The problem is access to /dev/ttyXXX usb zwave stick doesnt seem to be possible without a ‘device package’. And id be surprised if anyone could be botherered writing one for this. I suspect at least for now im part of a very small lit of people wanting to run HA under kube.

barisahmet · March 24, 2019, 2:12pm

The files in “live” directory are symbolic links. You should mount the directory where actual files are in your docker container, otherwise your container can not access those files because they are not mounted.

Cirion · July 20, 2019, 8:55am

I just got my docker working in unraid with SSL.
The thing to figure out is where the SSL directory is.

In my case I put my SSL directory in the root of my Home-Assistant folder:

/media/appdata/home-assistant/ssl

In my configuration.yaml this was then:

ssl_certificate: /config/ssl/fullchain.pem
ssl_key: /config/ssl/privkey.pem

kerryland · December 1, 2021, 8:29am

This got me completely stumped with my “supervised” installation so I thought I’d add a comment to help the next person.

It would seem that the ssl_certificate and ssl_key paths are, despite the use of a leading ‘/,’ are always relative.

I had to put the keys into /usr/share/hassio/ssl on the file system, but they are defined in /usr/share/hassio/homeassistant/configuration.yaml like this:

http:
  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem

I guess it’s something to do with the docker configuration.

Symbolic links are fine.