Hass.io LetsEncrypt + Nginx

So, I have Hass.IO installed and everything is working great.

However, it appears that the official add-ons for Nginx and LetsEncrypt are incompatible with each other? They each take up port 443, so LetsEncrypt dies immediately.

So, my question… is my certificate going to expire since the LetsEncrypt container can never start and stay running with Nginx running as well? Is this something that will be taken care of in a future update?

Previously, before I switched to Hass.IO, I was using Docker to do everything in containers, and I was using https://hub.docker.com/r/jrcs/letsencrypt-nginx-proxy-companion/

I had built my own version of that Docker image that ran on a Pi. It reads in environment variables set on the containers to figure out what their hostnames should be, and automatically renews certificates for each one. So, is this something that can even be set up? I’m assuming there is no easy, straightforward way for me to add environment variables to the Home Assistant container.

I have created two addons for that purpose. It is not a fully automatic solution like the docker container you speak of: virtualhosts need to be declared by hand and the nginx proxy needs to be restarted manually. But it’s working well enough for my purpose. The addons are [here](https://github.com/bestlibre/hassio-addons/tree/master/certbot) and [here](https://github.com/bestlibre/hassio-addons/tree/master/nginx_proxy)

Hi,
I’d really like to get your nginx_proxy addon working, but I seem to be having a few problems.

I created certs using the LetsEncrypt addon:

{
  "challenge": "https",
  "email": "[email protected]",
  "domains": [
    "domain.com",
    "home.domain.com",
    "url2.domain.com",
    "url3.domain.com"
  ],
  "certfile": "letsencrypt/live/primary/fullchain.pem",
  "keyfile": "letsencrypt/live/primary/privkey.pem"
}

the certs seem to be in the right place when I check.

I set up your addon:

{
  "vhosts": [
    {
      "vhost": "home.domain.com",
      "remote": "172.168.178.130",
      "port": "8123",
      "default_server": true,
      "certname": "primary"
    },
    {
      "vhost": "url2.domain.com",
      "remote": "172.168.178.102",
      "port": "8081",
      "certname": "primary"
    },
    {
      "vhost": "url3.domain.com",
      "remote": "172.168.178.102",
      "port": "5050",
      "certname": "primary"
    }
  ]
}

When I use your addon, I get the following error:

starting version 3.2.2
nginx: [emerg] SSL_CTX_load_verify_locations("/ssl/letsencrypt/live/primary/chain.pem") failed (SSL: error:02FFF002:system library:func(4095):No such file or directory:fopen('/ssl/letsencrypt/live/primary/chain.pem', 'r') error:20FFF080:BIO routines:CRYPTO_internal:no such file error:0BFFF002:x509 certificate routines:CRYPTO_internal:system lib)

So I copied fullchain.pem to chain.pem and that error seems to be gone.

When I start the addon, all I see is:

starting version 3.2.2

Now, when I try to access URLs https://home.domain.com, https://url2.domain.com or https://url3.domain.com I get nothing but a long timeout.

Can you assist?

Also, I can’t get your certbot to work.
I used this config:

{
  "debug": true,
  "email": "[email protected]",
  "certificats": [
    {
      "name": "certbot",
      "domains": "domain.com,home.domain.com,url2.domain.com,url3.domain.com"
    }
  ],
  "ssl_only": false
}

I haven’t tried to mix the official let’s encrypt addon with my proxy.

For my let’s encrypt addon, certname in nginx and let’s encrypt must be the same. So either primary (as in the nginx conf) or certbot.

You can also try my caddy proxy add-on.

Hope this helps. I’m on my phone right now and cannot check more.

Thanks for the response, I did get your certbot to work.
It generated a certbot-0001 set of certs which I’ve set into nginx_proxy.

Still getting timeouts, I’m not really sure why.

nginx log in UI only shows:

starting version 3.2.2

Can you try to proxy without SSL (do not set the certificate name)?

The only logs I have are the same as yours (I will look to increase the log level). But I can reach the proxied services.

I proxy 4 services, 3 local to the Pi, one on another host. My configs, for 4 subdomains, with two different certs (one for each physical host), are:

nginx proxy:

{
  "vhosts": [
    {
      "vhost": "sub1.redacted.tld",
      "default_server": true,
      "certname": "rpi",
      "port": "8123"
    },
    {
      "vhost": "sub2.redacted.tld",
      "port": "3380",
      "default_server": false,
      "certname": "rpi"
    },
    {
      "vhost": "sub3.redacted.tld",
      "certname": "rpi",
      "port": "3000"
    },
    {
      "remote": "192.168.0.2",
      "vhost": "sub4.redacted.tld",
      "certname": "nas",
      "port": "443"
    }
  ]
}

certbot:

{
  "debug": false,
  "email": "[email protected]",
  "certificats": [
    {
      "domains": "sub1.redacted.tld,sub2.redacted.tld,sub3.redacted.tld",
      "name": "rpi"
    },
    {
      "domains": "sub3.redacted.tld",
      "name": "nas"
    }
  ],
  "ssl_only": false
}
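The rule above (certname in nginx_proxy must match a name in the certbot config, and that certificate must cover the vhost) can be checked before restarting the add-ons. The script below is an added example, not part of this thread or of the bestlibre add-ons; the two configs it loads are constructed to reproduce the "primary" vs "certbot" mismatch from the earlier posts.

```python
import json

# Constructed sample inputs shaped like the nginx_proxy "vhosts" list and the
# certbot "certificats" list. The "primary" certname has no certbot entry,
# which is the mismatch discussed in the thread.
NGINX_PROXY_CONFIG = json.loads("""
{
  "vhosts": [
    {"vhost": "home.domain.com", "remote": "172.16.0.10", "port": "8123",
     "default_server": true, "certname": "primary"},
    {"vhost": "url2.domain.com", "remote": "172.16.0.11", "port": "8081",
     "certname": "certbot"},
    {"vhost": "url3.domain.com", "remote": "172.16.0.11", "port": "5050"}
  ]
}
""")

CERTBOT_CONFIG = json.loads("""
{
  "certificats": [
    {"name": "certbot", "domains": "domain.com,home.domain.com,url2.domain.com"}
  ]
}
""")


def check_configs(nginx_cfg, certbot_cfg):
    """Return a list of problems; an empty list means the configs agree."""
    # name -> set of domains the certificate was requested for
    certs = {c["name"]: {d.strip() for d in c["domains"].split(",")}
             for c in certbot_cfg.get("certificats", [])}
    problems = []
    defaults = [v["vhost"] for v in nginx_cfg["vhosts"] if v.get("default_server")]
    if len(defaults) > 1:
        problems.append(f"more than one default_server: {defaults}")
    for v in nginx_cfg["vhosts"]:
        name = v.get("certname")
        if name is None:
            continue  # plain HTTP vhost, nothing to cross-check
        if name not in certs:
            problems.append(f"{v['vhost']}: certname '{name}' has no certbot entry")
        elif v["vhost"] not in certs[name]:
            problems.append(f"{v['vhost']}: not covered by certificate '{name}'")
    return problems


if __name__ == "__main__":
    for line in check_configs(NGINX_PROXY_CONFIG, CERTBOT_CONFIG) or ["configs agree"]:
        print(line)
```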

Hey, thanks so much for this help.
This is awesome, I finally got it to work with 2 separate certs.

I see you also updated the GitHub repo with additional logging info. :+1:

Lastly, I used this config to get the nginx_proxy to work correctly:

{
  "vhosts": [
    {
      "vhost": "cert.domain1.com",
      "remote": "172.17.0.1",
      "port": "10443"
    },
    {
      "vhost": "cert.domain2.com",
      "remote": "172.17.0.1",
      "port": "10443"
    },
    {
      "vhost": "home.domain1.com",
      "remote": "172.17.0.1",
      "port": "8123",
      "certname": "certbot-cert1"
    },
    {
      "vhost": "url1.domain1.com",
      "remote": "172.17.0.1",
      "port": "8080",
      "certname": "certbot-cert1",
      "default_server": true
    },
    {
      "vhost": "url2.domain2.com",
      "remote": "192.168.178.101",
      "port": "80",
      "certname": "certbot-cert2"
    }
  ]
}

It accompanies this config for certbot:

{
  "debug": true,
  "email": "[email protected]",
  "certificats": [
    {
      "name": "certbot-cert1",
      "domains": "domain1.com,cert.domain1.com,home.domain1.com,url1.domain1.com"
    },
    {
      "name": "certbot-cert2",
      "domains": "domain2.com,cert.domain2.com,url2.domain2.com"
    }
  ],
  "ssl_only": false
}

Thanks for all your help, and thanks for creating a great tool. :slight_smile: