Help with SSL setup

I'm a bit lost on this “err_connection_refused”

I have the fullchain and privkey files in the /ssl directory and when I restart homeassistant I get:

root@homeassistant:/usr/share/hassio# ha core info
arch: amd64
audio_input: null
audio_output: null
boot: true
image: homeassistant/qemux86-64-homeassistant
ip_address: 172.30.32.1
last_version: 0.110.4
machine: qemux86-64
port: 8123
ssl: true
version: 0.110.3
version_latest: 0.110.4
wait_boot: 600
watchdog: true

However, if I try to connect to anything in Chrome I get “err_connection_refused”

Here is my configuration.yaml:

http:
   ssl_certificate: /ssl/fullchain.pem
   ssl_key: /ssl/privkey.pem

homeassistant:
  internal_url: "http://192.168.0.20:8123"
  external_url: "https://[xxx].com:4926"

In my router, I have port 4926 -> 8123

Everything works fine, both internally and externally if I comment out the ssl stuff (and change the external to http vs https)

BUT, as soon as I have the ssl stuff in, I lose all access to the web gui and have to go into the command line to edit the yaml and restart.

I can only assume that something in the ssl files is changing some ip/networking info somewhere, but I'm stuck. Any help is appreciated.

Check your certificate files are valid like this:

# cd /usr/share/hassio/ssl/
# openssl x509 -noout -modulus -in fullchain.pem | openssl md5
(stdin)= 2bad6e4da312586b148163b2a3d1c456
# openssl rsa -noout -modulus -in privkey.pem | openssl md5
(stdin)= 2bad6e4da312586b148163b2a3d1c456

Those two md5 hashes (stdin)= … should be identical.

2 Likes
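
The check from the answer above, as an added example that is not part of the original thread: it compares the public keys directly instead of the RSA modulus, so it also covers non-RSA keys, and it reports a swapped or unparsable file separately from a mismatch. The function name `cert_key_match` and its return codes are assumptions made for this example.

```shell
#!/bin/sh
# Added example: does privkey.pem belong to the leaf certificate in fullchain.pem?
# Return codes (chosen for this example): 0 = match, 1 = mismatch,
# 2 = a file is missing or is not what its slot expects.

cert_key_match() {
    cert=$1
    key=$2

    if [ ! -r "$cert" ] || [ ! -r "$key" ]; then
        echo "error: cannot read '$cert' or '$key'" >&2
        return 2
    fi

    # x509 parses only the first certificate in the file,
    # which is the leaf certificate in a fullchain.pem.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || {
        echo "error: '$cert' does not start with a certificate" >&2
        return 2
    }

    # Derive the public key from the private key (RSA, EC, ...).
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || {
        echo "error: '$key' is not a usable private key" >&2
        return 2
    }

    # SHA-256 digests are only a short summary for the operator;
    # the decision below compares the full public keys.
    echo "cert: $(printf '%s\n' "$cert_pub" | openssl dgst -sha256 | awk '{print $NF}')"
    echo "key:  $(printf '%s\n' "$key_pub" | openssl dgst -sha256 | awk '{print $NF}')"

    if [ "$cert_pub" = "$key_pub" ]; then
        echo "OK: private key matches the certificate"
        return 0
    fi
    echo "MISMATCH: private key does not belong to this certificate"
    return 1
}

# Stand-alone use: sh check.sh fullchain.pem privkey.pem
if [ "$#" -eq 2 ]; then
    cert_key_match "$1" "$2"
fi
```

Return code 2 with the arguments in the right order usually means the two PEM files were saved under each other's names.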

Oh dear, mine are different hashes.
Now to backtrack…

Would you like a hand to generate certs?

I just regenerated the certs and the hashes now match.
All up and running.

It's probable that I messed up something the first time with file names and/or copy/paste. The tip to check the hashes was extremely helpful.

THANK YOU!

I do a lot of work with SSL/TLS and having checks is rather handy. Instead of the | openssl md5 you can also use | md5sum. It's just a way to summarise the huge long modulus string that you get from the first command.

Glad to hear you are up and running.