Home Assistant Community Add-on: Nginx Proxy Manager

It seems I am having problems updating my SSL certificates:

[07/Sep/2021:13:12:19 +0200] - 200 200 - POST https abcdef.qwertz.duckdns.org "/api/webhook/a0a69523ad0240975cf1960414a68d7140e35c4f0fce97333e5e2146b2bc2e7f" [Client 83.135.88.74] [Length 433] [Gzip -] [Sent-to 192.168.178.108] "Home Assistant/2021.8 (io.robbie.HomeAssistant; build:2021.216; iOS 14.7.1)" "-"
[07/Sep/2021:13:12:20 +0200] - 200 200 - POST https abcdef.qwertz.duckdns.org "/auth/token" [Client 83.135.88.74] [Length 220] [Gzip -] [Sent-to 192.168.178.108] "Home Assistant/2021.8 (io.robbie.HomeAssistant; build:2021.216; iOS 14.7.1) Alamofire/5.4.3" "-"
[07/Sep/2021:13:12:27 +0200] - 101 101 - GET https abcdef.qwertz.duckdns.org "/api/websocket" [Client 83.135.88.74] [Length 189843] [Gzip -] [Sent-to 192.168.178.108] "Home Assistant/2021.8 (io.robbie.HomeAssistant; build:2021.216; iOS 14.7.1)" "-"
[07/Sep/2021:13:22:05 +0200] - 200 200 - POST https abcdef.qwertz.duckdns.org "/api/webhook/a0a69523ad0240975cf1960414a68d7140e35c4f0fce97333e5e2146b2bc2e7f" [Client 83.135.88.74] [Length 245] [Gzip -] [Sent-to 192.168.178.108] "Home Assistant/2021.8 (io.robbie.HomeAssistant; build:2021.216; iOS 14.7.1)" "-"
[07/Sep/2021:13:22:05 +0200] - 101 101 - GET https abcdef.qwertz.duckdns.org "/api/websocket" [Client 83.135.88.74] [Length 163] [Gzip -] [Sent-to 192.168.178.108] "Home Assistant/2021.8 (io.robbie.HomeAssistant; build:2021.216; iOS 14.7.1)" "-"
[9/7/2021] [1:28:32 PM] [SSL      ] › ℹ  info      Renewing SSL certs close to expiry...
[07/Sep/2021:13:30:43 +0200] - 200 200 - POST https abcdef.qwertz.duckdns.org "/api/webhook/77da5ad6e8ce8e93aa59b796f8c0d0714d7e420a0e704d86ad93b0e3544120aa" [Client 83.135.88.74] [Length 42] [Gzip -] [Sent-to 192.168.178.108] "okhttp/4.9.1" "-"
[9/7/2021] [1:36:09 PM] [SSL      ] › ✖  error     Error: Command failed: /usr/bin/certbot renew --non-interactive --quiet --config "/etc/letsencrypt.ini" --preferred-challenges "dns,http" --disable-hook-validation
Challenge failed for domain ghijkl.qwertz.duckdns.org
Failed to renew certificate npm-2 with error: Some challenges have failed.
Challenge failed for domain mnopqrs.qwertz.duckdns.org
Failed to renew certificate npm-4 with error: Some challenges have failed.
All renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/npm-2/fullchain.pem (failure)
  /etc/letsencrypt/live/npm-4/fullchain.pem (failure)
2 renew failure(s), 0 parse failure(s)
    at ChildProcess.exithandler (child_process.js:308:12)
    at ChildProcess.emit (events.js:315:20)
    at maybeClose (internal/child_process.js:1048:16)
    at Process.ChildProcess._handle.onexit (internal/child_process.js:288:5)
[07/Sep/2021:13:45:46 +0200] - 200 200 - POST https abcdef.qwertz.duckdns.org "/api/webhook/77da5ad6e8ce8e93aa59b796f8c0d0714d7e420a0e704d86ad93b0e3544120aa" [Client 83.135.88.74] [Length 42] [Gzip -] [Sent-to 192.168.178.108] "okhttp/4.9.1" "-"
[07/Sep/2021:13:45:46 +0200] - 200 200 - POST https abcdef.qwertz.duckdns.org "/api/webhook/77da5ad6e8ce8e93aa59b796f8c0d0714d7e420a0e704d86ad93b0e3544120aa" [Client 83.135.88.74] [Length 42] [Gzip -] [Sent-to 192.168.178.108] "okhttp/4.9.1" "-"
Connection Error: Error: read ECONNRESET
`QueryBuilder#allowEager` method is deprecated. You should use `allowGraph` instead. `allowEager` method will be removed in 3.0
`QueryBuilder#eager` method is deprecated. You should use the `withGraphFetched` method instead. `eager` method will be removed in 3.0
QueryBuilder#omit is deprecated. This method will be removed in version 3.0

Both certificates (ghijkl.qwertz.duckdns.org, mnopqrs.qwertz.duckdns.org) were deleted months ago. Why is nginx still trying to update them?
The problem is that because of this my still active certificates are also not updated!

Can someone help me here?

Hi,

These forums have generally been super helpful for me, but so far I haven't seen anyone describing the exact issue I'm having.

I have Nginx Proxy Manager installed on my homeassistant instance on my raspberry pi. I've got it all set up so I can access homeassistant.mydomain.com and it takes me to my homeassistant instance. Excellent!

Now I want to expose other things on my local network using additional subdomains. I go through the same steps to add additional proxy hosts for these new subdomains (which I've pointed to my public IP address via my DNS) but when I visit any of the subdomains it takes me to my homeassistant login page instead of the destination IP address I've set.

The login page displays:
You're about to give http://subdomain.mydomain.com/ access to your Home Assistant instance.

I've tried doing this to access my synology server, plex server, and even tried to access the Nginx Proxy Manager this way and they all had the same behavior of just routing me to my Home Assistant instance. I've played with http vs https, web sockets support enabled vs not, and am running out of ideas.

I don't have much background managing networks so a lot of this is new for me, and I'd appreciate any suggestions about what I may be missing!

Thanks,
Dylan

Did you request a new SSL certificate for each subdomain, or did you use the same one as for homeassistant.mydomain.com?

Hi Petricia,
Thanks for the quick response!

When I try to generate a new SSL Certificate I get a message that says Internal Error and I don't know how to troubleshoot that further. So I was just trying to use no SSL and route with http.

Just to try all options I tried using my existing certificate and … that worked! Wow, not sure why/how I didn't try that combo. Thank you! Thank you! :slight_smile:

hi, i can't get a certificate for a domain

what logs to add?

Have you correctly forwarded ports 443 and 80 to the device hosting the NPM (or, otherwise, set up the DNS challenge)?

Logs for the addon are hardly of any use but most of the time issues appear when users do not forward both ports mentioned above.

I tried, access on port 80 works
on port 443 it is written: Error while establishing a secure connection

Where do you see this?

Can you confirm that your router has the port forward menu accessible and you forwarded ports 443 and 80?

Without further information about your internet connection (mobile/wired/PPPOE/FTTH/FTTB/etc.) and your LAN (i.e. HA directly connected to the ISP's router or double NAT, either by running through a second router or having HA as a VM running with NAT instead of bridged adapter etc.) it would be difficult to provide any advice.

I open login invitation remotely.
It means this: The provider gives me the Internet with a wire, I connect it to the router via PPPOE with a login and password, the provider gives me (and maybe not only me) a dynamic IP, I convert it to a domain name using duckdns.org, on the network I have a normal subnet with a mask of 24, dns 8.8.8.8, just discovered that I can log in remotely with the add-on disabled, which means the duckdns add-on decides it for me. now it is clear why I can log in remotely. then the ports are forwarded, but they are not used by those for whom they are intended. this is bad. :sleepy:

Just to be sure: on the router, the port 80 is forwarded to 80 and 443 is forwarded to 443 (not to 8123) of the device running NPM addon (which might or might not be the same as the one running HA)?

And you have registered a domain with DuckDNS and installed the DuckDNS addon from the addon store and that shows you something like

NOCHANGE
[14:35:35] INFO: OK
11.22.33.44

?

Have you previously tried another reverse proxy server from the addon store (such as NGINX Home Assistant SSL proxy)?

I will try immediately

exactly
before that everything worked according to the same scheme, now moved to another server

just redirected properly shows: 400: Bad Request

When was the last time you updated the previous setup and you had a working config?

Do you have the trusted_proxies in your configuration.yaml? HTTP - Home Assistant

updated six months ago
no proxy

do I need to specify the ip address of the internal docker or can I specify the domain name?

Then the change occurred after that. Add the lines below to the http section like in the example.

  use_x_forwarded_for: true
  trusted_proxies:
    - 10.0.0.200
    - 172.30.33.0/24


No domain name in here. 172.30.33.0 is the Docker internal IP (keep it as such) and 10.0.0.200 would likely be 192.168.0.xx
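
A simplified model of the check behind the 400: Bad Request above, as an added example that is not part of the original post and not Home Assistant's own code: a request carrying X-Forwarded-For is accepted only when use_x_forwarded_for is on and the connecting peer is listed in trusted_proxies. The function names are hypothetical, and the proxy address 172.30.33.2 used to exercise it is constructed.

```python
from ipaddress import ip_address, ip_network


def parse_trusted(entries):
    """Entries must be IPs or CIDR ranges; a hostname raises ValueError."""
    return [ip_network(e) for e in entries]


# The two entries from the post above.
TRUSTED_PROXIES = parse_trusted(["10.0.0.200", "172.30.33.0/24"])


def is_trusted(addr, trusted):
    return any(ip_address(addr) in net for net in trusted)


def resolve_client(peer_ip, x_forwarded_for, use_x_forwarded_for, trusted):
    """Return (status, client_ip) for one request (simplified model).

    peer_ip is the TCP peer (the proxy, when one sits in front);
    x_forwarded_for is the raw header value, or None when absent.
    """
    if x_forwarded_for is None:
        return 200, peer_ip        # direct connection, no header to trust
    if not use_x_forwarded_for:
        return 400, None           # proxy header seen, proxy support is off
    if not is_trusted(peer_ip, trusted):
        return 400, None           # header sent by a peer not on the list
    try:
        hops = [str(ip_address(h.strip())) for h in x_forwarded_for.split(",")]
    except ValueError:
        return 400, None           # header may contain IP addresses only
    # Walk from the proxy side; the first hop that is not itself a trusted
    # proxy is the client. Values a client prepended further left are ignored.
    for hop in reversed(hops):
        if not is_trusted(hop, trusted):
            return 200, hop
    return 200, hops[0]            # every hop is a trusted proxy
```

With the add-on's Docker range listed, a request relayed by 172.30.33.2 resolves to the real client; with the range missing or use_x_forwarded_for off, the same request is rejected.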

registered a proxy, but ssl does not receive
I go by http

Can you try getting a new subdomain with NPM and point it to HA? (like hasubdomain2.domain.duckdns.org)

My guess is that Let's Encrypt doesn't renew your previous hasubdomain1.domain.duckdns.org to be used on the new installation so you could try with a new subdomain.

Does someone know how bugs in Nginx proxy manager can be addressed?

I wrote an issue on GitHub because after deleting two Proxy Hosts and their SSL certificates, Nginx proxy manager still tries to update them although they do not exist. This produces an error and all other still existing SSL certificates are not updated.

But nobody has reacted to the issue for months! This is really sad!
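
To see which certificate lineages the failing renew run in the first post refers to, and which of them no longer belong to any existing host (the situation described in the first and last posts), the certbot output can be parsed as below. This is an added example, not code from Nginx Proxy Manager or from any poster; the function names and the list of active domains passed in are assumptions, and the sample text is constructed from the log lines quoted on this page.

```python
import re

# Constructed sample: the certbot lines from the log in the first post.
SAMPLE = """\
Challenge failed for domain ghijkl.qwertz.duckdns.org
Failed to renew certificate npm-2 with error: Some challenges have failed.
Challenge failed for domain mnopqrs.qwertz.duckdns.org
Failed to renew certificate npm-4 with error: Some challenges have failed.
All renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/npm-2/fullchain.pem (failure)
  /etc/letsencrypt/live/npm-4/fullchain.pem (failure)
2 renew failure(s), 0 parse failure(s)
"""

DOMAIN_RE = re.compile(r"^Challenge failed for domain (\S+)$")
LINEAGE_RE = re.compile(r"^Failed to renew certificate (\S+) with error: (.+)$")
SUMMARY_RE = re.compile(r"^(\d+) renew failure\(s\), (\d+) parse failure\(s\)$")


def parse_renew_failures(text):
    """Map each failed lineage to the domains whose challenge failed before it."""
    failures, pending, reported = {}, [], None
    for line in text.splitlines():
        line = line.strip()
        if m := DOMAIN_RE.match(line):
            pending.append(m.group(1))
        elif m := LINEAGE_RE.match(line):
            failures[m.group(1)] = {"domains": pending, "error": m.group(2)}
            pending = []
        elif m := SUMMARY_RE.match(line):
            reported = int(m.group(1))
    # Cross-check against certbot's own summary so a truncated log is noticed.
    if reported is not None and reported != len(failures):
        raise ValueError(f"summary reports {reported} failures, parsed {len(failures)}")
    return failures


def orphaned_lineages(failures, active_domains):
    """Failed lineages with no domain belonging to a host that still exists."""
    active = set(active_domains)
    return sorted(n for n, f in failures.items() if not active & set(f["domains"]))


if __name__ == "__main__":
    # Assumption: abcdef.qwertz.duckdns.org is the only proxy host still configured.
    print(orphaned_lineages(parse_renew_failures(SAMPLE), ["abcdef.qwertz.duckdns.org"]))
```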