At this point I’d like to re-iterate my recommendations from 2 days ago:
- Uninstall this NPM add-on
- Install Duck DNS add-on, and set it up accordingly, to get your Dynamic DNS with Let’s Encrypt certification
- Install the (other) NGINX Home Assistant SSL proxy add-on, and set it up accordingly
- Update your http block in your configuration.yaml to something like this.
# ssl_certificate: /ssl/fullchain.pem
# ssl_key: /ssl/privkey.pem
- Update your router, point your external port to the 192.xxx.xxx.73 (IP of the HAOS), and to the port per the configuration inside your NGINX Home Assistant SSL proxy add-on
- Use https and the DuckDNS domain name to connect to HA, for when you are outside,
- Use http and the .73 IP and port 8123 to connect to HA if you and HA are on the same LAN.
- And then follow your Google Home setup guide, which is outside of the scope of this thread.
Edit: adding step 6 - 8 above.
I’d recommend this, because of the intension you outlined the other day:
This NPM add-on is probably not a good fit for you / your setup.
I know what you said, but if nothing works, would seriously recommend Nabu Casa.
Will give this a go. Just wanted to see if I messed something up w npm initial setup.
Can I still use the DuckDNS add-on in conjunction with this? I want the DuckDNS add-on to keep my public IP up-to-date on duckdns.org. The DuckDNS add-on also generates Let’s Encrypt certs, but it appears I don’t need those with NGINX Proxy Manager?
Is it possible to point NGINX Proxy Manager to the same certs generated by the DuckDNS add-on?
Or, if not using the DuckDNS add-on certs, how do I set up NGINX Proxy Manager to auto-renew expiring certs like the DuckDNS add-on? Does it even have that capability?
I’m asking all this because I recently started getting emails that my Let’s Encrypt certs are expiring in a few days… so I checked the DuckDNS add-on and those certs indicate they are good until April… then I checked the certs for NGINX Proxy Manager and, based on the dates, all of them are expired as of a few months ago… However, I haven’t had any issues accessing the sites/services… so I’m not understanding what certs NGINX Proxy Manager is even using.
This is a great add-on.
Question - is there a reason why the “streams” host option is not available, unlike the docker version?
I am hoping to configure TCP & UDP port forwarding for a game server in NPM instead of in my router.
Screenshot of the dashboard at nginxproxymanager .com:
is there a explanation of how to troubleshoot the NGINX Home Assistant SSL Proxy ?
im running HA OS 7.5 with LETS encrypt and NGINX add-ons installed.
i cant seem to get it to proxy incoming 80 or 43 traffic to the ha instance on 8123.
my HA works internally over 8123 (on http no encryption) - just want to enable remote on SSL.
my configuration.yaml includes…
and nginx config :
hsts: max-age=31536000; includeSubDomains
I have a feeling that you are at the wrong place. This thread is about the community add-on Nginx Proxy Manager, and what you discribed above is about the official add-on NGINX Home Assistant SSL proxy. These 2 add-ons both use NGINX, but vastly different.
Regarding your issue, recommended you start a different thread, check the logs on both Lets encrypt and NGINX Home Assistant SSL Proxy
this is because the HASS IO addon is not up to date. It is from May 2021.
Hey guys how can I get the SSL files from NPM in order to use them for other add-ons (like MQTT, etc)?
Any possibility of increasing the limit on the 4 allow/deny fields in the access lists? I’ve got like 10 that I need to add.
is there a way to set the
proxy_ssl_server_name variable for a specific domain within the proxy manager?
there are regular security updates for Nginx. The addon itself has not been updated for a while. Does this mean that the NGINX version of the addon is also outdated and has security vulnerabilities? How can I manually update the nginx component?
Hey @frenck, the login data inside my mariadb instance is corrupted making it impossible for me change the password (and other weird behaviour). I’ve hit the “reset” toggle for the addon which clears all my settings with the exclusion of the login details.
Are you able to extend the “reset” functionality to clear all NGINX Proxy Manager settings inside MARIADB including the login details.
As far as I’ve progressed I am clueless on how to fully wipe the mariadb and start from scratch…
Ignore the above, I just found this thread and it’s given me what I need incase it helps anyone else: Home Assistant Community Add-on: Nginx Proxy Manager - #525 by Petrica “phpMyAdmin” addon to view and edit the MariaDB
In case anyone else has been running into problems with renewals failing with Cloudflare DNS challenge, there is an issue on GH here: https://github.com/hassio-addons/addon-nginx-proxy-manager/issues/258
I found a workaround to let the renewal process work but which only lasts until the add-on is restarted (and thus is not an actual fix). You’ll still have to do this every 3 months, but it beats having to nuke your entire SSL setup and re-do every cert and every proxy host every 3 months.
- Console into the
addon_1234abcd_nginxproxymanager container as root, I use portainer to allow me to do this. The Home Assistant devs have bent over backwards to try and prevent you from accessing normal container controls which doesn’t seem like a great use of anyone’s time. You’ll have to sort out how to make that happen for you, and the result will likely be a hilarious “unsupported installation” message for your efforts.
- Kill the stuck certbot instance that ran at container start and won’t complete due to the change required below:
- Remove the offending line from
sed -i 's/authenticator = webroot//' /etc/letsencrypt.ini
And that’s it! CF renewals will now work until you restart the container. This has been fixed in the upstream project for over a year now, hopefully we’ll see some of those fixes make their way into the Home Assistant add-on some day.
I issued a PR for the problem described above which is now in the current release of the add-on.
I’m currently using traefik on an external vm and thinking of switching to this. the only thing stoping me is tcp routes.
In my setup traefik handles the certs for mqtt as well (native port not websockets), how can i replicate it with NPM as it does not support tcp
any help or thoughts?
Well unfortunately it looks like it still isn’t fixed in the latest release. Trying to renew gives me:
And the log only gives:
s6-rc: info: service s6rc-oneshot-runner: starting
s6-rc: info: service s6rc-oneshot-runner successfully started
s6-rc: info: service fix-attrs: starting
s6-rc: info: service fix-attrs successfully started
s6-rc: info: service legacy-cont-init: starting
cont-init: info: running /etc/cont-init.d/00-banner.sh
Add-on: Nginx Proxy Manager
Manage Nginx proxy hosts with a simple, powerful interface
Add-on version: 0.12.1
You are running the latest version of this add-on.
System: Home Assistant OS 8.2 (aarch64 / raspberrypi4-64)
Home Assistant Core: 2022.6.5
Home Assistant Supervisor: 2022.07.0
Please, share the above information when looking for help
or support in, e.g., GitHub, forums or the Discord chat.
cont-init: info: /etc/cont-init.d/00-banner.sh exited 0
cont-init: info: running /etc/cont-init.d/01-log-level.sh
Log level is set to INFO
cont-init: info: /etc/cont-init.d/01-log-level.sh exited 0
cont-init: info: running /etc/cont-init.d/mysql.sh
cont-init: info: /etc/cont-init.d/mysql.sh exited 0
cont-init: info: running /etc/cont-init.d/nginx.sh
cont-init: info: /etc/cont-init.d/nginx.sh exited 0
cont-init: info: running /etc/cont-init.d/npm.sh
cont-init: info: /etc/cont-init.d/npm.sh exited 0
s6-rc: info: service legacy-cont-init successfully started
s6-rc: info: service legacy-services: starting
services-up: info: copying legacy longrun manager (no readiness notification)
services-up: info: copying legacy longrun nginx (no readiness notification)
s6-rc: info: service legacy-services successfully started
[22:30:24] INFO: Starting the Manager...
[22:30:24] INFO: Starting NGinx...
[7/25/2022] [10:30:25 PM] [Global ] › ℹ info Manual db configuration already exists, skipping config creation from environment variables
[7/25/2022] [10:30:29 PM] [Migrate ] › ℹ info Current database version: 20211108145214
[7/25/2022] [10:30:43 PM] [Setup ] › ℹ info Added Certbot plugins certbot-dns-cloudflare==$(certbot --version | grep -Eo '[0-9](\.[0-9]+)+') cloudflare
[7/25/2022] [10:30:43 PM] [Setup ] › ℹ info Logrotate Timer initialized
[7/25/2022] [10:30:44 PM] [Setup ] › ℹ info Logrotate completed.
[7/25/2022] [10:30:44 PM] [IP Ranges] › ℹ info Fetching IP Ranges from online services...
[7/25/2022] [10:30:44 PM] [IP Ranges] › ℹ info Fetching https://ip-ranges.amazonaws.com/ip-ranges.json
[7/25/2022] [10:30:44 PM] [IP Ranges] › ℹ info Fetching https://www.cloudflare.com/ips-v4
[7/25/2022] [10:30:44 PM] [IP Ranges] › ℹ info Fetching https://www.cloudflare.com/ips-v6
[7/25/2022] [10:30:44 PM] [SSL ] › ℹ info Let's Encrypt Renewal Timer initialized
[7/25/2022] [10:30:44 PM] [SSL ] › ℹ info Renewing SSL certs close to expiry...
[7/25/2022] [10:30:44 PM] [IP Ranges] › ℹ info IP Ranges Renewal Timer initialized
[7/25/2022] [10:30:44 PM] [Global ] › ℹ info Backend PID 267 listening on port 3000 ...
`QueryBuilder#allowEager` method is deprecated. You should use `allowGraph` instead. `allowEager` method will be removed in 3.0
`QueryBuilder#eager` method is deprecated. You should use the `withGraphFetched` method instead. `eager` method will be removed in 3.0
QueryBuilder#omit is deprecated. This method will be removed in version 3.0
Model#$omit is deprected and will be removed in 3.0.
[25/Jul/2022:22:32:44 +0200] - 502 502 - GET https domain.com "/" [Client 18.104.22.168] [Length 150] [Gzip -] [Sent-to 192.168.1.2] "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0" "-"
[25/Jul/2022:22:33:01 +0200] - 502 502 - POST https bitwarden.domain.com "/identity/connect/token" [Client 192.168.1.1] [Length 552] [Gzip -] [Sent-to 192.168.1.2] "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36 Edg/103.0.1264.71" "-"
[25/Jul/2022:22:33:03 +0200] - 405 405 - HEAD https home.domain.com "/" [Client 22.214.171.124] [Length 0] [Gzip -] [Sent-to 192.168.1.2] "Mozilla/5.0+(compatible; UptimeRobot/2.0; http://www.uptimerobot.com/)" "https://home.domain.com"
[25/Jul/2022:22:33:23 +0200] - 200 200 - GET https home.domain.com "/" [Client 126.96.36.199] [Length 9551] [Gzip -] [Sent-to 192.168.1.2] "Mozilla/5.0+(compatible; UptimeRobot/2.0; http://www.uptimerobot.com/)" "https://home.domain.com"
[7/25/2022] [10:33:29 PM] [SSL ] › ℹ info Renewing Let'sEncrypt certificates via Cloudflare for Cert #2: *.domain.com, domain.com
[7/25/2022] [10:33:29 PM] [SSL ] › ℹ info Command: certbot renew --config "/etc/letsencrypt.ini" --cert-name "npm-2" --disable-hook-validation --no-random-sleep-on-renew
[7/25/2022] [10:33:33 PM] [Express ] › ⚠ warning Command failed: certbot renew --config "/etc/letsencrypt.ini" --cert-name "npm-2" --disable-hook-validation --no-random-sleep-on-renew
Another instance of Certbot is already running.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /tmp/tmpqdornppd/log or re-run Certbot with -v for more details.
Hello, everyone. I installed and set up the Nginx Proxy Manager with Home Assistant.
So far everything works, if I call the xxx.duckdns.org address, the login window comes from the access
After I entered the access data. Am I on my Home Assistant page.
Problem 1: As soon as I make a few clicks, he immediately wants me to log in again (Access List Nginx Proxy Manager).
When I switch to the Settings/Integrations page and want to set up Octoprint, for example, I get the following error:
If I remove the access list in the Nginx Proxy Manager, everything works fine. With Access List this error occurs every few minutes. It makes no difference whether I use the Homeassistant Android app or the Chrome browser on my cell phone or computer.
Does anyone have a solution for me?
The address with https://xxxx.duckdns.org:8111 seems strange to me!
With nginx Proxy manager my external address for HA is https://yyy.xxx.duckdns.org
There is an additional subdomain in front and the port is not neccessary!
Hello Cartsen, unfortunately exactly the same error after the changeover.
For everyone who is running into the INTERNAL ERROR issue, just choose “use DNS challenge” and put your DuckDNS token in, takes me several days to find out.
hope this will save your time