Integrating HA with other web domains hosted on same server

home.domain1.co.uk is resolved as 192.168.1.36 with IPv4?
nginx on 192.168.1.36 is started and listening? Any logs from nginx?
Symbolic link in sites-enabled points to file in sites-available?

btw I would have recommended to open your own thread instead of posting into a 2 year old topic.

Yes, http://home.domain1.co.uk and https://home.domain1.co.uk are both being forwarded to 192.168.1.36. Although I don’t see these requests in /var/log/nginx/access.log ??

nginx is started and listening, and serving up pages on domain2.com - these requests are appearing in the access.log.

Re. symbolic links, I did run this:

sudo ln -s /etc/nginx/sites-available/mysite.com /etc/nginx/sites-enabled/

Is this what you mean?

Are you running apache by any chance?
If so, you can use apache as proxy forwarder…

I myself run http on my own web server and HA on https (proxy forwarded)
So port 80 and 443 are both forwarded to apache; from there 443 is forwarded to HA (the certificates also reside on apache)

No I only run nginx.
Good point re. this being an old thread - I’ll raise the SSL question in a separate thread.

The client receives the certificate from nginx server
nginx will fail to validate the certificate on your HA server, you might see errors or warnings in the nginx log. Putting
proxy_ssl_verify off;
into both “location” configuration items should tell nginx to ignore the certificate on the HA server, but I have not verified this.

If the client receives the cert from the nginx server (a certificate which was copied from the HA server), isn’t it already ignoring the certificate on the HA server?

When the time comes to renew the certificate, presumably I would need to temporarily direct port 80 to the HA server if I wanted the Let’s Encrypt add-in to renew it?

Or would it be possible to permanently direct port 80 to the HA server by making changes to the nginx config?

the client (browser on your PC, Mac, Tablet, …) doesn’t care about the certificate on the HA server, it only communicates with nginx. But nginx communicates with the HA and the subject in the certificate does not match the hostname in the https-Requests

Not sure, I’m not using the LE Addon, I’m updating my certificate manually using the acme.sh script. I’m using the same wildcard certificate for all servers in my internal domain, but issuing wildcard certificates from LE is quite a bit of manual work (DNS-01 challenge at Let’s Encrypt)

So is it the case that I only need to keep the SSL cert updated on the nginx server - I can forget about the cert on the HA server?

The SSL cert only needs to be on the thing handling SSL, in your case that’s NGINX. It doesn’t need to be accessible to HA at all.

Yes, only the certificate on nginx is required.
You might consider removing the certificate from the HA configuration (and changing the nginx configuration back from https to http), assuming all access to HA is done through nginx.
Currently you might see warnings in the nginx log because the certificate does not match the name in the request; in 3 months or less the certificate will additionally have expired.

Hmmm…so now I am confused. I now have a valid SSL cert on the nginx server, so I removed this section from configuration.yaml and restarted HA:

http:
  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem

I now get “ERR_CONNECTION_REFUSED” when I try to connect using:

https://mydomain

if I try to connect to this URL:

https://mydomain:8123

I get “This site can’t provide a secure connection - ERR_SSL_PROTOCOL_ERROR”
…which suggests that requests are still being forwarded to the HA server on port 443, and the SSL certificates on that server are still being referenced??

This is the config for my HA domain on the nginx server:

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    ssl_certificate /etc/letsencrypt/live/mydomain/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mydomain/privkey.pem;
    server_name mydomain;
    location / {
        proxy_pass http://192.168.1.225:8123/;
        proxy_set_header Host $host;
    }
    location /api/websocket {
        proxy_pass http://192.168.1.225:8123/api/websocket;
        proxy_set_header Host $host;
    }
}

It should now be forwarding incoming https requests to port 80 on the HA server, but it seems that this is not happening. Ports 443 and 80 on the router are definitely being forwarded to the nginx server.
Any idea what I might be doing wrong?

Hi
with your configuration in nginx you are forwarding all incoming https-requests with http to 192.168.1.225 on port 8123, looks OK to me.

You might need this in configuration.yaml, the link explains why

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 192.168.1.36      # your nginx-server
    - 192.168.1.0/24  # The whole subnet

I also have the following additional settings in my nginx-configuration (inside the location)
This sets additional HTTP-Headers for communication between nginx and HA

    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
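Added example (not code from the thread, and not Home Assistant’s own implementation): a small model of why the `trusted_proxies` list and the `proxy_set_header` lines above belong together. `nginx_forward` imitates what the `$proxy_add_x_forwarded_for`, `$remote_addr` and `$scheme` variables produce, and `effective_client` shows how an application behind the proxy should only believe those headers when the TCP peer is a listed proxy, walking X-Forwarded-For right to left to the first untrusted hop. That walk is a common approach and an assumption here, not a statement of HA’s exact algorithm; all addresses are constructed to match the thread (nginx on 192.168.1.36, a WAN client on 203.0.113.7).

```python
import ipaddress
from typing import Dict, Tuple

# Constructed addresses following the thread: nginx on .36, HA on .225.
# Only the nginx host is trusted here; trusting 192.168.1.0/24 is shown in the usage note.
TRUSTED_PROXIES = [ipaddress.ip_network("192.168.1.36/32")]


def is_trusted(ip: str, trusted=TRUSTED_PROXIES) -> bool:
    """True if ip falls inside one of the trusted proxy networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in trusted)


def nginx_forward(client_ip: str, client_headers: Dict[str, str],
                  scheme: str = "https") -> Dict[str, str]:
    """Model the proxy_set_header lines from the thread.

    $proxy_add_x_forwarded_for appends the TCP peer's address to whatever
    X-Forwarded-For the client already sent, so a client-supplied value is
    kept but pushed one position to the left; $remote_addr and $scheme are
    what nginx itself observed on the connection.
    """
    incoming = client_headers.get("X-Forwarded-For")
    xff = f"{incoming}, {client_ip}" if incoming else client_ip
    return {
        "X-Real-IP": client_ip,
        "X-Forwarded-For": xff,
        "X-Forwarded-Proto": scheme,
    }


def effective_client(peer_ip: str, headers: Dict[str, str],
                     trusted=TRUSTED_PROXIES, use_x_forwarded_for: bool = True,
                     local_scheme: str = "http") -> Tuple[str, str]:
    """Decide which address and scheme the application should act on.

    If the feature is off, or the TCP peer is not a trusted proxy, the
    forwarding headers are ignored and the peer itself is the client.
    Otherwise X-Forwarded-For is walked right to left and the first hop that
    is not a trusted proxy is the client (hypothetical helper: a common
    approach, not a claim about Home Assistant's exact algorithm).
    """
    if not use_x_forwarded_for or not is_trusted(peer_ip, trusted):
        return peer_ip, local_scheme

    proto = headers.get("X-Forwarded-Proto", local_scheme)
    if proto not in ("http", "https"):
        proto = local_scheme

    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return peer_ip, proto  # malformed hop: do not guess, fall back to the peer
        if not is_trusted(hop, trusted):
            return hop, proto
    # Every hop was a trusted proxy (or the header was empty): the peer is the best answer.
    return peer_ip, proto


if __name__ == "__main__":
    # A WAN client (203.0.113.7, constructed) arriving through nginx.
    via_proxy = nginx_forward("203.0.113.7", {})
    print(effective_client("192.168.1.36", via_proxy))  # ('203.0.113.7', 'https')
    # The same client sending its own X-Forwarded-For: nginx appends, HA still sees the true hop.
    with_own_header = nginx_forward("203.0.113.7", {"X-Forwarded-For": "192.168.1.50"})
    print(effective_client("192.168.1.36", with_own_header))  # ('203.0.113.7', 'https')
    # A connection straight to HA is not from a trusted proxy, so its headers are ignored.
    print(effective_client("203.0.113.9", {"X-Forwarded-For": "192.168.1.50"}))  # ('203.0.113.9', 'http')
```

One caveat the snippet above makes visible: if the whole `192.168.1.0/24` subnet is listed as trusted, a LAN client reaching HA through nginx (X-Forwarded-For `192.168.1.50`, peer `192.168.1.36`) has every hop marked trusted, so under this walk it is reported as the proxy address rather than its own. Listing only the nginx host keeps per-client addresses intact.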

Correction - this is what is happening when I access the URL’s in question:

https://home.mydomain.co.uk:8123/
ERR_SSL_PROTOCOL_ERROR
https://home.mydomain.co.uk/
net::ERR_CERT_COMMON_NAME_INVALID
Proceed to home.mydomain.co.uk (unsafe)

If I proceed I get presented with the HA login page. When I enter my credentials I get:

Unable to connect to Home Assistant.

???

Hmm, that’s two issues

https://home.mydomain.co.uk:8123/
we have not seen your full nginx configuration, but it didn’t look like it is providing any service on port 8123?

home.mydomain.co.uk is the hostname for your nginx-server on 192.168.1.36 and this is also the server name you have a certificate for?
you have shell access on your nginx-server?
openssl x509 -in /etc/letsencrypt/live/mydomain/fullchain.pem; -text -noout |grep -A1 Subject
shows the Subject and Subject Alternative Name the certificate was created for

see my previous post, access with websockets might not work due to missing headers

Correct - my nginx is not providing a service on port 8123.

home.mydomain.co.uk is the hostname for my Home Assistant instance on 192.168.1.225. I have certificates for this domain on the nginx server (192.168.1.36) as this is where https requests land first.

Looking at the nginx logs, I am seeing requests being generated for https://home.mydomain.co.uk/lovelace
(when I enter https://home.mydomain.co.uk/)

If I try running that openssl command on the nginx server I get the certificate (a chunk of encrypted text) plus this:

-text command not found

Am I misunderstanding where the SSL certs for the HA domain should be hosted? Should they actually be on the HAOS host, rather than the nginx host? If so, will renewal be problematic, as LetsEncrypt needs to do it over port 80, and that port is forwarded to the nginx server, not the HA server?

EDIT: if I re-enable the SSL certs on the HA server then I can access it without any problems using this URL:

https://home.mydomain.co.uk:8123

So it seems that my web requests are definitely using the SSL certs on the HA server
???

sorry, typo when I build the command using the filename you provided, there is a semicolon where it shouldn’t be:
openssl x509 -in /etc/letsencrypt/live/mydomain/fullchain.pem -text -noout |grep -A1 Subject

You are trying to put the nginx server between your browser and HA
Browser ===https ==> Nginx ===http===> HA
https is between Browser and Nginx and the certificates are on the Nginx Server

However: The URL has to point to the nginx server
home.mydomain.co.uk should resolve to the IP of your nginx-Server (192.168.1.36) in your internal network
Your browser uses https://home.mydomain.co.uk, this connects to your Nginx and validates the certificate to match the Subject of “home.mydomain.co.uk”
Nginx forwards all requests to your HA server on IP 192.168.1.225, using http, certificates are not used between Nginx and HA

With SSL configured on HA and using home.mydomain.co.uk (currently resolving to 192.168.1.225) you directly connect to HA from your browser, Nginx is not involved here. That’s why you received the ERR_SSL_PROTOCOL_ERROR above, at this point HA was not configured for SSL
Currently your HA is configured for SSL and answers all requests directly.

Port 443 is forwarded on my router to the nginx server on 192.168.1.36, and home.mydomain.co.uk resolves to my external IP address, if that’s what you mean?
I just tried accessing https://home.mydomain.co.uk/ from the WAN (using 4G on my phone). This should be going to the nginx server, but I’m getting “ERR_EMPTY_RESPONSE”, and the requests are not registering in the access.log of the nginx server. If I add port 8123 (https://home.mydomain.co.uk:8123/) then I get routed to the HA server on 192.168.1.225 (and the requests still aren’t registering in the nginx access.log).

This doesn’t seem to be what is happening - if I disable the SSL certificates on the HA server (in the http section of configuration.yaml) I get an SSL error when I try to access it using the external URL (https://home.mydomain.co.uk). This error goes away if I re-instate the SSL certs on the HA server.

Sorry I can’t see the difference between that and the original command?

the difference is the semicolon after “fullchain.pem” and before “-text” in the original command

A few things are really odd in your configuration…

When you access https://home.mydomain.co.uk:8123/ from the WAN your router should refuse the connection. Do you have a port forwarding rule for 8123 on your router still enabled?

Which IP is pinged when you ping from inside your network?
ping -4 home.mydomain.co.uk
if correctly configured that should be either 192.168.1.36 or your external IP

perhaps check the port forwarding on your router again, it sounds like it is not forwarding port 443 to port 443 on the nginx server, otherwise you should see it in the logs.

Armin

Oh sorry - I’ve just noticed that I still had port 8123 forwarded to the HA server:

That resolves to my external IP address.

The openssl command shows one of my other domain names as the subject. I guess because I have a CNAME record for my HA domain which directs to that address.

So I have now removed the port forward of 8123 to the nginx server. Port 8123 is now not forwarded anywhere from the router.
Now, if I enter https://home.mydomain.co.uk:8123 I get to the HA login page, but after entering my details I get “Unable to connect to Home Assistant”.
I get exactly the same thing if I enter https://home.mydomain.co.uk/