Let's Encrypt addon ERR_SSL_PROTOCOL_ERROR issue

I’m trying to get an SSL connection going again on my new set up but I’m running into the ERR_SSL_PROTOCOL_ERROR error.

My setup:

Using Let’s Encrypt addon on HAOS (running on Proxmox)

My port forwarding 80 and 443 is sent to the internal LAN IP address of HAOS.
Using http I can access my HA instance through http://my.example.com
However when I use https://my.example.com I’m getting ERR_SSL_PROTOCOL_ERROR

I’m not sure what the issue is here. Any help or tips are appreciated!

The config:

Latest logs, the cert has been requested/renewed earlier:

[11:02:06] INFO: Selected http verification
[11:02:06] INFO: Detecting existing certificate type for <SNIP>
Saving debug log to /var/log/letsencrypt/letsencrypt.log
[11:02:07] INFO: Existing certificate using 'ecdsa' key type.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Certificate not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Certificate not yet due for renewal; no action taken.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
s6-rc: info: service legacy-services: stopping
s6-rc: info: service legacy-services successfully stopped
s6-rc: info: service legacy-cont-init: stopping
s6-rc: info: service legacy-cont-init successfully stopped
s6-rc: info: service fix-attrs: stopping
s6-rc: info: service fix-attrs successfully stopped
s6-rc: info: service s6rc-oneshot-runner: stopping
s6-rc: info: service s6rc-oneshot-runner successfully stopped

Are you portforwarding port 443 to an internal port with SSL activated?

Port 80 and 443 are forwarded on my router towards the internal IP of HA OS

Is that what you’re asking?

Your internal port 8123 is probably a http port.
It does not run https.
A port can only run one or the other.

I’m not sure what you’re getting at, I’ve been running 8123 > 8123 and 443 (https) > 8123 on another setup fine, not convinced that is the issue :slight_smile:

Yes, because both 8123 and 443 were using https, but what about 80?
That one would not work then.
Your internal port was only running https then.

I’ve changed it back to

80 > 80
443 > 8123
8123 > 8123

Still not working unfortunately. I’ve also tested by pointing 8123 to another port so only 443 would point to 8123, but that didn’t fix it.

Just because you point your portforwarding to a port does not make it change.
Your port 8123 is probably still a http port on HA, so it will not work with 443 pointing towards it.
8123 will work, if you do it with http only though.
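
One way to check the point made above from a machine on the LAN, as an added example that is not part of the original thread: probe each internal port a forward points at and report whether it answers with TLS or with plain HTTP. The function names, the address 192.0.2.10 and the rule list are assumptions for illustration.

```python
import socket
import ssl

def probe_port(host, port, timeout=3.0):
    """Classify host:port as 'https', 'http', 'closed' or 'unknown'."""
    # Step 1: attempt a TLS handshake. Certificate checks are off on purpose:
    # the question is only whether the port speaks TLS at all.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "https"
    except (ssl.SSLError, ConnectionResetError, socket.timeout):
        pass  # something answered, but not with TLS: try plain HTTP next
    except OSError:
        return "closed"  # refused or unreachable
    # Step 2: send a plain HTTP request and look for an HTTP status line.
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            request = f"HEAD / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
            raw.sendall(request.encode("ascii"))
            reply = raw.recv(16)
    except OSError:
        return "closed"
    return "http" if reply.startswith(b"HTTP/") else "unknown"

def check_forwards(host, rules, timeout=3.0):
    """rules: (external_port, internal_port) pairs as set on the router.
    Returns one finding per rule; external 443 must land on a TLS port."""
    findings = []
    for external, internal in rules:
        proto = probe_port(host, internal, timeout)
        ok = proto == "https" if external == 443 else proto in ("http", "https")
        findings.append((external, internal, proto, "ok" if ok else "mismatch"))
    return findings

if __name__ == "__main__":
    # Constructed values: replace with the HAOS LAN address and your own rules.
    for finding in check_forwards("192.0.2.10", [(80, 80), (443, 8123), (8123, 8123)]):
        print(finding)
```

A `mismatch` on the 443 rule means the browser's TLS handshake is reaching a plain-HTTP listener, which is what ERR_SSL_PROTOCOL_ERROR reports.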

OK I follow your thought, so what would I need to do to make it work with https then?

You need to have an internal https port to forward to.
It can be done with Nginx, which then allows both http and https connections on different ports, or it can be done by just changing the http service in HA, which then only allows https connections.

Is there a tutorial that explains the combo Let’s Encrypt and Nginx addons and how to config them? I seem unable to make it work unfortunately.

Did you read the part regarding configuring HA to enable SSL?

The Nginx Proxy Manager addon does both for you.

Hello @Skye,

Here Certbot Instructions | Certbot and see
nginx - User Guide — Certbot 2.12.0.dev0 documentation
Certbot command-line options