Lost HTTPS access

jonasgustavsson · May 24, 2020, 12:16pm

Hi,
My HA was running really fine, up until one day when I couldn’t access it’s web interface anymore. It came out of the blue.

After some initial troubleshooting, I realized this happened probably 90 days after I installed the Let’s encrypt plugin. So a qualified guess is that the failure is due to the certificate being expired.

I don’t have HTTP access either, as I removed it for security reasons.
My configuration.yaml:

http:
  base_url: https://mydomain.duckdns.org:8123
  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem

Good thing is that I have SSH and samba access. So I’m pretty sure this can be sorted, if I would just know how… I’ve made several attempts trying to google an answer, but now after two months without results, I need to get some help here, please.

Thanks!

juan11perez · May 24, 2020, 1:52pm

how did you install HA?

and have you confirmed your cert suspicions using certchecker?

baz123 · May 24, 2020, 2:03pm

Check the addon logs - I had problems when Cloudflare changed something in the security model so the API Token failed to work.

You should get an email with an expiry warning notice.

koying · May 24, 2020, 2:04pm

Educated guess are great.
Opening your browser’s web development console to check what is actually going wrong is even better

kirpat · May 24, 2020, 2:07pm

base_url have been changed to
external_url
internal_url
Please check changelog for it

jonasgustavsson · May 24, 2020, 5:38pm

how did you install HA?
It’s installed using Hass.io image, and then also installed Let’s Encrypt and DuckDNS add-ons. So my installation should be fairly standard.
and have you confirmed your cert suspicions using certchecker?
Opening your browser’s web development console to check what is actually going wrong is even better
I just figured out how to do it and can see that, yes, the certificate for mydomain.duckdns.org expired on 29th of March.

So the solution is most likely to get the certificate renewed. But how do I do that using SSH? I’ve tried to figure out if certbot is available as part of the Let’s Encrypt add-on, but without any conclusions. Perhaps there’s some port I need to open in my router.

(As a side note, I just stumbled on the sensor “Certificate Expiry” - once this issue is solved I’ll for sure add that sensor so I don’t end up in the same situation again)

juan11perez · May 24, 2020, 5:50pm

you cant control docker from ssh in hassio.
if you cant access your webgui locally then not sure how you can fix this

and by the way letsencrypt should auto renew your certificate, but since you’ve closed port 80 i guess it cant do it.

jonasgustavsson · May 24, 2020, 6:10pm

you cant control docker from ssh in hassio.
if you cant access your webgui locally then not sure how you can fix this

OK, that explains why I was unsuccessful.

and by the way letsencrypt should auto renew your certificate, but since you’ve closed port 80 i guess it cant do it.

I just checked, and I have been having port 80 open all the way along for my HA. So I don’t know why it hasn’t updated.

juan11perez · May 24, 2020, 6:22pm

then it should have updated automatically.
can you not login via http from inside your network?

jonasgustavsson · May 24, 2020, 6:26pm

can you not login via http from inside your network?

Unfortunately not. I remember choosing not to configure that since “why would I ever need it”. I regret that today. I can’t remember what kind of config I choose to remove/not configure unfortunately.

wolfpins · May 24, 2020, 6:32pm

And when you try your home ip with https:// .

juan11perez · May 24, 2020, 6:33pm

sorry have you got access to the same network as the ha host?
or are you in a remote location

jonasgustavsson · May 24, 2020, 6:36pm

And when you try your home ip with https:// .

I get to a HA page with the error message.

You're about to give https://[my-wan-ip]/ access to your Home Assistant instance.
Logging in with Home Assistant Local.
Error: invalid client id or redirect uri**

sorry have you got access to the same network as the ha host?

Yes, I’m on the same network as the HA host.

juan11perez · May 24, 2020, 6:41pm

so why dont you just type http://localip:8123

jonasgustavsson · May 24, 2020, 6:44pm

My browser then gives me

**192.168.1.100**  didn’t send any data.
ERR_EMPTY_RESPONSE

juan11perez · May 24, 2020, 6:44pm

http://192.168.1.100:8123

takes you to your webui

jonasgustavsson · May 24, 2020, 6:47pm

Nope. As said, my browser gives me

This page isn’t working

192.168.1.100 didn’t send any data.
ERR_EMPTY_RESPONSE

juan11perez · May 24, 2020, 6:48pm

then you have another problem which is not the certificate only
your ha is not running correctly.
you need to check your logs
if you have samba you should be able to see your homeassstantl.log

jonasgustavsson · May 24, 2020, 7:13pm

I checked home-assistant.log. Nothing of interest here really, only two entries from two non-relevant plugins having issues.
As said, I do remember intentionally disabling HTTP access. But I don’t remember how.

(BTW, thanks for your patience so far in helping me)

juan11perez · May 24, 2020, 7:22pm

you cant disable htttp access within your network.
if ha is running correctly, then you should be able to access your webui