Before I start (and it will probably be tomorrow), any tricks I need to know to get SSL set back up?
Currently pulling out my hair trying to figure this out as well…
Just made the leap to a NUC and trying to get off the ground running HASS in a Docker container. I’ve managed that OK but haven’t been successful trying to set up SSL for secure remote access from my phone outside my home network…
I would recommend doing it via NGINX reverse proxy and Let’s Encrypt.
Then I am hoping all that is possible using Docker as well.
So far I like Docker although I am sure it gets even better as one learns more about it.
Of course it is
Thanks for the recommendation. I successfully got the linuxserver/letsencrypt container up and running which I think accomplishes what you’re suggesting (Nginx webserver and reverse proxy with php support and a built-in letsencrypt client).
I’m still seeing the same error in Home Assistant’s logs:
2018-02-17 17:49:45 ERROR (MainThread) [homeassistant.config] Invalid config for [http]: not a file for dictionary value @ data['http']['ssl_certificate']. Got '/opt/docker/letsencrypt/etc/letsencrypt/live/example.duckdns.org/fullchain.pem'
not a file for dictionary value @ data['http']['ssl_key']. Got '/opt/docker/letsencrypt/etc/letsencrypt/live/example.duckdns.org/privkey.pem'. (See /config/configuration.yaml, line 38).
The config.yaml has:
http:
  api_password: !secret http_password
  ssl_certificate: !secret ssl_certificate
  ssl_key: !secret ssl_key
  base_url: !secret base_url
I read through this thread where a similar issue occurred, however I haven’t had any luck applying the chmod solution identified there…
Any ideas or suggestions I can keep pursuing? Appreciate anything you can suggest!
You don’t need to do anything with home assistant config if you’re using a reverse proxy.
Thanks, I removed the SSL key/cert from config.yaml and now receive a
ERR_SSL_PROTOCOL_ERROR instead of connection refused - a sign of progress. I’ll keep playing around with the Let’s Encrypt setup to iron out the kinks. Appreciate the help!
The Let’s Encrypt docker does not handle nginx reverse proxy. You need to configure a separate docker for that.
The Docker Hub page for the letsencrypt image indicates it:
sets up an Nginx webserver and reverse proxy with php support and a built-in letsencrypt client that automates free SSL server certificate generation and renewal processes.
Are you saying that in addition to this, I need a separate nginx reverse proxy container?
That’s weird. It used to only be a let’s encrypt certificate generation. There didn’t used to be a webserver included.
trying this now
and failed… probably didn’t need the ftp & cloud, or maybe that line at all. Guess I have something wrong with the ports too since my duckdns failed.
XXXX.duckdns.org (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain
-
The following errors were reported by the server:

Domain: cloud.XXXX.duckdns.org
Type: connection
Detail: Fetching http://cloud.XXXX.duckdns.org/.well-known/acme-challenge/NuH3ty6ShDNbC4BdUfWYSuJjPnbi9g90BbATKDBJeGQ: Timeout

Domain: XXXX.duckdns.org
Type: connection
Detail: Fetching http://XXXX.duckdns.org/.well-known/acme-challenge/8vdn_yJ0yD2gfy_WsQ3z3tMb3mfqMQo3mZLin9Yc9eA: Timeout

Domain: www.XXXX.duckdns.org
Type: connection
Detail: Fetching http://www.XXXX.duckdns.org/.well-known/acme-challenge/gMw6Vxw6m0YM6a-v3bn7tDyl8heAFj-2XTE137c0HCw: Timeout

Domain: ftp.XXXX.duckdns.org
Type: connection
Detail: Fetching http://ftp.XXXX.duckdns.org/.well-known/acme-challenge/z8p945Eb_576KjuAa6FwC56xN293tjSV_b7QgtLf-_4: Timeout
do you have port 80 forwarded to your Docker host?
I believe so, running HomeAssistant on 18122…
docker create \
  --cap-add=NET_ADMIN \
  --name=letsencrypt \
  -v /letsencrypt/config:/config \
  -e PGID=1000 -e PUID=1000 \
  -e [email protected] \
  -e URL=XXXX.duckdns.org \
  -e VALIDATION=http \
  -p 80:18122 -p 443:443 \
  -e TZ=America/Chicago \
  linuxserver/letsencrypt
but you have to forward port 80 on your router to your docker host…
My letsencrypt setup is the same as Corey_Johnson with the exception of -p 80:80 -p 443:443. I’ve tried mapping 80:8123 where my Home Assistant is, but doesn’t work.
I use Google Wifi and have port forwarding setup for the docker host as:
80:80
443:443
When I access my example.duckdns.org page I no longer get any SSL errors, but instead see the default nginx landing page which shows in chrome as secure.
Welcome to our server
The website is currently being setup under this address.
For help and support, please contact: [email protected]
It seems like the last piece I still haven’t gotten is pointing correctly to the Home Assistant container.
Configure your reverse proxy. You can’t just forward port 443 to 8123 and have it work with SSL. You need to configure nginx to reverse proxy traffic on 443 to 8123. 8123 should never be connected directly
OK, I updated but I’m still not seeing it.
Is what you’re describing the settings found in Portainer under port configuration or something else? I tried configuring the letsencrypt/nginx container with 443:8123 but still not working.
Looking at the letsencrypt container in Portainer:
Port configuration
80/tcp 0.0.0.0:80
8123/tcp 0.0.0.0:443
No. You need to configure the actual reverse proxy. Port mapping in docker has nothing to do with a reverse proxy configuration
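The reverse-proxy configuration the two replies above are asking for (traffic on 443 terminated by nginx and proxied to Home Assistant on 8123, with 8123 itself never exposed to the internet), as an added example. This is not the original poster's config and not the linuxserver image's shipped default. Assumptions that are not in the thread: the file lives at /config/nginx/site-confs/default inside the letsencrypt container (host path /letsencrypt/config/nginx/site-confs/default given the -v mapping in the docker create command above); the certificate paths are the /config/keys/letsencrypt/ symlinks the image maintains; the Docker host's LAN address is 192.168.1.10 and Home Assistant listens there on 8123. Check the paths against the files the image ships in /config/nginx/ before using it.

```nginx
# Added example (not from the thread): nginx site config for the
# linuxserver/letsencrypt container, proxying https://XXXX.duckdns.org
# to Home Assistant. Assumed values: container file path
# /config/nginx/site-confs/default, Docker host LAN IP 192.168.1.10,
# Home Assistant on port 8123, cert symlinks under /config/keys/letsencrypt/.

# Plain HTTP only redirects. The image's own certbot obtains and renews the
# certificate over port 80, which is why 80:80 must be published and forwarded.
server {
    listen 80;
    server_name XXXX.duckdns.org;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    server_name XXXX.duckdns.org;

    # Certificate paths as laid out by the linuxserver image (assumed).
    ssl_certificate     /config/keys/letsencrypt/fullchain.pem;
    ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;

    location / {
        # Home Assistant on the Docker host's LAN address (assumed), never
        # published on the router itself.
        proxy_pass http://192.168.1.10:8123;

        # The Home Assistant frontend uses a WebSocket; without the upgrade
        # headers the page loads but stays stuck "connecting".
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

After saving the file, `docker exec letsencrypt nginx -t` checks the syntax and `docker restart letsencrypt` loads it. Note that Docker's `-p host:container` only publishes ports: `-p 443:8123`, as in the Portainer screenshot, exposes the container's port 8123 on host port 443, and nothing inside the letsencrypt container listens on 8123, so that mapping cannot substitute for the proxy_pass above; the container needs `-p 80:80 -p 443:443` and the router forwards the same two ports to the Docker host. With the proxy in place the `http:` section of Home Assistant's configuration keeps `base_url` but needs no `ssl_certificate`/`ssl_key`. One caveat for anyone applying this to a current release: Home Assistant versions from 2021.7 onward reject proxied connections unless `use_x_forwarded_for: true` and a `trusted_proxies` list containing the proxy's address are set under `http:`.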