My Docker Stack

Thanks, I removed the SSL key/cert from config.yaml and now receive a
ERR_SSL_PROTOCOL_ERROR instead of connection refused - a sign of progress :slight_smile: . I’ll keep playing around with the let’s encrypt setup to iron out the kinks. Appreciate the help!

The let’s encrypt docker does not handle nginx reverse proxy. You need to configure a separate docker for that

The docker hub page for the letsencrypt image indicates it:

sets up an Nginx webserver and reverse proxy with php support and a built-in letsencrypt client that automates free SSL server certificate generation and renewal processes.

Are you saying that in addition to this, I need a separate nginx reverse proxy container?

That’s weird. It used to only be a let’s encrypt certificate generation. There didn’t used to be a webserver included.

trying this now

and failed… probably didn’t need the ftp & cloud, or maybe that line at all. Guess I have something wrong with the ports too since my duckdns failed.

XXXX.duckdns.org (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain

do you have port 80 forwarded to your Docker host?

I believe so, running HomeAssistant on 18122…

docker create \
--cap-add=NET_ADMIN \
--name=letsencrypt \
-v /letsencrypt/config:/config \
-e PGID=1000 -e PUID=1000 \
-e [email protected] \
-e URL=XXXX.duckdns.org \
-e VALIDATION=http \
-p 80:18122 -p 443:443 \
-e TZ=America/Chicago \
linuxserver/letsencrypt

but you have to forward port 80 on your router to your docker host…

My letsencrypt setup is the same as Corey_Johnson with the exception of -p 80:80 -p 443:443. I’ve tried mapping 80:8123 where my Home Assistant is, but it doesn’t work.

I use Google Wifi and have port forwarding setup for the docker host as:

80:80 
443:443 

When I access my example.duckdns.org page I no longer get any SSL errors, but instead see the default nginx landing page which shows in chrome as secure.

Welcome to our server
The website is currently being setup under this address.

For help and support, please contact: [email protected]

It seems like the last piece I still haven’t gotten is pointing correctly to the Home Assistant container.

Configure your reverse proxy. You can’t just forward port 443 to 8123 and have it work with SSL. You need to configure nginx to reverse proxy traffic on 443 to 8123. 8123 should never be connected directly.

OK, I updated but I’m still not seeing it.

Is what you’re describing the settings found in Portainer under port configuration or something else? I tried configuring the letsencrypt/nginx container with 443:8123 but still not working.

Looking at the letsencrypt container in Portainer:

Port configuration
80/tcp    0.0.0.0:80
8123/tcp  0.0.0.0:443

No. You need to configure the actual reverse proxy. Port mapping in docker has nothing to do with a reverse proxy configuration

Here is my NGINX Reverse Proxy config (redacted personal info of course):

map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    # Update this line to be your domain
    server_name <MYDOMAINNAME>;

    # These shouldn't need to be changed
    listen 80 ipv6only=off;
    return 301 https://$host$request_uri;
}

server {
    # Update this line to be your domain
    server_name <MYDOMAINNAME>;

    # Ensure these lines point to your SSL certificate and key
    ssl_certificate /etc/letsencrypt/live/<MYDOMAINNAME>/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/<MYDOMAINNAME>/privkey.pem;
    # Use these lines instead if you created a self-signed certificate
    # ssl_certificate /etc/nginx/ssl/cert.pem;
    # ssl_certificate_key /etc/nginx/ssl/key.pem;

    # Ensure this line points to your dhparams file
    ssl_dhparam /etc/nginx/ssl/dhparams.pem;


    # These shouldn't need to be changed
    # "ssl" on the listen line replaces the deprecated "ssl on;" directive; "http2" needs nginx >= 1.9.5
    listen 443 ssl ipv6only=off http2;
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
    # TLSv1 and TLSv1.1 are deprecated; drop them unless a legacy client still needs them
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    access_log /var/log/nginx/hass.access.log;
    error_log /var/log/nginx/hass.error.log;

    proxy_buffering off;

    location / {
        proxy_pass http://<IPorHOSTNAMEtoHASS>:8123;
        proxy_set_header Host $host;
        proxy_redirect http:// https://;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }
}

This reverse proxy is actually hosted on a Digital Ocean droplet and proxied back to my home network, so I never have to mess with loopback NAT, but the concept should be the same. What this accomplishes is that I have lets encrypt on the VPS (Digital Ocean droplet) and so my home assistant has a certificate, but I don’t have to mess with ANY SSL configuration on home assistant itself. This means that while I am working locally on my home network, it is a local IP address, and does not require SSL. When outside the network, it is SSL enabled.

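As an added example (not code from the thread or from nginx), here is a minimal Python reverse proxy that does what the `location /` block above does: it forwards requests to an upstream, appends the client address to X-Forwarded-For, passes the Host header through, and rewrites `http://` redirects to `https://`. `FakeHass` is a constructed stand-in for Home Assistant on 8123 that echoes the headers it receives; TLS termination is left out because nginx handles it in the setup above.

```python
import http.client, json, threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
# Hop-by-hop headers and ones the proxy recomputes itself must not be copied through
SKIP = {"connection", "keep-alive", "transfer-encoding", "upgrade", "content-length", "server", "date"}
def make_proxy(upstream_host, upstream_port, public_scheme="https"):
    # Handler equivalent of the nginx 'location /' block: forward to HA, fix up headers
    class Proxy(BaseHTTPRequestHandler):
        def do_GET(self):
            hdrs = {k: v for k, v in self.headers.items() if k.lower() not in SKIP}
            prior, ip = self.headers.get("X-Forwarded-For"), self.client_address[0]
            hdrs["X-Forwarded-For"] = f"{prior}, {ip}" if prior else ip  # $proxy_add_x_forwarded_for
            conn = http.client.HTTPConnection(upstream_host, upstream_port, timeout=10)
            conn.request("GET", self.path, headers=hdrs)  # Host header passes through unchanged
            resp = conn.getresponse()
            data = resp.read()
            self.send_response(resp.status)
            for k, v in resp.getheaders():
                if k.lower() == "location" and v.startswith("http://"):
                    v = public_scheme + v[4:]  # proxy_redirect http:// https://
                if k.lower() not in SKIP:
                    self.send_header(k, v)
            self.send_header("Content-Length", str(len(data)))
            self.end_headers()
            self.wfile.write(data)
            conn.close()
    return Proxy
class FakeHass(BaseHTTPRequestHandler):
    # Constructed stand-in for Home Assistant: echoes headers and answers with an http:// redirect
    def do_GET(self):
        body = json.dumps({"host": self.headers.get("Host"), "xff": self.headers.get("X-Forwarded-For")}).encode()
        self.send_response(302)
        self.send_header("Location", "http://hass.local:8123" + self.path)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
def serve(handler):
    srv = ThreadingHTTPServer(("127.0.0.1", 0), handler)  # port 0 = any free port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv
def demo_roundtrip():
    # Start fake HA behind the proxy and request through the proxy like an external client
    hass = serve(FakeHass)
    proxy = serve(make_proxy("127.0.0.1", hass.server_address[1]))
    c = http.client.HTTPConnection("127.0.0.1", proxy.server_address[1], timeout=5)
    c.request("GET", "/lovelace", headers={"Host": "example.duckdns.org"})
    r = c.getresponse()
    out = json.loads(r.read())
    out.update(status=r.status, location=r.getheader("Location"))
    hass.shutdown(); proxy.shutdown()
    return out
```

Running `demo_roundtrip()` shows the backend seeing the public Host and the client IP in X-Forwarded-For while the redirect it issued comes back to the client with an https:// scheme.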

You might want to consider doing the basic SSL setup for now and figuring out Nginx later. The instructions on this page are pretty straightforward and get you up and running at https://xxxxx.duckdns.org:8123 pretty quick. There is a Docker container for it.

(LINK)

The only thing you should do different is forward port 80 to port 80 on your Home Assistant device (not 80:8123 like it says). After your certificate is pulled, remove that port forward and just leave 8123:8123.

Thanks, I’ll pursue your recommendation as I’m clearly in over my head (for the time being) with the solution I’ve been trying the past few days…

I’ll follow-up once successful in case anyone else is in a similar situation.

Followed those instructions without error until the last part of actually trying to access HASS securely at my https://example.duckdns.org:8123 address.

I see the following errors in home assistant:

2018-02-18 12:11:01 ERROR (MainThread) [homeassistant.config] Invalid config for [http]: not a file for dictionary value @ data['http']['ssl_certificate']. Got '/etc/letsencrypt/live/example.duckdns.org/fullchain.pem/fullchain.pem'
not a file for dictionary value @ data['http']['ssl_key']. Got '/etc/letsencrypt/live/example.duckdns.org/privkey.pem'. (See /config/configuration.yaml, line 38). Please check the docs at https://home-assistant.io/components/http/

Based on the error message you are pointing to an incorrect directory. Is your domain example.duckdns.org?

No, I just redacted the actual DuckDNS subdomain.

I can see the full key and private key in the directory that’s referenced in the error so I know it’s there.

Just to keep things straight here’s what I’ve tried:

  1. Home Assistant is running in a Docker container
  2. I followed these instructions step by step without any errors following the steps specifically called out for Docker.
  3. Tried multiple port forwarding configs between my router/host machine including the ones outlined in the guide, what gregg098 suggested, etc.

And this is why I prefer a reverse proxy. There are zero configuration changes needed in Home Assistant.

I have a firewall rule in place for my reverse proxy (because my proxy is hosted externally) to be the only allowed communication on port 8123 to my home assistant/docker host. Otherwise, if I were hosting the reverse proxy internally, I would just port forward ports 80/443 on my router/firewall to my reverse proxy.

The reverse proxy handles ALL of the SSL stuff. Home assistant doesn’t know and doesn’t care that access externally requires SSL.