My Docker Stack

but you have to forward port 80 on your router to your docker host…

My letsencrypt setup is the same as Corey_Johnson with the exception of -p 80:80 -p 443:443. I’ve tried mapping 80:8123, where my Home Assistant is, but it doesn’t work.

I use Google Wifi and have port forwarding setup for the docker host as:

80:80 
443:443 

When I access my example.duckdns.org page I no longer get any SSL errors, but instead see the default nginx landing page which shows in chrome as secure.

Welcome to our server
The website is currently being setup under this address.

For help and support, please contact: [email protected]

It seems like the last piece I still haven’t gotten is pointing correctly to the Home Assistant container.

Configure your reverse proxy. You can’t just forward port 443 to 8123 and have it work with SSL. You need to configure nginx to reverse proxy traffic on 443 to 8123. 8123 should never be connected directly.

OK, I updated but I’m still not seeing it.

Is what you’re describing the settings found in Portainer under port configuration or something else? I tried configuring the letsencrypt/nginx container with 443:8123 but still not working.

Looking at the letsencrypt container in Portainer:

Port configuration
80/tcp    0.0.0.0:80
8123/tcp  0.0.0.0:443

No. You need to configure the actual reverse proxy. Port mapping in docker has nothing to do with a reverse proxy configuration

Here is my NGINX Reverse Proxy config (redacted personal info of course):

map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    # Update this line to be your domain
    server_name <MYDOMAINNAME>;

    # These shouldn't need to be changed
    listen 80 ipv6only=off;
    return 301 https://$host$request_uri;
}

server {
    # Update this line to be your domain
    server_name <MYDOMAINNAME>;

    # Ensure these lines point to your SSL certificate and key
    ssl_certificate /etc/letsencrypt/live/<MYDOMAINNAME>/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/<MYDOMAINNAME>/privkey.pem;
    # Use these lines instead if you created a self-signed certificate
    # ssl_certificate /etc/nginx/ssl/cert.pem;
    # ssl_certificate_key /etc/nginx/ssl/key.pem;

    # Ensure this line points to your dhparams file
    ssl_dhparam /etc/nginx/ssl/dhparams.pem;


    # These shouldn't need to be changed
    # "ssl" on the listen line replaces the deprecated "ssl on;" directive; http2 needs nginx >= 1.9.5
    listen 443 ssl ipv6only=off http2;
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
    # TLSv1 and TLSv1.1 are deprecated; use "TLSv1.2 TLSv1.3" unless an old client still needs them
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    access_log /var/log/nginx/hass.access.log;
    error_log /var/log/nginx/hass.error.log;

    proxy_buffering off;

    location / {
        proxy_pass http://<IPorHOSTNAMEtoHASS>:8123;
        proxy_set_header Host $host;
        proxy_redirect http:// https://;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }
}

This reverse proxy is actually hosted on a Digital Ocean droplet and proxied back to my home network, so I never have to mess with loopback NAT, but the concept should be the same. What this accomplishes is that I have Let’s Encrypt on the VPS (Digital Ocean droplet) and so my Home Assistant has a certificate, but I don’t have to mess with ANY SSL configuration on Home Assistant itself. This means that while I am working locally on my home network, it is a local IP address, and does not require SSL. When outside the network, it is SSL enabled.

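As an added example (not code from this thread, from nginx or from the linuxserver image): a small Python checker that parses an nginx server block and flags the things the reverse-proxy config above has to get right for Home Assistant, and that later posts in the thread trip over. It checks for the HTTP/1.1 websocket upgrade pass-through (without it the login page "spins"), the `map $http_upgrade $connection_upgrade` that `$connection_upgrade` depends on, the Host and X-Forwarded-For headers, an HSTS header, and deprecated TLS versions. The two configs embedded at the bottom are constructed samples: the domain is a placeholder and the backend address 192.168.30.6:8123 is the docker-host address used later in the thread. `include` files such as ssl.conf are not followed, so TLS settings are only checked when they appear in the text you pass in.

```python
import re

def tokenize(text):
    """Yield nginx config tokens: ';', '{' and '}' come out as separators,
    comments are dropped, and a quoted string (even '') stays one token."""
    text = re.sub(r"#[^\n]*", "", text)
    tok, have, quote = "", False, None
    for ch in text:
        if quote:
            if ch == quote:
                quote = None
            else:
                tok += ch
        elif ch in "\"'":
            quote, have = ch, True
        elif ch.isspace() or ch in ";{}":
            if have:
                yield tok
                tok, have = "", False
            if ch in ";{}":
                yield ch
        else:
            tok, have = tok + ch, True

def parse(text):
    """Build a tree of (name, args, children); children is None for a plain directive."""
    root, args = [], []
    stack = [root]
    for t in tokenize(text):
        if t == ";":
            stack[-1].append((args[0], args[1:], None))
            args = []
        elif t == "{":
            child = []
            stack[-1].append((args[0], args[1:], child))
            args = []
            stack.append(child)
        elif t == "}":
            stack.pop()
        else:
            args.append(t)
    return root

def directive(block, name):
    """Argument lists of every `name` directive directly inside `block`."""
    return [a for n, a, _ in block if n == name]

def lint_proxy(text):
    """Return (code, message) findings for each TLS server block that proxies."""
    conf = parse(text)
    out = []
    has_map = any(n == "map" and a[:2] == ["$http_upgrade", "$connection_upgrade"]
                  for n, a, _ in conf)
    for name, _, body in conf:
        if name != "server":
            continue
        names = directive(body, "server_name")
        if not names or names[0] == ["_"]:
            out.append(("server_name", "set the real hostname, not '_' or nothing"))
        if not any("ssl" in l or l[0].endswith("443") for l in directive(body, "listen")):
            continue  # plain-HTTP redirect block: nothing to proxy-check
        for protos in directive(body, "ssl_protocols"):
            if {"TLSv1", "TLSv1.1"} & set(protos):
                out.append(("tls_versions", "TLSv1/TLSv1.1 are deprecated; use TLSv1.2 TLSv1.3"))
        if not any(h[:1] == ["Strict-Transport-Security"] for h in directive(body, "add_header")):
            out.append(("hsts", "no Strict-Transport-Security header on the TLS block"))
        for lname, largs, lbody in body:
            if lname != "location" or not lbody or not directive(lbody, "proxy_pass"):
                continue
            loc = "location " + " ".join(largs)
            # nginx inheritance: proxy_set_header in a location replaces *all*
            # server-level proxy_set_header lines rather than merging with them.
            src = directive(lbody, "proxy_set_header") or directive(body, "proxy_set_header")
            hdrs = {h[0]: h[1] for h in src if len(h) == 2}
            ver = directive(lbody, "proxy_http_version") or directive(body, "proxy_http_version")
            if (ver != [["1.1"]] or hdrs.get("Upgrade") != "$http_upgrade"
                    or hdrs.get("Connection") not in ("$connection_upgrade", "upgrade", "Upgrade")):
                out.append(("websocket", loc + ": HTTP/1.1 upgrade not passed through; the HA websocket (login) will hang"))
            if hdrs.get("Connection") == "$connection_upgrade" and not has_map:
                out.append(("upgrade_map", loc + ": $connection_upgrade used but its map is not in this text (it belongs in http{})"))
            if hdrs.get("Host") != "$host":
                out.append(("host_header", loc + ": forward Host so the backend sees the public name"))
            if "X-Forwarded-For" not in hdrs:
                out.append(("xff", loc + ": add X-Forwarded-For so HA logs the real client address"))
    return out

# Constructed samples (placeholder domain; backend address taken from the thread).
FULL_CONF = """
map $http_upgrade $connection_upgrade { default upgrade; '' close; }
server { server_name example.duckdns.org; listen 80 ipv6only=off;
         return 301 https://$host$request_uri; }
server {
    server_name example.duckdns.org;
    listen 443 ssl ipv6only=off http2;
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    location / {
        proxy_pass http://192.168.30.6:8123;
        proxy_set_header Host $host; proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }
}
"""
BARE_CONF = """
server {
    listen 443 ssl default_server;
    server_name example.duckdns.org;
    include /config/nginx/ssl.conf;   # includes are not followed
    location / { proxy_pass http://192.168.30.6:8123; }
}
"""

if __name__ == "__main__":
    for label, conf in (("full", FULL_CONF), ("bare", BARE_CONF)):
        print(label, [code for code, _ in lint_proxy(conf)])
```

Run it against your own site-confs file with `lint_proxy(open(path).read())`; the bare block (a location with only `proxy_pass`) reproduces the "spinning login" case from further down the thread, while the full block only trips the TLS-version warning.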

You might want to consider doing the basic SSL setup for now and figuring out Nginx later. The instructions on this page are pretty straightforward and get you up and running at https://xxxxx.duckdns.org:8123 pretty quickly. There is a Docker container for it.

(LINK)

The only thing you should do different is forward port 80 to port 80 on your Home Assistant device (not 80:8123 like it says). After your certificate is pulled, remove that port forward and just leave 8123:8123.

Thanks, I’ll pursue your recommendation as I’m clearly in over my head (for the time being) with the solution I’ve been trying the past few days…

I’ll follow-up once successful in case anyone else is in a similar situation.

Followed those instructions without error until the last part of actually trying to access HASS securely at my https://example.duckdns.org:8123 address.

I see the following errors in home assistant:

2018-02-18 12:11:01 ERROR (MainThread) [homeassistant.config] Invalid config for [http]: not a file for dictionary value @ data['http']['ssl_certificate']. Got '/etc/letsencrypt/live/example.duckdns.org/fullchain.pem/fullchain.pem'
not a file for dictionary value @ data['http']['ssl_key']. Got '/etc/letsencrypt/live/example.duckdns.org/privkey.pem'. (See /config/configuration.yaml, line 38). Please check the docs at https://home-assistant.io/components/http/

Based on the error message you are pointing to an incorrect directory. Is your domain example.duckdns.org?

No, I just redacted the actual DuckDNS subdomain.

I can see the full key and private key in the directory that’s referenced in the error so I know it’s there.

Just to keep things straight here’s what I’ve tried:

  1. Home Assistant is running in a Docker container
  2. I followed these instructions step by step without any errors following the steps specifically called out for Docker.
  3. Tried multiple port forwarding configs between my router/host machine, including the ones outlined in the guide, what gregg098 suggested, etc.

And this is why I prefer a reverse proxy. There are zero configuration changes needed in Home Assistant.

I have a firewall rule in place for my reverse proxy (because my proxy is hosted externally) to be the only allowed communication on port 8123 to my home assistant/docker host. Otherwise, if I were hosting the reverse proxy internally, I would just port forward ports 80/443 on my router/firewall to my reverse proxy.

The reverse proxy handles ALL of the SSL stuff. Home assistant doesn’t know and doesn’t care that access externally requires SSL.

Still trying to figure it out. I would rather go the reverse proxy route with SSL. Looks like I’ve hit some limit with Let’s Encrypt though now lol. Guess I’m stuck VPN’ing it :frowning:

There were too many requests of a given type :: Error creating new authz :: too many failed authorizations recently: see Rate Limits - Let's Encrypt

I don’t think it’s a limitation of let’s encrypt. Your configuration looks wrong.

Remember that each container is its own entity. They know nothing of each other. You are trying to map a port on your docker host to one inside the Let’s Encrypt container, but the Let’s Encrypt container isn’t listening on that port. Your Home Assistant port means nothing to Let’s Encrypt. It can’t authorize because your docker internal port isn’t listening to anything.

Docker map 80 to 80 and 443 to 443. Get your certs.

Then reverse proxy the port 443 to your home assistant IP and port.

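The port-mapping reasoning in the reply above (each container is its own network namespace, `-p HOST:CONTAINER` only does something if a process in that container listens on CONTAINER, and the proxy's upstream must be reachable from inside the proxy container) can be written down and checked. The following is an added example, not code from the thread or from Docker: a small model of the stack with the failed attempt (`-p 443:8123` on the letsencrypt container), the working one (`80:80`, `443:443`, upstream at the host IP), a `proxy_pass` to 127.0.0.1 (which from inside the nginx container is nginx itself), and a router forward that bypasses the proxy. Container names and listening ports are constructed; 192.168.30.6 is the docker-host address used in the thread.

```python
from dataclasses import dataclass, field

@dataclass
class Container:
    name: str
    listens: frozenset                             # ports a process inside really binds
    publish: dict = field(default_factory=dict)    # docker -p HOST:CONTAINER pairs
    networks: frozenset = frozenset({"bridge"})

def resolve_target(target, proxy, containers, host_ip):
    """Where proxy_pass host:port lands when resolved *inside* the proxy container."""
    host, port = target.rsplit(":", 1)
    port = int(port)
    if host in ("127.0.0.1", "localhost"):
        return "self", proxy, port           # loopback inside a container is that container
    if host == host_ip:                       # the docker host: only published ports exist there
        for c in containers:
            for hp, cp in c.publish.items():
                if hp == port:
                    return "host", c, cp
        return "host", None, port
    for c in containers:                      # container DNS name on a shared user-defined network
        if c.name == host and (c.networks & proxy.networks) - {"bridge"}:
            return "network", c, port
    return "unknown", None, port

def check_stack(containers, proxy_name, proxy_target, host_ip, router_forwards):
    """Findings for the mistakes seen in the thread: a -p mapping onto a container
    port nobody listens on, router forwards that bypass the proxy, and an upstream
    that is not reachable from the proxy container's own network namespace."""
    out = []
    proxy = next(c for c in containers if c.name == proxy_name)
    for c in containers:
        for hp, cp in c.publish.items():
            if cp not in c.listens:
                out.append(("dead_publish", f"{c.name}: -p {hp}:{cp}, but nothing in {c.name} listens on {cp}"))
    for port in sorted(router_forwards):
        if port not in proxy.publish:
            out.append(("bypass", f"router forwards {port} to the host, but the proxy does not publish it"))
    where, c, port = resolve_target(proxy_target, proxy, containers, host_ip)
    if where == "self":
        out.append(("loopback", f"proxy_pass {proxy_target} hits the proxy container itself, not the host"))
    elif c is None or port not in c.listens:
        out.append(("unreachable", f"nothing answers {proxy_target} from inside {proxy_name}"))
    return out

# Constructed scenarios; the docker host address is the one used in the thread.
HOST = "192.168.30.6"

def scenario(proxy_publish, ha_publish, target, forwards=frozenset({80, 443})):
    containers = [
        Container("letsencrypt", frozenset({80, 443}), proxy_publish),
        Container("homeassistant", frozenset({8123}), ha_publish),
    ]
    return [code for code, _ in check_stack(containers, "letsencrypt", target, HOST, forwards)]

if __name__ == "__main__":
    print(scenario({80: 80, 443: 8123}, {8123: 8123}, f"{HOST}:8123"))  # the failed attempt
    print(scenario({80: 80, 443: 443}, {8123: 8123}, f"{HOST}:8123"))   # the working layout
```

The "bypass" case is the one the reply means by "8123 should never be connected directly": the router should only forward the ports the proxy publishes, and Home Assistant's port stays reachable from the proxy alone.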

Ok so here is what I just tried.

In pfSense: port forward ports 80 & 443 to the Docker instance (192.168.30.6)
in Docker run:

docker create \
  --cap-add=NET_ADMIN \
  --name=letsencrypt \
  -v /letsencrypt/config:/config \
  -e PGID=1000 -e PUID=1000 \
  -e [email protected] \
  -e URL=XXXX.duckdns.org \
  -e VALIDATION=http \
  -p 80:80 -p 443:443 \
  -e TZ=America/Chicago \
  linuxserver/letsencrypt

It compiled and is running. (looks like I tried this before but forgot to move the corresponding rules in pfSense above my default block rules).

So now I can hit https://xxxx.duckdns.org but I get a default “this page is being setup”.

I am trying to figure this part out now. Is this done in the router?


Ok I got a little further. I added this to my default.conf:

server {
    listen 443 ssl default_server;

    root /config/www;
    index index.html index.htm index.php;

#   server_name _;
    server_name wwpi.duckdns.org;

    # all ssl related config moved to ssl.conf
    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    location / {
        proxy_pass http://192.168.30.6:18122;
    }
}

Now I get the HA logo page to sign in, but after entering my password it just spins and eventually says “Unable to connect”.


@flamingm0e OMG, finally!!! I can get through via DuckDNS with SSL!!! Thank you thank you thank you!

Now… how do I update Home Assistant inside the docker? Lol

@subjectbit Here’s how I got it - updated ‘default’ file to:

server {
    # listen / root / index lines unchanged from the block above
    server_name wwpi.duckdns.org;

    # all ssl related config moved to ssl.conf
    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    location / {
        proxy_pass http://192.168.30.6:18122;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # websocket pass-through; $connection_upgrade comes from the map in nginx.conf
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }
}

Crap… I’m really happy this works but now I cannot VPN into my network (via pfSense)… related to the 443 port being forwarded directly to the Docker machine I am guessing.

Has anyone had this issue?

Edit: I figured it out. When creating the port forwards for NGINX I made them TCP/UDP. They should have been TCP only, and then UDP still works for my VPN connection.

Thanks for the update and congrats on getting it working! I’ve followed along and am still unable to connect. No errors in the NGINX, Let’s Encrypt, or Home Assistant logs, but when trying to connect via DuckDNS I’m receiving a

ERR_CONNECTION_REFUSED

Would you mind posting the default file if there’s anything else relevant that I might be missing? I think this is the same default file found in ~/letsencrypt/nginx/site-confs… right?

Finally, I’m using Google WiFi for port forwarding. So far, I’ve just forwarded 80:80 and 443:443 to my host machine. Is there anything additional you did in pfSense?

‘default’ from site-confs:

# main server block
server {
    listen 443 ssl default_server;

    root /config/www;
    index index.html index.htm index.php;

#   server_name _;
    server_name xxxx.duckdns.org;

    # all ssl related config moved to ssl.conf
    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    location / {
        proxy_pass http://192.168.30.6:xxxx;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }
}

nginx.conf:

## Version 2018/01/29 - Changelog: https://github.com/linuxserver/docker-letsencrypt/commits/master/root/defaults/nginx.conf

user abc;
worker_processes 4;
pid /run/nginx.pid;
include /etc/nginx/modules/*.conf;

events {
	worker_connections 768;
	# multi_accept on;
}

http {

	##
	# Basic Settings
	##
	map $http_upgrade $connection_upgrade {
		default upgrade;
		'' close;
	}
	sendfile on;
	tcp_nopush on;
	tcp_nodelay on;
	keepalive_timeout 65;
	types_hash_max_size 2048;

	client_max_body_size 0;

	include /etc/nginx/mime.types;
	default_type application/octet-stream;

	access_log /config/log/nginx/access.log;
	error_log /config/log/nginx/error.log;

	gzip on;
	gzip_disable "msie6";

	##
	# Virtual Host Configs
	##
	include /etc/nginx/conf.d/*.conf;
	include /config/nginx/site-confs/*;
  
}
daemon off;

Snip from pfSense: (Home_Assistant alias is the IP of my Docker machine)