My Docker Stack

That’s weird. It used to only be Let’s Encrypt certificate generation. There didn’t use to be a webserver included.

Trying this now.

And failed… I probably didn’t need the FTP & cloud, or maybe that line at all. Guess I have something wrong with the ports too, since my DuckDNS failed.

XXXX.duckdns.org (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain

Do you have port 80 forwarded to your Docker host?

I believe so, running HomeAssistant on 18122…

docker create \
  --cap-add=NET_ADMIN \
  --name=letsencrypt \
  -v /letsencrypt/config:/config \
  -e PGID=1000 -e PUID=1000 \
  -e [email protected] \
  -e URL=XXXX.duckdns.org \
  -e VALIDATION=http \
  -p 80:18122 -p 443:443 \
  -e TZ=America/Chicago \
  linuxserver/letsencrypt

but you have to forward port 80 on your router to your docker host…

My letsencrypt setup is the same as Corey_Johnson’s, with the exception of -p 80:80 -p 443:443. I’ve tried mapping 80:8123, where my Home Assistant is, but it doesn’t work.

I use Google Wifi and have port forwarding setup for the docker host as:

80:80 
443:443 

When I access my example.duckdns.org page I no longer get any SSL errors, but instead see the default nginx landing page, which shows in Chrome as secure.

Welcome to our server
The website is currently being setup under this address.

For help and support, please contact: [email protected]

It seems like the last piece I still haven’t gotten is pointing correctly to the Home Assistant container.

Configure your reverse proxy. You can’t just forward port 443 to 8123 and have it work with SSL. You need to configure nginx to reverse proxy traffic on 443 to 8123. 8123 should never be connected to directly.

OK, I updated but I’m still not seeing it.

Is what you’re describing the settings found in Portainer under port configuration, or something else? I tried configuring the letsencrypt/nginx container with 443:8123 but it’s still not working.

Looking at the letsencrypt container in Portainer:

Port configuration
80/tcp    0.0.0.0:80
8123/tcp  0.0.0.0:443

No. You need to configure the actual reverse proxy. Port mapping in Docker has nothing to do with a reverse proxy configuration.

Here is my NGINX Reverse Proxy config (redacted personal info of course):

map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    # Update this line to be your domain
    server_name <MYDOMAINNAME>;

    # These shouldn't need to be changed
    listen 80 ipv6only=off;
    return 301 https://$host$request_uri;
}

server {
    # Update this line to be your domain
    server_name <MYDOMAINNAME>;

    # Ensure these lines point to your SSL certificate and key
    ssl_certificate /etc/letsencrypt/live/<MYDOMAINNAME>/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/<MYDOMAINNAME>/privkey.pem;
    # Use these lines instead if you created a self-signed certificate
    # ssl_certificate /etc/nginx/ssl/cert.pem;
    # ssl_certificate_key /etc/nginx/ssl/key.pem;

    # Ensure this line points to your dhparams file
    ssl_dhparam /etc/nginx/ssl/dhparams.pem;


    # These shouldn't need to be changed
    listen 443 ipv6only=off http2; # the "http2" flag requires nginx >= 1.9.5
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
    ssl on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    access_log /var/log/nginx/hass.access.log;
    error_log /var/log/nginx/hass.error.log;

    proxy_buffering off;

    location / {
        proxy_pass http://<IPorHOSTNAMEtoHASS>:8123;
        proxy_set_header Host $host;
        proxy_redirect http:// https://;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }
}

This reverse proxy is actually hosted on a Digital Ocean droplet and proxied back to my home network, so I never have to mess with loopback NAT, but the concept should be the same. What this accomplishes is that I have Let’s Encrypt on the VPS (Digital Ocean droplet), and so my Home Assistant has a certificate, but I don’t have to mess with ANY SSL configuration on Home Assistant itself. This means that while I am working locally on my home network, it is a local IP address and does not require SSL. When outside the network, it is SSL enabled.

2 Likes
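The nginx config above makes three promises that are worth verifying from outside the network once it is deployed: port 80 answers with a 301 to the same host over https, the 443 response carries the Strict-Transport-Security header, and the Home Assistant port (8123) is not reachable directly from the internet. The script below is an added example for checking those three things; it is not part of the original post or of any Home Assistant or linuxserver project code. The hostname hass.example.org in the docstrings is a placeholder, the backend port defaults to 8123 as in the thread, and the HSTS minimum of 31536000 seconds mirrors the max-age the posted config sets.

```python
"""External sanity check for a TLS-terminating reverse proxy in front of
Home Assistant. Run it from a host OUTSIDE the home network, e.g.:

    python3 proxy_check.py hass.example.org

hass.example.org is a placeholder; the checks are an added example, not
code from the thread.
"""
import http.client
import socket
import ssl
import sys
from typing import Optional
from urllib.parse import urlsplit


def evaluate_redirect(status: int, location: Optional[str], host: str, path: str = "/") -> bool:
    """True if a plain-HTTP answer is a permanent redirect to https://host<path>,
    which is what `return 301 https://$host$request_uri;` should produce."""
    if status not in (301, 308) or not location:
        return False
    target = urlsplit(location)
    return target.scheme == "https" and target.hostname == host and (target.path or "/") == path


def parse_hsts(value: Optional[str]) -> Optional[dict]:
    """Parse a Strict-Transport-Security header. Directive names are
    case-insensitive per RFC 6797; max-age is mandatory."""
    if not value:
        return None
    result = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.lower()
        if name == "max-age" and arg.strip().isdigit():
            result["max_age"] = int(arg.strip())
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
    return result if result["max_age"] is not None else None


def hsts_ok(value: Optional[str], min_age: int = 31536000) -> bool:
    """A header with max-age below one year (the value in the posted config)
    is treated as too weak."""
    parsed = parse_hsts(value)
    return parsed is not None and parsed["max_age"] >= min_age


def port_closed(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP connect to host:port fails (refused or filtered). Used to
    confirm 8123 is only reachable through the proxy, never directly."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return False
    except OSError:  # ConnectionRefusedError and socket.timeout are both OSError
        return True


def verify(host: str, backend_port: int = 8123) -> dict:
    """Run all three checks against a live host and return a result dict."""
    results = {}
    plain = http.client.HTTPConnection(host, 80, timeout=5)
    plain.request("GET", "/", headers={"Host": host})
    resp = plain.getresponse()
    results["redirect_ok"] = evaluate_redirect(resp.status, resp.getheader("Location"), host)
    plain.close()

    ctx = ssl.create_default_context()  # verifies the Let's Encrypt chain
    secure = http.client.HTTPSConnection(host, 443, context=ctx, timeout=5)
    secure.request("GET", "/", headers={"Host": host})
    resp = secure.getresponse()
    results["tls_version"] = secure.sock.version()
    results["hsts_ok"] = hsts_ok(resp.getheader("Strict-Transport-Security"))
    secure.close()

    results["backend_closed"] = port_closed(host, backend_port)
    return results


if __name__ == "__main__":
    for key, val in verify(sys.argv[1]).items():
        print(f"{key}: {val}")
```

If backend_closed comes back False, the router is still forwarding 8123 (or the old 80:8123 rule from the guide is still in place) and the proxy is not the only way in.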

You might want to consider doing the basic SSL setup for now and figuring out nginx later. The instructions on this page are pretty straightforward and get you up and running at https://xxxxx.duckdns.org:8123 pretty quickly. There is a Docker container for it.

(LINK)

The only thing you should do different is forward port 80 to port 80 on your Home Assistant device (not 80:8123 like it says). After your certificate is pulled, remove that port forward and just leave 8123:8123.

Thanks, I’ll pursue your recommendation as I’m clearly in over my head (for the time being) with the solution I’ve been trying the past few days…

I’ll follow-up once successful in case anyone else is in a similar situation.

Followed those instructions without error until the last part of actually trying to access HASS securely at my https://example.duckdns.org:8123 address.

I see the following errors in home assistant:

2018-02-18 12:11:01 ERROR (MainThread) [homeassistant.config] Invalid config for [http]: not a file for dictionary value @ data['http']['ssl_certificate']. Got '/etc/letsencrypt/live/example.duckdns.org/fullchain.pem/fullchain.pem'
not a file for dictionary value @ data['http']['ssl_key']. Got '/etc/letsencrypt/live/example.duckdns.org/privkey.pem'. (See /config/configuration.yaml, line 38). Please check the docs at https://home-assistant.io/components/http/

Based on the error message you are pointing to an incorrect directory. Is your domain example.duckdns.org?

No, I just redacted the actual DuckDNS subdomain.

I can see the full key and private key in the directory that’s referenced in the error so I know it’s there.

Just to keep things straight here’s what I’ve tried:

  1. Home Assistant is running in a Docker container.
  2. I followed these instructions step by step without any errors, following the steps specifically called out for Docker.
  3. Tried multiple port forwarding configs between my router and host machine, including the ones outlined in the guide, what gregg098 suggested, etc.

And this is why I prefer a reverse proxy. There are zero configuration changes needed in Home Assistant.

I have a firewall rule in place for my reverse proxy (because my proxy is hosted externally) to be the only allowed communication on port 8123 to my home assistant/docker host. Otherwise, if I were hosting the reverse proxy internally, I would just port forward ports 80/443 on my router/firewall to my reverse proxy.

The reverse proxy handles ALL of the SSL stuff. Home assistant doesn’t know and doesn’t care that access externally requires SSL.

Still trying to figure it out. I would rather go the reverse proxy route with SSL. Looks like I’ve hit some limit with Let’s Encrypt though now lol. Guess I’m stuck VPN’ing it :frowning:

There were too many requests of a given type :: Error creating new authz :: too many failed authorizations recently: see Rate Limits - Let's Encrypt

I don’t think it’s a limitation of Let’s Encrypt. Your configuration looks wrong.

Remember that each container is its own entity. They know nothing of each other. You are trying to map a port on your Docker host to one inside the Let’s Encrypt container, but the Let’s Encrypt container isn’t listening on that port. Your Home Assistant port means nothing to Let’s Encrypt. It can’t authorize because your Docker internal port isn’t listening to anything.

Docker map 80 to 80 and 443 to 443. Get your certs.

Then reverse proxy the port 443 to your home assistant IP and port.

1 Like
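The reply above describes a chain of three hops that an inbound http-01 validation request has to survive: the router forward (public port to Docker host port), the Docker -p HOST:CONTAINER publish (host port to container port), and finally a process inside the container actually listening on that container port. The script below is an added example, not code from the thread or from the linuxserver image, that traces a request through those hops and reports where it dies. The set of ports assumed to be listening inside the linuxserver/letsencrypt container (80 and 443) and the sample router rules are constructed for the example; the -p strings are the ones posted in the thread.

```python
"""Trace an inbound HTTP-01 validation request through router forward,
Docker port publish and container listener, and report the first hop that
breaks. All rules and port sets below are constructed sample data for the
example; nothing is read from a live router or Docker daemon.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Assumption for the example: the nginx inside linuxserver/letsencrypt
# listens on 80 and 443 in the container's own network namespace.
LISTENS_IN_CONTAINER: Set[int] = {80, 443}


@dataclass
class Hop:
    stage: str            # "router", "docker" or "container"
    port_in: int          # port the request arrives on at this hop
    port_out: Optional[int]  # port it is handed to, None if the hop drops it
    ok: bool
    note: str = ""


def parse_docker_publish(args: str) -> Dict[int, int]:
    """Turn the '-p HOST:CONTAINER' flags of a docker create/run command line
    into {host_port: container_port}. Direction matters: the LEFT side is the
    Docker host, the RIGHT side is inside the container."""
    mappings: Dict[int, int] = {}
    tokens = args.split()
    for i, tok in enumerate(tokens):
        if tok == "-p" and i + 1 < len(tokens):
            host_port, _, container_port = tokens[i + 1].partition(":")
            mappings[int(host_port)] = int(container_port)
    return mappings


def trace_http01(router_forwards: Dict[int, int],
                 docker_publish: Dict[int, int],
                 listeners: Set[int] = LISTENS_IN_CONTAINER,
                 public_port: int = 80) -> List[Hop]:
    """Follow a request arriving on public_port (80 for http-01) hop by hop.
    router_forwards: {public_port: docker_host_port} as configured on the router.
    docker_publish:  {docker_host_port: container_port} from the -p flags."""
    hops: List[Hop] = []

    host_port = router_forwards.get(public_port)
    if host_port is None:
        hops.append(Hop("router", public_port, None, False,
                        "router has no forward rule for this public port"))
        return hops
    hops.append(Hop("router", public_port, host_port, True, "forwarded to Docker host"))

    container_port = docker_publish.get(host_port)
    if container_port is None:
        hops.append(Hop("docker", host_port, None, False,
                        "no -p flag publishes this host port for the letsencrypt container"))
        return hops
    hops.append(Hop("docker", host_port, container_port, True, "published into container"))

    if container_port not in listeners:
        hops.append(Hop("container", container_port, None, False,
                        "nothing inside the container listens on this port"))
    else:
        hops.append(Hop("container", container_port, container_port, True,
                        "listener found, ACME challenge can be served"))
    return hops


def path_ok(hops: List[Hop]) -> bool:
    return all(h.ok for h in hops)


if __name__ == "__main__":
    # Router forwards 80 -> 80 on the Docker host in both cases (constructed).
    router = {80: 80, 443: 443}
    for label, flags in [("broken (from the thread)", "-p 80:18122 -p 443:443"),
                         ("working (from the thread)", "-p 80:80 -p 443:443")]:
        print(label)
        for hop in trace_http01(router, parse_docker_publish(flags)):
            print(f"  {hop.stage:9} {hop.port_in} -> {hop.port_out}  {'ok ' if hop.ok else 'FAIL'} {hop.note}")
```

The same tracer explains the "forward 80 to 8123 on the router" variant: the router hop passes, but the letsencrypt container publishes nothing on host port 8123, so the Docker hop fails and Let's Encrypt reports that it could not connect.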

Ok so here is what I just tried.

In pfSense: port forward ports 80 & 443 to the Docker instance (192.168.30.6).
In Docker, run:

docker create \
  --cap-add=NET_ADMIN \
  --name=letsencrypt \
  -v /letsencrypt/config:/config \
  -e PGID=1000 -e PUID=1000 \
  -e [email protected] \
  -e URL=XXXX.duckdns.org \
  -e VALIDATION=http \
  -p 80:80 -p 443:443 \
  -e TZ=America/Chicago \
  linuxserver/letsencrypt

It compiled and is running. (Looks like I tried this before but forgot to move the corresponding rules in pfSense above my default block rules.)

So now I can hit https://xxxx.duckdns.org but I get a default “this page is being setup”.

I am trying to figure this part out now. Is this done in the router?

2 Likes