Need Help Setting HA to be HTTPS for Voice Assistant

So I'm trying to set up Home Assistant to be HTTPS. I have googled… watched videos and read texts, but things aren't working right…

So maybe someone can help.

My router is pfSense.
I port forward 192.168.0.12 ports 80 and 443.
I forced HA to use the WAN, as it normally uses NordVPN to stay behind a VPN and not be exposed to the WAN.
I use my own DNS, but I set up DuckDNS and got a token.

I installed the Let's Encrypt, NGINX, DuckDNS and MariaDB add-ons.
I set up NGINX and installed the token and couldn't get it to work.
When I did the SSL token under its own tab I get this internal error:

Error: Command failed: certbot certonly --config "/etc/letsencrypt.ini" --work-dir "/tmp/letsencrypt-lib" --logs-dir "/tmp/letsencrypt-log" --cert-name "npm-36" --agree-tos --email "[email protected]" --domains "hass.daddys.duckdns.org" --authenticator dns-duckdns --dns-duckdns-credentials "/etc/letsencrypt/credentials/credentials-36"
Saving debug log to /tmp/letsencrypt-log/letsencrypt.log
Encountered exception during recovery: certbot.errors.PluginError: The clearing of the TXT record for domain "hass.daddys.duckdns.org" was not successful.
Request status code: 200
Request response text: KO
All nameservers failed to answer the query hass.daddys.duckdns.org. IN TXT: Server Do53:127.0.0.11@53 answered SERVFAIL
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /tmp/letsencrypt-log/letsencrypt.log or re-run Certbot with -v for more details.

    at ChildProcess.exithandler (node:child_process:422:12)
    at ChildProcess.emit (node:events:517:28)
    at maybeClose (node:internal/child_process:1098:16)
    at ChildProcess._handle.onexit (node:internal/child_process:303:5)

And I set up the DNS as

hass.mydnss.duckdns.org

So I'm not sure what I'm doing wrong to get this set up first.

You don't have to forward port 80, only 443.

Did you set up your token on the DuckDNS/Let's Encrypt add-on?

From the one article they said I needed 80, so I get confused reading different articles. I wish HA just offered a toggle switch, HTTP or HTTPS, and then it fully did it itself and cut out the headaches.

https://theprivatesmarthome.com/how-to/set-up-nginx-proxy-manager-in-home-assistant/

was the thing.

As for the Let's Encrypt add-on, it doesn't ask for the token, just the DNS address of the Home Assistant, so I did hass.myaddress.duckdns.org.

The DuckDNS add-on asked for the token though… and then I had to change the port and change a port in pfSense, as it spat out that port 80 was already being used.

Maybe it's better to try first if DuckDNS/Let's Encrypt is working. Try disabling the NGINX add-on and then forward only port 8123.

Remember to add your token in the config of the add-on, and further down:

accept_terms: true
algo: secp384r1
certfile: fullchain.pem
keyfile: privkey.pem

You will also have to add this to your configuration.yaml:

http:
  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem

And of course remember to restart HA :wink:

That way you will have HTTPS locally as well.

NGINX is only for having HTTP locally.

Edit: I am not sure if you have a subdomain or alias. I don't have one. Then you probably have to fill that in too at the DuckDNS add-on.

Oh, I had this

http:
  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem

and it shoved HA into safe mode when I rebooted; I didn't realize for an hour that was the issue.

But I'll try again.

With NGINX you have to remove that and add another option. That's why I think it's better if you try first with only the DuckDNS add-on and port 8123 and check if it's working.

So I added

http:
  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem

I disabled NGINX.
I enabled Let's Encrypt and DuckDNS to boot on startup.
And in pfSense I set up a port forward on 8123.

And I rebooted HA and it booted up into safe mode.

And if NGINX is to do HTTP, isn't Home Assistant already HTTP, so why do you need it then?

It should work. Check the logs and look for a clue as to why it is starting in safe mode.

Logger: homeassistant.components.hassio.handler
Source: components/hassio/handler.py:518
integration: Home Assistant Supervisor (documentation, issues)
First occurred: 9:34:20 AM (1 occurrences)
Last logged: 9:34:20 AM

Found incompatible HTTP option 'server_host'. Watchdog feature disabled
2024-05-26 09:28:19.775 ERROR (MainThread) [homeassistant.config] Invalid config for 'http' at configuration.yaml, line 88: not a file for dictionary value 'http->ssl_certificate', got '/ssl/fullchain.pem', please check the docs at https://www.home-assistant.io/integrations/http
Invalid config for 'http' at configuration.yaml, line 89: not a file for dictionary value 'http->ssl_key', got '/ssl/privkey.pem', please check the docs at https://www.home-assistant.io/integrations/http

The way it worked for me is with this option:

homeassistant:
  external_url: https://yourdomain.duckdns.org:8123/

https://www.home-assistant.io/integrations/homeassistant/

If you put your IP address manually here: https://www.duckdns.org/ , can you ping it?

Waiting for HA to boot up again; the console is booted but the GUI takes forever now.
I set the base URL so I can't change anything…

Now, do I do that pinging from the terminal inside HA?

base_url was deprecated, sorry, that's why I deleted my post.

Ah ok, go figure, so I have to wait till the GUI lets me back in.

As for pinging, no I can't, at least not on the VPN side on my desktop. I'll have to wait for the terminal on the Home Assistant.

C:\Users\mike>ping www.duckdns.org

Pinging appservers-duckdns-prod-1630339571.ca-central-1.elb.amazonaws.com [3.97.220.86] with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

No, it won't let me ping out of the terminal either.

➜  ~ ping www.duckdns.org 
PING www.duckdns.org (3.97.220.86): 56 data bytes
^C
--- www.duckdns.org ping statistics ---
48 packets transmitted, 0 packets received, 100% packet loss
➜  ~ 

Guess I'll try to work on configuring why I'm not getting internet. I'll do rebooting etc… and get back when I get that part working.

@mcarty so I got it to ping finally… and mydomain.duckdns.org from the terminal. Had to play around and force Home Assistant to go out of my VPN and in through the WAN, and then I could get it to ping… I did try Let's Encrypt and DuckDNS but no certificate yet… and my external_url: https://daddys.duckdns.org:8123/
is set too.
What should I try now… since I got it to ping?

I tried NGINX; I think that worked… it created an SSL cert.
Going to try that http: and the 2 ssl lines, see if it goes back into safe mode.

HTTPS still doesn't work, still get this error:

2024-05-26 14:20:51.425 ERROR (MainThread) [homeassistant.config] Invalid config for 'http' at configuration.yaml, line 91: not a file for dictionary value 'http->ssl_certificate', got '/ssl/fullchain.pem', please check the docs at https://www.home-assistant.io/integrations/http
Invalid config for 'http' at configuration.yaml, line 92: not a file for dictionary value 'http->ssl_key', got '/ssl/privkey.pem', please check the docs at https://www.home-assistant.io/integrations/http

What I did was: NGINX under the SSL tab offered a download package; it had the files, and I extracted and copied them to the SSL folder when I \\homeassistant to get to the Samba shares… as Let's Encrypt didn't do anything… to create the files…

So I copied it but it gave errors.

The http I set up is

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 192.168.0.1
  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem

and I'm still in safe mode.

So I can't get this HTTPS to work,
always in safe mode,
and the Let's Encrypt error log is:

s6-rc: info: service s6rc-oneshot-runner: starting
s6-rc: info: service s6rc-oneshot-runner successfully started
s6-rc: info: service fix-attrs: starting
s6-rc: info: service fix-attrs successfully started
s6-rc: info: service legacy-cont-init: starting
cont-init: info: running /etc/cont-init.d/file-structure.sh
cont-init: info: /etc/cont-init.d/file-structure.sh exited 0
s6-rc: info: service legacy-cont-init successfully started
s6-rc: info: service legacy-services: starting
services-up: info: copying legacy longrun lets-encrypt (no readiness notification)
s6-rc: info: service legacy-services successfully started
[16:05:11] INFO: Selected http verification
[16:05:12] INFO: Detecting existing certificate type for *****.duckdns.org
Saving debug log to /var/log/letsencrypt/letsencrypt.log
[16:05:12] INFO: No certificate found - using 'ecdsa' key type.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for *****.duckdns.org

Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
  Domain: *******.duckdns.org
  Type:   unauthorized
  Detail: **********: Invalid response from http://******.duckdns.org/.well-known/acme-challenge/SyZD8ta8I78YB7lb7giKMUWjS7gFWDxOcYYPc9FgBnc: 500

Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
s6-rc: info: service legacy-services: stopping
s6-rc: info: service legacy-services successfully stopped
s6-rc: info: service legacy-cont-init: stopping
s6-rc: info: service legacy-cont-init successfully stopped
s6-rc: info: service fix-attrs: stopping
s6-rc: info: service fix-attrs successfully stopped
s6-rc: info: service s6rc-oneshot-runner: stopping
s6-rc: info: service s6rc-oneshot-runner successfully stopped

Using NGINX you have to remove the last two lines.

This is how mine is:

http:
  # ssl_certificate: /ssl/fullchain.pem
  # ssl_key: /ssl/privkey.pem
  use_x_forwarded_for: true
  trusted_proxies:
    - 172.30.33.0/24

Oh, and don't put your IP there. Just what I posted.
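An added pre-flight check, not from this thread or from Home Assistant itself, that encodes the rules worked out above: for direct HTTPS both /ssl files must really exist (otherwise HA rejects the block and boots into safe mode), behind the NGINX add-on the ssl lines must go and trusted_proxies must be the add-on network rather than the router IP, and server_host breaks the Supervisor watchdog. `check_http_config`, `behind_nginx` and the injectable `exists` are my own names; the check runs on the parsed `http:` mapping so it works without a live HA.

```python
import ipaddress
import os
from typing import Callable

# The NGINX Proxy Manager add-on talks to HA from the Supervisor add-on network,
# never from the router's LAN address (value from the working config above).
ADDON_PROXY_NET = ipaddress.ip_network("172.30.33.0/24")


def check_http_config(http: dict, behind_nginx: bool,
                      exists: Callable[[str], bool] = os.path.isfile) -> list[str]:
    """Return the problems found in an HA `http:` block. `behind_nginx` is True
    when the add-on terminates TLS; `exists` is injectable so this runs offline."""
    problems = []
    cert, key = http.get("ssl_certificate"), http.get("ssl_key")
    if behind_nginx:
        # TLS ends at the proxy; HA stays plain HTTP on 8123 ("remove the last two lines").
        if cert or key:
            problems.append("remove ssl_certificate/ssl_key: NGINX already terminates TLS")
    else:
        # Direct HTTPS: a missing file makes HA reject the block and boot into safe mode
        # ("not a file for dictionary value 'http->ssl_certificate'").
        for name, path in (("ssl_certificate", cert), ("ssl_key", key)):
            if not path:
                problems.append(f"{name} missing: HA would stay on plain HTTP")
            elif not exists(path):
                problems.append(f"{name}: not a file {path!r}, the add-on never wrote it")
    if "server_host" in http:  # the Supervisor log line quoted above
        problems.append("server_host is incompatible with the Supervisor watchdog")
    proxies = http.get("trusted_proxies") or []
    if http.get("use_x_forwarded_for") and not proxies:
        # X-Forwarded-For may only be honoured from a known proxy; otherwise any
        # client can forge the address HA uses for IP bans and login throttling.
        problems.append("use_x_forwarded_for without trusted_proxies lets clients spoof their IP")
    for entry in proxies:
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            problems.append(f"trusted_proxies: {entry!r} is not an IP address or CIDR")
            continue
        if behind_nginx and (net.version != ADDON_PROXY_NET.version
                             or not net.subnet_of(ADDON_PROXY_NET)):
            problems.append(f"trusted_proxies: {entry!r} is not {ADDON_PROXY_NET}; "
                            "the add-on proxy never arrives from that address")
    return problems
```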