Nginx addon some issue with certificate

Has been working and stable for some time. I use the LetsEncrypt addon to update the certs, and these are saved to /ssl (I’m using Home Assistant OS on a Raspberry Pi).

Certs updated earlier this week. But last night my public host stopped working, with a cert error.

If I query the cert from the external host, I get a weird certificate signed by Technicolor!?

C = BE, ST = Antwerp, L = Edegem, O = Technicolor

I figure that’s probably something weird between my router and homeassistant.
If I query port 443 on homeassistant I get no certificate

no peer certificate available
No client certificate CA names sent

Not really sure why nginx isn’t serving my certs. Permission issue, perhaps?

/ssl
-rw-r--r-- root root fullchain.pem
-rw------- root root privkey.pem

Trivial question: are you sure you restarted nginx after the certs changed?

Or maybe the port forward in your router changed?

I rebooted the Raspberry Pi, yeah. I’ve also tried uninstalling and reinstalling the addon.

Yeah, I think that’s the ‘Technicolor’ cert, which is just weird.
So to avoid that as an issue, I queried the cert from the RaspPi directly

openssl s_client -connect homeassistant.local:443

That’s where I get ‘no peer certificate is available’

Are you using DDNS? Is your public Domain pointing at the right public IP?

It is, first thing I checked. But as I say, if I connect directly to the RPi I don’t get a cert. I would expect to get my Let’s Encrypt cert served; it returns nothing.

nmap scan

443/tcp open  ssl/https   nginx
|_http-title: 400 The plain HTTP request was sent to HTTPS port
|_http-server-header: nginx

openssl cert query

openssl s_client -connect 192.168.86.69:443
CONNECTED(00000003)
80207AFA01000000:error:0A000458:SSL routines:ssl3_read_bytes:tlsv1 unrecognized name:ssl/record/rec_layer_s3.c:1586:SSL alert number 112
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 293 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

So all of this is being done locally; it’s not a router or DDNS issue.

Whelp, I’m an idiot and this was in fact the issue. The router had updated and lost port mapping configuration.

The reason I was confused is that I was attempting to connect locally and getting a result which suggested an nginx error. I think this is more about trusted proxies, although I thought I’d worked around it with curl

curl -H "Host: <my host name>" https://<local ip>

but I must be missing something as this wasn’t working.
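The openssl output above (alert number 112, "tlsv1 unrecognized name", 7 bytes read) and the curl attempt are two sides of the same thing: nginx selects the server block, and therefore the certificate, from the SNI name inside the TLS ClientHello, and a default server configured to reject unknown names answers with a single 7-byte unrecognized_name alert. Connecting to a bare IP sends no SNI at all, and a `-H "Host: ..."` header cannot help because it is only sent after the handshake. The following is an added example, not code from the thread or from the nginx addon; it builds a minimal TLS 1.2 ClientHello with or without SNI and classifies the first record the server sends back. The hostname `ha.example.com` and the `probe()` helper are assumptions for illustration.

```python
"""Show why connecting by IP yields TLS alert 112 and how SNI fixes it.

Added example, not part of the forum thread. Builds a bare-bones TLS 1.2
ClientHello (with or without the server_name extension) and classifies
the server's first record: an unrecognized_name alert means no server
block matched the SNI name (or none was sent); a ServerHello means the
name was accepted and a certificate will follow.
"""
import os
import socket
import struct
from typing import Optional

ALERT = 0x15
HANDSHAKE = 0x16
TLS12 = b"\x03\x03"
UNRECOGNIZED_NAME = 112  # the "SSL alert number 112" seen in the openssl output


def sni_extension(hostname: str) -> bytes:
    """server_name extension (type 0) carrying one host_name entry."""
    name = hostname.encode("idna")
    entry = b"\x00" + struct.pack("!H", len(name)) + name          # name_type = host_name
    server_name_list = struct.pack("!H", len(entry)) + entry
    return struct.pack("!HH", 0, len(server_name_list)) + server_name_list


def client_hello(hostname: Optional[str]) -> bytes:
    """Minimal TLS 1.2 ClientHello record; SNI is included only if hostname is given."""
    body = TLS12 + os.urandom(32) + b"\x00"                         # version, random, empty session id
    body += struct.pack("!H", 2) + b"\xc0\x2f"                     # one suite: ECDHE-RSA-AES128-GCM-SHA256
    body += b"\x01\x00"                                            # compression: null only
    ext = struct.pack("!HH", 10, 6) + b"\x00\x04\x00\x1d\x00\x17"  # supported_groups: x25519, secp256r1
    ext += struct.pack("!HH", 13, 8) + b"\x00\x06\x08\x04\x04\x01\x04\x03"  # signature_algorithms
    if hostname:
        ext = sni_extension(hostname) + ext
    body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # client_hello, 24-bit length
    return bytes([HANDSHAKE]) + TLS12 + struct.pack("!H", len(handshake)) + handshake


def parse_server_response(data: bytes) -> str:
    """Classify the first TLS record the server sent back."""
    if len(data) < 5:
        return "no TLS record (connection closed or not TLS)"
    ctype = data[0]
    length = struct.unpack("!H", data[3:5])[0]
    payload = data[5:5 + length]
    if ctype == ALERT and len(payload) == 2:
        level, desc = payload
        kind = "fatal" if level == 2 else "warning"
        if desc == UNRECOGNIZED_NAME:
            return f"{kind} alert 112 unrecognized_name: no server block matched the SNI name (or none was sent)"
        return f"{kind} alert {desc}"
    if ctype == HANDSHAKE and payload[:1] == b"\x02":
        return "ServerHello: name accepted, certificate will follow"
    return f"unexpected record type {ctype}"


def probe(host: str, port: int = 443, sni: Optional[str] = None, timeout: float = 5.0) -> str:
    """Live check (assumed helper): send one ClientHello and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(client_hello(sni))
        return parse_server_response(sock.recv(4096))


if __name__ == "__main__":
    # Constructed 7-byte record: alert, TLS 1.2, length 2, fatal (2), unrecognized_name (112).
    # This is exactly what "SSL handshake has read 7 bytes" in the thread corresponds to.
    print(parse_server_response(b"\x15\x03\x03\x00\x02\x02\x70"))
    # Live use, e.g. probe("192.168.86.69") versus probe("192.168.86.69", sni="ha.example.com")
```

`probe(ip)` with no `sni` reproduces the `openssl s_client -connect <ip>:443` result from the thread; `probe(ip, sni="<public hostname>")` is the wire-level equivalent of `openssl s_client -servername <public hostname> -connect <ip>:443` or `curl --resolve <public hostname>:443:<ip> https://<public hostname>/`, which is the local check that actually exercises the same server block the public hostname hits.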