Has been working and stable for some time. I use the Let’s Encrypt add-on to update the certs, and these are saved to /ssl (I’m using Home Assistant OS on a Raspberry Pi).
Certs updated earlier this week. But last night my public host stopped working, with a cert error.
If I query the cert from the external host, I get a weird certificate signed by Technicolor !?
C = BE, ST = Antwerp, L = Edegem, O = Technicolor
I figure that’s probably something weird between my router and homeassistant.
If I query port 443 on homeassistant I get no certificate
no peer certificate available
No client certificate CA names sent
Not really sure why nginx isn’t serving my certs, permission issue, perhaps?
It is, first thing I checked. But as I say, if I connect directly to the RPI I don’t get a cert. I would expect to get my Let’s Encrypt cert served; it returns nothing.
nmap scan
443/tcp open ssl/https nginx
|_http-title: 400 The plain HTTP request was sent to HTTPS port
|_http-server-header: nginx
openssl cert query
openssl s_client -connect 192.168.86.69:443
CONNECTED(00000003)
80207AFA01000000:error:0A000458:SSL routines:ssl3_read_bytes:tlsv1 unrecognized name:ssl/record/rec_layer_s3.c:1586:SSL alert number 112
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 293 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
So all of this is being done locally; it’s not a router or DDNS issue.
Whelp, I’m an idiot and this was in fact the issue. The router had updated and lost port mapping configuration.
The reason I was confused is that I was attempting to connect locally and getting a result which suggested an nginx error. I think this is more about trusted proxies, although I thought I’d worked around it with curl
curl -H "Host: <my host name>" https://<local ip>
but I must be missing something as this wasn’t working.
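Added example (not part of the original posts): a Python helper that classifies `openssl s_client` output for the two symptoms in this thread, TLS alert 112 (unrecognized_name) on a connection made by IP address, and a certificate from an unexpected issuer. The function name, verdict labels and the expected issuer organisation "Let's Encrypt" are assumptions, and the second sample is constructed.

```python
import re

# Excerpt of the local s_client output quoted in the thread.
LOCAL_OUTPUT = """CONNECTED(00000003)
80207AFA01000000:error:0A000458:SSL routines:ssl3_read_bytes:tlsv1 unrecognized name:ssl/record/rec_layer_s3.c:1586:SSL alert number 112
---
no peer certificate available
"""

# Constructed sample: an external query answered by another device,
# using the issuer fields quoted in the thread.
EXTERNAL_OUTPUT = """CONNECTED(00000003)
---
Server certificate
issuer=C = BE, ST = Antwerp, L = Edegem, O = Technicolor
"""


def diagnose(output, expected_org="Let's Encrypt"):
    """Return (verdict, detail) for one `openssl s_client` transcript."""
    alert = re.search(r"SSL alert number (\d+)", output)
    if alert and int(alert.group(1)) == 112:
        # 112 = unrecognized_name (RFC 6066): the server did not accept the
        # SNI name, or none was sent (typical when connecting by IP).
        # Re-test with the name in the handshake, not just a Host header:
        #   openssl s_client -connect <local ip>:443 -servername <my host name>
        #   curl --resolve <my host name>:443:<local ip> https://<my host name>/
        return ("sni_rejected", "retry with -servername <public hostname>")
    if "no peer certificate available" in output:
        code = alert.group(1) if alert else "none"
        return ("no_certificate", "handshake failed, alert " + code)
    issuer = re.search(r"^issuer=(.*)$", output, re.M)
    if not issuer:
        return ("unknown", "no issuer line found")
    # Accept both "O = Name" and "O=Name" formatting of the issuer DN.
    org = re.search(r"\bO\s*=\s*([^,/]+)", issuer.group(1))
    org_name = org.group(1).strip() if org else ""
    if org_name != expected_org:
        # A different issuer means some other device answered on that port.
        return ("unexpected_issuer", org_name)
    return ("ok", org_name)


if __name__ == "__main__":
    print(diagnose(LOCAL_OUTPUT))
    print(diagnose(EXTERNAL_OUTPUT))
```

A `Host:` header only affects the HTTP request sent after the TLS handshake; the name used for SNI comes from the URL, which is why the commented commands use `-servername` and `--resolve`.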