Nginx Reverse Proxy Set Up Guide – Docker

I have another question:

Should this set up automatically renew the certificates from Letsencrypt periodically?

If not then how do I renew? Do I just re-create the container occasionally?

the container renews certificates automatically. If you check the logs on restart it goes through the auto-renewal sequence.

sorry, I don't understand the question.

the container gets the certificate(s) for the domains you’ve specified.

Sorry, I’ll try to be clearer

When I try to connect to HA using ‘mydomain-hass.duckdns.org’ everything goes smoothly.
However, when I try to connect to my Mosquitto MQTT broker from outside my network using mydomain-mqtt.duckdns.org I fail to do so. I’m linking my default config file to clarify more.

And in addition to the startup sequence of checking, there is a cronjob running

8       2       *       *       *       /app/le-renew.sh >> /config/log/letsencrypt/letsencrypt.log 2>&1

So it’ll renew even if you have it running forever without restarting it.

this is not correct.
you have a mydomain.duckdns.org that goes to the blank server page.
then you should have these server blocks, for instance:

hass.mydomain.duckdns.org
mqtt.mydomain.duckdns.org

I’m feeling pretty stupid now, but I better share, in case anyone else has this issue, and doesn’t think twice.

I had a similar issue after the re-install, and noticed it was due to an IP ban. I’m guessing it could have been the same issue; i didn’t even check.

oh… really?
all that hassle and it was ipban? well you found the problem.
it usually turns out like that. I think it’s sometimes our nature to overcomplicate things.

The thing is when I come to create a sub domain containing dots, duckdns (for instance) doesn’t allow it
Can you please elaborate on how you created the sub-domains ?

exactly per my example.
you registered a mydomain in duckdns.
so your duckdns is for example ohad.duckdns.org

so your hass instance would for instance be
hass.ohad.duckdns.org

mqtt would be
mqtt.ohad.duckdns.org

so in the docker compose in sub domains you'd add
subdomains: hass, mqtt, etc, etc


Ok, getting there… I’ve made the changes you suggested (I’m new to the whole sub-domain concept, my bad)
And I can get to a HASS using a domain similar in convention to what you wrote

My issue still being the MQTT broker. Should I define anything in mosquitto.conf as far as the proxy is concerned?

I don't think so, but I can't really tell. I don't access the broker from outside.
Why do you need to access it?

Mainly for Owntracks

I just got it working! Thanks so much @juan11perez for all the hard work done on this and generally for answering and being a kind human being, here’s my config for others’ reference:

In mosquitto.conf (Mosquitto MQTT broker configuration)

port 1883
protocol mqtt
...
listener 1884
protocol websockets

Additionally, you should map the container port 1884 to external port 1884

In NGINX default conf

server {
    server_name mqtt.obenita.duckdns.org;
    listen 443 ssl;

    location / {
        proxy_pass http://10.0.0.9:1884/;        # The server you want to redirect to (Mosquitto websockets listener)
        proxy_http_version 1.1;                  # the websocket Upgrade handshake needs HTTP/1.1
        proxy_set_header Upgrade $http_upgrade;  # pass the client's Upgrade header through to the broker
        proxy_set_header Connection "upgrade";
    }
}

The configuration in OwnTracks would then be:

  1. Host name - mqtt.yourdomain.duckdns.org
  2. TLS enabled
  3. Websockets enabled, port is 443 (NGINX port)
  4. Authentication - depends on what was previously configured

Thanks @rbray89 for the guidance in one of your replies to this post

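As an added example (not code from this thread), here is a small Python check that a server block like the one above carries everything an MQTT-over-websockets client on port 443 needs to upgrade through nginx. The sample block is a constructed copy of the config posted above, and the "broken" variant is constructed to show what the check reports.

```python
import re

# Constructed sample: a copy of the nginx server block posted above.
POSTED_BLOCK = """
server {
    server_name mqtt.obenita.duckdns.org;
    listen 443 ssl;
    location / {
        proxy_pass http://10.0.0.9:1884/;  # Mosquitto websockets listener on the LAN
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
"""

# Constructed variant with the two upgrade-related lines left out.
BROKEN_BLOCK = (POSTED_BLOCK.replace("        proxy_http_version 1.1;\n", "")
                            .replace("        proxy_set_header Upgrade $http_upgrade;\n", ""))

def parse_directives(block):
    """Return (name, args) per simple directive; comments and nesting are dropped."""
    out = []
    for raw in block.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.endswith("{") or line == "}":
            continue
        m = re.match(r"(\S+)\s*(.*?);$", line)
        if m:
            out.append((m.group(1), m.group(2)))
    return out

def check_websocket_proxy(block):
    """Return the problems that would stop a websocket upgrade through this block; [] is OK."""
    d = parse_directives(block)
    headers = {a.split()[0]: " ".join(a.split()[1:]) for n, a in d if n == "proxy_set_header"}
    problems = []
    if not any(n == "listen" and "ssl" in a.split() for n, a in d):
        problems.append("no 'listen ... ssl': the client would reach the proxy in plaintext")
    if not any(n == "proxy_http_version" and a == "1.1" for n, a in d):
        problems.append("proxy_http_version 1.1 missing: Upgrade is an HTTP/1.1 mechanism")
    if headers.get("Upgrade") != "$http_upgrade":
        problems.append("Upgrade header is not forwarded to the backend")
    if headers.get("Connection", "").strip('"').lower() != "upgrade":
        problems.append('Connection header is not set to "upgrade"')
    return problems

def backend_is_plaintext(block):
    """True when proxy_pass uses http://, i.e. the nginx-to-Mosquitto hop is unencrypted (LAN only)."""
    return any(n == "proxy_pass" and a.startswith("http://") for n, a in parse_directives(block))
```

TLS terminates at nginx, so the backend hop stays plaintext; that is only acceptable while the proxy and the broker share a trusted network.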

Glad you got it working.
I'm not sure if I'm completely wrong, but I didn't think you needed to expose mqtt to the outside for owntracks.

I don't use the owntracks mobile app, but I do use the hass owntracks component in conjunction with a custom component someone developed to use life360.

So effectively the life360 app on the phone uses the owntracks mqtt component to talk to hass.

I’ve been using it for about a year without exposing mqtt externally.

I'm far from an expert so my explanation may not be entirely accurate, but I definitely don't have mqtt exposed and life360 is using it.


Fxxxing unbelievable. I spent awful time trying to fix this issue. Recently I moved my HA from RPi to unRAID. I added a new config file for HA in nginx/proxy-confs folder but that didn’t work. I changed that file so many times but after following your version of default.conf (nginx/site-confs) this issue was resolved right away.

I still don’t understand why Linuxserver docker looks for sub-subdomain.subdomain.duckdns.org. Earlier when I used LetsEncrypt/Nginx on RPi, I used subdomain.duckdns.org and it worked with no issues.

I have one suggestion for you. Please move instructions to Github where it’s easy to read. It was a bit confusing to read with different formatting.

Once again, thanks for sharing this guide.


Glad it helped you. I’ll have a look at github.

Hey, anyone got the config from the original post working with auth_basic enabled? It seems to work fine until I hit up against an api interface call.

E.g. going to the Developer-Tools Events page or the Dev-Info page results in a failed api call and a 401 error message showing up in Chrome Dev Tools.

GET https://ha.[mydomain].com/api/events 401 (Unauthorized) fetch-with-auth.js:8

If I turn off nginx authentication then all works as expected. I have tried the suggestion from [Turbulence ahead - fasten your seatbelt] but it made no difference. I’m on HA 0.78.3 for what it is worth.

Anyone done this recently that can help me out? I think I'm close, I just need to get the configuration right. I've currently got my HA accessible from duckdns and the container running.

I have nginx with Let’s Encrypt running on a VM and it works nicely. But I’d like to move that over to docker or switch to Traefik. Any reasons why I should stick with nginx? It seems a lot of people prefer Traefik.

I don’t know what Traefik involves, but I assume it has something similar to server blocks? Is this the “labels” values in a docker-compose file? What do I do if I want to set up a reverse proxy for something that isn’t in a docker container? Is it just possible to add something like foo.example.com and point to ip:1234?