So I’ve had SSL working in the past by just using the DuckDNS add-on with its included Let’s Encrypt SSL config. This worked fine; however, I noticed that whenever I tried to access my Home Assistant over HTTP on the local network, the SSL certificate was causing problems (the browser thought it was a suspicious website, etc.).
From what I can tell, nginx is the way to go for managing this, as I can have certificates for multiple addresses and correctly redirect all traffic through SSL (please correct me if I’ve got this wrong). I don’t have much experience in networking and I’m running into some problems with my nginx config.
Basically, I can’t get nginx to create a legitimate SSL certificate. Below is the typical nginx log output when I try to renew/create a certificate:
[6/18/2020] [6:12:35 PM] [SSL ] › ℹ info Renewing SSL certs close to expiry...
[6/18/2020] [6:12:39 PM] [Nginx ] › ℹ info Testing Nginx configuration
[6/18/2020] [6:12:39 PM] [Nginx ] › ℹ info Reloading Nginx
[6/18/2020] [6:12:39 PM] [SSL ] › ℹ info Renew Complete
[6/18/2020] [6:12:39 PM] [SSL ] › ✖ error Certificate is not valid (Command failed: openssl x509 -in /etc/letsencrypt/live/npm-10/fullchain.pem -subject -noout
Can't open /etc/letsencrypt/live/npm-10/fullchain.pem for reading, No such file or directory
1996162392:error:02001002:system library:fopen:No such file or directory:crypto/bio/bss_file.c:69:fopen('/etc/letsencrypt/live/npm-10/fullchain.pem','r')
1996162392:error:2006D080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:76:
unable to load certificate
)
From what I could find online, the most likely reason for this kind of error is a port forwarding issue. My current setup is HassOS 4.10 running HA 0.111.3 on an RPi 3 with the following add-ons:
- Nginx Proxy Manager
- MariaDB
- Mosquitto Broker (Haven’t got this working yet, but that’s another subject)
- Node-RED
- RPC Shutdown
- Samba Share
Below are the configs I thought might be relevant:
Nginx
log_level: debug
Network Host Ports:
HTTPS (443) Entrance = 444
HTTP (80) Entrance = 82
Web Interface (81) = 81
I’ve assumed I can’t use 443 or 80, as my ISP appears to have a block on them. To deal with this I’ve set up a port forward on my router:
I have also commented out all http settings in my configuration.yaml file, as I’m assuming they aren’t needed. I also renamed the existing privkey & fullchain in my /ssl directory, as I don’t believe I need them.
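As an added example, not part of the original post and not code from the Nginx Proxy Manager add-on: a small POSIX shell check that runs the same `openssl x509` command the log shows, but separates the three failure modes a practitioner would want to tell apart: the certificate file was never written (the "No such file or directory" case in the log), the file exists but is not a certificate, and the certificate exists but does not name the host being visited (the source of the browser warning on the local network described at the top). The `/etc/letsencrypt/live/npm-10/fullchain.pem` path is taken from the log; the hostnames are placeholders; a POSIX `sh` and the `openssl` CLI are assumed.

```shell
#!/bin/sh
# Added example (not from the original post). Checks that a Let's Encrypt
# fullchain.pem exists, parses, and actually covers the hostname you browse to.
# Assumes: POSIX sh and the openssl CLI. Path and hostname are arguments, e.g.
#   sh check_cert.sh /etc/letsencrypt/live/npm-10/fullchain.pem myhome.duckdns.org
# (myhome.duckdns.org is a placeholder, not a name from the post).

# check_cert PATH HOSTNAME
# Exit status:
#   0  PATH is a certificate that names HOSTNAME
#   1  PATH does not exist / is unreadable (issuance never wrote it; the log case)
#   2  PATH exists but is not a PEM certificate (e.g. a private key was passed)
#   3  certificate parses but does not cover HOSTNAME (browser will warn)
check_cert() {
    path=$1
    host=$2

    if [ ! -r "$path" ]; then
        echo "missing: $path (no certificate was ever issued here)" >&2
        return 1
    fi

    # Same command the add-on runs; a non-certificate PEM fails here.
    if ! openssl x509 -in "$path" -noout >/dev/null 2>&1; then
        echo "unreadable: $path is not a PEM certificate" >&2
        return 2
    fi

    # What the certificate says about itself: who it is for and when it expires.
    openssl x509 -in "$path" -noout -subject -issuer -enddate
    # The names a browser will accept. '|| echo' keeps 'set -e' callers alive
    # when the extension is absent.
    openssl x509 -in "$path" -noout -text | grep -A1 'Subject Alternative Name' \
        || echo "no subjectAltName extension"

    # -checkhost prints "does match" / "does NOT match"; its exit status is not
    # reliable across OpenSSL versions, so test the text instead.
    if openssl x509 -in "$path" -noout -checkhost "$host" | grep -q 'does match'; then
        return 0
    fi
    echo "mismatch: $path does not cover $host (expect a browser warning)" >&2
    return 3
}

# Only run when invoked with both arguments, so the file can also be sourced.
if [ "$#" -eq 2 ]; then
    check_cert "$1" "$2"
fi
```

Run it with the path from the log and the exact name typed into the browser. Exit code 1 reproduces the log's error and points at the issuance side (the ACME challenge never completed, so nothing was written), while exit code 3 is the other problem from the post: a certificate issued for the DuckDNS name will never validate when the same proxy is opened by its LAN IP or a `.local` name, regardless of how the port forwarding is set up.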