Regarding SSL when running HASS.io on the same Ubuntu server in Docker, need expert opinions

I’ll try to keep this clear. I have taught myself everything I know at this point, so there are probably errors in my setup.

Question: The question is at the end of this post and may require context to answer.

Environment:

  • Ubuntu 16.04, Webmin / Virtualmin
    It is a home based real world NS and LAMP server serving my websites and a few others on a static business connection, all sites sharing the same IP.

  • HASS.io, 0.95.4 in Docker on that same server.

Practices:

  • Sites in Webmin and Virtualmin are created through the Virtualmin web interface. While the main site is www.domain.com for any given virtual server, all of the sub-domains (i.e. http://subdomain.domain.com) are created through Virtualmin.

  • Let’s Encrypt is an option in the Virtualmin interface for each site. As long as 443 points from pfSense to my server, grabbing a certificate works. That’s how I’ve been setting up certificates for each site and subdomain.

  • I created a sub-domain through Virtualmin (hassio.domain.com) to make HA easy to access.

  • Virtualmin creates a .conf file for the site, but I followed the instructions (Apache Proxy) in the HA docs and overwrote the .conf file.

  • When requesting SSL through Letsencrypt in Virtualmin, two files are created in the virtual server root. One is ssl.cert and the other is ssl.key.

  • To set up SSL in HASS.io, I manually created the /ssl/fullchain.pem and /ssl/privkey.pem files as root, then I copied and pasted the contents of the ssl.key and ssl.cert files that were created in the virtual server root folder into those files, respectively.

(Let’s Encrypt through HASS.io as an add-on requires the use of port 80, which I could never get working because Apache is “in the way.”)

It is my assumption now that I can simply set all of my options to SSL in any add-on, etc., when given the chance, and it will just work.

Problems

  • A few add-ons fail to load through ingress, yielding 502 Bad Gateway. Not all of them, but only a few. And those all load if I use the port in the url.
  • Those that won’t load have one thing in common in Docker. They all have the network set to host while the ones that work are set to hassio. Changing this doesn’t seem to have a positive effect.
  • The error I see in the system log is consistent with each failing add-on:
19-07-09 17:35:07 ERROR (MainThread) [hassio.api.ingress] Ingress error: Cannot connect to host 172.30.32.1:64435 ssl:None [Host is unreachable]
  • I can ping 172.30.32.1 so I know it’s there, and I can access the add-on with the URL.
  • The only red flag in the error message is ssl:None, which makes me question whether or not I’ve set things up correctly.

Question:

  • Is the problem in fact related to SSL?
  • Is my setup method the reason this is happening, and if so, do I need to explicitly configure Docker to handle traffic on 443 since I used Letsencrypt outside of HASS.io?
  • In your opinion, am I doing things the hard way, not knowing that there’s a better way to set this up?

If you made it this far, thank you!
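Before pointing add-ons at a hand-copied pair like the one described above, a sanity check I would run (added example, not from the original post; it assumes openssl is installed and takes the fullchain.pem and privkey.pem paths as arguments):

```shell
#!/bin/sh
# Check a hand-assembled Home Assistant /ssl pair: right file types, key
# matches the leaf certificate, intermediate present, and expiry visible.
check_hassio_ssl() {
    fullchain="$1"; privkey="$2"; rc=0

    # 1. Each file must hold the right kind of PEM object. Pasting the key
    #    into fullchain.pem (or vice versa) is the usual copy slip.
    if ! grep -q 'BEGIN CERTIFICATE' "$fullchain" || grep -q 'PRIVATE KEY' "$fullchain"; then
        echo "FAIL: $fullchain does not look like a certificate chain"; rc=1
    fi
    if ! grep -q 'PRIVATE KEY' "$privkey"; then
        echo "FAIL: $privkey does not contain a private key"; rc=1
    fi
    [ "$rc" -eq 0 ] || return "$rc"

    # 2. The private key must belong to the leaf (first) certificate:
    #    compare SHA-256 of the public key derived from each side.
    cert_pub=$(openssl x509 -in "$fullchain" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$privkey" -pubout -outform DER | openssl dgst -sha256)
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: private key does not match the leaf certificate"; rc=1
    fi

    # 3. A "full chain" should also carry the Let's Encrypt intermediate;
    #    a lone leaf can leave clients unable to build a trust path.
    n=$(grep -c 'BEGIN CERTIFICATE' "$fullchain")
    [ "$n" -ge 2 ] || echo "WARN: $fullchain holds only $n certificate(s); the intermediate belongs in the chain too"

    # 4. Show who the cert is for and when it expires: a copied file is not
    #    renewed by Virtualmin, so a stale copy is a silent failure later.
    openssl x509 -in "$fullchain" -noout -subject -enddate
    return "$rc"
}

# Usage: ./check_hassio_ssl.sh /ssl/fullchain.pem /ssl/privkey.pem
if [ "$#" -eq 2 ]; then
    check_hassio_ssl "$1" "$2"
fi
```

A non-zero exit means the pair will not load in any add-on regardless of the ssl: true setting, so fix that before chasing ingress errors.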

I have a similar problem to yours: I created SSL certificates with certbot-auto and manually copied the files to the hass.io ssl folder, and hass.io can't access them.
When I try to do it with DuckDNS or just the Let's Encrypt add-on, they can't operate because port 80 is in use (apache2).
Anyone have any ideas?

Can you temporarily repurpose port 80 to get the Let's Encrypt add-on to configure, and then re-enable 80 for Apache?

I wasn’t able to do that because I serve some websites, and actually at the time I had a crap router that was annoying to deal with. That’s changed, but I still haven’t tried the Let's Encrypt add-on in HASS.io.

Are you running HASS.io under Ubuntu, or are you running it on a Pi 3?

Yeah, I am running Docker hassio on Ubuntu Linux.
So I managed to solve it like this:
First I remapped ports 80 and 443 that Apache was using to 8082 and 444, then I set the DNS resolver to Google DNS inside the resolv.conf.d/tail file.
After that I started the DuckDNS add-on and the renewal process of the certificate finished successfully.
But thanks for the idea, man.

Yeah… my system is actually a public name server, so I don’t use DuckDNS, so my config is a bit different.

After these changes I mentioned, the Let's Encrypt add-on without DuckDNS worked as well.