My NAS and Hass machines share a domain and SSL certificate. On Hass I use the nginx SSL proxy add-on to use this certificate. I use Let's Encrypt to renew the cert on my NAS device and I copy it to Hass periodically in a script.
Recently I couldn’t log in to Hass because the certificate had expired. The NAS had the new certificate so I was confused why Hass didn’t have the new one. After investigation, it turned out that the new, unexpired certificate was available on Hass and to the nginx add-on but that nginx hadn’t noticed it changed and was using the old one. A simple restart of the nginx add-on fixed the problem.
So I would like to add a command to restart this add-on to my script that copies over the new certificate to Hass. The script has SSH access to Hass. Is there a command I can run on the Hass SSH CLI to force an nginx add-on restart?
I found out that the “Terminal & SSH” add-on that is providing the SSH server dumps me into that add-on's container, so this is why I can’t use docker. However, they have provided access to the ha CLI tools. Using those tools I can restart the nginx add-on with:
ha addons restart core_nginx_proxy
However, this only works when I run it directly in a shell. I created a script and attempted to run it in a cron job and it doesn’t work. It also doesn’t work if I attempt to run it as a remote SSH execution, e.g.
ssh root@<myhost> -p 5863 /root/restartProxy.sh
Unexpected server response
time="2022-12-19T06:10:56-08:00" level=error msg="Unexpected server response"
I can run the script directly without an issue, so it has something to do with running it indirectly.
If I add --api-key <your key> it works. I was able to figure this out by setting --log-level debug. In the direct execution you can see the API key and in the indirect execution it was showing as blank.
This method of restarting began to fail after a recent Hass update. Apparently the API token changes after updates! So I now regenerate the API token and store it as a file on the Hass file system daily using a cron job. Then I reference this file that has the token on the remote machine when executing the update.
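A wrapper for the fix described in the two posts above, as an added example that is not part of any post in the thread: it reads the key from a file and refuses a blank key or a token file that other users can read. The token file path, `HA_BIN` and the function names are assumptions; the key flag is used as quoted in the thread.

```shell
#!/bin/sh
# Added example. TOKEN_FILE, HA_BIN and the function names are assumptions.
TOKEN_FILE="${TOKEN_FILE:-/root/ha_api_token}"  # hypothetical path
HA_BIN="${HA_BIN:-ha}"
ADDON="core_nginx_proxy"
KEY_FLAG="--api-key"  # flag as quoted in the thread; confirm with `ha --help`

# Succeed only for a regular, non-empty file that only its owner can read.
token_file_ok() {
    f="$1"
    if [ ! -f "$f" ] || [ -L "$f" ]; then
        echo "token file missing or a symlink: $f" >&2; return 1
    fi
    [ -s "$f" ] || { echo "token file is empty: $f" >&2; return 1; }
    mode=$(stat -c '%a' "$f") || return 1   # GNU/BusyBox stat
    case "$mode" in
        600|400) return 0 ;;
        *) echo "token file mode is $mode, expected 600" >&2; return 1 ;;
    esac
}

# Restart the add-on with an explicit key, since cron and `ssh host cmd`
# sessions were seen to pass a blank one.
restart_proxy() {
    token_file_ok "$TOKEN_FILE" || return 2
    token=$(tr -d ' \t\r\n' < "$TOKEN_FILE")
    [ -n "$token" ] || { echo "token is blank" >&2; return 2; }
    # Note: the key is visible in the process list while the command runs.
    "$HA_BIN" addons restart "$ADDON" "$KEY_FLAG" "$token" || {
        echo "restart failed; the token may have changed after an update" >&2
        return 3
    }
}

if [ "${1:-}" = "--run" ]; then restart_proxy; fi
```

Call it with `--run` from the cron job or the remote SSH command; exit status 2 means the token file was rejected and 3 means the restart itself failed.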
Glad it works. I migrated my SSL reverse proxy to my router, which allows it to be used for a lot more than just HA. The router runs pfSense and the reverse proxy is called “HAProxy”. It fully integrates with the Let's Encrypt pfSense plugin and also supports pretty much anything I can imagine from a front-end and back-end perspective. Highly recommended.