SSL and Home Assistant running on a Synology Docker

Hi

I’m new to Home Assistant and Linux but have been able to set up Home Assistant on a Synology Docker. Got myself some scenes and automations running and really like it. I find automation being quite addictive. :slight_smile:

I have tried many different approaches to get SSL working but I think with my last attempt I’m pretty close:

  1. Used Synology to create a letsencrypt cert.
  2. Copied the cert files Synology created to the hass config folder.
  3. Forwarded port 443 to my synology 8123 in my router

Added this to my configuration.yaml file:

http:
  api_password: !secret http_password
# Uncomment this if you are using SSL/TLS, running in Docker container, etc.
  base_url: mydomain.duckdns.org:8123/
  ssl_certificate: chain.pem
  ssl_key: privkey.pem

Home assistant logs this error in home-assistant.log
2017-11-09 20:04:02 ERROR (MainThread) [homeassistant.config] Invalid config for [http]: not a file for dictionary value @ data['http']['ssl_certificate']. Got 'chain.pem'
not a file for dictionary value @ data['http']['ssl_key']. Got 'privkey.pem'. (See /config/configuration.yaml, line 27). Please check the docs at https://home-assistant.io/components/http/
2017-11-09 20:04:02 ERROR (MainThread) [homeassistant.setup] Setup failed for http: Invalid config.

I tried changing permissions with:
sudo chmod 755 chain.pem
sudo chmod 755 privkey.pem

Still same error…

Any thoughts?

1 Like

OK, so I made some progress using squirtbmr’s guidance in this thread:

I checked my docker info:
and found that it has an “environment path variable” named config pointing to my yaml files location.

So I changed:

http:
  api_password: !secret http_password
  base_url: mydomain.duckdns.org:8123/
  ssl_certificate: /config/cert.pem
  ssl_key: /config/privkey.pem

Notice that I also changed the ssl_certificate to the cert.pem file instead of chain.pem.

Rebooting Home-Assistant, and no more errors in the log file and Home Assistant is accessible via https!

If anyone knows how to use the original Synology cert files without the need to copy them to the docker folder, this would improve the solution even further!

Thanks!

4 Likes

@MattiasPie thanks for posting, re step 1 I found the following useful. Cheers

1 Like

Thanks, this system allowed me to use the certificates created by Openmediavault and HASS in Docker!

Thank you

1 Like

Thought I’d reply here since this helped me get my Home Assistant working with SSL and docker. To use the Synology certificate directly, without copying it, you have to mount the directory where the certificates are located separately, i.e.:

sudo docker run --name hass --restart=always --net=host --privileged -itd -v /volume1/homeassistant/config:/config -v /usr/syno/etc/certificate:/certificate --device /dev/ttyACM0 homeassistant/home-assistant

After that you update your configuration.yaml:

ssl_certificate: /certificate/_archive/<directory>/cert.pem
ssl_key: /certificate/_archive/<directory>/privkey.pem
7 Likes

Works great Ivo. Thanks!

With the help of @swbradshaw I was able to get HA up and running without the command line on my Synology DS218+ However, I CANNOT for the life of me figure out how to get the DuckDNS and Let’s Encrypt setup. So if anyone would be willing to assist this NOOB I would greatly appreciate it.

As an alternative, use Caddy. Three config lines and you're done.

Lars

Thanks @ivo, you saved me a lot of time
Can I suggest the following edit though:
ssl_certificate: /certificate/_archive/<directory>/fullchain.pem
ssl_key: /certificate/_archive/<directory>/privkey.pem

My Node-RED did not want to connect to the FQDN (e.g. https://myserver.duckdns.org) using the cert.pem.
I kept on getting:
'[error] [server:Home Assistant] Home assistant connection failed with error: Connection to home assistant could not be established with config: https://myserver.duckdns.org <password redacted>'
Once I used the fullchain.pem, this started to work
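
Added example (not from any post in this thread): a small shell check for the two points the posts above turned on, the "not a file" error when a path does not exist inside the container, and cert.pem (leaf only) versus fullchain.pem (leaf plus intermediates). It also flags a private key that is readable by group or others, which is what the `chmod 755` earlier in the thread produces; the function names and result labels are this example's own.

```shell
#!/bin/sh
# Added example: sanity-check the files that ssl_certificate / ssl_key point to.
# Run it where Home Assistant runs (inside the container), so that paths such
# as /config/... or /certificate/... resolve the same way they do for HA.

# Print the number of PEM certificate blocks in a file (0 if none).
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Print one finding per line; return non-zero if anything needs attention.
check_tls_files() {
    cert=$1; key=$2; rc=0

    # A relative or host-side path does not exist inside the container.
    for f in "$cert" "$key"; do
        if [ ! -f "$f" ]; then
            echo "MISSING $f"
            rc=1
        fi
    done
    [ "$rc" -eq 0 ] || return "$rc"

    # One block = leaf certificate only; two or more = leaf plus intermediates,
    # which clients that do not fetch intermediates themselves need.
    n=$(count_certs "$cert")
    if [ "$n" -eq 0 ]; then
        echo "NO_CERT $cert"; rc=1
    elif [ "$n" -eq 1 ]; then
        echo "LEAF_ONLY $cert"; rc=1
    else
        echo "CHAIN_OK $cert ($n certificates)"
    fi

    # Characters 5-10 of the ls mode string are the group and other bits.
    perms=$(ls -ld "$key" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "KEY_EXPOSED $key"; rc=1
    else
        echo "KEY_OK $key"
    fi
    return "$rc"
}

# Stand-alone use: sh check.sh <certificate file> <key file>
if [ "$#" -eq 2 ]; then check_tls_files "$1" "$2"; fi
```
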

Hi Ivo, thank you for your solution. I’m new here and I’m not a Linux or HA expert :slight_smile: therefore I need some help from you. Can you kindly point out how I have to change the mount command and the configuration.yaml, considering that my certificates are located in /usr/syno/etc/certificate/system/default and configuration.yaml is in /volume1/homeassistant?

It’s been a long time since your question so I hope you figured out a solution by now :slight_smile: . But since I haven’t seen my solution to this dilemma that often in the forums, I share it here as a response.

I use the built in Task Scheduler in Synology to make a copy of the certificate files. Just create a new “Scheduled Task” and select “User-defined script”. Then enter something like this:

cp /usr/syno/etc/certificate/system/default/* /volume1/docker/homeassistant/config/

I let this task run daily at night and have never had any issues.

1 Like

thanks @runevad, very easy and fast solution, It works great

Hi there

I made a copy of all ssl certificates and it’s possible to reach everything over https://XXXXXXX:8132.
If I log in I have the following errors. I’m sure that I’m quite close. The SSL files are copied from the Synology Let’s Encrypt solution.

error1

Anyone a solution for that?

Hi there.

I had to deactivate the Multi-factor Authentication Modules and after that it worked with the solution of @runevad. No more errors like I had in the post before.

http:
  # Uncomment this to add a password (recommended!)
  api_password: xxxxx
  # Uncomment this if you are using SSL or running in Docker etc
  ssl_certificate: /config/cert.pem
  ssl_key: /config/privkey.pem
  base_url: xxxx:8123

Two factor authentication should not be a problem. I have been running that since the start of it and not changed anything regarding the cert files from the Synology.

However, the base url should be:

base_url: https://xxx:8123 (in my case I run it through :8080)

but since you got it working I guess it’s something else?

I also disabled the old api password, it’s not needed and you can run everything with just the new login with users and tokens.

I’ve completely changed my setup, home assist no longer runs on https, it is running on http and I am offloading the encryption on the DSM for my external connections (like google assistant).
I recently procured a konnected.io device, and was recommended to not use SSL directly on home assist.
Made note of my setup here:
https://community.home-assistant.io/t/home-assistant-on-synology-dsm-docker-duckdns-lets-encrypt-reverse-proxy-firewall-zwave-node-red-mqqt/

1 Like

So I have been trying to debug this for a while and can’t seem to be able to get it up and running - any help would be much appreciated.

Essentially I am trying to get a Google Domains to Synology to Docker to Home Assistant with SSL setup. I am able to get a valid certificate but when I enter a login and password into home assistant it fails to connect.

Some of the names are changed for privacy

Domains hosted with Google - DDNS setup between synology.my.house
control.my.house CNAME to synology.my.house
Router forwards 443/80 to Synology on my local network

Reverse proxy from control.my.house 443 to localhost 8123
Synology request certificate for control.my.house

sudo docker run --name HomeAssistant --restart=always --net=host --privileged -itd -v /volume1/docker/homeassistant/config:/config -v /usr/syno/etc/certificate/_archive/[***]:/certificate --device /dev/ttyACM0 homeassistant/home-assistant:latest

Configuration.yaml

homeassistant:
  auth_providers:
    - type: homeassistant
    - type: legacy_api_password
      api_password: !secret http_password

http:
  base_url: https://control.my.house
  ssl_certificate: /certificate/cert.pem
  ssl_key: /certificate/privkey.pem

When I access https://control.my.house the certificate is valid but when I login it tells me that Home Assistant is unable to connect.

Error doing job: SSL handshake failed
Traceback (most recent call last):
File "uvloop/sslproto.pyx", line 500, in uvloop.loop.SSLProtocol._on_handshake_complete
File "uvloop/sslproto.pyx", line 484, in uvloop.loop.SSLProtocol._do_handshake
File "/usr/local/lib/python3.7/ssl.py", line 763, in do_handshake
self._sslobj.do_handshake()
ssl.SSLError: [SSL: HTTP_REQUEST] http request (_ssl.c:1056)

Of note,

-rwxr-xr-x 1 root root 1927 Jul 4 06:28 cert.pem
-r-------- 1 root root 1647 Jul 4 06:28 chain.pem
-rwxr-xr-x 1 root root 3574 Jul 4 06:28 fullchain.pem
-rwxr-xr-x 1 root root 1675 Jul 4 06:28 privkey.pem
-r-------- 1 root root 185 Jul 4 06:28 renew.json

This is interesting because with Chrome, Brave, Safari the browser is reporting that the certificate is valid.

Of note, when I go to http://[IP ADDRESS]:8123 it will load and I am able to login.

Any help greatly appreciated.

Just replying to my own issue in case this helps someone else - it was an issue with Web sockets

Always human error - sorry everyone

Thank you all, the quality of this thread is excellent. One question: Can someone explain to me what the API_PASSWORD is, what it does, where it comes from,…?

Happy New Year,
Yvan

API_Password is (or was) a way of authenticating in the HTTP URL.
If I remember correctly I used it 1-2 years ago to authenticate Alexa with Home Assistant but am now using a more secure way of authentication. So I haven’t used API Password for a year or so and remember it gave deprecation warnings in the log and that’s why I worked on other solutions for authentication to be able to remove it.
More on authentication can be found: