Short story, I get an error when visiting my site: SSL_ERROR_UNRECOGNIZED_NAME_ALERT
Full story below.
I have HAOS running in a Proxmox VM. I have multiple web services on the server, so I’m using nginx proxy manager to forward web requests to my ha.domain.com. I have a proper static external IP address and all my websites work well. Except for HA.
I’ve configured HA to work on port 433:
I’m using Let’s encrypt add-on to generate the keys and it finishes without errors:
[17:04:55] INFO: Selected http verification
[17:04:55] INFO: Detecting existing certificate type for ha.****.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
[17:04:57] INFO: Existing certificate using 'ecdsa' key type.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Certificate not yet due for renewal
When I visit HA via internal IP, I get an expected certificate error, which I ignore (“accept risk”) and GUI loads. I open up certificate details on Firefox and I see that the certificate is being provided, the domain is correct, it’s verified by Let’s Encrypt and that it is valid for 3 months.
But when I visit my ha.domain.com, I get an error SSL_ERROR_UNRECOGNIZED_NAME_ALERT
On certificate information, Firefox says “Verified by: Not specified”. As if no certificate is passed.
On my nginx proxy manager I’ve set it to forward to HTTPS and to port 433. NPM can supply its own certificate, but I’ve set that to off. To be clear, if I enable the NPM certificate, the site loads properly. But I need a proper certificate on the server itself for other reasons, Tesla fleet integration being one of them.
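For readers landing here with the same error, a note on what it actually means (added here, not part of any post in the thread): Firefox reports SSL_ERROR_UNRECOGNIZED_NAME_ALERT when the server answers the ClientHello with the TLS alert unrecognized_name (alert code 112, defined in RFC 6066). A server sends it when it has nothing configured for the name the client put in the SNI extension. The alert is sent before any Certificate message, which is exactly why Firefox shows "Verified by: Not specified": no certificate was ever presented. nginx behaves this way for a default server with `ssl_reject_handshake on`, and an NPM proxy host that has no certificate assigned gets no `listen 443 ssl` block of its own, so a ClientHello for that name lands on the default 443 server. The fragment below is a plain nginx illustration of that mechanism, written for this note rather than copied from NPM's generated config; host names, addresses and the reject default server are assumptions.

```nginx
# Added example of the failure mode, not NPM's own generated config.
# Assumed: ha.domain.com is the public name, 192.168.1.50:8123 is HA
# serving TLS itself with the Let's Encrypt add-on's certificate.
events {}

http {
    # A proxy host created with "certificate: none" only gets a plain
    # HTTP listener. Nothing here answers TLS for ha.domain.com on 443.
    server {
        listen 80;
        server_name ha.domain.com;
        location / {
            proxy_pass https://192.168.1.50:8123;   # inner leg to HA is HTTPS
        }
    }

    # Any SNI name that matches no "listen 443 ssl" server block falls
    # through to the default 443 server. With ssl_reject_handshake the
    # handshake is refused with the unrecognized_name alert (112) instead
    # of a certificate, which Firefox shows as
    # SSL_ERROR_UNRECOGNIZED_NAME_ALERT and "Verified by: Not specified".
    server {
        listen 443 ssl default_server;
        server_name _;
        ssl_reject_handshake on;    # requires nginx 1.19.4 or newer
    }
}
```

A quick way to confirm this from outside is `openssl s_client -connect <external-ip>:443 -servername ha.domain.com </dev/null`: if the output ends in "alert unrecognized name" with no certificate chain printed, the TLS connection is being refused at the proxy and never reaches Home Assistant. Repeating the same command against the internal IP and port HA listens on shows the Let's Encrypt chain, which matches what the post above describes seeing in Firefox.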
A reverse proxy is usually set up for HA to accept internal and external HTTPS connections made to a URL and then forward those connections on the secure internal network as HTTP connections.
You are using HTTPS on both sides of the reverse proxy. Why?
If there is no special feature the reverse proxy provides, then forward port 443 on your router directly to the HA port.
I can’t forward port 443 on router, because I have other services on this port. That’s why I’m using nginx proxy manager.
I don’t need NPM to provide the certificate; I want it to pass the certificate from HA.
Note that I have several websites that provide their own certificates and NPM cert is switched off (it is not providing a certificate on top) and this works well. I don’t understand why the same thing does not work with HA.
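A practitioner's caveat on the design being asked for (this is an added illustration, not a reply from anyone in the thread): an HTTP reverse proxy such as NPM always terminates TLS on the client-facing side, because it has to read the HTTP request to route it. Turning the NPM certificate off therefore does not make it "pass through" HA's certificate; it just leaves the proxy with nothing to present for that name. The only way a proxy on port 443 can let Home Assistant present its own Let's Encrypt certificate is to stop looking at HTTP for that name and forward the raw TLS stream based on the SNI in the ClientHello. Plain nginx can do this with the `stream` module and `ssl_preread`, which NPM's web UI does not expose. The configuration below is an added example of that layout; host names, addresses and ports are assumptions, and it presumes HA already terminates TLS on 8123 with `ssl_certificate`/`ssl_key` set under `http:` in configuration.yaml, which the direct-IP test in the first post shows it does.

```nginx
# Added example, not NPM-generated config. One nginx instance owns TCP 443:
# ha.domain.com is forwarded as an opaque TLS stream so HA presents its own
# certificate; every other name is terminated on a loopback listener and
# proxied as usual. Assumed: 192.168.1.50:8123 is HA (TLS enabled),
# 192.168.1.60:8080 is some other internal HTTP service.
events {}

stream {
    # Route by the SNI name read from the ClientHello, without decrypting it.
    map $ssl_preread_server_name $tls_backend {
        ha.domain.com   ha_passthrough;   # HA's own Let's Encrypt cert is what the browser sees
        default         local_terminate;  # everything else: terminate TLS in the http block
    }

    upstream ha_passthrough  { server 192.168.1.50:8123; }
    upstream local_terminate { server 127.0.0.1:8443; }

    server {
        listen 443;
        ssl_preread on;              # needs ngx_stream_ssl_preread_module
        proxy_pass $tls_backend;
    }
}

http {
    # Ordinary L7 termination for the other sites, now on a loopback port
    # because the stream server above owns the public 443.
    server {
        listen 127.0.0.1:8443 ssl;
        server_name other.domain.com;
        ssl_certificate     /etc/letsencrypt/live/other.domain.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/other.domain.com/privkey.pem;

        location / {
            proxy_pass http://192.168.1.60:8080;
            proxy_set_header Host              $host;
            proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto https;
        }
    }

    # A default that refuses unknown names explicitly rather than serving
    # the wrong certificate for them.
    server {
        listen 127.0.0.1:8443 ssl default_server;
        server_name _;
        ssl_reject_handshake on;
    }
}
```

The trade-offs are real: at the stream layer the proxy cannot add headers, so HA sees the proxy's address as the client IP and its `trusted_proxies`/`X-Forwarded-For` handling does not apply; the proxy cannot route by path or inject anything for that name; and this fragment covers only 443, so whatever currently lets the Let's Encrypt add-on's HTTP challenge reach HA on port 80 still has to stay in place for renewals.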
My guess is that the HTTPS is failing between the reverse proxy and HA.
Your reverse proxy needs the right root and intermediary certificates to be able to follow the entire certificate chain to a trusted CA.
Bad news: what you want simply won’t work. You can’t stack stuff like that. You must have a SINGLE HTTP reverse proxy (e.g. NginX) exposed to the internet via TCP port 443 and 80 forwarding, and that proxy must handle multiple independent domains (external or internal) proxying each domain to an internal port 80 service. Otherwise, LetsEncrypt ACME will not be able to issue certificates properly. Whatever else you have serving on those forwarded TCP ports will have to be put behind the single proxy.
If you don’t like this, you will have to keep HA internal, roll your own CA certificate authority and manually deploy + yearly renew server certs / CA cert across your home machines. (This is what I do.)