Using Let's encrypt certificate of Synology NAS

Now have a small annoyance

from inside the network I can access HASS from
http://192.168.1.238:8123

but NOT from https://xxx.duckdns.org

from outside the network I can access HASS from
https://xxx.duckdns.org

which means if I am home with WiFi or 3G I have to change the address on my smartphone browser.
How to solve this?

I think this had something to do with your router settings. On my router (Ubiquiti Edgerouter lite) I had to check the option:

Hairpin NAT
Enable hairpin NAT (also known as "NAT loopback" or "NAT reflection")

I see (very complicated to me).

I have an ASUS DSL-N55U; it should have the option, but I do not see it in the configuration. Where should it be? (Regarding NAT, I have only one option, to enable/disable it.)

Looks like there is a firmware upgrade that solves the problem on this type of router. http://drivers.softpedia.com/get/Router-Switch-Access-Point/ASUS/ASUS-DSL-N55U-verC1-Router-Firmware-1073.shtml

So install the firmware update and check if the problem still exists.

Caution: I can not be held responsible for this upgrade.

I have upgraded to a 2016 firmware (the latest from ASUS); the description says NAT loopback is fixed. But I do not find the settings!!

I have a similar setup, but I’m running HASS on my Synology (without Docker). I can’t get past the “502 Bad Gateway nginx” error (mentioned earlier in this post) when attempting to connect to HASS at “https://xxx.myds.me” in Chrome.

Ideally, I would like to connect to “https://xxx.myds.me/ha” or have a subdomain for HASS, but I’m not sure how to do that yet. For now I have to connect to the Synology web portal via “https://xxx.myds.me:5001”, since the reverse proxy I set up is re-directing “https://xxx.myds.me” (port 443) to internal port 8123. I’m not even sure if I need a reverse proxy to accomplish what I am trying to do. I was able to delete the 443 port forward on my router and I can still connect secured https to the Synology web portal over port 5001… but it doesn’t seem to be possible to connect https directly over port 8123. I’m not sure how all of this works. Can someone please help! I already wasted all of yesterday trying different things. See below for details.

This stuff is working:

  1. external https connection to synology web portal (port 5001) is working (let’s encrypt certificate added through synology)
  2. external http unsecure access to home assistant is working
  3. external http unsecure access through Reverse Proxy is working (if updating Reverse Proxy to use HTTP port for source and removing ssl_certificate and ssl_key from configuration.yaml.)

Here is my setup:
Home Assistant is running on the Synology (not using Docker)

Synology control panel->Security->Certificate:
Added Let’s Encrypt Certificate for xxx.myds.me

Router:
Port 443 -> 443 on Synology

Edited Portal.mustache file according to this post.

Synology Control Panel->Application Portal->Reverse Proxy:
Source: https://xxx.myds.me (port 443)
Destination: http://localhost:8123

Cert files:
Manually copied these 2 files to same folders as configuration.yaml:
/usr/syno/etc/certificate/system/default/fullchain.pem

/usr/syno/etc/certificate/system/default/privkey.pem

NOTE: I have also tried changing the permissions on these files and pointing to them directly in the configuration.yaml file. I’m not sure what the ideal way of doing this is.

Home Assistant configuration.yaml:

http:
  api_password: !secret http_password
  ip_ban_enabled: true
  login_attempts_threshold: 5
  ssl_certificate: fullchain.pem
  ssl_key: privkey.pem

Ok, it works finally. Here are the things I changed which might have fixed it:

  1. Removed router port forward (443), then re-added.
  2. Removed Reverse proxy setting, then re-added.
  3. This is what probably fixed it: Removed ssl_certificate and ssl_key lines from the configuration.yaml file. Note, I tried re-adding these and it actually made it to the homeassistant log-in page, but it timed out eventually and said it could not connect. I then removed these lines again and re-tested and it worked again.

Note, I am using “https://xxx.myds.me” to connect to homeassistant, so I need to use “https://xxx.myds.me:5001” to connect to the Synology web interface. It would be nice if I could use “https://xxx.myds.me/ha” to connect to home assistant instead… I remember seeing something in the location section of the nginx config file where I might be able to do this. Anyone have this working? Or how can I create a subdomain with Synology’s DDNS?

Just wanted to say thanks for taking the time to post this! It was exactly what I was looking for.

You’re welcome.

This post helped me a lot, but I’m still stuck on something.
When I want to go to xxx.synology.me, I get a loading screen of HASS and then the error “unable to connect”.
Does anyone have a fix for that?


Did you recently update your Synology? If so: DSM 6.2 resets your Portal.mustache again. Look at https://github.com/wilfredsmit/dsm-reverse-proxy-websocket.

I’m now running on DSM 6.1.7-15284 so normally it should be ok. Also because my other apps are working fine using nginx.

@doubleUS I don’t get it anymore. I tried everything using certificates, reverse proxy, even edited my iptables, and then everything was broken. Still got the loading screen of homeassistant and then it says “Unable to connect”.

I saw in the logs that it says: (MainThread) [homeassistant.components.http.view] Serving /api/websocket to 192.168.0.x (auth: True)

Can you provide some help ?

EDIT

While typing this reaction I saw the GitHub link you provided. I tried that link again and that did the magic. Finally it is working after trial and error. Thank you for sending the link!

@koenhaemels Glad you’ve got it solved!

I got everything working except Telegram.

In the error log, it says

Invalid telegram webhook http://[HA IP]:8123/api/telegram_webhooks must be https

In HA configuration, I don’t set base_url, ssl_certificate and ssl_key under the http: component.

Should I set the 3 variables under the http component?

If I added…

  base_url: !secret http_base_url
  ssl_certificate: !secret ssl_certificate
  ssl_key: !secret ssl_key

The Telegram works but the frontend stop working and gives this error…

[homeassistant.components.notify.rest] Error sending message. Response 502: Bad Gateway:

Did you manage to get it to work?
Currently I don’t have any experience with Telegram…

First I really want to say words of appreciation to @doubleUS and others for the time spent on this and helping others. It helped me a lot.
I’d like to add my experience, which works for me and could possibly help the next generations of users:

  • I have a Synology NAS with DSM 6.2.1-23824 Update 4 installed
  • I have HA running in a Docker container using http (no https)
  • I have Let’s Encrypt certs in place for remote access to my Synology box
  • all you need to do is:
    • go to Control Panel/Application Portal/Reverse Proxy
    • create a new reverse proxy:

    • don’t forget to replace “your” with your own name at synology.me

    • add custom headers:

      this is needed to allow web sockets to work properly, i.e. no need to change mustache files manually

    • go to External Access/Router Configuration
      • select “HTTPS, Reverse Proxy” with port 443
      • click “Save” and allow opening this in your router (I have a Time Capsule and DSM does a great job of auto-setting up port forwards)
    • you are done )
  • you don’t need to make any changes in the HA config for the http section
  • you can access your HA as “https://your.synology.me” outside and inside your local network
  • you can continue using your fav local address of HA

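For readers who cannot see the screenshot of the “custom headers” step, this is what that DSM reverse-proxy rule amounts to in nginx terms, written here as an added illustration rather than Synology’s own generated Portal.mustache output; the hostname, certificate paths and the HA address are placeholders/assumptions.

```nginx
# Added illustration (not Synology's generated file): the DSM "Reverse Proxy"
# rule for https://your.synology.me -> http://localhost:8123, plus the two
# websocket headers added under "custom headers". Names and paths are placeholders.

# http context: turn the client's "Upgrade: websocket" into "Connection: upgrade"
# for the backend, and "close" for ordinary requests.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen 443 ssl;
    server_name your.synology.me;                       # placeholder

    # Let's Encrypt certificate issued in DSM; the paths are assumptions.
    ssl_certificate     /path/to/fullchain.pem;
    ssl_certificate_key /path/to/privkey.pem;

    location / {
        # HA itself stays plain HTTP; TLS terminates here. configuration.yaml
        # must therefore NOT set ssl_certificate / ssl_key (the 502 seen above).
        proxy_pass http://localhost:8123;

        # Websocket support (the "custom headers" step): HTTP/1.1 plus the two
        # hop-by-hop headers /api/websocket needs. Without them the frontend
        # loads and then reports "Unable to connect".
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $connection_upgrade;

        # Pass the real client address through, so HA's ip_ban_enabled and
        # login_attempts_threshold act on the visitor rather than on 127.0.0.1.
        proxy_set_header Host              $http_host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Websocket sessions are long-lived; the default 60 s read timeout
        # would drop idle connections.
        proxy_read_timeout 3600;
    }
}
```

On the HA side the forwarded address is only honoured when the http: section sets use_x_forwarded_for: true together with trusted_proxies listing 127.0.0.1 (both are real HA options; which releases require trusted_proxies varies); otherwise every failed-login ban lands on the proxy itself and locks everyone out.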

Super, finally it worked with this simple reverse proxy thing @sergeymaysak, thanks a lot! Now if I go to my HA with https I can’t get to my Visual Code because it refers to my NAS ip:port of vscode. What do I need to set to see my settings via vscode or configurator?

I’ve been reading lots and lots of topics on this forum and I can’t get this to work. I really hope someone can give me a hint/solution.

I have the following configuration:

The problem is when I go to https://xxxx.duckdns.org it’s using the Certificate of my NAS and not the new duckdns.org certificate.

I know I’m missing something but I don’t know what. Who can point me to the right direction?

Why don’t you create a Let’s Encrypt certificate for duckdns.org in DSM and use the reverse proxy?