Webhooks not working / Issue in setup using DuckDNS, Let's Encrypt, NGINX

Hello,

I am trying to set up the Netatmo integration for my Netatmo Presence outdoor camera. It does receive the video feed locally, but receives events via webhooks, which is why a connection to the outside world is required during the setup. I have tried my best following the setup of Netatmo Integration, but it seems that I have something not set up correctly, as the webhooks do not come through and the App on the Netatmo Dev Portal gets banned on a regular basis.

So here is my setup:

  • I am using a Raspberry Pi with hass.io
  • I created a DuckDNS account with a new URL.
  • I have configured the DuckDNS URL in Home Assistant via the UI
  • I have installed the DuckDNS Add-On via the UI on the Home Assistant and configured it as follows:
lets_encrypt:
  accept_terms: true
  certfile: fullchain.pem
  keyfile: privkey.pem
token: 'sometokenstring'
domains:
  - myexternaladdress.duckdns.org
aliases: []
seconds: 300
  • I have installed the Let’s Encrypt Add-On via the UI on the Home Assistant and configured it as follows:
email: [email protected]
domains:
  - myexternaladdress.duckdns.org
certfile: fullchain.pem
keyfile: privkey.pem
challenge: http
dns: {}
  • I have installed the NGINX Add-On via the UI on the Home Assistant and configured it as follows:
domain: myexternaladdress.duckdns.org
certfile: fullchain.pem
keyfile: privkey.pem
hsts: max-age=31536000; includeSubDomains
cloudflare: false
customize:
  active: false
  default: nginx_proxy_default*.conf
  servers: nginx_proxy/*.conf
  • On the router, I forwarded port 80 to port 80 of the Pi.
  • I have also forwarded port 443 to port 443 of the Pi.

I can access my Home Assistant from outside via 'myexternaladdress.duckdns.org'.
So something must be working.
But the Netatmo access is still being banned after some time, as the communication via webhooks does not seem to be working as expected.

Today I have added the following lines in the configuration.yaml

http:
  ip_ban_enabled: true
  login_attempts_threshold: 5
  use_x_forwarded_for: true
  trusted_proxies: 127.0.0.1

But also here I had no luck in improving the situation.
Any help would be welcome. If I can provide further information to help debug this, I will try to do my best to provide this information. But I have no further clue…

Are you using configuration.yaml or the HA cloud link to configure the Netatmo integration?

I have included the netatmo integration via configuration.yaml

Did you check whether webhook has been banned on the Netatmo dev portal?

Yes, the dev portal always bans access after a certain time, so the communication seems broken at some point. I am guessing it’s got nothing to do directly with the netatmo integration or the dev portal, but rather in my setup trying to get the https connection running between the two.

Please read the following guide.

I appreciate your support and I am sorry to ask such basic/stupid questions. I have actually read this guide before, but was not sure if it applies to a hass.io installation running on a Raspberry Pi, as it includes Linux commands, suggesting there is the need to connect to the Home Assistant server via SSH to enter the commands. I was not sure what hass.io running on a Raspberry Pi is running on and whether it is Linux based…
Which was the reason why I did not follow this procedure but only used the steps described above using the Home Assistant GUI and the available add-ons of DuckDNS, Let’s Encrypt and NGINX.

I can try to follow these steps and report back on my luck.

I would double check the proxy config.

All the configs I made in the add-ons via the UI I posted above.

I don’t know this add-on at all, I just can tell that webhooks do work with an nginx reverse proxy.

Your external url looks weird. Try dropping the www..
Also the trusted proxy IP is wrong. It most certainly is not 127.0.0.1 but the IP or FQDN of the proxy container.

I thought as the reverse proxy is running on the same machine as the hass.io, I put there the localhost address.

Sorry for delayed feedback, I am currently not at home.
I will check when I get the chance and report back.

Nicely spotted! From what I could do from away at least the webhook registered successfully and the light is now visible in the netatmo integration.
I do not yet see the events under the development tools, but I cannot fire some to check.
Thank you. I guess I am at least one step closer!

You need to listen for netatmo_event.

Okay, being back home. I do not yet get any netatmo_events in Home Assistant.
I guess the correction of the external URL in the Home Assistant settings allowed the webhook registration to be successful. I have copied in the log I am now getting.

2020-10-18 19:46:06 INFO (MainThread) [homeassistant.components.netatmo.config_flow] Successfully authenticated
2020-10-18 19:46:07 INFO (MainThread) [homeassistant.components.netatmo] Register Netatmo webhook: https://myexternaladdress.duckdns.org/api/webhook/'somehexstring'
2020-10-18 19:46:07 DEBUG (MainThread) [homeassistant.components.netatmo.data_handler] Data class HomeData added
2020-10-18 19:46:07 WARNING (MainThread) [homeassistant.components.light] Platform netatmo not ready yet. Retrying in 30 seconds.
2020-10-18 19:46:07 DEBUG (MainThread) [homeassistant.components.netatmo.data_handler] No weather station available
2020-10-18 19:46:07 DEBUG (MainThread) [homeassistant.components.netatmo.data_handler] Data class WeatherStationData added
2020-10-18 19:46:07 WARNING (MainThread) [homeassistant.components.http.forwarded] Received X-Forwarded-For header from untrusted proxy 172.30.33.3, headers not processed
2020-10-18 19:46:07 DEBUG (MainThread) [homeassistant.components.netatmo.webhook] Got webhook data: {'user_id': 'someotherhexvalues', 'user': {'id': 'someotherhexvalues', 'email': '[email protected]'}, 'push_type': 'webhook_activation'}
2020-10-18 19:46:07 DEBUG (MainThread) [homeassistant.components.netatmo.webhook] None: {'user_id': 'someotherhexvalues', 'user': {'id': 'someotherhexvalues', 'email': '[email protected]'}, 'push_type': 'webhook_activation'}
2020-10-18 19:46:07 INFO (MainThread) [homeassistant.components.netatmo.data_handler] Netatmo webhook successfully registered
2020-10-18 19:46:07 DEBUG (MainThread) [homeassistant.components.netatmo.data_handler] No weather station available
2020-10-18 19:46:07 DEBUG (MainThread) [homeassistant.components.netatmo.data_handler] Data class HomeCoachData added
2020-10-18 19:46:07 DEBUG (MainThread) [homeassistant.components.netatmo.data_handler] Data class CameraData added
2020-10-18 19:46:07 DEBUG (MainThread) [homeassistant.components.netatmo.camera] Adding camera 70:ee:50:27:c5:10 Haustür
2020-10-18 19:46:07 DEBUG (MainThread) [homeassistant.components.netatmo.netatmo_entity_base] New client camera.netatmo_haustur
2020-10-18 19:46:37 DEBUG (MainThread) [homeassistant.components.netatmo.light] Adding camera light 70:ee:50:27:c5:10 Haustür
2020-10-18 19:46:37 DEBUG (MainThread) [homeassistant.components.netatmo.netatmo_entity_base] New client light.netatmo_haustur

I got rid of the untrusted proxy warning. It seems to be the internal IP address hass.io uses for add-ons, so this must be the IP for my reverse proxy, which I have added to the configuration.yaml. However, no further changes.
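
Added example (not part of the thread and not Home Assistant's own code): a small Python check that pulls the "untrusted proxy" warnings out of a Home Assistant log like the one above and reports which proxy addresses a candidate trusted_proxies list does not yet cover. The sample log is constructed from the thread's warning line, and the 172.30.33.0/24 network is an illustrative value, not one taken from the thread.

```python
import ipaddress
import re

# Constructed sample: lines 1-2 follow the thread's log, line 3 is an
# invented repeat so the hit counter has something to count.
SAMPLE_LOG = """\
2020-10-18 19:46:07 WARNING (MainThread) [homeassistant.components.http.forwarded] Received X-Forwarded-For header from untrusted proxy 172.30.33.3, headers not processed
2020-10-18 19:46:07 INFO (MainThread) [homeassistant.components.netatmo.data_handler] Netatmo webhook successfully registered
2020-10-18 19:47:10 WARNING (MainThread) [homeassistant.components.http.forwarded] Received X-Forwarded-For header from untrusted proxy 172.30.33.3, headers not processed
"""

UNTRUSTED = re.compile(
    r"\[homeassistant\.components\.http\.forwarded\] Received X-Forwarded-For "
    r"header from untrusted proxy (?P<ip>[0-9a-fA-F:.]+),"
)


def untrusted_proxies(log_text):
    """Return {proxy_ip: hit_count} for every untrusted-proxy warning."""
    hits = {}
    for line in log_text.splitlines():
        match = UNTRUSTED.search(line)
        if match:
            ip = ipaddress.ip_address(match.group("ip"))
            hits[ip] = hits.get(ip, 0) + 1
    return hits


def missing_from_config(log_text, trusted_proxies):
    """List proxy IPs seen in the log that no trusted_proxies entry covers.

    trusted_proxies holds single addresses or CIDR networks as strings.
    """
    networks = [ipaddress.ip_network(entry, strict=False)
                for entry in trusted_proxies]
    return sorted(
        str(ip) for ip in untrusted_proxies(log_text)
        if not any(ip in net for net in networks)
    )


if __name__ == "__main__":
    # The original setting from the thread leaves the add-on proxy uncovered.
    print(missing_from_config(SAMPLE_LOG, ["127.0.0.1"]))
    # An entry covering the proxy's address clears the list.
    print(missing_from_config(SAMPLE_LOG, ["172.30.33.0/24"]))
```

Trusting a single proxy address rather than a wide network keeps the set of hosts allowed to supply X-Forwarded-For as small as possible, which matters when ip_ban_enabled relies on the forwarded client address.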

According to your logs you are obviously receiving webhook events.

At least the registration seemed to be working.


netatmo_events however is not listed in the developer tools.
And trying to listen to netatmo_event or netatmo_human is unsuccessful.
At least it does not receive any events, even though I am in front of the camera triggering a notification on the Netatmo app on my smartphone.

If you’re receiving the event about the registration being successful and the webhook is not being banned by Netatmo afterwards, I don’t see why you shouldn’t receive events when listening for them.

{'user_id': 'someotherhexvalues', 'user': {'id': 'someotherhexvalues', 'email': '[email protected]'}, 'push_type': 'webhook_activation'}

This is proof that the registration has been successful and the first actual webhook event.

You can listen for netatmo_event down in the events panel:

Yes I know, but neither is the netatmo_event listed under the available events, nor is it recording it when listening to it. Any idea what to look for when monitoring the network traffic?
I am thinking about monitoring a snippet using wireshark to then analyse if any communication of that webhook/netatmo_event is visible on my local network.

A data recording on my router was not very helpful, to me at least. I was able to find out that the camera contacted Netatmo when a person was detected, but I couldn’t make sense of the content as it is probably all secured. The same goes for the communication towards Home Assistant. I personally couldn’t make sense of the content sent to it. So I have no idea if the event was sent by the Netatmo dev app and if it was received by Home Assistant.
I only see within home assistant, that no event is shown. The webhook seems to be registered correctly now. The dev app is not banning it anymore.

Is there by any chance an idea left… I don’t know what to check…