Home Assistant Let's Encrypt failing

I'm trying to enable https on my Home Assistant server using the Let's Encrypt addon. The certbot fails to make a connection to port 80, but when I manually try to connect to it during the authentication process I first get a 404 status, but after a while a 200 status message becomes available for a short time (ACME client standalone challenge solver).

The Let's Debug page shows an All OK status for my server.

Why is the log showing a 404 error, although I can reach port 80 on the server manually?

My domain is:

http://homeassistant.aclicteur.be/

It produced this output:

s6-rc: info: service s6rc-oneshot-runner: starting
s6-rc: info: service s6rc-oneshot-runner successfully started
s6-rc: info: service fix-attrs: starting
s6-rc: info: service fix-attrs successfully started
s6-rc: info: service legacy-cont-init: starting
cont-init: info: running /etc/cont-init.d/file-structure.sh
cont-init: info: /etc/cont-init.d/file-structure.sh exited 0
s6-rc: info: service legacy-cont-init successfully started
s6-rc: info: service legacy-services: starting
services-up: info: copying legacy longrun lets-encrypt (no readiness notification)
s6-rc: info: service legacy-services successfully started
[18:47:57] INFO: Selected http verification
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for homeassistant.aclicteur.be
Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
  Domain: homeassistant.aclicteur.be
  Type:   unauthorized
  Detail: 178.119.81.60: Invalid response from http://homeassistant.aclicteur.be/.well-known/acme-challenge/P3I3RfPFcW-y7m10K0fDdSC2V-1BTgCRvtmWEtF_-_0: 404
Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
s6-rc: info: service legacy-services: stopping
s6-rc: info: service legacy-services successfully stopped
s6-rc: info: service legacy-cont-init: stopping
s6-rc: info: service legacy-cont-init successfully stopped
s6-rc: info: service fix-attrs: stopping
s6-rc: info: service fix-attrs successfully stopped
s6-rc: info: service s6rc-oneshot-runner: stopping
s6-rc: info: service s6rc-oneshot-runner successfully stopped

Hi @arnocl, and welcome to the LE community forum :slight_smile:

Let's have a look at the nginx config.
nginx -T

4 Likes

I can't seem to find the config in Home Assistant; the nginx command is not found over SSH. In Home Assistant I configured Let's Encrypt to use port 5080; during authentication I can reach this port manually without issues.

I access Home Assistant through a reverse proxy on my NAS, this is the config for this proxy:

# configuration file /etc/nginx/sites-enabled/server.ReverseProxy.conf:

server {
    listen 80;
    listen [::]:80;

    server_name homeassistant.aclicteur.be ;

    if ( $host !~ "(^homeassistant.aclicteur.be$)" ) { return 404; }

    proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;

    location / {
        proxy_connect_timeout 60;
        proxy_read_timeout 60;
        proxy_send_timeout 60;
        proxy_intercept_errors on;
        proxy_http_version 1.1;
        proxy_set_header        Host                 $http_host;
        proxy_set_header        X-Real-IP            $remote_addr;
        proxy_set_header        X-Forwarded-For      $proxy_add_x_forwarded_for;
        proxy_set_header        X-Forwarded-Proto    $scheme;
        proxy_pass http://192.168.1.131:5080;
    }

    location ^~ /.well-known/acme-challenge {
        root /var/lib/letsencrypt;
        default_type text/plain;
    }

    error_page 403 404 500 502 503 504 /dsm_error_page;

    location /dsm_error_page {
        internal;
        root /usr/syno/share/nginx;
        rewrite (.*) /error.html break;
        allow all;
    }

}

Then that is where you should get and use the TLS cert [in the proxy].
Why?
Because it is rather difficult to proxy HTTPS without a cert.

4 Likes

Thanks, I included the domain in Let's Encrypt in the proxy server, but now I get a 403 error. I enabled the necessary http entries in Home Assistant, but I am wondering if I am forgetting something? Do I need additional trusted proxies? Do I have to link to the ssl certificate and key in Home Assistant to enable https traffic? They now reside in my NAS, do I have to upload them to my Home Assistant server?

# Home Assistant configuration:
http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 192.168.1.0/24

Home Assistant HTTP integration

1 Like

HTTPS is more complicated than HTTP.
The proxy should have a certificate for the FQDN being proxied.

4 Likes

It has, all subdomains as well as the top level domain have certificates in my NAS. Other devices are perfectly accessible through https with the reverse proxy from the NAS, only Home Assistant gives an error.
I already had a gut feeling https was a bit more complicated...

If the proxy already has the cert, then you don't need one [for the Internet clients] on the Home Assistant system.

You can simply proxy the incoming HTTPS requests to HTTP://Your-HomeAssistant.

If you need to secure the internal clients, then that is a different problem.

4 Likes
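As an added example (not the poster's NAS config and not from anyone in the thread), this is the layout the replies above describe: the NAS proxy terminates TLS with the certificate it already holds, answers the ACME challenge itself, and forwards plain HTTP to Home Assistant. Assumed values are the certificate paths on the NAS and Home Assistant listening on 192.168.1.131:8123 (its default port).

```nginx
# Added example, not the poster's NAS config: TLS ends on the NAS proxy and
# Home Assistant is reached over plain HTTP, as advised above. Assumptions:
# certificate paths on the NAS, Home Assistant on 192.168.1.131:8123 (its
# default port); the domain is the one from the thread.

# Port 80: answer ACME HTTP-01 challenges on the proxy, redirect the rest.
server {
    listen 80;
    listen [::]:80;
    server_name homeassistant.aclicteur.be;

    # certbot --webroot -w /var/lib/letsencrypt writes the token files here,
    # so the challenge never has to reach Home Assistant or its add-on.
    location ^~ /.well-known/acme-challenge/ {
        root /var/lib/letsencrypt;
        default_type text/plain;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

# Port 443: the certificate lives on the proxy only.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name homeassistant.aclicteur.be;

    ssl_certificate     /path/on/nas/fullchain.pem;  # assumed path
    ssl_certificate_key /path/on/nas/privkey.pem;    # assumed path
    ssl_protocols TLSv1.2 TLSv1.3;  # no TLSv1/1.1, unlike the original proxy_ssl_protocols line

    location / {
        proxy_pass http://192.168.1.131:8123;  # assumed HA address:port
        proxy_http_version 1.1;
        # Home Assistant's UI relies on WebSockets; without Upgrade/Connection
        # the page loads but live state updates fail.
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host       $http_host;
        proxy_set_header X-Real-IP  $remote_addr;
        # HA only accepts these headers from addresses in trusted_proxies
        # with use_x_forwarded_for: true (the poster's 192.168.1.0/24 covers
        # a NAS on that subnet).
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

With this layout the certificate is requested on the NAS (for example with certbot's webroot authenticator against /var/lib/letsencrypt), and the Let's Encrypt add-on on Home Assistant is no longer needed.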

Thanks for your help. I managed to access Home Assistant using http as the reverse proxy protocol, https keeps giving a 403 error. Guess I just have to be happy with what I can get working.

1 Like

For some reason, it now works... Thanks for your help

1 Like
