Letsencrypt Datenschutzfehler / ERR_CERT_AUTHORITY_INVALID

Hi everyone,

I’ve been running an OH4 installation (openHABian) on a Pi4 quite successfully. After recurring problems with the KNX bridge I decided to set everything up again from scratch.

So after freshly flashing the SD card with openHABian and restoring the backup, with everything working fine, I set up the nginx reverse proxy like before.

But now, when I try to connect to my installation via SSL, I always get ERR_CERT_AUTHORITY_INVALID in my browser, and the openHAB app also doesn’t connect to the remote server. I tried the following:

  • searching the web intensively, including here; if I overlooked a thread, I’m happy to receive a hint

  • reinstalling everything again like described above

  • successfully renewing the certificate using certbot

  • successfully testing Nginx

and still it doesn’t work! All other connections (unencrypted HTTP, SSH-Sessions…) work just fine!

Certbot says:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Your existing certificate has been successfully renewed, and the new certificate
has been installed.

The new certificate covers the following domains:
https://[mydomain]
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/[mydomain]/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/[mydomain]/privkey.pem
   Your certificate will expire on 2024-06-01. To obtain a new or
   tweaked version of this certificate in the future, simply run
   certbot again with the "certonly" option. To non-interactively
   renew *all* of your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

and the output for

nginx -t

is just

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Any ideas, anyone?

Hi,
So, assuming you have already looked in that location, seen the files, and confirmed that the path you specified in nginx.conf is exactly right?
And assuming you have checked the permissions on the directory holding those files and ensured that the user running nginx has at least read permission on that directory and the files in it?
Then you need to check that you did not forget to comment out (put “#” in front of) the default cert path that is used for the other entries, like the self-signed certs, when you uncommented the path for the Let's Encrypt certs. Nginx will take the first path it sees for the cert location.
The other question is: what browser are you using to access the URL?
And obviously restarting the box to ensure nginx read the updated configuration is also a good idea.
I have seen times when just restarting the nginx service alone did not pick up all my changes.

It would be helpful if you looked at the cert being served by nginx in your browser; in Chrome this is the warning in the URL bar, where you click “Site is not secure” → “Certificate is not valid” and then report the info printed there.

Assuming you also reloaded / restarted nginx?

(sudo) nginx -s reload
or
(sudo) systemctl restart nginx

Otherwise provide the info Dan requested; in general nginx reloads the certificates at service start.

Hey digitaldan,

thank you for your time! My Chrome says this:

Does this tell you anything?

Hey thanks for the hint, I tried both - nothing changed

Actually, the setup of nginx happened completely automatically: I used the tool openhabian-conf for the setup, and last time it worked just fine. But I took a look into the config and saw that the paths and files should be correct… Restarting doesn’t change anything. Thank you anyway for your time and help.

What you posted shows you are using the self-signed certificate, so it does not appear you have uncommented the Let's Encrypt path in the correct conf file, and you still have the path for the self-signed certificate active. Can you post the section of your nginx conf file relevant to your listening port (obviously *** out any sensitive info)?
Or you are not pointing at the nginx instance and are resolving to your openHAB install.
Either way, your browser is complaining about the fact that it cannot find a Root Certificate Authority named openhab.org in its cert store.
And you are NOT presenting your Let's Encrypt certificate to the browser to secure the https connection.

Thank you, man!

That brings me a little closer to a solution. However, in the openhab-related part (which is included via

include /etc/nginx/sites-enabled/*;

in the nginx.conf, I cannot find any references to other certificates than the correct ones. Seems like I’m overlooking something important. This is the file:

##################################
# openHABian NGINX Configuration #
##################################


## Forward proxy
## Configure <server>:8888 as a manual (forward) proxy in your browser
## Access any local device in a *remote* (Tailscale VPN) location by target IP

server {
#    listen       8888;

    location / {
#VPN        resolver 100.100.100.100;           # use default Tailscale nameserver
#        proxy_pass https://$http_host$request_uri;
        proxy_pass http://$http_host$uri$is_args$args;
    }
}


## Redirection
 server {
    if ($host = [my.domain]) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


#   listen                          80;
   server_name                     [my.domain];
   return 301                      https://$server_name$request_uri;
 

}

## Reverse Proxy to openHAB
server {
#    listen                          80;
   listen                          443 ssl;
    server_name                     [my.domain];
   add_header                      Strict-Transport-Security "max-age=31536000; includeSubDomains";

    # Cross-Origin Resource Sharing.
    add_header 'Access-Control-Allow-Origin' '*' always; # make sure that also a 400 response works
    add_header 'Access-Control-Allow_Credentials' 'true' always;
    add_header 'Access-Control-Allow-Headers' 'Authorization,Accept,Origin,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range' always;
    add_header 'Access-Control-Allow-Methods' 'GET,POST,OPTIONS,PUT,DELETE,PATCH' always;
    add_header Set-Cookie X-OPENHAB-AUTH-HEADER=1;

## Secure Certificate Locations
    ssl_certificate /etc/letsencrypt/live/[my.domain]/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/[my.domain]/privkey.pem; # managed by Certbot


    location / {
        proxy_pass                              http://localhost:8080/;
        proxy_set_header Host                   $http_host;
        proxy_set_header X-Real-IP              $remote_addr;
        proxy_set_header X-Forwarded-For        $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto      $scheme;
        proxy_read_timeout 3600;

        proxy_set_header Authorization "";

## Password Protection
       auth_basic                              "Username and Password Required";
       auth_basic_user_file                    /etc/nginx/.htpasswd;
    }

## Let's Encrypt webroot location
   location /.well-known/acme-challenge/ {
       root                                    /var/www/[my.domain];
   }


}

# vim: filetype=conf

Just taking a quick glance at what you posted, I would think that nginx would not start correctly, since you have a server block defined but you have commented out the listen port.

## Redirection
 server {
    if ($host = [my.domain]) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


#   listen                          80;
   server_name                     [my.domain];
   return 301                      https://$server_name$request_uri;
 

}

That should be throwing an error and preventing nginx from running.
Are you sure you posted the actual nginx.conf that you have active?
Are you also sure your nginx service is running?
Keep in mind nginx will process any and all conf files that are located in the sites-enabled folder or conf.d when running as a service.
NGINX configures the server when it starts up based on configuration files. The location of the default setup is /etc/nginx/sites-enabled/default. To allow NGINX to proxy openHAB, you need to change this file (make a backup of it in a different folder first).

Okay, I found the solution; actually it was my fault, so a layer 8 problem :melting_face:

In my firewall (on a Fritz Box) I forwarded to port 8443 instead of 443, which led to the https traffic being redirected to the openHAB interface that is meant for local area access (i.e. from the LAN). That is also the reason why only openHAB’s self-signed certificate has been “seen” from the outside and not my Let's Encrypt certificate.

I forwarded my external port to 443 of my openHAB instance, and everything works fine now. Thank you all very much for your time and great help!

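The advice above to look at the certificate the browser actually receives, and the eventual finding that the port forward pointed at 8443 (openHAB's own self-signed listener) instead of nginx on 443, both come down to one check: fetch the certificate presented on the external port and compare it with the leaf in certbot's fullchain.pem. The script below does that. It is an added example, not code from the original thread or from openHABian; the host name, the ports, the fullchain path and the file name are assumptions for illustration, and the sample "certificates" at the bottom are constructed stand-ins so the comparison logic can run offline.

```python
"""Check which certificate an external port actually presents and compare it with
the certbot-issued leaf.  Added example, not code from the original thread or from
openHABian; the host name, ports and fullchain path are assumptions for illustration."""
import hashlib
import re
import socket
import ssl
import sys

_PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def leaf_der_from_fullchain(pem_text: str) -> bytes:
    """certbot's fullchain.pem lists the leaf first, then the intermediates;
    return only the leaf, DER-encoded."""
    match = _PEM_BLOCK.search(pem_text)
    if match is None:
        raise ValueError("no PEM certificate block found")
    return ssl.PEM_cert_to_DER_cert(match.group(0))


def sha256_fingerprint(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()


def fetch_served_der(host: str, port: int, sni: str = "", timeout: float = 5.0) -> bytes:
    """Return the DER certificate the server at host:port presents.
    Verification is disabled on purpose: the point is to see what is served
    even when the browser (rightly) refuses to trust it."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni or host) as tls:
            return tls.getpeercert(binary_form=True)


def diagnose(served_der: bytes, fullchain_pem: str) -> dict:
    """Compare what was served with the certbot leaf.  A mismatch means the
    traffic never reached the nginx server block that holds the Let's Encrypt
    cert (wrong port forward, wrong server block, or another listener entirely)."""
    expected = sha256_fingerprint(leaf_der_from_fullchain(fullchain_pem))
    got = sha256_fingerprint(served_der)
    return {
        "served_sha256": got,
        "expected_sha256": expected,
        "verdict": "match" if got == expected else "mismatch",
    }


# Constructed sample data so the comparison logic can be exercised offline.
# Real certificates are ASN.1 DER; these stand-ins only need to be valid base64.
SAMPLE_FULLCHAIN = (
    "-----BEGIN CERTIFICATE-----\nbGVhZg==\n-----END CERTIFICATE-----\n"          # b"leaf"
    "-----BEGIN CERTIFICATE-----\naW50ZXJtZWRpYXRl\n-----END CERTIFICATE-----\n"  # b"intermediate"
)
SAMPLE_SELF_SIGNED_DER = b"openhab-self-signed"  # stands in for the cert served on 8443


if __name__ == "__main__":
    # Assumed usage: python3 check_served_cert.py my.domain 443 8443
    host = sys.argv[1]
    ports = [int(p) for p in sys.argv[2:]] or [443]
    with open(f"/etc/letsencrypt/live/{host}/fullchain.pem") as f:  # assumed certbot path
        chain = f.read()
    for port in ports:
        result = diagnose(fetch_served_der(host, port), chain)
        print(f"{host}:{port} -> {result['verdict']} "
              f"(served {result['served_sha256'][:16]}..., "
              f"expected {result['expected_sha256'][:16]}...)")
```

Run it from outside the LAN against the public name: if 443 reports "mismatch" while the fingerprint it shows equals the one served on 8443, the forward is landing on openHAB's own TLS listener rather than on nginx, which is exactly the situation resolved in the thread. The same check from a shell is `openssl s_client -connect my.domain:443 -servername my.domain </dev/null | openssl x509 -noout -issuer -fingerprint -sha256`, compared with `openssl x509 -in fullchain.pem -noout -fingerprint -sha256`.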