HomeAssistant in a VM with External service app for Traefik access with SSL certificate

marrbacca

Cadet
Joined
Apr 14, 2022
Messages
7
Let me explain my current situation.
I have TrueNAS SCALE installed on a computer. I have configured a Cloudflare certificate and have a number of Apps running with Traefik as the proxy, using Ingress to be able to access those apps with SSL - all of that works perfectly.

I installed HomeAssistant in a VM using this excellent tutorial from the HA community: https://community.home-assistant.io...n-freenas-without-iocage-or-docker/133738/127 (I selected this method, as it allows using the HA supervisor and plug-ins).
Home Assistant is working very well, and I can access it using the VM IP address.

I would like to be able to access the Home Assistant VM using a domain name instead of the IP.

I have installed the External Service app, set it up with an External Service IP pointing to the VM IP, and enabled ingress with my domain and the "/" path, with the Cloudflare certificate.
It seemed to work: when I accessed ha.domain.com it showed the HomeAssistant logo, but after a while it ended with an error.
I checked the Developer tools in the browser and noticed 2 things:
* Some of the requests ended with NET::ERR_FAILED for network connectivity (manifest.json and the wss://ha.domain.com websocket requests)
* More strangely, some of the requests ended with NET::ERR_CERT_AUTHORITY_INVALID.

I investigated the second issue more, as it seemed a little strange, and force-refreshing the URL ha.domain.com/lovelace a few times DID show the incorrect-certificate error, with the browser showing the local Traefik certificate being used instead of the Cloudflare one.

Has anyone encountered such strange behaviour? Is there a way to fix it, so that the certificate is always used and there are no network errors?
 

soleous

Dabbler
Joined
Apr 14, 2021
Messages
30
Hello,

For your reverse proxy issues, do you have trusted_proxies in your HA configuration (https://www.home-assistant.io/integrations/http/)? I also enable use_x_forwarded_for.

Also, do you have a certificate on the HA? It could be chain-related between the reverse proxy and HA.

Although unrelated I wanted to make a couple of comments on your breakdown.

That thread appears to be for TrueNAS CORE, not SCALE; although I haven't read it all, I don't see the need or point. There are cow/kvm files available for Home Assistant OS, so I would suggest using them for SCALE, as SCALE uses KVM.

Personally, I don't like HAOS, so I do a clean install on Debian, which is supported (https://www.home-assistant.io/more-info/unsupported/os/). Even for CORE, I'd take the Debian approach. I don't think this is related to your problems but wanted to point this out in case it is, or to save some weird and wonderful issues in the future.
 

truecharts

Guru
Joined
Aug 19, 2021
Messages
788
It's important to note that the External-Service App is one of ours, which is kind of important to mention, as we have our own support channels.
It's still a bit of a "hit or miss" App, so your mileage with your specific use case might vary.
 

marrbacca

Cadet
Joined
Apr 14, 2022
Messages
7
Thanks for all your replies!
@truecharts - true, the External-Service app is one of yours; the problem here is that there are a lot of interconnecting things, so I wanted to try community support on the whole of TrueNAS first before going into the TrueCharts support channels.
To be fair, I'm not sure whether the issue is External-Service, Traefik, the VM with HomeAssistant, networking(?)...

@soleous
do you have trusted_proxies in your configuration on HA (https://www.home-assistant.io/integrations/http/)? I also enable use_x_forwarded_for.
I do have both. My configuration.yml file with the http config is below (maybe I'm missing some trusted_proxies?...)
Code:
http:
  base_url: "https://ha.domain.com"   # deprecated in current HA in favour of external_url/internal_url
  server_port: 8123
  use_x_forwarded_for: true
  trusted_proxies:
    - 0.0.0.0/0
    - 127.0.0.1
    - 192.168.1.1    # Gateway (YAML comments use '#'; '//' would become part of the value)
    - 192.168.1.101  # IP of HA VM
    - 192.168.1.100  # IP of TrueNAS host


Also, do you have a certificate on the HA? it could be chain-related between reverse proxy and HA.
That I do not have. How would I set up a certificate from Traefik in HA? Based on the return codes it looks like it's only Traefik returning certificates - either the correct Cloudflare one OR the incorrect internal Traefik one.

That thread appears to be for truenas core not scale, although I haven't read it all, I don't see the need or point. There are cow/kvm files available for home assistant OS, so I would suggest using them for SCALE as SCALE uses KVM.
This is TrueNAS SCALE, and I have installed HA using the cow files in a VM on TrueNAS.

Personally, I don't like the HAOS so I do a clean install on Debian,
Sure thing. I went with HAOS because I don't really need a full-control Linux machine - this VM will serve only HA purposes and nothing else. Of course, it might be that the HAOS image is causing issues and Debian with HA would not - I might check it out later.
 

truecharts

Guru
Joined
Aug 19, 2021
Messages
788
To be clear: our support is also open community support and not just limited to our staff ;-)

But good luck to you figuring this out! :)
 

soleous

Dabbler
Joined
Apr 14, 2021
Messages
30
@marrbacca regarding trusted_proxies: I wouldn't recommend 0.0.0.0/0, and you shouldn't need localhost, the gateway, or HA itself. However, as you are using 0.0.0.0/0, that is all networks, so for testing that eliminates this as the issue.

I don't use Traefik or Cloudflare certificates but do use Nginx. You may need to look at the proxy configuration on the header side, like Upgrade and Connection. Sorry, I cannot be of more use here; it will be Traefik-specific configuration.

Regarding the certificate, try Let's Encrypt on Home Assistant.
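To make the trusted_proxies point concrete, here is an added example (my own code, not Home Assistant's and not from this thread) that models, in simplified form, how the http integration turns X-Forwarded-For into a client address, using the addresses from the thread plus RFC 5737 documentation addresses as constructed inputs:

```python
# Added example, not code from the thread or from Home Assistant itself: a
# simplified model of how HA's http integration resolves the client address
# from X-Forwarded-For, showing why trusted_proxies: 0.0.0.0/0 is a weak setting.
import ipaddress


def resolve_client_ip(peer_ip, x_forwarded_for, trusted_proxies,
                      use_x_forwarded_for=True):
    """Return the address HA would treat as the client, or raise PermissionError
    where HA answers 400 Bad Request.  Simplified model:
    - no X-Forwarded-For header: the TCP peer is the client;
    - header present but use_x_forwarded_for off, or peer not a trusted proxy: 400;
    - otherwise walk the header from the right, skipping trusted proxy hops; the
      first untrusted hop is the client; if every hop is trusted, use the leftmost.
    """
    if not x_forwarded_for:
        return peer_ip
    if not use_x_forwarded_for:
        raise PermissionError("400: X-Forwarded-For received but use_x_forwarded_for is off")
    trusted = [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]

    def is_trusted(addr):
        return any(addr in net for net in trusted)

    if not is_trusted(ipaddress.ip_address(peer_ip)):
        raise PermissionError(f"400: X-Forwarded-For from untrusted peer {peer_ip}")
    hops = [ipaddress.ip_address(h.strip()) for h in x_forwarded_for.split(",")]
    for hop in reversed(hops):
        if not is_trusted(hop):
            return str(hop)
    return str(hops[0])


def rejected(peer_ip, x_forwarded_for, trusted_proxies):
    """True if the model answers 400 for this request."""
    try:
        resolve_client_ip(peer_ip, x_forwarded_for, trusted_proxies)
        return False
    except PermissionError:
        return True


# Weak list posted in the thread: 0.0.0.0/0 makes every peer a "trusted proxy".
WEAK = ["0.0.0.0/0", "127.0.0.1", "192.168.1.1", "192.168.1.101", "192.168.1.100"]
# Tightened list: only the TrueNAS host where Traefik runs (address from the thread).
TIGHT = ["192.168.1.100"]


def forged_header_result(trusted_proxies):
    """A request that reaches port 8123 without passing through Traefik, from
    203.0.113.5, carrying a forged X-Forwarded-For claiming 127.0.0.1."""
    return resolve_client_ip("203.0.113.5", "127.0.0.1", trusted_proxies)
```

With WEAK the forged header is believed and HA logs the client as 127.0.0.1; with TIGHT the same request is rejected with 400, while a request relayed by Traefik from 192.168.1.100 still resolves to the real client.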
 

marrbacca

Cadet
Joined
Apr 14, 2022
Messages
7
Hello
FYI - I have found the problem.
When I created the CSR and certificate on TrueNAS I only created it for *.ha.domain.com and not ha.domain.com - and this seemed to cause all the issues.
When I created a certificate for the main domain and set it up in the External-Service app, it started showing the correct certificate for all requests, and HA started working.

@soleous - thank you very much for the responses - I will adjust the trusted proxies; I had all of them added as I thought those might have been the cause of the issue.
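The root cause above is the wildcard rule browsers apply when matching a certificate name: `*.ha.domain.com` matches exactly one extra label, so it never covers the bare `ha.domain.com`. The following is an added example (my own code, not from the thread) implementing that rule over constructed SAN lists, and it goes beyond the thread's case by also showing that a wildcard does not cover deeper subdomains:

```python
# Added example, not code from the thread: the hostname-matching rule that made
# a *.ha.domain.com certificate fail for ha.domain.com.  Implements the wildcard
# rule as browsers apply it (RFC 6125 6.4.3, restricted: '*' must be the whole
# leftmost label and stands in for exactly one label).  SAN lists are constructed.


def name_matches(san_name: str, hostname: str) -> bool:
    """True if a DNS subjectAltName entry covers hostname (case-insensitive)."""
    san = san_name.lower().rstrip(".")
    host = hostname.lower().rstrip(".")
    if san == host:
        return True
    san_labels = san.split(".")
    host_labels = host.split(".")
    # Wildcard only as the entire leftmost label, and never in the last two labels.
    if san_labels[0] != "*" or len(san_labels) < 3:
        return False
    # '*' replaces exactly one label, so label counts must agree.
    if len(san_labels) != len(host_labels) or not host_labels[0]:
        return False
    return san_labels[1:] == host_labels[1:]


def cert_covers(san_names, hostname: str) -> bool:
    """True if any SAN entry on the certificate matches the requested host."""
    return any(name_matches(n, hostname) for n in san_names)


def uncovered_hosts(san_names, hostnames):
    """Hostnames this certificate cannot be served for.  When Traefik has no
    certificate matching the requested name it falls back to its default one,
    which is consistent with the NET::ERR_CERT_AUTHORITY_INVALID seen in the thread."""
    return [h for h in hostnames if not cert_covers(san_names, h)]


# The certificate as first issued in the thread (wildcard only).
WILDCARD_ONLY = ["*.ha.domain.com"]
# The fix: the bare hostname listed explicitly alongside the wildcard.
FIXED = ["ha.domain.com", "*.ha.domain.com"]
HOSTS = ["ha.domain.com", "api.ha.domain.com", "deep.api.ha.domain.com"]

if __name__ == "__main__":
    print("wildcard-only cert leaves uncovered:", uncovered_hosts(WILDCARD_ONLY, HOSTS))
    print("fixed cert leaves uncovered:", uncovered_hosts(FIXED, HOSTS))
```

Against a live server, `openssl s_client -connect ha.domain.com:443 -servername ha.domain.com` shows which certificate Traefik actually presents for that SNI name, so you can compare its SAN list with what the browser expects.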
 

th3fallen

Dabbler
Joined
Sep 27, 2022
Messages
11
@marrbacca did you ever get this working?? I'm having a really hard time with it atm
 

marrbacca

Cadet
Joined
Apr 14, 2022
Messages
7
Yes, as said - my problem was that the *.ha.domain.com wildcard certificate was not correctly served on the main domain ha.domain.com.
Creating a new certificate for the main domain solved the issue, and the External Service app with HA installed in a VM is correctly accessible under the domain.
 

marrbacca

Cadet
Joined
Apr 14, 2022
Messages
7
I haven't yet got into restricting the access - this is very much a test machine, so my http config still looks like this:
Code:
http:
  base_url: "https://ha.domain.com"
  server_port: 8123
  use_x_forwarded_for: true
  trusted_proxies:
    - 0.0.0.0/0
    - 127.0.0.1
    - 192.168.1.1
    - 192.168.1.101
    - 192.168.1.100


My External-Service app configuration:
[screenshots of the External-Service app configuration]
 

marrbacca

Cadet
Joined
Apr 14, 2022
Messages
7
This is quite strange. Are you able to access HA using the IP?
You can try confirming whether you can see your HA domain correctly (something like the following screenshot):
[screenshot]

but otherwise unfortunately I'm not sure what might be wrong. You might be better off trying the TrueCharts Discord, or maybe creating a new post here...
 

th3fallen

Dabbler
Joined
Sep 27, 2022
Messages
11
Yep, I see it there just fine...
[screenshot]
Really wild issue, thanks for your help nonetheless!
 

pommster

Cadet
Joined
Dec 11, 2022
Messages
9
Resurrecting this thread... @th3fallen did you get this sorted out? I am running into the same issue trying to set up Apache on an Ubuntu VM. I am getting a gateway timeout issue too. I thought maybe it was because at first Apache was only listening on IPv6, so I corrected that, but I'm still not having any luck.
 

pommster

Cadet
Joined
Dec 11, 2022
Messages
9
Okay, I have fixed it. I am running OPNsense as my router/firewall. I looked at the firewall logs and I could see traffic to my VM from the TrueNAS IP address with a random source port, as expected. I had the thought that the gateway timeout was the reply from the web server timing out, so I set up a firewall rule - a NAT outbound rule -

Interface: LAN
Source: TrueNAS server address
Destination Port: web server TLS port

That seems to have brought the web server up and available to the internet. Tested by switching off the rule, and I got the gateway timeout again.

So worth a try if you are using OPNsense or pfSense as your router.
 

r_tn

Cadet
Joined
Mar 10, 2023
Messages
3
@th3fallen @marrbacca
I am stuck at the exact same spot and I have tried many times over. I even read your post like 100 times but I'm still not getting anywhere. Can either of you please help guide me? Thanks
 

NightEncoder

Cadet
Joined
Mar 27, 2023
Messages
2
Responding just on the off chance anyone else finds this thread: if you're trying to do this and having issues with bad gateway, you likely need to set up a network bridge before it will work; something to do with VMs not being able to access apps on TrueNAS SCALE. Without a network bridge it doesn't seem to work and you end up with a 502 network error.
 

NightEncoder

Cadet
Joined
Mar 27, 2023
Messages
2
Follow-up: if you're receiving a 400 error or a 404 (it'll be one of the two), it'll most likely be your trusted proxies in the Home Assistant configuration.yaml.
 