{"id":466,"date":"2023-04-03T20:13:06","date_gmt":"2023-04-03T18:13:06","guid":{"rendered":"https:\/\/jbsoft.nl\/site\/?p=466"},"modified":"2023-04-03T20:39:09","modified_gmt":"2023-04-03T18:39:09","slug":"home-assistant-haproxy-letsencrypttransip","status":"publish","type":"post","link":"https:\/\/jbsoft.nl\/site\/home-assistant-haproxy-letsencrypttransip\/","title":{"rendered":"Home Assistant + `haproxy` +`LetsEncrypt`+TransIP"},"content":{"rendered":"\n

This post is about my (positive) experience with haproxy<\/code> as reverse proxy for Home Assistant. Remote access is need if youw want to access Home Assistant from outside of your home network.<\/p>\n\n\n\n

\n

As prerequisite we will also need to forward port 443<\/code>(https) in our router\/firewall to system used and make sure we have a valid DNS A\/AAAA or CNAME record set up pointing to the Public IP address that is used to forward.<\/p>\n<\/blockquote>\n\n\n\n

As I wanted to have LetsEncrypt<\/code> certificates being enrolled using a DNS Challenge<\/a>. For this I have used a Raspberry Pi 3b board with Rasbian (Debian) installed. Futher I installed<\/a> docker<\/code>, and haproxy<\/code>.<\/p>\n\n\n\n

Installing the haproxy<\/code> package is as simple as:<\/p>\n\n\n\n

sudo apt update<\/code> and sudo apt install haproxy<\/code><\/p>\n\n\n\n

\n

As prerequisite we will also need to forward port 443<\/code>(https) in our router\/firewall to system used and make sure we have a valid DNS A\/AAAA or CNAME record set up pointing to the Public IP address that is used to forward.<\/p>\n<\/blockquote>\n\n\n\n

LetsEncrypt<\/code> with DNS-01 challenge and TransIP API<\/h2>\n\n\n\n

My Internet domain are managed by TransIP<\/a>, and DNS access has API support<\/a>. In the portal you can create an API key and whitelist the IP-adresses that you want to use for DNS accesses. We use this API to enroll LetsEncrypt<\/code> certificates. Big advantage is that we can enroll wild card certificates or certificates with internal names we do not want to expose on the Internet, and we do not need to open port 80!<\/p>\n\n\n\n

For the enrollment of certificates with LetsEncrypt<\/code> via the TransIP API I used the docker image (rbongers\/certbot-dns-transip) of Roy Bongers<\/a> that has all functionality in it.<\/p>\n\n\n\n

Setting up LetsEncrypt<\/code><\/h3>\n\n\n\n

First create the folders \/etc\/letsencrypt<\/code>, \/var\/log\/letsencrypt<\/code> and \/etc\/transip<\/code>.<\/p>\n\n\n\n

Create as root<\/code> file config.php<\/code> in \/etc\/transip<\/code>. Use the link below for the template:<\/p>\n\n\n\n

https:\/\/gist.github.com\/jbouwh\/3b6042ed4ca1189e1f37d0f8ff7274e5#file-config-php-L1-L17<\/a><\/p>\n\n\n\n

You need to paste in the obtained TransIP API key and your TransIP username.<\/p>\n\n\n\n

Make sure you secure your key file with sudo chmod 400 \/etc\/transip\/config\/php<\/code> so that is read-only for root.<\/p>\n\n\n\n

To setup the certificate for the first time we create a bash script (I placed it in \/usr\/local\/sbin<\/code>):<\/p>\n\n\n\n

https:\/\/gist.github.com\/jbouwh\/3b6042ed4ca1189e1f37d0f8ff7274e5#file-certinit-bash-L1-L10<\/a><\/p>\n\n\n\n

Replace the `–cert-name` and the wild card domain (-d certname.example.com<\/code>), and replace the domain with any domain name you own. You can use the -d<\/code> parameter multiple times. For each domain a dns-challenge will be created.<\/p>\n\n\n\n

Make sure the script is executable chmod +x certinit.bash<\/code>.<\/p>\n\n\n\n

Now run certinit.bash<\/code> . It will download the image and start a docker for the set-up. This is interactive, you will be asked some questions like your email adress.<\/p>\n\n\n\n

root@docker01:\/usr\/local\/sbin# certinit.bash\nUnable to find image 'rbongers\/certbot-dns-transip:latest' locally\nlatest: Pulling from rbongers\/certbot-dns-transip\n330ad28688ae: Pull complete\n882df4fa64e9: Pull complete\n07e271639575: Pull complete\n2d60c5e17079: Pull complete\nf54b294a6f71: Pull complete\n6f27ea6ab430: Pull complete\n0c8c5a3cd6a8: Pull complete\n6436ec8cd157: Pull complete\n350482e0cef8: Pull complete\nfcb8169b6442: Pull complete\nba9658959877: Pull complete\nb9d5ffb589b1: Pull complete\na368f8fc57ed: Pull complete\nDigest: sha256:faec7bc102edf00237041fbce8030249fb55f300da76b637660384c353043bff\nStatus: Downloaded newer image for rbongers\/certbot-dns-transip:latest\nSaving debug log to \/var\/log\/letsencrypt\/letsencrypt.log\nPlugins selected: Authenticator manual, Installer None\nEnter email address (used for urgent renewal and security notices)\n (Enter 'c' to cancel): user@example.com<\/strong> (your email adres)\n\n\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\nPlease read the Terms of Service at\nhttps:\/\/letsencrypt.org\/documents\/LE-SA-v1.3-September-21-2022.pdf. You must\nagree in order to register with the ACME server. Do you agree?\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n(Y)es\/(N)o: Y<\/strong>\n\n\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\nWould you be willing, once your first certificate is successfully issued, to\nshare your email address with the Electronic Frontier Foundation, a founding\npartner of the Let's Encrypt project and the non-profit organization that\ndevelops Certbot? We'd like to send you email about our work encrypting the web,\nEFF news, campaigns, and ways to support digital freedom.\n- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -\n(Y)es\/(N)o: N<\/strong>\n\nAccount registered.\nRequesting a certificate for xxxxxx <\/strong>and yyyyy<\/strong>\nPerforming the following challenges:\ndns-01 challenge for xxxxx<\/strong>\ndns-01 challenge for yyyyy<\/strong>\nRunning manual-auth-hook command: \/opt\/certbot-dns-transip\/auth-hook\nOutput from manual-auth-hook command auth-hook:\n[2023-03-31 08:32:03.596791] INFO: Creating TXT record for _acme-challenge with challenge 'FfGM5VPKWKkwR-6ggUhlpoZlQ5-vPGK-JIy25tekb_E' [] []\n[2023-03-31 08:32:06.782752] INFO: Waiting until nameservers (ns0.transip.net, ns1.transip.nl, ns2.transip.eu) are up-to-date [] []\n[2023-03-31 08:32:08.625219] INFO: All nameservers are updated! [] []\n\nRunning manual-auth-hook command: \/opt\/certbot-dns-transip\/auth-hook\nOutput from manual-auth-hook command auth-hook:\n[2023-03-31 08:32:09.659195] INFO: Creating TXT record for _acme-challenge with challenge 'lP_hQVRODhVCiglLiNSZvNky9voGChnTyo407N_xRU4' [] []\n[2023-03-31 08:32:12.628115] INFO: Waiting until nameservers (ns0.transip.net, ns1.transip.nl, ns2.transip.eu) are up-to-date [] []\n[2023-03-31 08:32:13.659641] INFO: All nameservers are updated! [] []\n\nWaiting for verification...\nCleaning up challenges\nRunning manual-cleanup-hook command: \/opt\/certbot-dns-transip\/cleanup-hook\nOutput from manual-cleanup-hook command cleanup-hook:\n[2023-03-31 08:32:16.459605] INFO: Cleaning up record _acme-challenge with value 'FfGM5VPKWKkwR-6ggUhlpoZlQ5-vPGK-JIy25tekb_E' [] []\n\nRunning manual-cleanup-hook command: \/opt\/certbot-dns-transip\/cleanup-hook\nOutput from manual-cleanup-hook command cleanup-hook:\n[2023-03-31 08:32:20.031682] INFO: Cleaning up record _acme-challenge with value 'lP_hQVRODhVCiglLiNSZvNky9voGChnTyo407N_xRU4' [] []\n\n\nIMPORTANT NOTES:\n - Congratulations! Your certificate and chain have been saved at:\n   \/etc\/letsencrypt\/live\/xxxxxx<\/strong>\/fullchain.pem\n   Your key file has been saved at:\n   \/etc\/letsencrypt\/live\/xxxxxx<\/strong>\/privkey.pem\n   Your certificate will expire on 202x-mm-ss<\/strong>. To obtain a new or\n   tweaked version of this certificate in the future, simply run\n   certbot again. To non-interactively renew *all* of your\n   certificates, run \"certbot renew\"\n - If you like Certbot, please consider supporting our work by:\n\n   Donating to ISRG \/ Let's Encrypt:   https:\/\/letsencrypt.org\/donate\n   Donating to EFF:                    https:\/\/eff.org\/donate-le\n<\/code><\/pre>\n\n\n\n
Your certificate will be created \/etc\/letsencrypt\/live\/{certname}<\/code>.<\/p>\n\n\n\n
Set up auto enrollment<\/h3>\n\n\n\n
We want to auto renew the certificate and update haproxy<\/code> to use the new certificate. The haproxy<\/code> certificate will placed at \/etc\/haproxy\/cert.pem<\/code>. To enroll I made a bash script certrenew.bash<\/code>:<\/p>\n\n\n\n
https:\/\/gist.github.com\/jbouwh\/3b6042ed4ca1189e1f37d0f8ff7274e5#file-certrenew-bash-L1-L68<\/a><\/p>\n\n\n\n
Make sure you adjust the basecert<\/code> parameter in the script. and place it as certrenew<\/code> in \/usr\/local\/bin\/sbin<\/code> and make it executable with sudo chmod + x \/etc\/local\/sbin\/certrenew<\/code>.<\/p>\n\n\n\n
We need to run certrenew<\/code> a first time to make sure the haproxy<\/code> cert is created.<\/p>\n\n\n\n
To make sure it runs every day somewhere between 11pm and midnight we create a cronfile (`\/etc\/cron.d\/certrenew`) for it (see link).<\/p>\n\n\n\n
https:\/\/gist.github.com\/jbouwh\/3b6042ed4ca1189e1f37d0f8ff7274e5#file-certrenew-cron-L1-L9<\/a>.<\/p>\n\n\n\n
\n
Restart cron sudo systemctl restart cron<\/code><\/p>\n<\/blockquote>\n\n\n\n
When the script executes, it will check if the certificate will be expired within 30 days, in that case a new certificate is requested. If the process was successful it will update the certificate and restart haproxy<\/code> with the new certificate.<\/p>\n\n\n\n
Now we are all set, make sure you check the logs to see the whole setup is working correctly.<\/p>\n\n\n\n
Set up haproxy<\/code><\/h2>\n\n\n\n
As a last step now can set up haproxy<\/code> (\/etc\/haproxy\/haproxy.cfg<\/code>) using the new certificate. <\/p>\n\n\n\n
You can use https:\/\/gist.github.com\/jbouwh\/3b6042ed4ca1189e1f37d0f8ff7274e5#file-haproxy-cfg-L1-L61<\/a> as a template for your configuration. You need to change the DNS names and internal IP-address of your backend. In my case I used a Raspberry PI with a SD card and switched off logging to ensure the SD card lasts longer. If you have an SSD attached you can change the logging .<\/p>\n\n\n\n
Make sure you also install \/etc\/haproxy\/dhparam.pem<\/code> (see the comment at the last line of the config file on how to obtain it).<\/p>\n\n\n\n
In the example config I have enabled the stats page at https:\/\/{your_domain_name}\/stats<\/code>. You can use this page to see the stats. acl network_allowed_src src<\/code> is used to secure that the page is only accessible from internal IP adresses. Make sure you fill in the correct IP-ranges that should have access.<\/p>\n\n\n\n
If you are ready you can test the config file with:<\/p>\n\n\n\n
haproxy -f \/etc\/haproxy\/haproxy.cfg -c<\/code><\/span><\/p>\n\n\n\n
If that is okay, you are all set. Restart haproxy<\/code> to load the new config using: sudo systemctl restart haproxy<\/code>.<\/p>\n\n\n\n
Now you can access Home Assistant from out side. Make sure to set up two-factor-authentication <\/a>to secure the access to your network.<\/p>\n","protected":false},"excerpt":{"rendered":"
This post is about my (positive) experience with haproxy as reverse proxy for Home Assistant. Remote access is need if youw want to access Home Assistant from outside of your home network. As prerequisite we will also need to forward port 443(https) in our router\/firewall to system used and make sure we have a valid … Continue reading “Home Assistant + `haproxy` +`LetsEncrypt`+TransIP”<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[19,5],"tags":[],"class_list":["post-466","post","type-post","status-publish","format-standard","hentry","category-docker","category-home-assistant"],"_links":{"self":[{"href":"https:\/\/jbsoft.nl\/site\/wp-json\/wp\/v2\/posts\/466","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/jbsoft.nl\/site\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jbsoft.nl\/site\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jbsoft.nl\/site\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/jbsoft.nl\/site\/wp-json\/wp\/v2\/comments?post=466"}],"version-history":[{"count":2,"href":"https:\/\/jbsoft.nl\/site\/wp-json\/wp\/v2\/posts\/466\/revisions"}],"predecessor-version":[{"id":468,"href":"https:\/\/jbsoft.nl\/site\/wp-json\/wp\/v2\/posts\/466\/revisions\/468"}],"wp:attachment":[{"href":"https:\/\/jbsoft.nl\/site\/wp-json\/wp\/v2\/media?parent=466"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jbsoft.nl\/site\/wp-json\/wp\/v2\/categories?post=466"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jbsoft.nl\/site\/wp-json\/wp\/v2\/tags?post=466"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}