Closed feu77 closed 4 months ago
The nginx.conf file as posted works correctly in my configuration. I don't include this in my main /etc/nginx/nginx.conf; instead I put it in its own config file in /etc/nginx/conf.d (or wherever the config files for virtual servers are located on your setup).
I included the file in this repository for reference, to help people set up their nginx. It's not part of the container build for this project.
Here's a cut and paste of my nginx conf directly from the shell on my docker host:
`root@macmini:~/volumes/nginx/_data/conf.d# cat tesla.geekleader.co.uk.conf`

```nginx
server {
    listen 80;
    listen [::]:80;
    server_name tesla.geekleader.co.uk;
    return 302 https://$server_name$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    server_name tesla.geekleader.co.uk;

    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m;
    ssl_session_tickets off;

    ssl_certificate /etc/nginx/ssl/cloudflare/cert.pem;
    ssl_certificate_key /etc/nginx/ssl/cloudflare/key.pem;
    ssl_client_certificate /etc/nginx/ssl/cloudflare/cloudflare.crt;
    ssl_verify_client optional;

    # dhparams file
    #ssl_dhparam /data/dhparams.pem;

    proxy_buffering off;

    # root /usr/share/nginx/tesla;
    # index index.html index.htm;

    resolver 127.0.0.11;
    set $target __PROXYHOST__;

    # temporary Flask app for initial auth
    location / {
        proxy_pass http://192.168.21.5:8099;
    }

    # static public key for Tesla
    location /.well-known/appspecific/com.tesla.3p.public-key.pem {
        root /usr/share/nginx/tesla_http_proxy;
        try_files /com.tesla.3p.public-key.pem =404;
    }
}
```
I'm new to NGINX and I struggle with all that stuff.
My NGINX container:

```yaml
services:
  nginx:
    image: nginx:1-alpine
    ports:
      # (the port mappings did not survive in the original post)
volumes:
  nginx:
    external: true
```
Then the NGINX conf (modified by ChatGPT to get it to work; I also deleted all the SSL stuff, as I run it via a Cloudflare tunnel which handles the SSL certs and terminates them before traffic reaches NGINX):

```nginx
events {
}

http {
    include /etc/nginx/conf.d/*.conf; # this line includes all config files in the conf.d directory

    server {
        listen 80;
        listen [::]:80;
        server_name tesla.MYDOMAIN; # change this to your own FQDN
        # return 302 https://$server_name$request_uri;

        # dhparams file
        #ssl_dhparam /data/dhparams.pem;

        proxy_buffering off;

        resolver 127.0.0.11;
        set $target __PROXYHOST__;

        # temporary Flask app for initial auth
        location / {
            proxy_pass http://192.168.2.20:8099; # change to the hostname or IP address of your Docker host
        }

        # static public key for Tesla
        location /.well-known/appspecific/com.tesla.3p.public-key.pem {
            root /usr/share/nginx/tesla_http_proxy;
            try_files /com.tesla.3p.public-key.pem =404;
        }
    }
}
```
With that combination I managed to get through all the steps and shut down the Flask server. Now... where's the refresh token? Where is /data/refresh_token?
sorry for the weird formatting...
And what proxy_ssl certificate? Where do I find it?
Damn this is complicated...
OK, I found /data/refresh_token and put /config/tesla_http_proxy/selfsigned.pem in the proxy SSL field, but I don't get authenticated in the HA Tesla custom integration. Perhaps the cert file is not served by NGINX due to a strange config file. I think I messed it all up.
NGINX is running, tesla_http_proxy is running, I got through the 4 steps in the web UI, I got that com.tesla.3p.public-key.pem in the NGINX volume, I got the refresh_token. When typing the URL (tesla.MYDOMAIN.com) I get a 502 Bad Gateway error.
I really need help
I can't spend time right now looking at this, but until I can, here are a few things:
You will get a bad gateway error once the Flask server has stopped. This is normal. You should get the public key by entering https://tesla.MYDOMAIN.com/.well-known/appspecific/com.tesla.3p.public-key.pem in the browser.
Can you send the HA logs for when you do this next time?
You will need a new refresh_token because you can only use it once. Use iOS App Auth for Tesla (Fleet API), or delete everything in /data (tesla_http_proxy container), delete the private key from your car and start again
I appreciate your help.
https://tesla.mydomain.com/.well-known/appspecific/com.tesla.3p.public-key.pem gives me the public key. Good thing.
Auth for Tesla / Fleet API... I get an "Invalid redirect URI" error. http://tesla.MYDOMAIN.com/callback should work; it did for getting past the Flask step.
OK, Auth for Tesla worked with https instead of http in the URL; nevertheless the integration does not work:

```
Logger: custom_components.tesla_custom
Source: custom_components/tesla_custom/__init__.py:217
Integration: Tesla Custom Integration (Documentation: https://github.com/alandtse/tesla/wiki, Issues: https://github.com/alandtse/tesla/issues)
First occurred: 10:08:58 (1 occurrence)
Last logged: 10:08:58

Unable to communicate with Tesla API: UNKNOWN_ERROR_502
```
The proxy URL is https://tesla.MYDOMAIN.com, isn't it?
I don't think Home Assistant (HA) is connecting to the proxy. You should also check the proxy logs.
Most likely is that you have not specified the proxy URL correctly. It should be a 'local' URL which resolves to the IP address of your docker host, followed by the port number that the proxy container is listening on.
In my case it is https://macmini.local:4430
This should also match what you put in for the PROXY_HOST configuration in /data/config.sh
You might need a new refresh_token
I fixed the auth for tesla, so I always use a new refresh token on every attempt. I corrected the proxy URL to https://rpiserverone.local:4430
After initializing the integration I get the following issues:

```
This error was caused by a custom integration

Logger: teslajsonpy.controller
Source: custom_components/tesla_custom/config_flow.py:260
Integration: Tesla Custom Integration (Documentation, Issues)
First occurred: 10 April 2024 at 14:20:14 (6 occurrences)
Last logged: 09:48:53

Unable to load custom SSL certificate from MFkwEwYH4QJ5gei++NhN 3iw1Er5sBU3u6WAZ0niCe/6d982wxzXzA==
Unable to load custom SSL certificate from /config/tesla_http_proxy/selfsigned.pem
```

The NGINX logs show:

```
2024/04/10 17:34:20 [error] 30#30: *20 recv() failed (104: Connection reset by peer) while reading response header from upstream, client: 192.168.2.20, server: tesla.MYDOMAIN, request: "GET /favicon.ico HTTP/1.1", upstream: "http://192.168.2.20:8099/favicon.ico", host: "tesla.MYDOMAIN.com", referrer: "https://tesla.MYDOMAIN.com/.well-known/appspecific/com.tesla.3p.public-key.pem"
2024/04/11 08:02:51 [error] 30#30: *22 recv() failed (104: Connection reset by peer) while reading response header from upstream, client: 192.168.2.20, server: tesla.MYDOMAIN.com, request: "GET / HTTP/1.1", upstream: "http://192.168.2.20:8099/", host: "tesla.MYDOMAIN.com"
192.168.2.20 - - [11/Apr/2024:08:02:51 +0000] "GET / HTTP/1.1" 502 157 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4 Safari/605.1.15"
2024/04/11 08:08:44 [error] 30#30: *24 recv() failed (104: Connection reset by peer) while reading response header from upstream, client: 192.168.2.20, server: tesla.MYDOMAIN.com, request: "GET /api/1/products HTTP/1.1", upstream: "http://192.168.2.20:8099/api/1/products", host: "tesla.MYDOMAIN.com"
192.168.2.20 - - [11/Apr/2024:08:08:44 +0000] "GET /api/1/products HTTP/1.1" 502 157 "-" "TeslaApp/4.10.0"
192.168.2.20 - - [11/Apr/2024:08:08:45 +0000] "GET /api/1/products HTTP/1.1" 502 157 "-" "TeslaApp/4.10.0"
2024/04/11 08:08:45 [error] 30#30: *24 recv() failed (104: Connection reset by peer) while reading response header from upstream, client: 192.168.2.20, server: tesla.MYDOMAIN.com, request: "GET /api/1/products HTTP/1.1", upstream: "http://192.168.2.20:8099/api/1/products", host: "tesla.MYDOMAIN.com"
```

I edited the tesla.MYDOMAIN.com, which is a Cloudflare tunnel pointing to 192.168.2.20:8099; 192.168.2.20 is the docker host and 8099 is where NGINX is listening.
Q: Is it /config/tesla_http_proxy/selfsigned.pem, as written, that I need to enter in the Proxy SSL certificate field?
I don't think HA is finding selfsigned.pem. Check it's there at /config/tesla_http_proxy/selfsigned.pem (relative to the HA container root).
If not, check the volumes: section of docker-compose.yaml is correct for your setup.
I'm not sure your nginx is working right either, but let's fix the selfsigned.pem error first.
There is no file named selfsigned.pem in (Volume of HomeAssistant) /config/tesla_http_proxy/
You will need to change the volumes section of docker-compose.yml to reflect the setup of your HA docker. Or copy /data/cert.pem there and rename it to selfsigned.pem.
If you refer to tesla_http_proxy docker-compose, here's the volumes section of my docker-compose:
```yaml
    volumes:
      - tesla_http_proxy:/data
      # Webserver root for the $DOMAIN virtual server. Change the path according to your webserver setup. Path must exist or this container won't start
      - type: bind
        source: /var/lib/docker/volumes/nginx/_data/tesla_http_proxy
        target: /share/nginx
      # Path to tesla_http_proxy directory inside /config on Home Assistant instance. Change according to your HA setup. Path must exist or this container won't start
      - type: bind
        source: /var/lib/docker/volumes/homeassistant/_data/tesla_http_proxy
        target: /share/homeassistant
```

It should be correct, the path exists:

```
pi@RPi4ServerONE:~/docker-apps $ sudo ls -l /var/lib/docker/volumes/homeassistant/_data/
total 2188588
...
drwxr-xr-x 2 root root 4096 Apr  9 16:06 tesla_http_proxy
```

same for the NGINX volume:

```
pi@RPi4ServerONE:~/docker-apps $ sudo ls -l /var/lib/docker/volumes/nginx/_data/
total 16
...
drwxr-xr-x 2 root root 4096 Apr 10 15:33 tesla_http_proxy
```
That looks OK to me. Do you have cert.pem in /data (proxy container)? If so you could copy it into /var/lib/docker/volumes/homeassistant/_data/tesla_http_proxy and rename it to selfsigned.pem.
OK, I copied the file, which now exists in the Home Assistant volume at /config/tesla_http_proxy/selfsigned.pem:

```
RPi4ServerONE:/config/tesla_http_proxy# ls -l
total 4
-rw-r--r-- 1 root root 834 Apr 10 14:39 selfsigned.pem
```

Now I get this error when initiating the integration:

```
Logger: homeassistant.config_entries
Source: config_entries.py:575
First occurred: 10 April 2024 at 14:20:30 (10 occurrences)
Last logged: 13:01:16

Config entry '*edited*.com' for tesla_custom integration could not authenticate
Config entry '*edited*.com' for tesla_custom integration could not authenticate
```
Hopefully thats fixed the selfsigned.pem problem. What logs are you getting from the proxy container?
```
Starting Tesla HTTP Proxy
Do not listen on a network interface without adding client authentication. Unauthorized clients may be used to create excessive traffic from your IP address to Tesla's servers, which Tesla may respond to by rate limiting or blocking your connections.
2024-04-10T12:39:45Z [debug] Creating proxy
2024-04-10T12:39:45Z [info ] Listening on 0.0.0.0:443
2024/04/12 07:38:05 http: TLS handshake error from 192.168.2.121:49328: remote error: tls: bad certificate
2024-04-12T07:38:10Z [info ] Received GET request for /
2024-04-12T07:38:10Z [error] Returning error Forbidden
2024-04-12T07:38:10Z [info ] Received GET request for /favicon.ico
2024-04-12T07:38:10Z [error] Returning error Forbidden
2024/04/12 07:44:40 http: TLS handshake error from 172.17.0.1:55208: remote error: tls: bad certificate
2024/04/12 10:55:21 http: TLS handshake error from 172.17.0.1:60786: remote error: tls: bad certificate
```
Something is wrong with selfsigned.conf. Let's try using curl. Change directory to wherever /data is mapped to on your docker host. Run this replacing macmini.home with your local server name.
```sh
export TESLA_AUTH_TOKEN=`cat access_token`
curl --cacert cert.pem --header "Authorization: Bearer $TESLA_AUTH_TOKEN" "https://macmini.home:4430/api/1/vehicles"
```
Let me know what is returned and the corresponding proxy logs are
The `cat access_token` part is in backticks (command substitution), not single quotes. Also the access_token is probably expired, so you'll have to cut and paste a new one into the file from Auth for Tesla. Note it's a Fleet API access_token, not a refresh_token.
I might not be able to respond further today so have a go at getting this working
I'm struggling to start the container.
My docker-compose.yml file looks like this:

```yaml
volumes:
  tesla_http_proxy:
    external: true

services:
  tesla_http_proxy:
    container_name: tesla_http_proxy
    image: "iainbullock/tesla_http_proxy:latest"
    environment:
      - TZ='Australia/Adelaide'
      - CLIENT_ID='2afb8fexxxxxxx020186a5'
      - CLIENT_SECRET='ta-xxxxxxBA!TF'
      - DOMAIN='tesla.domainname.com' # Public FQDN
      - PROXY_HOST='freo.domainname.com' # Local hostname (not IP) of this docker host
      - REGION='Europe, Middle East, Africa' # Change to match your region
    stdin_open: true
    tty: true
    entrypoint: "/app/run.sh"
    working_dir: /app
    volumes:
      - tesla_http_proxy:/config
      # Webserver root for the $DOMAIN virtual server. Change the path according to your webserver setup. Path must exist or this container won't start
      - type: bind
        source: /var/lib/docker/volumes/tesla_http_proxy/_data
        target: /config/nginx/htdocs
      # Path to tesla_http_proxy directory inside /config on Home Assistant instance. Change according to your HA setup. Path must exist or this container won't start
      - type: bind
        source: /var/lib/docker/volumes/home-assistant_mariadb-data/_data
        target: /config/tesla_http_proxy
    network_mode: bridge
    ports:
      - 4430:443
      - 8099:8099
    #restart: no
    #restart: unless-stopped
```

The /data/config.sh:

```sh
CLIENT_SECRET='taxxxxxXBA!TF'
DOMAIN='tesla.domainname.com' # Public FQDN
PROXY_HOST='freo.domainname.com' # Local hostname (not IP) of this docker host
REGION='Europe' # Change to match your region
OPTIONS_COMPLETE=1
```

When it starts it says the /data/config.sh file is not set!

```
Attaching to tesla_http_proxy
tesla_http_proxy | Configuration options not set in /data/config.sh, exiting
tesla_http_proxy exited with code 0
```
Moving to a new issue https://github.com/iainbullock/tesla-http-proxy-docker/issues/39
Sorry, things are not clear to me: I guess /data is the directory of the tesla_http_proxy container. The export command as posted did not return an answer. After installing curl in the container and putting in my hostname, I get a "could not resolve" error. I used https://192.168.2.20, https://rpi4serverone.local and https://rpi4serverone.home, each time with port 4430 and /api/1/vehicles. Do I have to replace TESLA_AUTH_TOKEN with an access token in export... and curl...?
When entering https://192.168.2.20:4430 in a browser I get a security warning and `{"response":null,"error":"client did not provide an OAuth token","error_description":""}`.
Sorry, the previous post (from someone else) was off topic and I lost track of where we'd got to (I am supporting a few people at the same time). I've moved theirs to another topic.
I recommend you start again with a clean container and let's try to do it one step at a time. If you agree, please do the following:
Thanks
@feu77 Just catching up on open issues. Did you resolve yours / can I close this one?
Hey, please leave it open. I didn't have the time (and curiously the old method still works). I will get into it this week!! Thank you very much!
OK, here we go... with lots of problems all the way down, following yours and the smartmotion.life blog...
Well...
First I deleted every container (nginx and tesla_http_proxy). It took me 2 hours to get nginx running (don't ask me why...); it took me several attempts to get the tesla_http_proxy container to run (docker-compose doesn't want "restart: no"...). I got the Flask app running and generated the OAuth token; then, clicking on the 2nd button: error message....
Could it be that I didn't delete the private key on the vehicle from the first attempts 3 weeks ago? How do I delete it? I didn't find anything on developer.tesla.com nor in the Tesla app...
You delete the private key from the screen in your car - menu item Locks
OK, I cleared the key.
Generate OAuth, clicking "Test public key endpoint" -> getting an NGINX 404 error.
After clicking 3.
There are files in the tesla_http_proxy, homeassistant container and in the nginx container.
Why the hell isn't it working? BTW, I got further last time, because I could terminate the flask thing...
sorry, me again....
I started from the very beginning... I identified 2 errors (in the smartmotion blog): one semicolon missing in `server_name tesla.yourdomain.com;` in the tesla_nginx.conf file, and a double volumes declaration in docker-compose. So I got through the Flask step.
Starting the integration, error in the HA logs: `Unable to load custom SSL certificate from /config/tesla_http_proxy/selfsigned.pem`. The file exists:

```
pi@RPi4ServerONE:/config/tesla_http_proxy $ ls -l
total 4
-rw-r--r-- 1 root root 830 May  3 17:24 selfsigned.pem
```

and the tesla_nginx.conf:

```nginx
server {
    listen 80;
    listen [::]:80;
    server_name tesla.domain.com; # Change to match your own FQDN
    root /config/nginx/htdocs;

    location /.well-known/appspecific/ {
        try_files /com.tesla.3p.public-key.pem =404;
    }

    # temporary Flask app for initial auth
    location / {
        proxy_pass http://192.168.2.20:8099; # Change to hostname or IP of your Docker host
    }
}
```

The last lines from the tesla_http_proxy container:

```
Do not listen on a network interface without adding client authentication. Unauthorized clients may be used to create excessive traffic from your IP address to Tesla's servers, which Tesla may respond to by rate limiting or blocking your connections.
2024-05-03T15:42:46Z [debug] Creating proxy
2024-05-03T15:42:46Z [info ] Listening on 0.0.0.0:443
```
Seems there is a blocking somewhere....
Are there no further messages in the proxy logs?
Try connecting to the proxy from the docker host using curl and report what (if any) response you get and proxy logs:
```sh
cd /var/lib/docker/volumes/tesla_http_proxy/_data
export TESLA_AUTH_TOKEN=`cat access_token`
ping -c 1 RPi4ServerONE
curl --cacert cert.pem --header "Authorization: Bearer $TESLA_AUTH_TOKEN" "https://RPi4ServerONE:4430/api/1/vehicles"
```
The access token is likely expired by now but never mind we are only trying to make a connection to the proxy at this stage
If you are prepared to share your FQDN for the proxy it would also help, as the nginx setup is often the cause of various issues. I don't see a security issue in doing this, as it is used by tesla to access your public key. The private key is the one you need to keep private! Mine is at https://tesla.geekleader.co.uk/.well-known/appspecific/com.tesla.3p.public-key.pem
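An offline check of what the well-known URL actually serves, and of what was typed into the HA certificate field, as an added example that is not part of the tesla-http-proxy-docker project or of this thread. It classifies a PEM blob by its armour label and, for a public key, verifies the DER prefix of a secp256r1 SubjectPublicKeyInfo (the `MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE` base64 prefix); Tesla's Fleet API documentation requires a prime256v1 EC public key at this path, and publishing the private key or the proxy's cert.pem there is the mistake the check is meant to catch. The sample key is constructed filler with the right structure, not a real key. The `diagnose_cert_field` helper and its reading of the earlier HA log line (`Unable to load custom SSL certificate from MFkwEwYH…`, i.e. key material pasted where a file path belongs) are my own interpretation, not something the integration documents.

```python
"""Classify what a Tesla well-known public-key URL (or the nginx webroot file) serves.

Added example, not project code. Standard library only; no network access.
Usage (the script name is my own choice):
    curl -s https://tesla.MYDOMAIN.com/.well-known/appspecific/com.tesla.3p.public-key.pem \
        | python3 check_pubkey.py
"""
import base64
import re
import sys

# DER prefix of a SubjectPublicKeyInfo carrying an uncompressed secp256r1 point.
# Base64-encoded it reads "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE", which is why a
# correct key file always starts with those characters on its first body line.
P256_SPKI_PREFIX = bytes.fromhex(
    "3059"                  # SEQUENCE, 89 bytes follow
    "3013"                  # SEQUENCE, 19 bytes: AlgorithmIdentifier
    "06072a8648ce3d0201"    #   OID 1.2.840.10045.2.1   (id-ecPublicKey)
    "06082a8648ce3d030107"  #   OID 1.2.840.10045.3.1.7 (prime256v1 / secp256r1)
    "034200"                # BIT STRING, 66 bytes, 0 unused bits
    "04"                    # uncompressed point marker, then X || Y (64 bytes)
)
P256_SPKI_LEN = len(P256_SPKI_PREFIX) + 64  # 91 bytes in total

_PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def classify_pem(text):
    """Classify a PEM blob from the point of view of the Tesla well-known endpoint.

    Returns one of:
      'p256-public-key'   the only thing that belongs at the well-known URL
      'private-key'       must never be published; rotate the key pair if it was
      'certificate'       an X.509 cert (e.g. the proxy's cert.pem), not a public key
      'other-public-key'  a public key, but not an uncompressed P-256 SPKI
      'not-pem'           HTML error page, empty body, bare base64 without armour
    """
    m = _PEM_RE.search(text)
    if not m:
        return "not-pem"
    label, body = m.group(1), m.group(2)
    if "PRIVATE KEY" in label:
        return "private-key"
    if label == "CERTIFICATE":
        return "certificate"
    if label != "PUBLIC KEY":
        return "other-public-key"
    try:
        der = base64.b64decode("".join(body.split()), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "not-pem"
    if len(der) == P256_SPKI_LEN and der.startswith(P256_SPKI_PREFIX):
        return "p256-public-key"
    return "other-public-key"


def diagnose_cert_field(value):
    """Say whether the HA 'Proxy SSL certificate' field holds a path or key material.

    The field wants a path inside the HA container, e.g. /config/tesla_http_proxy/selfsigned.pem.
    A value starting with PEM armour or with the base64 prefix above is the key's
    contents pasted in instead; HA then logs 'Unable to load custom SSL certificate from MFkw...'.
    """
    v = value.strip()
    if v.startswith("/"):
        return "file-path"
    if v.startswith("-----BEGIN") or v.startswith("MFkwEwYH"):
        return "key-material"
    return "unrecognised"


def _pem(label, der):
    """Wrap DER bytes in PEM armour with 64-character lines."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, "\n".join(lines), label)


# Constructed samples. The public key has the correct structure but its 64
# coordinate bytes are filler, not a point on the curve; the other two only
# need the right armour label for this check.
SAMPLE_PUBLIC_KEY_PEM = _pem("PUBLIC KEY", P256_SPKI_PREFIX + bytes(range(1, 65)))
SAMPLE_PRIVATE_KEY_PEM = _pem("EC PRIVATE KEY", b"\x30\x00")
SAMPLE_CERT_PEM = _pem("CERTIFICATE", b"\x30\x00")

if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PUBLIC_KEY_PEM
    print(classify_pem(data))
```

Anything other than `p256-public-key` from the public URL means nginx is serving the wrong file (or a 404/HTML page), and `private-key` means the key pair has to be regenerated, not just the file replaced.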
That's what I get:
BTW my FQDN is https://tesla.vectorsigma.cc
```
pi@RPi4ServerONE:~/docker-apps $ sudo su
root@RPi4ServerONE:/home/pi/docker-apps# cd /var/lib/docker/volumes/tesla_http_proxy/_data
root@RPi4ServerONE:/var/lib/docker/volumes/tesla_http_proxy/_data# export TESLA_AUTH_TOKEN='cat access_token'
root@RPi4ServerONE:/var/lib/docker/volumes/tesla_http_proxy/_data# ping -c 1 RPi4ServerONE
PING RPi4ServerONE (127.0.1.1) 56(84) bytes of data.
64 bytes from RPi4ServerONE (127.0.1.1): icmp_seq=1 ttl=64 time=0.097 ms

--- RPi4ServerONE ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.097/0.097/0.097/0.000 ms
root@RPi4ServerONE:/var/lib/docker/volumes/tesla_http_proxy/_data# curl --cacert cert.pem --header "Authorization: Bearer $TESLA_AUTH_TOKEN" "https://RPi4ServerONE:4430/api/1/vehicles"
curl: (60) SSL: certificate subject name 'RPi4ServerONE.local' does not match target host name 'RPi4ServerONE'
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
```
Q: Do I need to write 'rpi4serverone.local' or without suffix .local? I always used without .local
Let's check out your config.sh to answer that:
```sh
cat /var/lib/docker/volumes/tesla_http_proxy/_data/config.sh
```
config.sh is empty
Interesting. It looks as though it had something in it when you sent this screenshot:
I didn't alter it...
Is that this step? I
In this image config.sh is zero bytes, in the previous one it's 414 bytes
I'll have to study the blog, I didn't write it!
I can download a public key from https://tesla.vectorsigma.cc/.well-known/appspecific/com.tesla.3p.public-key.pem so that part is working
OK, I read the blog in more detail around the section you mentioned above. @tux43 has done a great job here.
Your config.sh must have got wiped somehow. Please recreate it and paste it here. Could you also paste your docker-compose.yml?
As I said before your public key is accessible so that's good - that is what doesn't work for most people. I think you are nearly there, just need to sort out your selfsigned.pem
```sh
CLIENT_ID='xxxxxxxxxxx'
CLIENT_SECRET='ta-secret.xxxxxxxxxxxxx'
DOMAIN='tesla.vectorsigma.cc' # Public FQDN
PROXY_HOST='RPi4ServerONE' # Local hostname (not IP) of this docker host
REGION='Europe, Middle East, Africa' # Change to match your region
OPTIONS_COMPLETE=1
```
```yaml
version: '3'

volumes:
  tesla_http_proxy:
    external: true

services:
  tesla_http_proxy:
    container_name: tesla_http_proxy
    image: "iainbullock/tesla_http_proxy:latest"
    environment:
      - TZ='Europe/Berlin'
      - CLIENT_ID='xxxxxxx'
      - CLIENT_SECRET='ta-secret.xxxxxxxxx'
      - DOMAIN='tesla.vectorsigma.cc' # Public FQDN
      - PROXY_HOST='rpiserverone.local' # Local hostname (not IP) of this docker host
      - REGION='Europe, Middle East, Africa' # Change to match your region
    stdin_open: true
    tty: true
    entrypoint: "/app/run.sh"
    working_dir: /app
    volumes:
      - tesla_http_proxy:/data
      # Webserver root for the $DOMAIN virtual server. Change the path according to your webserver setup. Path must exist or this container won't start
      - type: bind
        source: /config/nginx/htdocs # Refer to step 2.1
        target: /share/nginx # Do not modify
      # Path to tesla_http_proxy directory inside /config on Home Assistant instance. Change according to your HA setup. Path must exist or this container won't start
      - type: bind
        source: /config/tesla_http_proxy # Refer to step 5.1
        target: /share/home-assistant # Do not modify
      # bind-mounts the host's /data/config.sh over the copy inside the tesla_http_proxy volume
      - /data/config.sh:/data/config.sh
    network_mode: bridge
    ports:
      - 4430:443
      - 8099:8099
```
Can you make PROXY_HOST the same in both docker-compose.yml and config.sh? I suggest you use RPi4ServerONE, as when you pinged it before it resolved ok.
Then:
Delete everything except config.sh in /var/lib/docker/volumes/tesla_http_proxy/_data
Delete the private key from your car
Restart the container
Repeat section 6 from the blog
Test using curl from the host:
```sh
cd /var/lib/docker/volumes/tesla_http_proxy/_data
export TESLA_AUTH_TOKEN=$(cat access_token)
curl --cacert cert.pem --header "Authorization: Bearer $TESLA_AUTH_TOKEN" "https://rpi4serverone:4430/api/1/vehicles"
```
If this works, proceed with section 7 of the blog.
I probably can't respond now until tomorrow. Good luck.
I'm sure the proxy host was rpi4serverone in both, but after it didn't work I was playing around and forgot to delete it in docker-compose...
So I do what you told me:
```
root@RPi4ServerONE:/var/lib/docker/volumes/tesla_http_proxy/_data# export TESLA_AUTH_TOKEN='cat access_token'
root@RPi4ServerONE:/var/lib/docker/volumes/tesla_http_proxy/_data# curl --cacert cert.pem --header "Authorization: Bearer $TESLA_AUTH_TOKEN" "https://rpi4serverone:4430/api/1/vehicles"
curl: (60) SSL: certificate subject name 'RPi4ServerONE.local' does not match target host name 'rpi4serverone'
More details here: https://curl.se/docs/sslcerts.html
```
I don't know where this rpi4serverone.local comes from. I checked docker-compose and config.sh...
I wouldn't have expected the .local to be on the end if you had started again with PROXY_HOST set to RPi4ServerONE.
Please try this on the host:
```sh
cd /var/lib/docker/volumes/tesla_http_proxy/_data
ls -al
openssl x509 -noout -text -in cert.pem
```
```
root@RPi4ServerONE:/var/lib/docker/volumes/tesla_http_proxy/_data# ls -al
total 24
drwxr-xr-x 4 root root 4096 May 4 19:05 .
drwx-----x 3 root root 4096 May 4 19:05 ..
-rw-r--r-- 1 root root 834 May 4 19:05 cert.pem
-rwxr-xr-x 1 root root 0 May 4 19:05 config.sh
drwx------ 4 root root 4096 May 4 19:05 gnugpg
-rw------- 1 root root 384 May 4 19:05 key.pem
drwx------ 2 root root 4096 May 4 19:05 password-store
root@RPi4ServerONE:/var/lib/docker/volumes/tesla_http_proxy/_data# openssl x509 -noout -text -in cert.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            51:38:76:2a:e2:69:8b:21:16:c3:1b:46:db:9b:ce:97:4e:8b:44:39
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: CN = RPi4ServerONE.local
        Validity
            Not Before: May 4 17:05:25 2024 GMT
            Not After : May 2 17:05:25 2034 GMT
        Subject: CN = RPi4ServerONE.local
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (521 bit)
                pub:
                    04:01:04:53:91:7b:60:05:16:81:fa:f4:80:e9:21:
                    81:50:7f:4d:49:cf:10:43:a8:c1:5b:fc:2a:ce:74:
                    bf:f5:84:03:84:42:fb:58:d4:16:45:c0:48:60:81:
                    5c:74:2a:8e:7a:83:d5:a6:40:e2:09:be:89:1b:be:
                    04:dd:a7:e1:6d:37:5a:00:f6:06:ec:99:ee:00:38:
                    13:7d:d4:95:e4:ea:60:ce:57:72:f2:c4:ad:57:00:
                    85:48:14:43:c4:3d:44:dd:41:a9:58:79:b8:a3:16:
                    63:bb:84:1f:75:10:55:f6:b9:85:c4:9f:1d:dd:93:
                    0f:8e:8a:81:48:4c:f5:23:6f:b0:73:2d:21
                ASN1 OID: secp521r1
                NIST CURVE: P-521
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                AE:BF:DB:6C:33:D3:3F:60:BC:BB:96:61:C8:35:38:98:69:21:45:EA
            X509v3 Authority Key Identifier:
                keyid:AE:BF:DB:6C:33:D3:3F:60:BC:BB:96:61:C8:35:38:98:69:21:45:EA
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Key Usage:
                Digital Signature, Key Agreement, Certificate Sign
    Signature Algorithm: ecdsa-with-SHA256
         30:81:87:02:41:6d:fc:d1:cd:71:4c:b1:db:9f:29:6a:1d:d7:
         4e:2e:7a:83:5d:65:06:5a:b7:a4:50:b0:c2:b2:4e:3f:da:5a:
         a5:b1:23:4b:4a:19:ac:1c:ff:40:05:33:cc:9f:cc:ae:39:84:
         38:b4:b5:92:9c:cc:cf:1f:8f:e7:f5:10:a2:58:59:51:02:42:
         01:95:a0:70:d5:82:82:e9:e4:93:b1:db:54:31:f4:ba:a6:0d:
         f9:a7:4b:d2:a3:aa:13:a4:7b:97:a2:5c:5e:8f:ae:7c:d5:ff:
         9c:02:3a:5c:5a:2c:fc:5c:ae:67:4d:c0:e1:05:be:78:be:39:
         67:84:e2:36:2f:af:cd:ef:73:f4:2a:f9
root@RPi4ServerONE:/var/lib/docker/volumes/tesla_http_proxy/_data#
```
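To see why curl refuses this certificate, here is an added Python example (not part of this issue or the tesla_http_proxy project) that applies the hostname-matching rules a TLS client such as curl follows: subjectAltName dNSName entries are checked when present, the subject CN only as a fallback when there is no SAN, comparison is case-insensitive, and a wildcard is honoured only as the whole leftmost label. The CN and the absence of a SAN are taken from the openssl output above; the SAN variants in the test are constructed.

```python
"""Emulate TLS server-name verification (RFC 6125 style, as curl applies it).

Constructed inputs modelled on the certificate dumped above:
subject CN = RPi4ServerONE.local and no subjectAltName extension.
"""
from dataclasses import dataclass, field


@dataclass
class CertIdentity:
    """Identity fields a verifier consults; san_dns stays empty when the
    certificate carries no subjectAltName extension."""
    subject_cn: str
    san_dns: list[str] = field(default_factory=list)


def _label_match(pattern: str, host: str) -> bool:
    """Compare one presented identifier with the target host name.

    '*' is honoured only as the entire leftmost label, so '*.local'
    matches 'rpi4serverone.local' but not 'a.b.local' or 'local'.
    """
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 2 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def check_hostname(cert: CertIdentity, host: str) -> tuple[bool, str]:
    """Return (accepted, reason). Once any SAN dNSName exists the CN is
    ignored, which is why a SAN is the robust fix for a CN mismatch."""
    if cert.san_dns:
        if any(_label_match(name, host) for name in cert.san_dns):
            return True, f"'{host}' matched a subjectAltName entry"
        return False, f"no subjectAltName entry {cert.san_dns} matches '{host}' (CN ignored)"
    if _label_match(cert.subject_cn, host):
        return True, f"'{host}' matched subject CN '{cert.subject_cn}' (no SAN present)"
    return False, (f"certificate subject name '{cert.subject_cn}' does not match "
                   f"target host name '{host}'")


if __name__ == "__main__":
    # The certificate from the openssl dump, checked against the names curl was given.
    proxy_cert = CertIdentity(subject_cn="RPi4ServerONE.local")
    for target in ("rpi4serverone", "RPi4ServerONE.local"):
        ok, why = check_hostname(proxy_cert, target)
        print(f"{'OK  ' if ok else 'FAIL'} {why}")
```

The first target reproduces the curl error in the thread; the second shows that only a name equal to the CN (or, better, a regenerated certificate whose name matches PROXY_HOST) will verify.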
....or misformatted. I get the following error:
```
2024/04/10 10:17:07 [emerg] 1#1: "server" directive is not allowed here in /etc/nginx/nginx.conf:1
nginx: [emerg] "server" directive is not allowed here in /etc/nginx/nginx.conf:1
```
A correct nginx config file should look like this:
```
events { ... }
http {
    ...
    server { ... }
}
```
Could you please post a correct nginx.conf file and the docker-compose to run the nginx container? Thanks in advance.