iainbullock / tesla-http-proxy-docker

Apache License 2.0

Example nginx.conf file is incomplete.... #38

Closed feu77 closed 4 months ago

feu77 commented 6 months ago

....or misformatted. I get the following error:

2024/04/10 10:17:07 [emerg] 1#1: "server" directive is not allowed here in /etc/nginx/nginx.conf:1
nginx: [emerg] "server" directive is not allowed here in /etc/nginx/nginx.conf:1

A correct nginx config file should look like this: events { ... } http { ... server { ... } }

Could you please post a correct nginx.conf file and the docker-compose to run the nginx container? Thanks in advance

iainbullock commented 6 months ago

The nginx.conf file as posted works correctly in my configuration. I don't include this in my main /etc/nginx/nginx.conf, instead put it in its own config file in /etc/nginx/conf.d (or wherever the config files for virtual servers are located on your setup).

I included the file in this repository for reference to help people set up their nginx. It's not part of the container build for this project.

Here's a cut and paste of my nginx conf directly from the shell on my docker host:

root@macmini:~/volumes/nginx/_data/conf.d# cat tesla.geekleader.co.uk.conf 

server {
    listen 80;
    listen [::]:80;
    server_name tesla.geekleader.co.uk;
    return 302 https://$server_name$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    server_name tesla.geekleader.co.uk;

    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m;
    ssl_session_tickets off;
    ssl_certificate         /etc/nginx/ssl/cloudflare/cert.pem;
    ssl_certificate_key     /etc/nginx/ssl/cloudflare/key.pem;
    ssl_client_certificate /etc/nginx/ssl/cloudflare/cloudflare.crt;
    ssl_verify_client optional;

    # dhparams file
    #ssl_dhparam /data/dhparams.pem;

    proxy_buffering off;

#    root   /usr/share/nginx/tesla;
#    index  index.html index.htm;

    resolver 127.0.0.11;
    set $target __PROXYHOST__;

    # temporary Flask app for initial auth
    location / {
        proxy_pass http://192.168.21.5:8099;
    }

    # static public key for Tesla
    location /.well-known/appspecific/com.tesla.3p.public-key.pem {
        root /usr/share/nginx/tesla_http_proxy;
        try_files /com.tesla.3p.public-key.pem =404;
    }

}
feu77 commented 6 months ago

I'm new to NGINX and I struggle with all that stuff.

My NGINX container:

services:
  nginx:
    image: nginx:1-alpine
    ports:

volumes:
  nginx:
    external: true

Then the NGINX conf (modified by ChatGPT to get it to work; I also deleted the whole SSL stuff as I run it via a Cloudflare tunnel, which handles the SSL certs and terminates them before getting to NGINX):

events {
    # event configuration
}

http {
    # HTTP configuration

    include /etc/nginx/conf.d/*.conf; # This line includes all configuration files in the conf.d directory

    server {
        listen 80;
        listen [::]:80;
        server_name tesla.MYDOMAIN; # Change this to match your own FQDN
        # return 302 https://$server_name$request_uri;

        # dhparams file
        #ssl_dhparam /data/dhparams.pem;

        proxy_buffering off;

        resolver 127.0.0.11;
        set $target __PROXYHOST__;

        # temporary Flask app for initial auth
        location / {
            proxy_pass http://192.168.2.20:8099; # Change this to the hostname or IP address of your Docker host
        }

        # static public key for Tesla
        location /.well-known/appspecific/com.tesla.3p.public-key.pem {
            root /usr/share/nginx/tesla_http_proxy;
            try_files /com.tesla.3p.public-key.pem =404;
        }
    }
}

With that combi I managed to get through all the points and shutting down the flask server. Now........where's the refresh token???? Where is /data/refresh_token?

feu77 commented 6 months ago

sorry for the weird formatting...

feu77 commented 6 months ago

And what proxy_ssl certificate? Where do I find it?

Damn this is complicated...

feu77 commented 6 months ago

ok, found /data/refresh_token and put /config/tesla_http_proxy/selfsigned.pem in the proxy SSL field, but I don't get authenticated in HA/tesla custom integration. Perhaps the cert file is not served by NGINX due to a strange config file. I think I messed it all up.

NGINX is running, Tesla_http_proxy is running, I got through the 4 steps in the webUI, I got that com.tesla.3p.public-key.pem in the NGINX volume, I got the refresh_token. When typing the URL (tesla.MYDOMAIN.com) I get a bad gateway 502 error.

I really need help

iainbullock commented 6 months ago

I can't spend time right now looking at this, but until I can here's a few things:


feu77 commented 6 months ago

I appreciate your help.

https://tesla.mydomain.com/.well-known/appspecific/com.tesla.3p.public-key.pem gives me the public key. Good thing.

Auth for Tesla /Fleet API....get an Invalid redirect URI error. http://tesla.MYDOMAIN.com/callback should work, it did to pass the flask thing.

feu77 commented 6 months ago

ok, Auth for Tesla worked with https instead of http in the URL, nevertheless Integration does not work:

Logger: custom_components.tesla_custom Quelle: custom_components/tesla_custom/__init__.py:217 Integration: Tesla Custom Integration ([Dokumentation](https://github.com/alandtse/tesla/wiki), [Probleme](https://github.com/alandtse/tesla/issues)) Erstmals aufgetreten: 10:08:58 (1 Vorkommnisse) Zuletzt protokolliert: 10:08:58 Unable to communicate with Tesla API: UNKNOWN_ERROR_502

The proxy URL is https://tesla.MYDOMAIN.com, right?

iainbullock commented 6 months ago

I don't think Home Assistant (HA) is connecting to the proxy. You should also check the proxy logs.

Most likely is that you have not specified the proxy URL correctly. It should be a 'local' URL which resolves to the IP address of your docker host, followed by the port number that the proxy container is listening on.

In my case it is https://macmini.local:4430

This should also match what you put in for the PROXY_HOST configuration in /data/config.sh

You might need a new refresh_token

feu77 commented 6 months ago

I fixed the auth for tesla, so I always use a new refresh token on every attempt. I corrected the proxy URL to https://rpiserverone.local:4430

After initializing the integration I get the following issues:

Dieser Fehler wurde von einer benutzerdefinierten Integration verursacht

Logger: teslajsonpy.controller Quelle: custom_components/tesla_custom/config_flow.py:260 Integration: Tesla Custom Integration (Dokumentation, Probleme) Erstmals aufgetreten: 10. April 2024 um 14:20:14 (6 Vorkommnisse) Zuletzt protokolliert: 09:48:53

Unable to load custom SSL certificate from MFkwEwYH4QJ5gei++NhN 3iw1Er5sBU3u6WAZ0niCe/6d982wxzXzA==
Unable to load custom SSL certificate from /config/tesla_http_proxy/selfsigned.pem

The NGINX logs show:

2024/04/10 17:34:20 [error] 30#30: *20 recv() failed (104: Connection reset by peer) while reading response header from upstream, client: 192.168.2.20, server: tesla.MYDOMAIN, request: "GET /favicon.ico HTTP/1.1", upstream: "http://192.168.2.20:8099/favicon.ico", host: "tesla.MYDOMAIN.com", referrer: "https://tesla.MYDOMAIN.com/.well-known/appspecific/com.tesla.3p.public-key.pem"
2024/04/11 08:02:51 [error] 30#30: *22 recv() failed (104: Connection reset by peer) while reading response header from upstream, client: 192.168.2.20, server: tesla.MYDOMAIN.com, request: "GET / HTTP/1.1", upstream: "http://192.168.2.20:8099/", host: "tesla.MYDOMAIN.com"
192.168.2.20 - - [11/Apr/2024:08:02:51 +0000] "GET / HTTP/1.1" 502 157 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.4 Safari/605.1.15"
2024/04/11 08:08:44 [error] 30#30: *24 recv() failed (104: Connection reset by peer) while reading response header from upstream, client: 192.168.2.20, server: tesla.MYDOMAIN.com, request: "GET /api/1/products HTTP/1.1", upstream: "http://192.168.2.20:8099/api/1/products", host: "tesla.MYDOMAIN.com"
192.168.2.20 - - [11/Apr/2024:08:08:44 +0000] "GET /api/1/products HTTP/1.1" 502 157 "-" "TeslaApp/4.10.0"
192.168.2.20 - - [11/Apr/2024:08:08:45 +0000] "GET /api/1/products HTTP/1.1" 502 157 "-" "TeslaApp/4.10.0"
2024/04/11 08:08:45 [error] 30#30: *24 recv() failed (104: Connection reset by peer) while reading response header from upstream, client: 192.168.2.20, server: tesla.MYDOMAIN.com, request: "GET /api/1/products HTTP/1.1", upstream: "http://192.168.2.20:8099/api/1/products", host: "tesla.MYDOMAIN.com"

I edited the tesla.MYDOMAIN.com which is a cloudflare tunnel pointing to 192.168.2.20:8099 which is the docker host and 8099 is where NGINX is listening at.

Q: Is it /config/tesla_http_proxy/selfsigned.pem as written that I need to enter in the Proxy SSL certificate field?
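The nginx excerpt above pairs "Connection reset by peer ... from upstream" errors with 502s in the access log, all pointing at the same upstream. The script below is an added example (not code from tesla-http-proxy-docker or from this thread) that parses both nginx log formats, counts failures per upstream origin, and prints the two hints that follow from the maintainer's replies. The sample lines are constructed from the excerpt with the domain replaced by a placeholder.

```python
"""Triage nginx error/access log lines: which upstream is failing, and for which paths.

Added example, not part of tesla-http-proxy-docker. The sample log is constructed
from the excerpt posted in this issue, with the domain replaced by tesla.example.com.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# nginx error_log line (default format) with the optional upstream/host fields.
ERROR_RE = re.compile(
    r'^(?P<ts>\S+ \S+) \[(?P<level>\w+)\] \d+#\d+: \*\d+ (?P<msg>.*?), '
    r'client: (?P<client>\S+), server: (?P<server>\S+), request: "(?P<request>[^"]*)"'
    r'(?:, upstream: "(?P<upstream>[^"]*)")?(?:, host: "(?P<host>[^"]*)")?'
)
# nginx access_log line in the default "combined" format.
ACCESS_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample (domain and user agents shortened) mirroring the excerpt above.
SAMPLE_LOG = """\
2024/04/11 08:02:51 [error] 30#30: *22 recv() failed (104: Connection reset by peer) while reading response header from upstream, client: 192.168.2.20, server: tesla.example.com, request: "GET / HTTP/1.1", upstream: "http://192.168.2.20:8099/", host: "tesla.example.com"
192.168.2.20 - - [11/Apr/2024:08:02:51 +0000] "GET / HTTP/1.1" 502 157 "-" "Mozilla/5.0"
2024/04/11 08:08:44 [error] 30#30: *24 recv() failed (104: Connection reset by peer) while reading response header from upstream, client: 192.168.2.20, server: tesla.example.com, request: "GET /api/1/products HTTP/1.1", upstream: "http://192.168.2.20:8099/api/1/products", host: "tesla.example.com"
192.168.2.20 - - [11/Apr/2024:08:08:44 +0000] "GET /api/1/products HTTP/1.1" 502 157 "-" "TeslaApp/4.10.0"
192.168.2.20 - - [11/Apr/2024:08:08:45 +0000] "GET /api/1/products HTTP/1.1" 502 157 "-" "TeslaApp/4.10.0"
2024/04/11 08:08:45 [error] 30#30: *24 recv() failed (104: Connection reset by peer) while reading response header from upstream, client: 192.168.2.20, server: tesla.example.com, request: "GET /api/1/products HTTP/1.1", upstream: "http://192.168.2.20:8099/api/1/products", host: "tesla.example.com"
"""


def parse_line(line):
    """Return a dict with a 'kind' of 'error' or 'access', or None for unknown lines."""
    m = ERROR_RE.match(line)
    if m:
        rec = m.groupdict()
        rec["kind"] = "error"
        return rec
    m = ACCESS_RE.match(line)
    if m:
        rec = m.groupdict()
        rec["kind"] = "access"
        rec["status"] = int(rec["status"])
        return rec
    return None


def upstream_origin(url):
    """Reduce an upstream URL to scheme://host:port so per-path variants group together."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}"


def triage(text):
    """Summarise upstream failures and response codes, with hints drawn from the thread."""
    upstream_failures = Counter()
    failing_paths = set()
    status_counts = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["kind"] == "error" and rec.get("upstream"):
            upstream_failures[upstream_origin(rec["upstream"])] += 1
            failing_paths.add(rec["request"].split()[1])  # "GET /path HTTP/1.1" -> "/path"
        elif rec["kind"] == "access":
            status_counts[rec["status"]] += 1
    hints = []
    for origin, n in upstream_failures.items():
        hints.append(f"{n} upstream failures to {origin}: the host answered but the service "
                     "on that port reset the connection (is the temporary auth app still up?)")
    if any(p.startswith("/api/") for p in failing_paths):
        hints.append("/api/ requests arrived via nginx; Home Assistant should use the proxy's "
                     "local https URL (docker host + mapped port) instead of the public domain")
    return {"upstream_failures": dict(upstream_failures),
            "status_counts": dict(status_counts), "hints": hints}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```

Run it against a real `docker logs nginx` capture by feeding the text to `triage()`; lines that match neither format (startup banners, notices) are skipped rather than mis-parsed.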

iainbullock commented 6 months ago

I don't think HA is finding selfsigned.pem. Check it's there at /config/tesla_http_proxy/selfsigned.pem (relative to the HA container root)

If not, check the volumes: section of docker-compose.yaml is correct for your setup

I'm not sure your nginx is working right either, but let's fix the selfsigned.pem error first


feu77 commented 6 months ago

There is no file named selfsigned.pem in (Volume of HomeAssistant) /config/tesla_http_proxy/

iainbullock commented 6 months ago

You will need to change the volumes section of docker-compose.yml to reflect the setup of your HA docker. Or copy /data/cert.pem there and rename it to selfsigned.pem


feu77 commented 6 months ago

If you refer to tesla_http_proxy docker-compose, here's the volumes section of my docker-compose:

volumes:
  - tesla_http_proxy:/data
  # Webserver root for the $DOMAIN virtual server. Change the path according to your webserver setup. Path must exist or this container won't start
  - type: bind
    source: /var/lib/docker/volumes/nginx/_data/tesla_http_proxy
    target: /share/nginx
  # Path to tesla_http_proxy directory inside /config on Home Assistant instance. Change according to your HA setup. Path must exist or this container won't start
  - type: bind
    source: /var/lib/docker/volumes/homeassistant/_data/tesla_http_proxy
    target: /share/homeassistant

It should be correct, the path exists:

pi@RPi4ServerONE:~/docker-apps $ sudo ls -l /var/lib/docker/volumes/homeassistant/_data/
total 2188588
...
drwxr-xr-x 2 root root 4096 Apr 9 16:06 tesla_http_proxy

Same for the NGINX volume:

pi@RPi4ServerONE:~/docker-apps $ sudo ls -l /var/lib/docker/volumes/nginx/_data/
total 16
...
drwxr-xr-x 2 root root 4096 Apr 10 15:33 tesla_http_proxy

iainbullock commented 6 months ago

That looks ok to me. Do you have cert.pem in /data (proxy container)? If so you could copy it into /var/lib/docker/volumes/homeassistant/_data/tesla_http_proxy and rename it to selfsigned.pem


feu77 commented 6 months ago

ok I copied the file which now exists in Homeassistant volume /config/tesla_http_proxy/selfsigned.pem

RPi4ServerONE:/config/tesla_http_proxy# ls -l
total 4
-rw-r--r-- 1 root root 834 Apr 10 14:39 selfsigned.pem

Now I get this error when initiating Integration

Logger: homeassistant.config_entries Quelle: config_entries.py:575 Erstmals aufgetreten: 10. April 2024 um 14:20:30 (10 Vorkommnisse) Zuletzt protokolliert: 13:01:16

Config entry '*edited*.com' for tesla_custom integration could not authenticate
Config entry '*edited*.com' for tesla_custom integration could not authenticate

iainbullock commented 6 months ago

Hopefully thats fixed the selfsigned.pem problem. What logs are you getting from the proxy container?


feu77 commented 6 months ago

Starting Tesla HTTP Proxy

Do not listen on a network interface without adding client authentication. Unauthorized clients may be used to create excessive traffic from your IP address to Tesla's servers, which Tesla may respond to by rate limiting or blocking your connections.
2024-04-10T12:39:45Z [debug] Creating proxy
2024-04-10T12:39:45Z [info ] Listening on 0.0.0.0:443
2024/04/12 07:38:05 http: TLS handshake error from 192.168.2.121:49328: remote error: tls: bad certificate
2024-04-12T07:38:10Z [info ] Received GET request for /
2024-04-12T07:38:10Z [error] Returning error Forbidden
2024-04-12T07:38:10Z [info ] Received GET request for /favicon.ico
2024-04-12T07:38:10Z [error] Returning error Forbidden
2024/04/12 07:44:40 http: TLS handshake error from 172.17.0.1:55208: remote error: tls: bad certificate
2024/04/12 10:55:21 http: TLS handshake error from 172.17.0.1:60786: remote error: tls: bad certificate

iainbullock commented 6 months ago

Something is wrong with selfsigned.conf. Let's try using curl. Change directory to wherever /data is mapped to on your docker host. Run this replacing macmini.home with your local server name.

export TESLA_AUTH_TOKEN=`cat access_token`

curl --cacert cert.pem --header "Authorization: Bearer $TESLA_AUTH_TOKEN" "https://macmini.home:4430/api/1/vehicles"

Let me know what is returned and the corresponding proxy logs are

iainbullock commented 6 months ago

`cat access_token` is backticks not single quotes. Also the access_token is probably expired so you'll have to cut and paste a new one into the file from Auth for Tesla. Note it's a Fleet API access_token not a refresh_token

I might not be able to respond further today so have a go at getting this working

tux43 commented 6 months ago

I'm struggling to start the container.

My docker-compose.yml file looks like this


volumes:
  tesla_http_proxy:
    external: true

services:   
  tesla_http_proxy:
    container_name: tesla_http_proxy
    image: "iainbullock/tesla_http_proxy:latest"

    environment:
      - TZ='Australia/Adelaide'
      - CLIENT_ID='2afb8fexxxxxxx020186a5'
      - CLIENT_SECRET='ta-xxxxxxBA!TF'
      - DOMAIN='tesla.domainname.com' # Public FQDN 
      - PROXY_HOST='freo.domainname.com # Local hostname (not IP) of this docker host
      - REGION='Europe, Middle East, Africa' # Change to match your region

    stdin_open: true
    tty: true         

    entrypoint: "/app/run.sh"
    working_dir: /app

    volumes:
      - tesla_http_proxy:/config
      # Webserver root for the $DOMAIN virtual server. Change the path according to your webserver setup. Path must exist or this container won't start
      - type: bind
        source: /var/lib/docker/volumes/tesla_http_proxy/_data
        target: /config/nginx/htdocs
      # Path to tesla_http_proxy directory inside /config on Home Assistant instance. Change according to your HA setup. Path must exist or this container won't start
      - type: bind
        source: /var/lib/docker/volumes/home-assistant_mariadb-data/_data
        target: /config/tesla_http_proxy

    network_mode: bridge
    ports:
      - 4430:443
      - 8099:8099 

        #restart: no
    #restart: unless-stopped  

The /data/config.sh

CLIENT_SECRET='taxxxxxXBA!TF'
DOMAIN='tesla.domainname.com' # Public FQDN
PROXY_HOST='freo.domainname.com' # Local hostname (not IP) of this docker host
REGION='Europe' # Change to match your region
OPTIONS_COMPLETE=1

When it starts it says the /data/config.sh file is not set!

Attaching to tesla_http_proxy
tesla_http_proxy    | Configuration options not set in /data/config.sh, exiting
tesla_http_proxy exited with code 0
iainbullock commented 6 months ago


Moving to a new issue https://github.com/iainbullock/tesla-http-proxy-docker/issues/39

feu77 commented 5 months ago


Sorry, things are not clear for me: I guess /data is the directory of the tesla_http_proxy container. The export command posted as stated did not return an answer. After installing curl in the container and putting in my hostname, I get a "could not resolve" error. I used https://192.168.2.20, https://rpi4serverone.local and https://rpi4serverone.home, each time with port 4430 and api/1/vehicles. Do I have to replace TESLA_AUTH_TOKEN with an access token in export... and curl...?

When entering in a browser: https://192.168.2.20:4430 I get a security warning and {"response":null,"error":"client did not provide an OAuth token","error_description":""}

iainbullock commented 5 months ago

Sorry the previous post from someone else was off topic and I lost track of where we'd got up to (I am supporting a few people at the same time). I've moved theirs to another topic.

I recommend you should start again with a clean container and let's try to do it one step at a time. If you agree, please do the following:

Thanks

iainbullock commented 5 months ago

@feu77 Just catching up on open issues. Did you resolve yours / can I close this one?

feu77 commented 5 months ago

Hey, please let it open. I didn‘t have the time (and curiously the old method still works). I will get into it this week!! Thank you very much!

feu77 commented 5 months ago

Ok, here we go...with lots of problems all the way down following your and smartmotion.life blog...

Well...

First I deleted every container (nginx and tesla_http_proxy). It took me 2 hours getting nginx to run (don't ask me why...); it took me several attempts to get the tesla_http_proxy container to run (docker-compose doesn't want "restart: no"...). I got the flask running... generated the OAuth token, then clicking on the 2nd button: error message....

Could it be that I didn't delete the private key on the vehicle from the first attempts 3 weeks ago? How do I delete it? I didn't find anything on developer.tesla.com nor in the Tesla app...

iainbullock commented 5 months ago

You delete the private key from the screen in your car - menu item Locks

feu77 commented 5 months ago

Ok, I cleared the key.

Generate OAuth, clicking Test public key endpoint -> getting NGINX 404 Error.

[Screenshot 2024-05-03 at 13:31:40]
feu77 commented 5 months ago

After clicking 3.

[Screenshot 2024-05-03 at 15:41:45]
feu77 commented 5 months ago
[Screenshot 2024-05-03 at 15:44:38] [Screenshot 2024-05-03 at 15:45:40] [Screenshot 2024-05-03 at 15:46:28]

There are files in the tesla_http_proxy, homeassistant container and in the nginx container.

Why the hell isn't it working? BTW, I got further last time, because I could terminate the flask thing...

feu77 commented 5 months ago

sorry, me again....

I started from the very beginning... identified 2 errors (in the smartmotion blog) (one semicolon missing in 'server_name tesla.yourdomain.com;' in the tesla_nginx.conf file and a double volumes declaration in docker-compose). So I got through the flask thing.

Starting the integration, error in the HA logs: 'Unable to load custom SSL certificate from /config/tesla_http_proxy/selfsigned.pem'. The file exists:

pi@RPi4ServerONE:/config/tesla_http_proxy $ ls -l
total 4
-rw-r--r-- 1 root root 830 May 3 17:24 selfsigned.pem

and the tesla_nginx.conf:

server {
    listen 80;
    listen [::]:80;
    server_name tesla.domain.com; # Change to match your own FQDN
    root /config/nginx/htdocs;

    # static public key for Tesla
    location /.well-known/appspecific/ {
        try_files /com.tesla.3p.public-key.pem =404;
    }

    # temporary Flask app for initial auth
    location / {
        proxy_pass http://192.168.2.20:8099; # Change to hostname or IP of your Docker host
    }
}

The last lines from the tesla_http_proxy container:

Do not listen on a network interface without adding client authentication. Unauthorized clients may be used to create excessive traffic from your IP address to Tesla's servers, which Tesla may respond to by rate limiting or blocking your connections.
2024-05-03T15:42:46Z [debug] Creating proxy
2024-05-03T15:42:46Z [info ] Listening on 0.0.0.0:443

Seems there is a blocking somewhere....

iainbullock commented 5 months ago

Are there no further messages in the proxy logs?

Try connecting to the proxy from the docker host using curl and report what (if any) response you get and proxy logs:

cd /var/lib/docker/volumes/tesla_http_proxy/_data

export TESLA_AUTH_TOKEN=`cat access_token`

ping -c 1 RPi4ServerONE

curl --cacert cert.pem --header "Authorization: Bearer $TESLA_AUTH_TOKEN" "https://RPi4ServerONE:4430/api/1/vehicles"

The access token is likely expired by now but never mind we are only trying to make a connection to the proxy at this stage

If you are prepared to share your FQDN for the proxy it would also help, as the nginx setup is often the cause of various issues. I don't see a security issue in doing this, as it is used by tesla to access your public key. The private key is the one you need to keep private! Mine is at https://tesla.geekleader.co.uk/.well-known/appspecific/com.tesla.3p.public-key.pem

feu77 commented 5 months ago

That's what I get:

BTW my FQDN is https://tesla.vectorsigma.cc

pi@RPi4ServerONE:~/docker-apps $ sudo su
root@RPi4ServerONE:/home/pi/docker-apps# cd /var/lib/docker/volumes/tesla_http_proxy/_data
root@RPi4ServerONE:/var/lib/docker/volumes/tesla_http_proxy/_data# export TESLA_AUTH_TOKEN='cat access_token'
root@RPi4ServerONE:/var/lib/docker/volumes/tesla_http_proxy/_data# ping -c 1 RPi4ServerONE
PING RPi4ServerONE (127.0.1.1) 56(84) bytes of data.
64 bytes from RPi4ServerONE (127.0.1.1): icmp_seq=1 ttl=64 time=0.097 ms

--- RPi4ServerONE ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.097/0.097/0.097/0.000 ms
root@RPi4ServerONE:/var/lib/docker/volumes/tesla_http_proxy/_data# curl --cacert cert.pem --header "Authorization: Bearer $TESLA_AUTH_TOKEN" "https://RPi4ServerONE:4430/api/1/vehicles"
curl: (60) SSL: certificate subject name 'RPi4ServerONE.local' does not match target host name 'RPi4ServerONE'
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not establish a secure connection to it. To learn more about this situation and how to fix it, please visit the web page mentioned above.

feu77 commented 5 months ago

Q: Do I need to write 'rpi4serverone.local' or without suffix .local? I always used without .local

iainbullock commented 5 months ago

Let's check out your config.sh to answer that:

cat /var/lib/docker/volumes/tesla_http_proxy/_data/config.sh
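The curl error above (certificate issued for 'RPi4ServerONE.local', URL uses 'RPi4ServerONE') and the proxy-URL advice earlier in the thread come down to three things agreeing: the URL Home Assistant is given, PROXY_HOST in config.sh, and the names in the proxy's self-signed certificate. The following script is an added example (not code from tesla-http-proxy-docker or from this thread) that parses a config.sh, reports missing or malformed settings, and checks a proxy URL against the certificate names. The config.sh text and the certificate names are constructed; the set of required keys is an assumption, since the project's run.sh may check a different set, and the certificate names would in practice be read with `openssl x509 -in cert.pem -noout -ext subjectAltName`.

```python
"""Cross-check the proxy URL against PROXY_HOST in config.sh and the certificate names.

Added example, not part of tesla-http-proxy-docker. Assumptions: config.sh is a flat
KEY='value' shell file like the one posted in this thread; REQUIRED_KEYS is a guess at
what the container needs; certificate names are supplied by the caller.
"""
import re
from urllib.parse import urlsplit

# Constructed config.sh in the shape shown in this thread (placeholder values).
SAMPLE_CONFIG_SH = """\
CLIENT_ID='xxxxxxxx'
CLIENT_SECRET='ta-xxxxxxxx'
DOMAIN='tesla.example.com' # Public FQDN
PROXY_HOST='rpi4serverone.local' # Local hostname (not IP) of this docker host
REGION='Europe' # Change to match your region
OPTIONS_COMPLETE=1
"""

# Assumed set of keys the container needs; adjust to what run.sh actually checks.
REQUIRED_KEYS = ("CLIENT_ID", "CLIENT_SECRET", "DOMAIN", "PROXY_HOST", "REGION")

_ASSIGN = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)=(.*)$")


def parse_config_sh(text):
    """Parse KEY=value lines; strips a matching quote pair or a trailing # comment.

    Raises ValueError on an unterminated quote (the defect in the PROXY_HOST line of
    the docker-compose posted further down this thread).
    """
    values = {}
    for line in text.splitlines():
        m = _ASSIGN.match(line)
        if not m:
            continue
        key, raw = m.group(1), m.group(2).strip()
        if raw[:1] in ("'", '"'):
            end = raw.find(raw[0], 1)
            if end == -1:
                raise ValueError(f"unterminated quote: {line.strip()!r}")
            values[key] = raw[1:end]
        else:
            values[key] = raw.split("#", 1)[0].strip()
    return values


def validate_config_sh(text):
    """Return a list of problems with config.sh; an empty list means it looks complete."""
    if not text.strip():
        return ["config.sh is empty"]
    try:
        cfg = parse_config_sh(text)
    except ValueError as exc:
        return [str(exc)]
    problems = [f"{k} not set" for k in REQUIRED_KEYS if not cfg.get(k)]
    if cfg.get("OPTIONS_COMPLETE") != "1":
        problems.append("OPTIONS_COMPLETE is not 1")
    return problems


def hostname_matches(hostname, cert_names):
    """RFC 6125 style comparison: case-insensitive, one leading '*.' wildcard label."""
    host = hostname.rstrip(".").lower()
    for name in cert_names:
        pattern = name.rstrip(".").lower()
        if pattern == host:
            return True
        if (pattern.startswith("*.") and host.endswith(pattern[1:])
                and host.count(".") == pattern.count(".")):
            return True
    return False


def check_proxy_url(proxy_url, config, cert_names):
    """Findings for the URL entered in Home Assistant; an empty list means it should connect."""
    findings = []
    parts = urlsplit(proxy_url)
    host = parts.hostname or ""
    if parts.scheme != "https":
        findings.append(f"scheme is {parts.scheme!r}; the proxy listens with TLS only")
    if parts.port is None:
        findings.append("no port given; use the host port mapped to the container's 443")
    proxy_host = config.get("PROXY_HOST", "")
    if not proxy_host:
        findings.append("PROXY_HOST is not set in config.sh")
    elif host.lower() != proxy_host.lower():
        findings.append(f"URL host {host!r} differs from PROXY_HOST {proxy_host!r}")
    if not hostname_matches(host, cert_names):
        findings.append(f"certificate names {list(cert_names)} do not cover {host!r} (curl error 60)")
    return findings


if __name__ == "__main__":
    cfg = parse_config_sh(SAMPLE_CONFIG_SH)
    # Certificate name constructed to mirror the mismatch shown in this thread.
    for url in ("https://rpi4serverone.local:4430", "https://RPi4ServerONE:4430"):
        print(url, check_proxy_url(url, cfg, ["RPi4ServerONE.local"]) or "OK")
```

`validate_config_sh` also answers the "config.sh is empty" case from this thread and the "Configuration options not set" startup message from the other report, while `check_proxy_url` reproduces the curl mismatch for the short hostname and passes once the `.local` name is used.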

feu77 commented 5 months ago

config.sh is empty

iainbullock commented 5 months ago

Interesting. It looks as though it had something in it when you sent this screenshot:

[image]

feu77 commented 5 months ago
[Screenshot 2024-05-04 at 15:47:31]

I didn't alter it...

feu77 commented 5 months ago
[Screenshot 2024-05-04 at 15:51:24]

Is that this step? I

iainbullock commented 5 months ago

[Screenshot 2024-05-04 at 15:47:31] I didn't alter it...

In this image config.sh is zero bytes, in the previous one it's 414 bytes

iainbullock commented 5 months ago
> (screenshot: Bildschirmfoto 2024-05-04 um 15 51 24)
>
> Is that this step? I

I'll have to study the blog, I didn't write it!

iainbullock commented 5 months ago

> That's what I get:
>
> BTW my FQDN is https://tesla.vectorsigma.cc
>
> ```
> pi@RPi4ServerONE:~/docker-apps $ sudo su
> root@RPi4ServerONE:/home/pi/docker-apps# cd /var/lib/docker/volumes/tesla_http_proxy/_data
> root@RPi4ServerONE:/var/lib/docker/volumes/tesla_http_proxy/_data# export TESLA_AUTH_TOKEN='cat access_token'
> root@RPi4ServerONE:/var/lib/docker/volumes/tesla_http_proxy/_data# ping -c 1 RPi4ServerONE
> PING RPi4ServerONE (127.0.1.1) 56(84) bytes of data.
> 64 bytes from RPi4ServerONE (127.0.1.1): icmp_seq=1 ttl=64 time=0.097 ms
>
> --- RPi4ServerONE ping statistics ---
> 1 packets transmitted, 1 received, 0% packet loss, time 0ms
> rtt min/avg/max/mdev = 0.097/0.097/0.097/0.000 ms
> root@RPi4ServerONE:/var/lib/docker/volumes/tesla_http_proxy/_data# curl --cacert cert.pem --header "Authorization: Bearer $TESLA_AUTH_TOKEN" "https://RPi4ServerONE:4430/api/1/vehicles"
> curl: (60) SSL: certificate subject name 'RPi4ServerONE.local' does not match target host name 'RPi4ServerONE'
> More details here: https://curl.se/docs/sslcerts.html
>
> curl failed to verify the legitimacy of the server and therefore could not establish a secure connection to it. To learn more about this situation and how to fix it, please visit the web page mentioned above.
> ```

I can download a public key from https://tesla.vectorsigma.cc/.well-known/appspecific/com.tesla.3p.public-key.pem so that part is working

iainbullock commented 5 months ago

OK I read the blog in more detail around the section you mentioned above @tux43 has done a great job here.

Your config.sh must have got wiped somehow. Please recreate it and paste it here. Could you also paste your docker-compose.yml.

As I said before your public key is accessible so that's good - that is what doesn't work for most people. I think you are nearly there, just need to sort out your selfsigned.pem

feu77 commented 5 months ago

```sh
#!/bin/ash

# Enter values for your particular configuration here

CLIENT_ID='xxxxxxxxxxx'
CLIENT_SECRET='ta-secret.xxxxxxxxxxxxx'
DOMAIN='tesla.vectorsigma.cc' # Public FQDN
PROXY_HOST='RPi4ServerONE' # Local hostname (not IP) of this docker host
REGION='Europe, Middle East, Africa' # Change to match your region

# Change this to OPTIONS_COMPLETE=1 when ready to run

OPTIONS_COMPLETE=1
```

feu77 commented 5 months ago
```yaml
version: '3'

volumes:
  tesla_http_proxy:
    external: true

services:
  tesla_http_proxy:
    container_name: tesla_http_proxy
    image: "iainbullock/tesla_http_proxy:latest"

    environment:
      - TZ='Europe/Berlin'
      - CLIENT_ID='xxxxxxx'
      - CLIENT_SECRET='ta-secret.xxxxxxxxx'
      - DOMAIN='tesla.vectorsigma.cc' # Public FQDN
      - PROXY_HOST='rpiserverone.local' # Local hostname (not IP) of this docker host
      - REGION='Europe, Middle East, Africa' # Change to match your region

    stdin_open: true
    tty: true

    entrypoint: "/app/run.sh"
    working_dir: /app

    volumes:
      - tesla_http_proxy:/data
      # Webserver root for the $DOMAIN virtual server. Change the path according to your webserver setup. Path must exist or this container won't start
      - type: bind
        source: /config/nginx/htdocs # Refer to step 2.1
        target: /share/nginx #Do not modify
      # Path to tesla_http_proxy directory inside /config on Home Assistant instance. Change according to your HA setup. Path must exist or this container won't start
      - type: bind
        source: /config/tesla_http_proxy #Refer to step 5.1
        target: /share/home-assistant #Do not modify
      - /data/config.sh:/data/config.sh

    network_mode: bridge
    ports:
      - 4430:443
      - 8099:8099
```

iainbullock commented 5 months ago

Can you make PROXY_HOST the same in both docker-compose.yml and config.sh. I suggest you use RPi4ServerONE as when you pinged it before it resolved ok.

Then:

- delete everything except config.sh in /var/lib/docker/volumes/tesla_http_proxy/_data
- delete the private key from your car
- restart the container
- repeat section 6 from the blog

Test using curl from the host:

```
cd /var/lib/docker/volumes/tesla_http_proxy/_data
export TESLA_AUTH_TOKEN='cat access_token'
curl --cacert cert.pem --header "Authorization: Bearer $TESLA_AUTH_TOKEN" "https://rpi4serverone:4430/api/1/vehicles"
```

If this works proceed with section 7 of the blog

I probably can't respond now until tomorrow. Good luck

feu77 commented 5 months ago

I'm sure the proxy host was rpi4serverone in both, but after it didn't work I was playing around and forgot to delete it in docker-compose...

So I do what you told me:

```
root@RPi4ServerONE:/var/lib/docker/volumes/tesla_http_proxy/_data# export TESLA_AUTH_TOKEN='cat access_token'
root@RPi4ServerONE:/var/lib/docker/volumes/tesla_http_proxy/_data# curl --cacert cert.pem --header "Authorization: Bearer $TESLA_AUTH_TOKEN" "https://rpi4serverone:4430/api/1/vehicles"
curl: (60) SSL: certificate subject name 'RPi4ServerONE.local' does not match target host name 'rpi4serverone'
More details here: https://curl.se/docs/sslcerts.html
```

I don't know where this rpi4serverone.local comes from. I checked docker-compose and config.sh...

iainbullock commented 5 months ago

I wouldn't have expected the .local to be on the end if you had started again with PROXY_HOST set to RPi4ServerONE

Please try this on the host:

```
cd /var/lib/docker/volumes/tesla_http_proxy/_data
ls -al
openssl x509 -noout -text -in cert.pem
```

feu77 commented 5 months ago
```
root@RPi4ServerONE:/var/lib/docker/volumes/tesla_http_proxy/_data#  ls -al
total 24
drwxr-xr-x 4 root root 4096 May  4 19:05 .
drwx-----x 3 root root 4096 May  4 19:05 ..
-rw-r--r-- 1 root root  834 May  4 19:05 cert.pem
-rwxr-xr-x 1 root root    0 May  4 19:05 config.sh
drwx------ 4 root root 4096 May  4 19:05 gnugpg
-rw------- 1 root root  384 May  4 19:05 key.pem
drwx------ 2 root root 4096 May  4 19:05 password-store
root@RPi4ServerONE:/var/lib/docker/volumes/tesla_http_proxy/_data#  openssl x509 -noout -text -in cert.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            51:38:76:2a:e2:69:8b:21:16:c3:1b:46:db:9b:ce:97:4e:8b:44:39
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: CN = RPi4ServerONE.local
        Validity
            Not Before: May  4 17:05:25 2024 GMT
            Not After : May  2 17:05:25 2034 GMT
        Subject: CN = RPi4ServerONE.local
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (521 bit)
                pub:
                    04:01:04:53:91:7b:60:05:16:81:fa:f4:80:e9:21:
                    81:50:7f:4d:49:cf:10:43:a8:c1:5b:fc:2a:ce:74:
                    bf:f5:84:03:84:42:fb:58:d4:16:45:c0:48:60:81:
                    5c:74:2a:8e:7a:83:d5:a6:40:e2:09:be:89:1b:be:
                    04:dd:a7:e1:6d:37:5a:00:f6:06:ec:99:ee:00:38:
                    13:7d:d4:95:e4:ea:60:ce:57:72:f2:c4:ad:57:00:
                    85:48:14:43:c4:3d:44:dd:41:a9:58:79:b8:a3:16:
                    63:bb:84:1f:75:10:55:f6:b9:85:c4:9f:1d:dd:93:
                    0f:8e:8a:81:48:4c:f5:23:6f:b0:73:2d:21
                ASN1 OID: secp521r1
                NIST CURVE: P-521
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                AE:BF:DB:6C:33:D3:3F:60:BC:BB:96:61:C8:35:38:98:69:21:45:EA
            X509v3 Authority Key Identifier: 
                keyid:AE:BF:DB:6C:33:D3:3F:60:BC:BB:96:61:C8:35:38:98:69:21:45:EA

            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication
            X509v3 Key Usage: 
                Digital Signature, Key Agreement, Certificate Sign
    Signature Algorithm: ecdsa-with-SHA256
         30:81:87:02:41:6d:fc:d1:cd:71:4c:b1:db:9f:29:6a:1d:d7:
         4e:2e:7a:83:5d:65:06:5a:b7:a4:50:b0:c2:b2:4e:3f:da:5a:
         a5:b1:23:4b:4a:19:ac:1c:ff:40:05:33:cc:9f:cc:ae:39:84:
         38:b4:b5:92:9c:cc:cf:1f:8f:e7:f5:10:a2:58:59:51:02:42:
         01:95:a0:70:d5:82:82:e9:e4:93:b1:db:54:31:f4:ba:a6:0d:
         f9:a7:4b:d2:a3:aa:13:a4:7b:97:a2:5c:5e:8f:ae:7c:d5:ff:
         9c:02:3a:5c:5a:2c:fc:5c:ae:67:4d:c0:e1:05:be:78:be:39:
         67:84:e2:36:2f:af:cd:ef:73:f4:2a:f9
root@RPi4ServerONE:/var/lib/docker/volumes/tesla_http_proxy/_data#
```
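The certificate dump above explains curl's error (60): the self-signed cert carries only a Subject CN of `RPi4ServerONE.local` and no Subject Alternative Name extension, so a client connecting to `https://RPi4ServerONE:4430` has nothing that matches the host it was asked for. The following script is an added diagnostic example, not code from this repository or from either commenter. It parses the `openssl x509 -noout -text` output (the excerpt from the thread is embedded, plus a constructed variant with a SAN extension that is not from the page) and applies the RFC 6125 name-matching rules a TLS client uses: SAN DNS entries are authoritative when present, the CN is only a fallback, comparison is case-insensitive, and a wildcard is honoured only as the whole leftmost label. The function and constant names are this example's own.

```python
import ipaddress
import re

# Excerpt of the `openssl x509 -noout -text` output posted in the thread: CN only, no SAN extension.
CERT_TEXT_NO_SAN = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Issuer: CN = RPi4ServerONE.local
        Subject: CN = RPi4ServerONE.local
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication
"""

# Constructed (not from the thread): the same certificate with a SAN extension that covers
# the bare host name, the .local form and the loopback address the ping resolved to.
CERT_TEXT_WITH_SAN = """\
Certificate:
    Data:
        Subject: CN = RPi4ServerONE.local
        X509v3 extensions:
            X509v3 Subject Alternative Name: 
                DNS:RPi4ServerONE, DNS:RPi4ServerONE.local, IP Address:127.0.1.1
"""


def parse_cert_names(cert_text):
    """Pull (subject CN, SAN DNS names, SAN IP addresses) out of openssl's -text output."""
    cn = None
    m = re.search(r"^\s*Subject:.*?CN\s*=\s*([^,\n]+)", cert_text, re.M)
    if m:
        cn = m.group(1).strip()
    dns_names, ip_names = [], []
    m = re.search(r"X509v3 Subject Alternative Name:.*?\n\s*(.+)", cert_text)
    if m:
        for entry in m.group(1).split(","):
            entry = entry.strip()
            if entry.startswith("DNS:"):
                dns_names.append(entry[len("DNS:"):])
            elif entry.startswith("IP Address:"):
                ip_names.append(entry[len("IP Address:"):])
    return cn, dns_names, ip_names


def dns_name_matches(pattern, host):
    """RFC 6125 comparison: case-insensitive; '*' only as the entire leftmost label, never matching a dot."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert_text, host):
    """Reproduce the client-side decision behind curl's 'subject name does not match target host name'."""
    cn, dns_names, ip_names = parse_cert_names(cert_text)
    try:
        target_ip = ipaddress.ip_address(host)
    except ValueError:
        target_ip = None
    if target_ip is not None:
        if ip_names:
            return any(ipaddress.ip_address(ip) == target_ip for ip in ip_names)
    elif dns_names:
        # SAN DNS entries present: they are authoritative and the CN is not consulted.
        return any(dns_name_matches(name, host) for name in dns_names)
    # Legacy fallback: no SAN entry of the target's type, so compare against the CN.
    return cn is not None and dns_name_matches(cn, host)


if __name__ == "__main__":
    for label, cert in (("thread cert (CN only)", CERT_TEXT_NO_SAN), ("constructed cert with SAN", CERT_TEXT_WITH_SAN)):
        for target in ("RPi4ServerONE", "rpi4serverone.local", "127.0.1.1"):
            verdict = "match" if hostname_matches(cert, target) else "MISMATCH"
            print(f"{label}: target {target!r}: {verdict}")
```

Run against the thread's certificate, only `rpi4serverone.local` (any letter case) matches; the bare `RPi4ServerONE` that curl was given does not, which is exactly the error feu77 sees. The constructed variant shows what a regenerated self-signed certificate needs so that both spellings of PROXY_HOST work: SAN entries for each name the clients will actually use. Most modern clients ignore the CN entirely once a SAN is present, so a CN-only certificate is also a latent failure even when the CN happens to match.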