llamafilm / tesla-http-proxy-addon

Tesla HTTP Proxy Add-on for Home Assistant
Apache License 2.0

ERROR: Fix public key before proceeding. #56

Open teslamine opened 6 months ago

teslamine commented 6 months ago

Describe the bug: I followed all the steps through the Home Assistant add-ons but I run into this issue that I cannot get past:

[09:29:33] ERROR: Fix public key before proceeding.

Environment (please complete the following information):

    [09:29:32] INFO: Testing public key...
    HTTP/2 404
    server: nginx
    date: Thu, 21 Mar 2024 16:29:33 GMT
    content-type: text/plain; charset=utf-8
    content-length: 14
    referrer-policy: no-referrer
    x-content-type-options: nosniff
    x-frame-options: SAMEORIGIN
    strict-transport-security: max-age=31536000; includeSubDomains

    [09:29:33] ERROR: Fix public key before proceeding.
    s6-rc: info: service legacy-services: stopping
    s6-rc: info: service legacy-services successfully stopped
    s6-rc: info: service legacy-cont-init: stopping
    s6-rc: info: service legacy-cont-init successfully stopped
    s6-rc: info: service fix-attrs: stopping
    s6-rc: info: service fix-attrs successfully stopped
    s6-rc: info: service s6rc-oneshot-runner: stopping
    s6-rc: info: service s6rc-oneshot-runner successfully stopped

llamafilm commented 6 months ago
  1. “Latest” is not a valid version number
  2. Your issue is likely related to TLS or DNS and you have not provided your domain name
  3. You have not provided the addon version
  4. Please elaborate on the “VM UTM” setup. I’ve only tested on HAOS.

teslamine commented 6 months ago

Apologies.. here's the rest of the info.

My HA install seems to be accessible through the domain below... however the public key file points to a 404.

  1. 1.3.6
  2. alberttesla.duckdns.org
  3. HAOS using UTM on an M1 Mac

llamafilm commented 6 months ago

It looks like something is wrong with your nginx config. You need 2 different domains, one for HA and the other for this addon, so that nginx can route them appropriately. So for example, your public key could be at https://alberttesla.duckdns.org/.well-known/appspecific/com.tesla.3p.public-key.pem and your Home Assistant could be at https://alberthome.duckdns.org/. The second one is optional actually, you don't have to expose HA to the world.

IanK6449 commented 6 months ago

So, I am still struggling hugely with this and have the same error. My main questions are:

  1. Do I need to define both the required domains in DuckDNS?
  2. If so, do I also need to add these domains to my DuckDNS addon in Home Assistant?
  3. In the NGINX addon, which domain do I use, the Home one or the Tesla one?
  4. In the Tesla HTTP Proxy addon, which domain do I use? Presumably the Tesla domain?
  5. In my router, which ports do I need to forward from and to?

I appreciate any and all assistance as I have spent about a day trying to set this up so far and just cannot get it to work sorry.

llamafilm commented 6 months ago

In the latest version, I’ve simplified the config so you only need one domain. Read the updated DOCS.md, I hope that helps.

IanK6449 commented 6 months ago

Thanks for your help. I'll try that but I'm 90% sure I tried it with a single domain and it failed. I'll try again and, if it fails again, I'll wait a few more versions then try again.

flogitgeek commented 6 months ago

I have uninstalled the tesla_custom component, uninstalled the Tesla HTTP Proxy add-on and started all over, but I also keep getting an error about fixing my public key.

I am not sure what I am doing wrong. My NGINX config is pretty basic and has been running for years. Please let me know what I can do to share. I run Home Assistant 2024.3.3.

    Home Assistant version: 2024.3.3
    Home Assistant install method: HAOS on RPi
    Addon version: 2.1.1
    Region: Europe but tried North America
    Your public domain name: myporto.duckdns.org

Thank you so much for the help and this tool!

tnolf commented 6 months ago

Thanks a lot Elliott for working on getting Tesla commands to work again on HA. It’s much appreciated and a lot of people like me were waiting hard for it.

After going through the steps with DuckDNS and nginx and my public key not being accessible, I think my problem lies in Starlink and the fact it is CGNAT. I am using Nabu Casa and understand it opens a tunnel to my HA instance and wonder if this could not be utilized to receive the communication from Tesla on executing commands? I tried using my Nabu Casa domain and can access the key in the browser, but when I use the URL in the addon it fails with 404 and the above error to fix the public key. Am I wrong in my assumption this should work, and are there any other workarounds that come to mind?

Again, thanks a lot for your work!

llamafilm commented 6 months ago

I’ve never used Nabu Casa. From my limited reading of their FAQ, it sounds like it’s meant to allow access only to HA core and the Web UI of its add-ons using the “ingress” feature. Therefore you should be able to see the Web UI for this add-on, but I don’t think it will work for the public key.

I imagine this would be impossible to use with CGNAT. Does Starlink give you an IPv6 address? If so, it might be possible to get it working that way, but I haven’t tried it.

baylanger commented 6 months ago

> After going through the steps with DuckDNS and nginx and my public key not being accessible, I think my problem lies in Starlink and the fact it is CGNAT. I am using Nabu Casa ...

I thought others in a Discussion reported being able to use a Cloudflare tunnel for the tesla.example.com FQDN in parallel with NC. If that doesn't work, why not just drop NC and go with Cloudflare? Anyone in the world that can find the NC FQDN assigned to your HA instance can reach your server. Cloudflare allows you to add some protection using IP address, ASN #, countries, etc. The Cloudflare HA add-on should be able to expose both your HA instance and the tesla.example.com regardless of whether you're behind CGNAT or not.

There's a good post here that compares NC, Cloudflare etc. https://www.reddit.com/r/homeassistant/comments/x94bmk/comment/inqpgml/

HA CF add-on community thread: https://community.home-assistant.io/t/new-add-on-cloudflared/361637

[edit] added CF add-on HA community post.

cnn888 commented 6 months ago

If I used Cloudflare, can I use the SSL certificate from it or do I still have to get it via Let's Encrypt?

If my ha domain is ha.tedja.biz and my tesla domain is tesla.tedja.biz, do I have to make another tunnel in cloudflare for tesla.tedja.biz/callback pointing to same ip:8123?

Thank you.

baylanger commented 6 months ago

> If I used Cloudflare, can I use the SSL certificate from it or do I still have to get it via Let's Encrypt?

You can probably use Cloudflare’s Origin CA but I don’t know if there’s an HA add-on to automatically download and CF Origin CA. If there’s none, better stick with letsencrypt.

> If my ha domain is ha.tedja.biz and my tesla domain is tesla.tedja.biz, do I have to make another tunnel in cloudflare for tesla.tedja.biz/callback pointing to same ip:8123?

I don’t understand your question. Do you already have a Cloudflare tunnel that goes to your HA and you are asking if you need another tunnel specific for Tesla? If you go in the Wiki area, there’s one that was created hours ago that explains probably what you need. Stick with the current config in the Wiki unless you want to spend time trying something else.

cnn888 commented 6 months ago

> If I used Cloudflare, can I use the SSL certificate from it or do I still have to get it via Let's Encrypt?
>
> You can probably use Cloudflare’s Origin CA but I don’t know if there’s an HA add-on to automatically download and CF Origin CA. If there’s none, better stick with letsencrypt.
>
> If my ha domain is ha.tedja.biz and my tesla domain is tesla.tedja.biz, do I have to make another tunnel in cloudflare for tesla.tedja.biz/callback pointing to same ip:8123?
>
> I don’t understand your question. Do you already have a Cloudflare tunnel that goes to your HA and you are asking if you need another tunnel specific for Tesla? If you go in the Wiki area, there’s one that was created hours ago that explains probably what you need. Stick with the current config in the Wiki unless you want to spend time trying something else.

I am sorry for the confusion.

I mean I already have CF tunnel up and running for my HA at ha.tedja.biz and the Tesla at tesla.tedja.biz. I have manually copied the certs into the ssl folder. But the developer web needs the redirect url which is /callback. Do I need another public hostname set up in the CF tunnel pointing to same ip as my HA?

Anyway will have a read and try the other post as you mentioned. For sure I don't want to tinker around. I just want to have it up and running as before. 😊

InnoGreenTech commented 6 months ago

Hello,

I have the same problem with the public key. I use my own domain on OVH, domotic.innogreentech.fr, and Let's Encrypt to generate the certificate. It is validated by Tesla.

    s6-rc: info: service s6rc-oneshot-runner: starting
    s6-rc: info: service s6rc-oneshot-runner successfully started
    s6-rc: info: service fix-attrs: starting
    s6-rc: info: service fix-attrs successfully started
    s6-rc: info: service legacy-cont-init: starting
    s6-rc: info: service legacy-cont-init successfully started
    s6-rc: info: service webui: starting
    s6-rc: info: service webui successfully started
    s6-rc: info: service legacy-services: starting
    s6-rc: info: service legacy-services successfully started
    [16:44:15] webui:INFO: Starting Flask server for Web UI...
    [16:44:15] werkzeug:INFO: WARNING: This is a development server. Do not use it in a production deployment. Use a production WSGI server instead.

    [16:44:16] FATAL: Fix public key before proceeding.
    s6-rc: info: service legacy-services: stopping
    s6-rc: info: service legacy-services successfully stopped
    s6-rc: info: service webui: stopping
    s6-rc: info: service webui successfully stopped
    s6-rc: info: service legacy-cont-init: stopping
    s6-rc: info: service legacy-cont-init successfully stopped
    s6-rc: info: service fix-attrs: stopping
    s6-rc: info: service fix-attrs successfully stopped
    s6-rc: info: service s6rc-oneshot-runner: stopping
    s6-rc: info: service s6rc-oneshot-runner successfully stopped

InnoGreenTech commented 6 months ago

It's OK for me, I have added a domain specially for the Tesla proxy. Thanks for your work. Best regards

ryanjohnsontv commented 6 months ago

I forked this repo to serve the cert from the python server so no additional nginx config is needed. I have my reverse proxy set up outside of Home Assistant so this was the only way I could get it working: https://github.com/ryanjohnsontv/tesla-http-proxy-addon

ckvist72 commented 6 months ago

> It's OK for me, I have added a domain specially for the Tesla proxy. Thanks for your work. Best regards

How did you exactly solve it? I have tried, and think everything is OK. But I must have made a mistake. :-)

InnoGreenTech commented 6 months ago

> How did you exactly solve it? I have tried, and think everything is OK. But I must have made a mistake. :-)

I created two domains, one for the NGINX Home Assistant SSL proxy, another for the Tesla HTTP Proxy.

elektrinis commented 5 months ago

I have the issue as well. I'm using HAOS and a Cloudflare tunnel as I'm behind CGNAT.

Excerpt from log:

    [13:50:55] webui:INFO: Starting Flask server for Web UI...
    [13:50:55] werkzeug:INFO: WARNING: This is a development server. Do not use it in a production deployment. Use a production WSGI server instead.
     * Running on all addresses (0.0.0.0)
     * Running on http://127.0.0.1:8099
     * Running on http://172.30.33.4:8099
    [13:50:55] werkzeug:INFO: Press CTRL+C to quit
    [13:50:57] INFO: Found existing keypair
    [13:50:57] INFO: Testing public key...
    HTTP/2 404
    date: Tue, 16 Apr 2024 10:50:57 GMT
    content-type: text/plain; charset=utf-8
    content-length: 14
    referrer-policy: no-referrer
    x-content-type-options: nosniff
    x-frame-options: SAMEORIGIN
    cf-cache-status: DYNAMIC
    report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qDgLr6IUANfqO6BSLlW9FdYyL24CFo%2FbPaGMeZDNhBkAUn0Qzn1AW%2BK%2ByyZnDkAKi%2BmeqRMPm8W11CT21uZqbd8UBeUo31d4GMgReOFdzFGuPLjVjbf%2ACDtp6tW2bFVyfg%3D%3D"}],"group":"cf-nel","max_age":604800}
    nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    server: cloudflare
    cf-ray: 87539e0edfca1c36-FRA
    alt-svc: h3=":443"; ma=86400

    [13:50:57] FATAL: Fix public key before proceeding.

I have configured the domain to point to my internal HA IP and port 4430. What else should I do?

IanK6449 commented 5 months ago

I think you need to use port 443 rather than 4430. Port 443 works for me at least. Also, make sure your ISP isn't blocking inbound port 443 connections. That was the source of my issues for a couple of weeks until I finally worked out that was the problem. You may need to use a different network to your LAN to test this as an external machine trying to validate your public key will be attempting to connect from outside your LAN.

elektrinis commented 5 months ago

My ISP is blocking everything, that's why I'm using a Cloudflare tunnel. Changed port to 433 - no difference....

IanK6449 commented 5 months ago

Apologies, I forgot your opening sentence re cloudflare and port 4430. Not sure I can help sorry but it does sound like that port isn't available for an external connection. You've tried port checker to ensure it's open etc right?

zapccu commented 5 months ago

I added a hint to the Cloudflare documentation (see https://github.com/llamafilm/tesla-http-proxy-addon/wiki/Cloudflare-Argo-Tunnel). When you get that error "FATAL: Fix public key before proceeding", please check if your internet access router is using DNS rebind protection. If this is active, add the internal domain name of your Home Assistant instance (in the doc homeassistant-internal.example.com) as an exception to the DNS rebind protection configuration (rebinding must be allowed). Resolving this internal name from your Home Assistant network must work. Otherwise the public key cannot be retrieved. A simple check is:

    nslookup homeassistant-internal.example.com

=> Should return the internal IP of your Home Assistant instance.

Nakatomi2010 commented 5 months ago

I have a self-hosted NGINX server in front of my Home Assistant server.

To get this to work, I had to set my internal DNS tesla.example.com DNS entry to be the local Home Assistant IP, and the external tesla.example.com entry to my external IP.

I had to, briefly, change my port forwards away from the external NGINX box to the one built into Home Assistant so that I could add tesla.example.com as an extra thing for the certificate, but once that was done, I changed the port forwards back, and got it working as desired.

mrbrdo commented 5 months ago

I had the same error, but in my case the problem was that the /share/nginx_proxy/nginx_tesla.conf was not created. I had to manually create this file and copy the correct contents, only then it started to work.

zapccu commented 5 months ago

The error message means that the public key cannot be downloaded. This could be caused by a missing/wrong DNS entry, a missing/wrong nginx config, ... It must be possible to download the key with this URL from the local network:

    https://mydomain/.well-known/appspecific/com.tesla.3p.public-key.pem

If this doesn't work, Tesla integration won't work.
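Putting zapccu's two hints together (the nslookup check for the internal name, and the requirement that the key URL be downloadable from the local network), here is an added diagnostic script; it is not part of the add-on. The add-on's own "Testing public key..." step is a curl request, as the `curl: (22)` lines in the logs show; this script repeats that request in Python and names the failure instead of only printing the response headers. The domain, the key file location under /share/tesla and the injectable `resolver`/`fetcher` parameters (there so the logic can be exercised without network access) are this example's assumptions.

```python
"""Diagnose "Fix public key before proceeding" from the Home Assistant host.

Added example, not the add-on's code.  Steps mirror the add-on's check:
resolve the domain, GET the well-known key URL over HTTPS, compare the body
with the key file the add-on generated.
"""
import socket
import sys
import urllib.error
import urllib.request

# Path Tesla fetches the third-party public key from (as given in the thread).
KEY_PATH = "/.well-known/appspecific/com.tesla.3p.public-key.pem"


def resolve(host):
    """Resolve host with the system resolver, as the add-on container would."""
    return socket.gethostbyname(host)


def fetch(url, timeout=10.0):
    """GET url and return (status, body); HTTP error statuses are returned, not raised."""
    req = urllib.request.Request(url, headers={"User-Agent": "public-key-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def check_public_key(domain, local_pem, resolver=resolve, fetcher=fetch):
    """Return (verdict, detail).

    verdict is one of: dns, connect, not_found, bad_gateway, http_error,
    mismatch, ok.  resolver and fetcher are parameters (an assumption of this
    example) so the classification can be tested with canned answers.
    """
    try:
        ip = resolver(domain)
    except OSError as err:
        # No answer for the name.  On a home router this is the classic
        # symptom of DNS rebind protection dropping a reply that points at a
        # private address; the fix is an exception for this name.
        return "dns", f"{domain} does not resolve: {err}"

    url = f"https://{domain}{KEY_PATH}"
    try:
        status, body = fetcher(url)
    except OSError as err:  # refused, timed out, TLS handshake failed
        return "connect", f"{url} ({ip}): {err}"

    if status == 404:
        # A web server answered, but not a vhost that serves the key:
        # wrong server_name, missing nginx_tesla.conf, or wrong port.
        return "not_found", f"{url} answered 404 via {ip}"
    if status == 502:
        # A proxy or tunnel answered but could not reach its own origin.
        return "bad_gateway", f"{url} answered 502 via {ip}"
    if status != 200:
        return "http_error", f"{url} answered {status} via {ip}"

    if body.strip() != local_pem.strip():
        # Reachable, but a different key than the add-on generated is served.
        return "mismatch", f"{url} serves a key that differs from the local file"
    return "ok", f"{url} serves the expected key via {ip}"


def main(argv):
    if len(argv) != 3:
        print(f"usage: {argv[0]} DOMAIN /share/tesla/com.tesla.3p.public-key.pem")
        return 2
    domain, key_file = argv[1], argv[2]
    with open(key_file, "rb") as fh:
        local_pem = fh.read()
    verdict, detail = check_public_key(domain, local_pem)
    print(f"{verdict}: {detail}")
    return 0 if verdict == "ok" else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it from a machine on the same LAN as Home Assistant (the add-on performs its check from inside the network, so that is the vantage point that matters), e.g. `python3 check_key.py tesla.example.com /share/tesla/com.tesla.3p.public-key.pem`; a `dns` verdict points at the resolver or rebind protection, `not_found` at the nginx vhost, and `bad_gateway` at a tunnel whose origin is unreachable.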

JHPembs commented 4 months ago

@InnoGreenTech can you expand on the below on what you did. You created another domain but where did you configure them. I have the same issue and haven't been able to resolve for over 24 hours.. thanks

> How did you exactly solve it? I have tried, and think everything is OK. But I must have made a mistake. :-)
>
> I created two domains, one for the NGINX Home Assistant SSL proxy, another for the Tesla HTTP Proxy.

JHPembs commented 4 months ago

What I have done: DNS set up with DuckDNS - working. Router ports forward 443, 8123 and checked with "can you see me". I have the proxy set up and configured. I can log in to Tesla from the proxy and get the 404 callback (docs say expected so all good).

The proxy config page I have under network: 443 and 443/tcp

However, the proxy just stops with the error as per this discussion: FATAL: Fix public key before proceeding.

I am completely stuck now ;-( Any help would be gratefully received!! Thank you

Log:

    [14:13:40] webui:INFO: Starting Flask server for Web UI...
    [14:13:40] werkzeug:INFO: WARNING: This is a development server. Do not use it in a production deployment. Use a production WSGI server instead.

    [14:13:45] FATAL: Fix public key before proceeding.
    s6-rc: info: service legacy-services: stopping
    s6-rc: info: service legacy-services successfully stopped
    s6-rc: info: service webui: stopping
    s6-rc: info: service webui successfully stopped
    s6-rc: info: service legacy-cont-init: stopping
    s6-rc: info: service legacy-cont-init successfully stopped
    s6-rc: info: service fix-attrs: stopping
    s6-rc: info: service fix-attrs successfully stopped
    s6-rc: info: service s6rc-oneshot-runner: stopping
    s6-rc: info: service s6rc-oneshot-runner successfully stopped

IanK6449 commented 4 months ago

Is your server on port 443 definitely accessible externally? I ran into that problem and it was due to my ISP blocking inbound port 443. Once they unblocked it for me everything worked as expected.

JHPembs commented 4 months ago

> Is your server on port 443 definitely accessible externally? I ran into that problem and it was due to my ISP blocking inbound port 443. Once they unblocked it for me everything worked as expected.

Thanks for the response. I can access homeassistant via the duckdns externally on port 443 so that should be good.

I have a few questions: Looking in Home Assistant I can't find any nginx config files, only the main configuration.yaml. I am wondering if the Tesla proxy add-on has not installed a file or just that I'm looking in the wrong place; do you have any nginx entries/files installed?

Do I also need to open port 8099? I can't see any reference to this in the docs, yet in the log there are references to it below, but no domain, just IPs. In earlier comments people reference needing 2 domains but later it says only 1 is needed.. the more I try to get it working the more lost I feel lol

    Running on all addresses (0.0.0.0)
    Running on http://127.0.0.1:8099/
    Running on http://172.30.33.3:8099/

On the configuration tab of the Tesla proxy it references port 4430; does that need to be opened?

Thanks

Boogmeister commented 4 months ago

Just do exactly what the guides say to do.

And it will just work.

Don't skip steps. Delete everything and start from scratch.

mrbrdo commented 4 months ago

> I had the same error, but in my case the problem was that the /share/nginx_proxy/nginx_tesla.conf was not created. I had to manually create this file and copy the correct contents, only then it started to work.

@JHPembs @Boogmeister as I said above, in my case the nginx config was not created. So it can happen. The file is in the share folder (accessible outside the container) so you should see it if it's there. For reference, here are the contents of the file:

    server {
        server_name YOUR_DOMAIN;

        ssl_certificate /ssl/fullchain.pem;
        ssl_certificate_key /ssl/privkey.pem;

        # dhparams file
        ssl_dhparam /data/dhparams.pem;

        listen 443 ssl http2;
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

        location / {
            return 404;
        }

        # static public key for Tesla
        location /.well-known/appspecific/com.tesla.3p.public-key.pem {
            root /share/tesla;
            try_files /com.tesla.3p.public-key.pem =404;
        }

        location = /favicon.ico {
            log_not_found off;
        }

        location = /robots.txt {
            log_not_found off;
        }
    }

ballonchef commented 2 months ago

I use Cloudflare and followed the instructions. I still struggle to access homeassisant-internal.myfdqn.com. nslookup homeassistant-internal.example.com does not work.

I receive the following error in the Cloudflare add-on:

    2024-08-05T16:28:23Z ERR error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: dial tcp: lookup homeassistant-internal.myfdqn.com on 127.0.0.11:53: no such host" connIndex=0 event=1 ingressRule=1 originService=https://homeassistant-internal.myfdqn.com
    2024-08-05T16:28:23Z ERR Request failed error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: dial tcp: lookup homeassistant-internal.myfdqn.com on 127.0.0.11:53: no such host" connIndex=0 dest=https://tesla.myfdqn.com/.well-known/appspecific/com.tesla.3p.public-key.pem event=0 ip=198.41.192.107 type=http

and Tesla HTTP Proxy states:

    HTTP/2 502
    curl: (22) The requested URL returned error: 502
    Warning: Problem : HTTP error. Will retry in 512 seconds. 5 retries left.
    date: Mon, 05 Aug 2024 16:28:23 GMT
    content-type: text/plain; charset=UTF-8
    content-length: 15
    report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=*code deleted*"}],"group":"cf-nel","max_age":604800}
    nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    x-frame-options: SAMEORIGIN
    referrer-policy: same-origin
    cache-control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    expires: Thu, 01 Jan 1970 00:00:01 GMT
    server: cloudflare
    cf-ray: 8ae828f95f6c2c1c-FRA
    alt-svc: h3=":443"; ma=86400

The NGINX Add-on does not bring up any error messages. Any ideas what my problem could be?

ballonchef commented 1 month ago

I finally made it! :) Using the description of GerbenPapo in https://github.com/llamafilm/tesla-http-proxy-addon/discussions/115#discussioncomment-10095447 I manually changed the Cloudflare tunnel to redirect to the public key directly. So, I don't need homeassistant-internal to work and the errors I had above do not appear anymore. Tesla access from HA works now.

JeandreRoux commented 1 month ago

> I finally made it! :) Using the description of GerbenPapo in https://github.com/llamafilm/tesla-http-proxy-addon/discussions/115#discussioncomment-10095447 I manually changed the Cloudflare tunnel to redirect to the public key directly. So, I don't need homeassistant-internal to work and the errors I had above do not appear anymore. Tesla access from HA works now.

I am having the exact same issue as you using the CloudFlare Tunnel. The links you posted for the solution don't work for me. What do you mean by redirecting the CloudFlare Tunnel to the public key directly?

Would really appreciate your help on this!

JeandreRoux commented 1 month ago

I found the comment you were referring to, trying to make it work now.