Tesla HTTP Proxy with Traefik

[Olen]

I just spent the better of two days getting this to work, and I'll just summarize my findings here.
Some of these might be added as PRs, some might just be FYIs and I hope someone finds them useful.

Access lists

First of all - you need to ensure there is IP access between the Tesla servers and your server.

• In Europe, Tesla currently uses AWS and the EU-WEST-1 region. In the US, I believe they use US-WEST-2. You can find a list of the IP-addresses for these regions here: https://ip-ranges.amazonaws.com/ip-ranges.json
• There is no reason to believe they will never change the regions or cloud provider, but these are what they currently use. These addresses need to be able to connect to your server to get the com.tesla.3p.public-key.pem file. You can probably limit the firewall opening to a subset of the addresses for now, but the nature of these kind of apps is that they can float around, so the tighter the policy, the more chance of something not working.
• You also need to open the firewall for https-traffic from Teslas own IP-addresses. Currently there are 3 ranges:
  • 199.120.32.0/20
  • 199.120.48.0/21
  • 199.120.56.0/23
• Again, these can probably change in the future, and you might not need to open for all of the ranges. YMMV.

In addition to this, Tesla also blocks access to/from certain providers. At least DigitalOcean is known to be blocked by Tesla. This means that you probably will not be able to host the Proxy at DO. It could be the same with other providers.

Tesla accounts

Make sure the account you use is set up as a primary account. If you use a different account, you need to be physically close to the car when you want to give yourself access as you must verify the connection with a key card. Using a primary account avoids this.

There is currently no way to remove an app from Teslas developer portal, so if you need to switch accounts, you probably also need to change the public domain name and use a different FQDN for the new account.

Troubleshooting

At least for me, the biggest problem (after I got my access lists sorted out) was the "Register Partner Account" step.

It helped a lot when I accessed the Docker container and added a few lines for more debugging:
After each

    if req.status_code >= 400:

I added a:

        logger.error(req.text)                                                 

So they end up as

    if req.status_code >= 400:                                                     
        logger.error("HTTP %s: %s", req.status_code, req.reason)                         
        logger.error(req.text)                                                 
        return redirect(f"/?error={req.status_code}", code=302)        

The req.text gives much more useful info about what is wrong than just the status_code
For instance, it will tell you if the problem is that Tesla is unable to access your certificate, or if the domain is already registered with another Tesla account etc.
I'm going to add a few PRs for this so it might get added as default.

Traefik

With Traefik, you can use the same domain for both the proxy host and the public address.

I used most of the docker-compose config as-is from this repo, but here are a few modifcations:

    environment:
      DOMAIN: 'tesla-proxy.mydomain.com' # Public FQDN 
      PROXY_HOST: 'tesla-proxy.mydomain.com' # Local hostname (not IP) of this docker host

(The same must be added to /data/config.sh)

    volumes:
      - /local/path/tesla_proxy/data:/data
      # Webserver root for the $DOMAIN virtual server. Change the path according to your webserver setup. Path must exist or this container won't start
      - type: bind
        source: /local/path/tesla_proxy/web
        target: /share/nginx
      # Path to tesla_http_proxy directory inside /config on Home Assistant instance. Change according to your HA setup. Path must exist or this container won't start
      - type: bind
        source: /local/path/tesla_proxy/ha-config
        target: /share/home-assistant

Since Traefik handles the SSL certificate and give you a real cert, there is not really any reason to care about the private cert in HA, but the config in HA requires a valid path, so you still need that last path.

The Traefik labels can be set as following:

    labels:
      (...)
      traefik.http.routers.TESLA_HTTP_PROXY.entrypoints: websecure
      traefik.http.routers.TESLA_HTTP_PROXY.tls.certresolver: myresolver
      traefik.http.routers.TESLA_HTTP_PROXY.rule: Host(`tesla-proxy.mydomain.com`)
      traefik.http.routers.TESLA_HTTP_PROXY.service: TESLA_HTTP_PROXY
      traefik.http.services.TESLA_HTTP_PROXY.loadbalancer.server.port: 8099

After the initial setup, all you need to do is remove the last line and add the following instead:

      traefik.http.services.TESLA_HTTP_PROXY.loadbalancer.server.port: 443
      traefik.http.services.TESLA_HTTP_PROXY.loadbalancer.server.scheme: https

For the NGINX-server to serve the single certificate file, I have the following:

  nginx_proxy_tesla:
    image: nginx:stable-alpine
    restart: unless-stopped
    volumes:
      - /local/path/tesla_proxy/web:/var/www/html
      - /local/path/tesla_proxy/nginx:/etc/nginx/
    labels:
      traefik.http.routers.NGINX_PROXY_TESLA.entrypoints: websecure
      traefik.http.routers.NGINX_PROXY_TESLA.tls.certresolver: myresolver
      traefik.http.routers.NGINX_PROXY_TESLA.rule: Host(`tesla-proxy.mydomain.com`) && PathPrefix(`/.well-known`)

This makes sure only requests for .well-known are handled by this container, while all other requests to the same domain is handled by the other container.

After starting the containers, you just need to add a few lines to the default nginx-config (located in /local/path/tesla_proxy/nginx/conf.d/default.conf under the server { section somewhere:

    # static public key for Tesla
    location /.well-known/appspecific/com.tesla.3p.public-key.pem {
        root /var/www/html;
        try_files /com.tesla.3p.public-key.pem =404;
    }

Make sure your domain tesla-proxy.mydomain.com points to the right IP-address, and that any access lists, port-forwards etc. are open for the mentioned ip-ranges.
And you should be good to go.

HomeAssistant

When you configure HA, remember that you must use slightly different values from what the container tells you.

• Proxy URL: https://tesla-proxy.mydomain.com
  • Dont worry about the port, Traefik handles that
• SSL certificate: /config/somewhere/selfsigned.pem
  • As mentioned, since Traefik makes sure you have a valid certificate for https anyway, you should not really need the self signed cert., but the integration requires it, so it must be accessible. Just copy the file somewhere where HA can read it and give it the right path in the config.

Migration

For me, the migration in HA was very easy. I just added a new entry to the Tesla Custom Integration, selected the fleet API, and with the proper Refresh Token and SSL Certificate path added, the new entry showed up. I then removed the old entry from the HA config, and all the entity_ids etc. were nicely converted, so all my automations and dashboards etc. was working fine after the migration.

All in all, it was a bumpy road. Mostly because it took me a long time to get the access lists right, and because I wanted to use a specuial developer account first, instead of my own main account. Once that was sorted, it was mostly trial and error to get the files in the right place and understanding how these things are connected.

A few things I would consider

• Since we currently need at least two containers (one to serve the single certificate file and one for the rest), maybe it would be even easier if the flask app and the proxy app also was running in different containers. I don't know how may times I have deleted /data/access_token and restarted the container to try again. So to be able to keep the flask-app running while the proxy is also up would be a nice feature.
• Alternatively it should be quite easy to allow both the flask app and the proxy app to serve the certificate file by the .well-known path. That way, we could avoid the extra container just to serve up that single file.
• The ssl-cert-path should be optional in the HA configuration. I realize that this is not the right place to request that, but a PR would probably be welcome.

[iainbullock]

Excellent work well done.

I appreciate your detailed write up here which will no doubt help others who have the same setup

[r151809]

I totally agree that @Olen 's discussion was helpfull. Thank you :)

Adding the prints helped me to identify my issue related to 400 response. I'll open another thread for it, as different root cause :)