Without the proxy_http_version and proxy_header upgrades, the nginx subdomain setup generates socket errors on the login page. This means that users can't log in. Adding the websocket lines both to the "/" location as well as the "/api/websocket" location solves the issue.
Solution copied from: KickHackerz, Mar 1 answer on https://community.home-assistant.io/t/ngnix-so-confused-doing-something-wrong/12736/3.
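The websocket settings described above, written out as an added example (not the configuration from the linked answer or from the Home Assistant docs). It assumes Home Assistant listens on 127.0.0.1:8123 and that "proxy_header upgrades" refers to the `proxy_set_header Upgrade` and `Connection` lines; `hass.example.org` and the certificate paths are placeholders.

```nginx
# Added example; hostname, upstream address and certificate paths are placeholders.
server {
    listen 443 ssl;
    server_name hass.example.org;

    ssl_certificate     /etc/letsencrypt/live/hass.example.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/hass.example.org/privkey.pem;

    location / {
        proxy_pass http://127.0.0.1:8123;
        proxy_set_header Host $host;

        # nginx talks HTTP/1.0 to upstreams by default and does not forward
        # the hop-by-hop Upgrade/Connection headers, so the websocket
        # handshake from the login page fails unless these are set.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    location /api/websocket {
        proxy_pass http://127.0.0.1:8123/api/websocket;
        proxy_set_header Host $host;

        # Same three lines as in "/": the message above adds them to both locations.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
```

`nginx -t` checks the syntax before a reload.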
Before finding this guide, I ran into the Port 80 problem described in this page (likely blocked by ISP) and [posted about it in the LetsEncrypt forums](https://community.letsencrypt.org/t/help-with-standalone-certbot-failed-to-bind-to-80-using-ipv4/37701/8). While this excellent guide helped me circumvent that immediate issue, a certbot engineer suggested an alternate method for automated cert renewal that did not require manually changing port mapping every time a cert needed to be renewed.
In short, he suggested using a TLS challenge rather than HTTP, so that the Let's Encrypt CA would bind port 443 externally, and specify certbot to bind to port 8123 internally for certificate renewal. He also added that pre- and post-hooks could be passed to certbot so that HA could be stopped/started and port 8123 could be freed for cert renewal.
I have verified that this method works in a dry run on my own HA setup and modified step 8 with some suggested documentation.
Owntracks can be convinced to talk the correct protocol version (Protocol Level 4; MQTT 3.1.1) by setting it manually in the configuration JSON.
I have tested this against my own Hassbian install (0.47.0).
See the ticket that added the feature here: https://github.com/owntracks/ios/issues/444
* Add network_key configuration
Network key can be set here rather than in the (difficult to find) configuration `options.xml`. It takes the same comma-separated "0xNN" string syntax as previously.
* Cleanup unneeded section
Removed the options.xml information that is no longer required as per comments from @dale3h