Allow nabu casa cloud instance to be accessed via custom DNS / CNAME hostname

Hi,

i want to be able to access my home assistant from anywhere using a custom dns name like myhome.example.com instead of 1234567890abcdef.ui.nabu.casa where example.com is my domain i can manage the DNS records for.

on the implementation side i thought about something like this: you would create a new DNS CNAME for myhome.example.com pointing to 1234567890abcdef.ui.nabu.casa and in the nabu casa backend add the extra domain name myhome.example.com. then the letsencrypt certbot can issue a certificate to 1234567890abcdef.ui.nabu.casa and myhome.example.com.

this way you can have your own custom domain name, remember it more easily and are able to send someone in your home an easy-to-remember address to set up in their device :slight_smile:

i already contacted nabu casa support but they told me that a bookmark in my browser and a single setup on the devices i want to track (phones) is enough so i should go with that - but i think it would be a very nice addition to the nabu casa cloud to be accessible via a “nice” domain name like myhome.example.com

Greetings and thanks for bringing HA to life! :slight_smile:

EDIT: sorry for the “dot” in the domain names, but “new users are only allowed to put 2 links in a post”
EDIT2: changed the links to code blocks

Why not set up a reverse proxy and use this with your own domain? That’s what I have been doing for years now.

2 Likes

yeah thought about it but i don’t want to set up a reverse proxy and have to update the components and pay a cloud provider for an instance but instead pay nabu casa for doing exactly that in a secure and professional manner :slight_smile:

1 Like

I don’t pay anyone (I do pay Nabu Casa subscription to support devs, but I don’t actually use it) and I also don’t do any maintenance work except for updating (which is one line of code) once in a while and if you use one of the reverse proxy add-ons you also don’t need to do this.

2 Likes

The problem is that their service would need a TLS certificate and private key for your domain name. Or adding your domain name to their cert, but now that makes issuing that cert much more difficult as their CA has to validate ownership of the name. This is intentionally difficult (to keep you, for example, from creating a cert for amazon.com). So what you want them to do is impractical. As others suggested, you could (also) do this yourself. It’s pretty easy if you can forward a port on your router and use the duckdns add-on.

1 Like
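Why the certificate has to carry the custom name even when a CNAME already points at the Nabu Casa host, as an added example that is not part of the original thread and not code from Nabu Casa or Home Assistant. The SAN lists are constructed, and the shared wildcard certificate is an assumption of this example.

```python
# Added illustration; not code from Nabu Casa or Home Assistant.
# The SAN lists are constructed. Matching follows the usual TLS rule:
# a wildcard is only valid as the entire left-most label.

def san_matches(hostname: str, san: str) -> bool:
    """Match one dNSName SAN entry against the host name the client requested."""
    host = hostname.lower().rstrip(".").split(".")
    pattern = san.lower().rstrip(".").split(".")
    if len(host) != len(pattern) or not all(host):
        return False  # a wildcard never spans more than one label
    if pattern[0] == "*":
        return len(pattern) > 2 and host[1:] == pattern[1:]
    return host == pattern


def cert_covers(hostname: str, sans: list) -> bool:
    """True if any SAN entry in the certificate is valid for hostname."""
    return any(san_matches(hostname, san) for san in sans)


def client_verdict(typed_host: str, sans: list) -> str:
    # The client checks the name the user typed. A CNAME only changes which
    # IP address is contacted; it does not change the name being verified.
    return "ok" if cert_covers(typed_host, sans) else "certificate name mismatch"


# Constructed: a shared wildcard certificate, and a per-customer certificate
# that also lists the custom name (what the feature request would require).
WILDCARD_CERT = ["*.ui.nabu.casa"]
PER_CUSTOMER_CERT = ["1234567890abcdef.ui.nabu.casa", "myhome.example.com"]

if __name__ == "__main__":
    for host in ("1234567890abcdef.ui.nabu.casa", "myhome.example.com"):
        print(f"{host:32} wildcard: {client_verdict(host, WILDCARD_CERT)}")
        print(f"{host:32} per-customer: {client_verdict(host, PER_CUSTOMER_CERT)}")
```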

yes, that’s correct, but i primarily use nabu casa to stop punching a hole in my router and forward traffic to HA, so that would not “fix” my issue with that, sadly…

1 Like

that’s correct for your example with amazon because i do not own that domain and can change its config. letsencrypt / certbot checks whether the domain is connected to the correct IP address, which would be the case in this scenario because i configured my domain to point to nabu casa, which i can’t do for amazon. that’s the basic concept of letsencrypt: short-lived certs for domains that are checked when the certificate is issued (e.g. check if myhome.example.com points to the server that is requesting that cert). so i don’t think it’s that big of a deal.

I certainly understand how Let’s Encrypt works; I use it myself standalone with my own Docker-based configuration. Let’s Encrypt requires you to prove ownership, or at least control, over the domain that they issue a certificate for. Usually this is either by manipulating the DNS by inserting a TXT record, or by installing some unique token in a file that your web server would return. The problem is that Nabu Casa would have to do all of this on your behalf, and that’s going to be “hard.” You have two approaches to this problem:

  1. You run certbot for your domain. You generate a private key and get a certificate issued. You now need to somehow securely convey the private key material and certificate to Nabu Casa for your domain. They now need to set up another “virtual host” instance for your cert and private key. I can’t imagine them building a platform that would require this manual intervention… especially since every 60-90 days you need to convey the new certificate for your domain to them.

  2. Nabu Casa runs certbot for your domain. They need to somehow either have access to dynamically manipulate your domain to fiddle with a TXT record as part of domain control verification. Or, more practically, use the HTTP-based “cookie” approach to serve up the right verification token. If they decided to support foreign domain certificates, likely they’d have to use the separate “virtual host” approach to avoid bloating their common certificate with a bunch of other domain names. So you’d be special, again.

And while I’ve not looked because I don’t use their proxy service, they likely use a wildcard certificate, rather than exploding the number of Subject Alternate Name (SAN) records in the certificate with each user.

All in all, this is just impractical for them to do for your $5 a month.

I run another Home Assistant implementation at a community library that I volunteer at, and we use “Home Assistant Supervised” there with the Duck DNS add-on. That handles issuing the certificate for your domain, as well as running an nginx proxy in a container. All you need to do is forward the port on your router and install a CNAME record in your other domain pointing to the Duck DNS specific dynamic A record.

Or if you don’t want to screw with your local Home Assistant, you could spin up a virtual instance somewhere with just an nginx configured to act as a reverse proxy to forward HTTPS requests to Nabu Casa’s customer-specific DNS name.

2 Likes

it was not my intention to indicate that you do not know how certbot / letsencrypt works, i’m sorry if that came out the wrong way.

I’ve looked at the certificate issued by nabu casa and part of the code on github (although i’m not perfectly sure this is the code that is renewing the certs for cloud access) before i posted this suggestion.

the only work that would be needed IMHO is to supply an extra domain (which i would have to manually specify once in the nabu casa backend) to the letsencrypt request, so that the cert sent by the proxy at nabu casa is also valid for the “custom” domain.
because i think it is not that much work to add this extra functionality i posted this issue.

i currently use HA locally with duckdns and i would like to switch to HA cloud to stop forwarding ports to my internal net. i’m aware there are other solutions but i thought maybe other users find this quite useful and easy to use too so i decided to post this as a feature request.

if you guys and the guys at nabu casa think this is a bad idea i will think about setting up my own solution based on the suggestions you gave here. :slight_smile:

anyway: thank you for your replies and suggestions, very welcome to get so many constructive responses on my post!

greetings

2 Likes

Seems like if you can get the nabu-address in ha you could wire an automation maybe to update a dns record….