Another question about SSL/TLS

moacir · April 2, 2024, 3:18pm

I have my own internal DNS server at home, where my local domain name is “home.net”. My HA does not have an open connection to the Internet. Because of the “Voice” features on “Assist”, I tried to setup SSL/TLS so my browser would allow access to my microphone.

My question is: Having an HA with a single network interface, and considering the above scenario, how can I enable SSL/TLS on HA with no error messages?

For example:
My HA host name: ha.home.net
My HA IP address: 192.168.0.100/24
The HA HTTPS port number: 443

With the above information, I have created a certificate, with the canonical name “ha.home.net” and alternative name “192.168.0.100”. I loaded it on HA, on configuration file as:

http:
  server_port: 443
  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem

The full chain .pem certificate contains both, the server public key and the CA public key.

Everything works. However, when I go to the System > Network, I get the following error message:

Can someone explain why HA is complaining about a "local network URL?
Keep in mind that if I use https://ha.home.net everything works…

Thanks!

Demusman · April 2, 2024, 3:57pm

Delete the internet address, turn off “use automatic” for the local and add the address in there.

moacir · April 2, 2024, 4:14pm

Just funny… I have been around this for a day and would never assign the name to the local network as it says “automatic”. Shame on me!

Thank you!

ddaniel · April 2, 2024, 4:17pm

Well i use similar solution and have a ssl on local network. I’m using ha in docker but should work with other types of installations.
I bought my self a domain. There I created domain and some subdomains to use it for different containers aka addons.
I set up nginx proxy and got ssl certs. I use adguard as local dns server. In adguard I use dns rewrite option to resolve my domain to my local ip address where ha lives. i don’t update my ip address so this domain is not accessible over net as there is not ip or ip is way to old.
I my main router, this is router for local wifi not providers router, I set up dns servers to point out to my local ha ip address.
And chiriboo chiriba there you go ssl on local network.

moacir · April 2, 2024, 4:28pm

I also have my own domain, but hosted by ClouDNS. However, I have just one machine publishing its IP to my dynamic DNS. I use it to open a SSH tunnel when I want to access my home remotely.

As my goal is to be safe (encrypted data) but not to be trusted to the public, my certificates are issued via an openssl CA that I created.

Everything works ok!

ddaniel · April 2, 2024, 4:34pm

I just use nabu casa for remote access. But this is working just fine for me. I have ssl on local network, doesnt have to worry about certs as they are renewed automatically. I found an integration that allows you to access your containers aka addons using remote access over nabu casa and that is great for me.