Beginners' guide to HTTPS on HAOS

Many Home Assistant users are keen to replace Google or Alexa for local control of smart home devices. We’re dismayed by the complexity of setting up voice access - namely the requirement for HTTPS, fundamental for a system that relies on a web interface. For those of us who are not “hardcore” - that is, who have only a surface knowledge of network security - this is a minefield.

If we only want the devices on our internal network to talk to each other and don’t need external access to HA, our minds are boggled by the idea of using an Internet domain for this. (I have one and can’t work out whether subdomains can be local while the root domain is on the Internet.) The beginner doesn’t know how to create a certificate on their HA server, or how to copy this and its relevant keys to the other devices in their house. It’s not that we’re too lazy to learn: if we look online we find contradictory instructions, none of which seem to be complete, most of which involve in-depth knowledge of SSL/TLS and DNS and/or subscribing to other services. The worst are the ones that say “this is easy” and then miss out the prerequisites! It seems it’s even more difficult for those of us running HAOS, which is limited in what it lets us install and in communicating via non-web interfaces.

Would anybody be kind enough to write us a step-by-step instruction on the following lines, to become part of Home Assistant’s documentation? (I’ve written my own intro explaining things that will be obvious to most readers but that I had to verify.)

Setting up HTTPS for local voice services

HTTPS is a widely-used security protocol that encrypts network traffic and validates a web page with “trusted” status using a certificate and a key. This is needed for voice in Home Assistant because microphone support is a “https only” feature in web browsers: this applies even if your devices (PCs, tablets or phones) are all on the same internal network. Creating this certificate and copying it to your other devices is a convoluted process, particularly on HAOS as this is designed basically as an appliance. If you don’t mind seeing frequent security warnings on your devices, you can simplify things by using a self-signed certificate.

How to set up HTTPS and create a security certificate on your HAOS server

  1. First go to Settings | Add-ons | Add-on store and install the Duck DNS add-on and the NGINX Home Assistant SSL proxy add-on on HAOS.
  2. ?
    x. To create your self-signed certificate…
    x. When asked for a domain name, type ‘localhost’ (?)

How to copy the certificate and key to your other devices

Windows

  1. Connect to your HAOS server using…
  2. etc

Linux

Android

iOS

Feel free to correct inaccuracies above!

(assuming the devices only need to work while connected to the local network in the home where HA is set up).

This might take an hour or two for someone with expertise who is also a good communicator, but it would benefit a lot of people and help make Home Assistant accessible not to the masses exactly, but certainly to those of us who thought they were IT literate but are demoralised trying to join “Year of the Voice”.

Thanks for reading this far!

7 Likes
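
An added example, not part of the original post: the draft introduction above says microphone support is an HTTPS-only browser feature even when every device is on the same internal network. The sketch below is a simplified model of the browser's secure-context rule, run over constructed sample URLs; the function names and the 192.168.1.50 address are illustrative assumptions.

```javascript
// Simplified model of the W3C Secure Contexts "potentially trustworthy
// origin" rule that browsers apply before exposing getUserMedia (microphone).
// Inside a real page the authoritative answer is window.isSecureContext.
// This model looks only at the URL; it does not evaluate certificate trust.
function isPotentiallyTrustworthy(urlString) {
  const url = new URL(urlString);

  // Encrypted schemes qualify regardless of where the server lives.
  if (url.protocol === "https:" || url.protocol === "wss:") return true;

  // Plain HTTP qualifies only when it never leaves the local machine.
  // URL.hostname keeps the brackets on IPv6 literals, e.g. "[::1]".
  const host = url.hostname.toLowerCase();
  if (host === "localhost" || host.endsWith(".localhost")) return true;
  if (host === "[::1]") return true;

  // IPv4 loopback is the whole 127.0.0.0/8 block.
  const m = host.match(/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/);
  if (m && Number(m[1]) === 127) return true;

  // Everything else over HTTP, including private LAN addresses and
  // .local names, is an insecure context.
  return false;
}

// Classify a list of URLs the way a browser would for microphone access.
function micAvailability(urls) {
  return urls.map((u) => ({
    url: u,
    microphone: isPotentiallyTrustworthy(u) ? "may prompt" : "blocked",
  }));
}

// Constructed sample URLs for a typical home setup (assumed values).
const samples = [
  "http://homeassistant.local:8123/", // default mDNS name over HTTP
  "http://192.168.1.50:8123/",        // private LAN address over HTTP
  "http://localhost:8123/",           // browser on the same machine
  "https://homeassistant.local:8123/" // same host behind TLS
];

for (const row of micAvailability(samples)) {
  console.log(`${row.microphone.padEnd(10)} ${row.url}`);
}
```

Being on a private network does not count for anything in this rule: only loopback addresses are exempt, which is why a tablet or phone browsing to the server over plain HTTP gets no microphone.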

I feel your pain. It’s frustrating. However, I don’t see that accessing Assist through a web browser is the end goal. I think it’s a stopgap measure.

If you have a Nabu Casa subscription you can access your HA instance over HTTPS very easily.

Also, if you have the Companion app you can use Assist that way. This is fairly good because you probably have easier access to your phone than to a web browser running on a PC.

Aside from using Nabu Casa or the Companion app I think eventually there will be dedicated hardware, similar to Amazon Echo or Google Home, and with a wake word, all the HTTPS frustration will be gone.

Sorry to nitpick, but it’s HTTPS not HTTPs :slight_smile:

Now corrected.

1 Like

Against my expectations I’ve found that my Companion app will connect to HA using voice without HTTPS - although sadly with a slower than expected response from my reasonably capable x86 host. Advice online on whether this works seems to be contradictory, so let’s hope software security “enhancements” don’t break it. Regardless of that, I still think a beginner’s guide to HTTPS would be not just useful but, for many of us, almost vital.

1 Like

I totally agree! I’ve tried at least a half dozen different “tutorials” from YouTube, forums, and documentation. All of them have resulted in something not working properly.

I thought it was just me. I’m not an IT professional and I’m fairly new to HA. Up to this point I have found most things understandable but this has me beaten. I have a simple installation of HAOS on a Pi 4. I need a handful of simple voice commands to work locally without using the internet. I worked through the tutorials OK but then I came upon the brick wall of HTTPS over the local network and can’t get past it. A detailed procedure as suggested by the OP would be very welcome indeed.

1 Like

I guess nobody wants to make a detailed tutorial from A to Z for this topic? Not everyone wants or has the luxury to cripple or pollute his HA installation due to having to try several incomplete and contradictory instructions. Also there are a lot of people out there who want to check if all works as it should before they pay for a service such as Nabu Casa. A trial month is waaaay too short for that. People have a life besides their hobby and because of that the hobby sometimes has to be put on hold for a few days/weeks. Setting up HTTPS and a certificate (+ the remaining voice settings/tests) may be a simple thing for IT people who regularly utilise this at their daytime job, but it is not for (some) hobbyists. Likely its setup is done in one hobby evening and not divided over several evenings/weeks.

I found a video on YouTube that explains and configures HTTPS on your home network. Look at it 5x and try. I did not find the time to try it out myself yet. If you need a domain (duckdns or …) you best do that part 48 hours in advance as it has to propagate to all (worldwide) DNS servers.

I agree that the Year of the Voice project would greatly benefit from a tutorial on how to get HTTPS capability working locally without subscriptions. I know I can use my phone for this, but I’m trying to implement the M5 Atom for voice control within the house.

I also want to recognize all the hard work that has gone into this project so far. It is amazing! Thanks for any suggestions here.

2 Likes