Certificate for SSL/TLS via domain ownership

system · May 18, 2020, 1:26pm

If your Home Assistant instance is only accessible from your local network you can still protect the communication between your browsers and the frontend with SSL/TLS. You can use Self-sign certificate but your browser will present a warning and some https-only features might not work.

This guide is aimed at users of Home Assistant Core.

Requirement for this guide

Your Home Assistant instance is not exposed to the internet.
You control a public domain name. The domain doesn’t have to point to a site. A domain controlled by a trusted friend will do. (A friend you trust not to MITM you)
Your home router supports custom DNS entries.

Run certbot

mkdir certbot
cd certbot
wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto
sudo ./certbot-auto --manual certonly --preferred-challenges dns -d "mydomain.com" --email [email protected]

For Rasbian systems or if you have certbot-auto issues - try these commands instead:

sudo apt-get install certbot
sudo certbot --manual certonly --preferred-challenges dns -d "mydomain.com" --email [email protected]

Agree to Terms of Service
Choose whether to share your email with Electronic Frontier Foundation.
Agree to your IP being logged

You will get the following text:

Please deploy a DNS TXT record under the name
_acme-challenge.mydomain.com with the following value:
deadbeefdeadbeefdeadbeefdeadbeefdeadbeef
Once this is deployed,
-------------------------------------------------------------------------------
Press Enter to Continue

Deploy the value to TXT field using your domain registrar.
Go to a site that queries domain record. For example this one and look if it sees your brand new TXT field (Don’t forget to enter the full domain: _acme-challenge.mydomain.com)
Press Enter at certbot prompt.

Make mydomain.com point to your Home Assistant instance

If your router uses DNSMasq (for example DDWRT) add the following line to DNSMasq options:

address=/mydomain.com/<hass IP>

Edit your Home Assistant configuration to use your certificates

The http section must contain the full path to the needed files.

http:
ssl_certificate: /etc/letsencrypt/live/mydomain.com/fullchain.pem
ssl_key: /etc/letsencrypt/live/mydomain.com/privkey.pem

Make sure the files are accessible by the user that runs Home Assistant.

FPMilan · November 21, 2021, 9:50pm

The wget install option does not work anymore. You can install it on a HA OS install with
apk add certbot

hanneshier · May 13, 2023, 5:49pm

This can be much simplified in 2023 with the Nginx Proxy Manager AddOn. It Supports to generate an SSL certificate via Domain Ownership for a lot of DNS Providers. So you can skip all manual the certbot and DNS stuff, the important step is just to redirect the local DNS as mentioned in the post:

ddaniel · May 13, 2023, 9:16pm

You can use adguard dns rewrite to point your domain to your local ip address. And as mention above use nginx and letsencrypt for cert.