Companion App does not connect with bad SSL certificates

I set up my Home Assistant to be available outside of my local network using Cloudflare, the Cloudflare add-on and the Let’s Encrypt add-on. Certificates are created for my external address (domain) specifically.

Every time I try to connect to a local address of Home Assistant using a web browser, I need to click “Trust” in order to connect to the address because the certificate does not correspond to the URL. Home Assistant Companion just refuses to connect at all, and there is no option to “Trust” the certificate.

This raises two questions.

  1. Is there any way to allow local IP addresses to use HTTP?
  2. Is there any way to bypass the SSL error in Home Assistant Companion CEF?

1- Using a reverse proxy such as nginx, you can still use the Home Assistant local IP address without SSL, and nginx will take care of the SSL part for external connections.

2- Limitation of the underlying OS; nothing can be done for this.

No, the app will not bypass any SSL errors. You must use a valid certificate, which is not valid on a local IP address.

First solution worked like a charm.

For anyone wondering:

  1. Install Nginx Proxy Manager from Home Assistant Add-On Store
  2. Configure it as in documentation
  3. In Nginx Proxy Manager Web UI, after creating a new user, go to Hosts → Proxy Hosts → create a new host with the following configuration:
  • Domain Names: add your domain
  • Scheme: http
  • Forward Hostname: your Home Assistant local IP
  • Forward Port: 8123
  • Check Websockets Support

Then go to SSL Tab:

  • SSL Certificate → Request a new SSL Certificate
  • Check Force SSL
  • Check I Agree... at the bottom

If you want to keep your Cloudflare, click Use a DNS Challenge and configure it with your token.

  4. Edit your configuration.yaml file. Remove SSL mentions from the http category and add the following:
  # merge these keys into the existing http: section
  http:
    use_x_forwarded_for: true
    trusted_proxies:
      - 172.30.33.0/24
    ip_ban_enabled: true
    login_attempts_threshold: 5
  5. Reboot Home Assistant.

These steps made it possible to connect locally without SSL and externally with SSL.

Cheers!

3 Likes
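
Added example (not part of the original post, and not Home Assistant's own code): a simplified Python model of why the settings above pair `use_x_forwarded_for` with a narrow `trusted_proxies` range, and how that affects which address `login_attempts_threshold` ends up banning. The proxy address 172.30.33.2, the client address 203.0.113.7 and the `honor_xff` switch are constructed for illustration.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

# Values taken from the configuration.yaml snippet in the post above.
TRUSTED_PROXIES = [ip_network("172.30.33.0/24")]
LOGIN_ATTEMPTS_THRESHOLD = 5


def is_trusted_proxy(addr):
    return any(ip_address(addr) in net for net in TRUSTED_PROXIES)


def client_ip(peer, xff=None, honor_xff=True):
    """Address a request is attributed to (simplified model, an assumption).

    peer: source address of the TCP connection
    xff:  raw X-Forwarded-For header value, or None if absent
    """
    if xff is None or not honor_xff:
        return peer  # direct connection, or header ignored
    if not is_trusted_proxy(peer):
        # Any client can send this header; only believe it from our own proxy.
        raise PermissionError(f"X-Forwarded-For from untrusted peer {peer}")
    hops = [str(ip_address(h.strip())) for h in xff.split(",")]
    # Walk right to left past our own proxies to the first outside address.
    for hop in reversed(hops):
        if not is_trusted_proxy(hop):
            return hop
    return hops[0]


def banned_after(requests, honor_xff=True):
    """Feed failed logins as (peer, xff) pairs; return the banned addresses."""
    failures = Counter()
    for peer, xff in requests:
        failures[client_ip(peer, xff, honor_xff)] += 1
    return {ip for ip, n in failures.items() if n >= LOGIN_ATTEMPTS_THRESHOLD}


# Constructed sample: five failed logins from one outside address, all
# arriving through the proxy add-on at 172.30.33.2 (hypothetical address).
SAMPLE = [("172.30.33.2", "203.0.113.7")] * 5

if __name__ == "__main__":
    print(banned_after(SAMPLE))                   # the outside client
    print(banned_after(SAMPLE, honor_xff=False))  # the proxy itself
```

With the header honoured, the ban lands on the outside client; with it ignored, every failure is attributed to the proxy, so the ban would cut off all external access at once.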

Hi, I’m trying to solve the same issue with your suggestion, but when putting my local IP in the domain names, nginx is giving me an error: “Requested name 192.168.178.11 is an IP address. The Let’s Encrypt certificate authority will not issue certificates for a bare IP address”

What am I doing wrong?

Not what the instructions say.

Your IP goes in forward hostname. Your domain goes in domain.

I was really excited to try that, but received an “internal error” message right from the first try.
The log showed:

too many failed authorizations recently: see Failed Validation Limit - Let's Encrypt

Which is a bit puzzling, considering I just tried it for the first time.
I’ll appreciate any insights on this!

I have a pfSense router and use HAProxy for all my certificates and forwards. Has anyone tried using HAProxy for this? I got to the point where the companion app says that I have a certificate mismatch.