Configuring DNS-01 to run HA over HTTPS

Howdy,

I am thoroughly flummoxed. I’m trying to get HA to run over HTTPS and be able to use a domain that I own (last_name.casa) so that on my LAN I can get to ‘ha.last_name.casa’ or other services like ‘frigate.last_name.casa’. I’m running all of this presently on unRAID but may migrate HA and Frigate to dedicated hardware.

What I’ve researched so far
I’ve read numerous posts online, the HA forum, the HA Docs > Remote Access > Let’s Encrypt/DuckDNS debacle and beyond. I’ve tried Wolfgang’s Nginx Proxy Manager (DNS-01) configuration. I’ve tried IBRACORP’s walkthrough for reverse proxy. I’ve tried the DuckDNS and Let’s Encrypt add-ons. I cannot get this working.

What is working so far

  • I have my own domain (last_name.casa)
  • I have set up Cloudflare and updated my DNS providers to Cloudflare
  • I have set up DNSSEC between Cloudflare and my domain name
  • I’ve generated origin certificates (fullchain.pem [public key], privkey.pem [private key])
  • I’ve copied those files to /ssl within HA instance (VM on unRaid)
  • I’ve set up Nginx Proxy Manager (unRAID), validated my Cloudflare certificates and created my Proxy Host pointing to the static address of my HA server (192.168.1.30), using the https scheme, port 8123, enabling WebSocket support, enforcing SSL and HTTPS.
  • I even tried forwarding port 443 in my router to the Nginx Proxy Manager server and all permutations of the unRAID docker instance for 443
  • I added my domain name to pfSense’s excluded rebinding-attack domains

All of this amounted to Error 522 from Cloudflare: host down. When I click the URL within NPM it first shows the URL it’s trying to get to (ha.last_name.casa) and then it quickly switches to the nginx server.

I shifted strategies and tried the Let’s Encrypt add-on within Home Assistant and met absolute failure. I set up my domains (last_name.casa, *.last_name.casa). I gave it my e-mail address. I put in the path to the fullchain.pem (/ssl or /ssl/fullchain.pem and even fullchain.pem, same for privkey). I put in the DNS provider (field 1: dns-cloudflare, field 2: Cloudflare global API key).

Failed to save add-on configuration, Invalid dict for option 'dns' in Let's Encrypt (core_letsencrypt). Got {'domains': ['*.last_name.casa'], 'email': '[email protected]', 'keyfile': '/ssl/privkey.pem', 'certfile': '/ssl/fullchain.pem', 'challenge': 'dns', 'dns': 'dns-cloudflare global_key_api_string_redacted'}

Edit 12/11/2023 @ 10 pm ET

Then I shifted strategies again and tried Nabu Casa Home Connect to try and get this thing running on HTTPS and that doesn’t work either. So none of these things seem to be working to allow me to get frigate-card up and running.

I’m utterly lost at this point. I want to be able to run HA over HTTPS so I can use hass-frigate-card and to shore up my security services. Please advise.
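The error quoted above rejects the add-on options because the `dns` value was given as one string, while the option expects a mapping. As an added example, not something posted in this thread, here is the shape the Let’s Encrypt add-on documents for a DNS-01 challenge through Cloudflare; the e-mail, the token and the domain entries are placeholders, and the certificate file names are written the way the add-on’s own documentation gives them (bare names, stored under /ssl):

```yaml
# Added example (not from the thread): Let's Encrypt add-on options for a
# DNS-01 challenge against Cloudflare. All values are placeholders.
email: you@example.com              # placeholder
domains:
  - last_name.casa                  # domain from the post
  - "*.last_name.casa"              # a wildcard needs DNS-01; quoted so YAML keeps the '*'
certfile: fullchain.pem             # bare file name; the add-on writes it to /ssl
keyfile: privkey.pem
challenge: dns
dns:                                # a mapping, not a single string
  provider: dns-cloudflare
  cloudflare_api_token: "PLACEHOLDER_SCOPED_TOKEN"   # placeholder value
  propagation_seconds: 60           # give Cloudflare time to publish the TXT record
```

A scoped API token that only carries DNS edit rights for this one zone is preferable to the account-wide global API key mentioned in the post: if the HA host is ever compromised, the attacker gets the ability to edit one zone’s DNS rather than the whole Cloudflare account. If the credential you have is the global key, the add-on documents `cloudflare_email` plus `cloudflare_api_key` under the same `dns:` mapping instead of `cloudflare_api_token`.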

Ever try Cloudflare Tunnels? I registered a public DNS name, like you did, and route all my hosts through a Cloudflare tunnel. Now I can access HA (and all my other services) securely via HTTPS both inside, and from outside, my home network.

Check it out… tons of YouTube videos to get you started.

Thank you. Cloudflare tunnel is on my horizon but I cannot explore it fully until 60 days have passed. They won’t let me until then. I guess I can do more research on it.

For HA at this time I only want to be able to access it via the LAN. How do you manage authentication via Cloudflare tunnel? Like do you go to a browser and do: ha.domain.name and go right into your HA instance or is there authentication required as well beyond the HA authentication?

I use Tailscale at the router level (pfsense) to traverse by subnet but only when I’m traveling away from home. I leave it off otherwise.

They won’t let you? That’s odd… it’s a free service.

To access my services I just use the public domain names even from inside my network (https://ha.myname.net)… The traffic goes out of my local network and routes right back through the cloudflare tunnel to my internal network but that’s fine by me… If I ever have any issues, then I just temporarily use the local DNS name or IP to access the services.

How does it work if a bad actor gets the url? Like what if someone figures out that ha.your_name.net exists? Is anyone with the URL able to get in?

I do it like this: DNS entry at my domain provider pointing ha.mydomain.com to my IP. Nginx forwarding requests to ha.mydomain.com to my Home Assistant instance. Certbot for Let’s Encrypt. Fail2Ban on Nginx. IP banlist enabled on Home Assistant.
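Both the original post (Nginx Proxy Manager in front of HA on 192.168.1.30, with the origin certificate copied to /ssl) and the reply above (Nginx plus the HA IP banlist) depend on the same `http:` block in Home Assistant’s `configuration.yaml`. The following is an added example, not configuration from either poster; the proxy address is a placeholder:

```yaml
# Added example (not from the thread): HA configuration.yaml http: block for
# running HA behind a LAN reverse proxy. Addresses are placeholders.
http:
  # HA terminates TLS itself with the files copied to /ssl. HA then listens on
  # https://192.168.1.30:8123, which is what a proxy host using the https
  # scheme on port 8123 expects to find.
  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem

  # Required whenever a reverse proxy sits in front of HA. Without it HA sees
  # every request as coming from the proxy and rejects proxied connections.
  # List only the proxy host, not the whole LAN.
  use_x_forwarded_for: true
  trusted_proxies:
    - 192.168.1.10          # placeholder: the Nginx / NPM host's address

  # The "IP banlist" from the reply above: after this many failed logins the
  # client address is written to ip_bans.yaml and blocked.
  ip_ban_enabled: true
  login_attempts_threshold: 5
```

The two halves of this block interact: `ip_ban_enabled` acts on the address HA believes the client has, so with a proxy in front and no `trusted_proxies` entry every failed login would be attributed to the proxy and the ban would lock out the proxy itself, i.e. everyone. With the proxy trusted, HA bans the real client address, which is what makes the HA banlist and Fail2Ban on Nginx complementary layers rather than redundant ones. A quick way to confirm HA is really serving TLS before blaming the proxy is `curl -k https://192.168.1.30:8123` from the proxy host; if that fails, the `ssl_certificate` / `ssl_key` lines are the first thing to check.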

Do you need to let Cloudflare terminate SSL to use tunnels? I’ve been searching about using Cloudflare but don’t want to let them decrypt my traffic. But per what I’ve seen so far, they do need to do deep inspection for all their services.

I’m not concerned… I have a layered cyber security design… complex PW’s… MFA… VLAN segregation… IPS/IDP…

I’d prefer to go down the path of not spending more money (e.g., Cloudflare) but I’m guessing if I just pay Nabu Casa then this is all trivialized?

Doesn’t Cloudflare have a free tier?

Yes they do and that’s what I’m using. But, to start using tunnels, they require the domain to exist for 60 days.

Nice. I may put HA on dedicated hardware and run it in a VLAN as well to further protect. Same with Frigate. My cameras are already on their own VLAN.

Yes, segmentation is the way to go with IoT.

Did you do Cloudflare Tunnel or the Let’s Encrypt add-on or HomeConnect?

I put HA behind a Caddy proxy. Caddy automatically does Let’s Encrypt with my dynamic DNS provider - Duck DNS.

Cloudflare would be better for security and anonymity, but I don’t want them decrypting my traffic.

I don’t care too much about them decrypting the traffic because the only thing it’s going to be used for is local HTTPS so I can use hass-frigate-card. This HACS integration requires HTTPS to use two-way audio for PoE cameras and I need that working for my doorbell camera.

I tried Nabu Casa HomeConnect, thinking that because they say it will run the server securely and all this other marketing jazz that it would solve the issue. Thank God for a 31-day free trial. It does not solve this particular issue. It just creates a remote tunnel through their servers, unless I’m missing some added configuration that would let me force my HA to run over HTTPS?

They didn’t for me… I set up my domain and a day later, the Zero Trust service with tunnels…

Curious! Oddly enough, when I went back in recently the option was there. Maybe it’s a default setting until they see enough verification and activity to ensure that nothing malicious is going on.