Confused about the SSL certificate from noip.com, how to incorporate into HA

I am trying to get rid of the error when I try to access a browser page from within the HA companion app. Specifically, I’ve put the new Music Assistant in a web page view, and while I can see it on my computer and my wall tablet, I can’t see it on my phone. I get the error:

Unable to load iframes pointing at websites using http.

Curious why it works with Fully Kiosk on a wall tablet, and works in the sidebar of my phone.

Anyway, I am running HA using HAOS. I am a noip.com user for the purposes of DDNS. I have a domain, finefam.ddns.me. They also provide a free SSL certificate, which I have. Once I created a CSR, I was provided with 6 files, as in the picture attached:

I note from the HA support page, I should be adding this to the HTTP section of configuration.yaml.

  ssl_certificate: /etc/letsencrypt/live/hass.example.com/fullchain.pem
  ssl_key: /etc/letsencrypt/live/hass.example.com/privkey.pem

So at this point, I don’t know which of the 6 files in the attached picture correspond to the files required in the config file. I’m suspecting those files for my DDNS are not the correct files for HTTPS.

Can I ask for some hand-holding please? FYI, I have no opened ports, I use HA Cloud when out of my network, and also have a VPN on my Synology router that I use only occasionally.

Current HTTP entry is as follows:

http:
  server_port: 8123
  ip_ban_enabled: true
  login_attempts_threshold: 5

Thank you

What is in the zip file? Typically you will get the server certificate, the private key, the root certificate, and possibly an intermediate certificate. In some cases, the server, intermediate, and root certificate are combined in a single file.

The .pem files are text. You can open them to figure out if it’s a “chained” (multiple certificates) in a text editor. The private key file will have the phrase “PRIVATE KEY” in the text file.

Based on the (1), (2) and (3) files, you have multiple versions of the same file, so you likely only have 3 files, not 6.

Oh, and Fully Kiosk has a setting to ignore TLS errors, so that’s likely why it works there. I wouldn’t turn that on unless you understand the implications.

1 Like
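The inspection the answer above describes (open each PEM file, look for “PRIVATE KEY”, count how many “CERTIFICATE” blocks it holds) can be done mechanically. The script below is an added example, not code from the thread or from Home Assistant: it inventories a set of PEM files, picks the one that belongs in `ssl_key`, and builds the `ssl_certificate` file by concatenating certificate blocks only (server certificate first, then intermediates), never copying a private key into it. `SAMPLE_FILES` is a constructed stand-in for the CA’s zip, and its base64 bodies are tiny placeholder DER values, not real keys or certificates.

```python
"""Sort out which PEM files from the CA go where in Home Assistant's http: section.
Added example, not code from the thread. SAMPLE_FILES is a constructed stand-in
for the CA's zip; the base64 bodies are placeholder DER values, not real keys
or certificates."""
import base64
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)


def _pem(label, body):
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, body, label)


# Placeholder bodies: each decodes to a 5-byte DER SEQUENCE (0x30 ...), which is
# enough for the structural check below but is not a real key or certificate.
SAMPLE_FILES = {
    "server.crt": _pem("CERTIFICATE", "MAMCAQE="),
    "server.key": _pem("PRIVATE KEY", "MAMCAQI="),
    "ca-bundle.crt": _pem("CERTIFICATE", "MAMCAQM=") + _pem("CERTIFICATE", "MAMCAQQ="),
    "readme.txt": "Not a PEM file at all.\n",
}


def pem_blocks(text):
    """Return (label, der_bytes) for every PEM block in text."""
    return [(label, base64.b64decode("".join(body.split())))
            for label, body in PEM_BLOCK.findall(text)]


def describe(text):
    """Count what a file holds; 'malformed' counts blocks whose DER is not a SEQUENCE."""
    counts = {"certificates": 0, "private_keys": 0, "other": 0, "malformed": 0}
    for label, der in pem_blocks(text):
        if label == "CERTIFICATE":
            counts["certificates"] += 1
        elif label.endswith("PRIVATE KEY"):   # PRIVATE KEY, RSA PRIVATE KEY, EC PRIVATE KEY
            counts["private_keys"] += 1
        else:
            counts["other"] += 1
        if not der or der[0] != 0x30:
            counts["malformed"] += 1
    return counts


def inventory(files):
    """Map file name -> describe() result for a dict of {name: pem_text}."""
    return {name: describe(text) for name, text in files.items()}


def pick_key(files):
    """The file to reference as ssl_key: exactly one private key and no certificates."""
    keys = [n for n, c in inventory(files).items()
            if c["private_keys"] == 1 and c["certificates"] == 0]
    return keys[0] if len(keys) == 1 else None


def concat_chain(*pems):
    """Build the ssl_certificate file: CERTIFICATE blocks only, in the order given
    (server certificate first, then intermediates), duplicates dropped, keys skipped."""
    seen, parts = set(), []
    for text in pems:
        for label, der in pem_blocks(text):
            if label != "CERTIFICATE" or der in seen:
                continue
            seen.add(der)
            b64 = base64.b64encode(der).decode()
            wrapped = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
            parts.append(_pem("CERTIFICATE", wrapped))
    return "".join(parts)


if __name__ == "__main__":
    for name, counts in inventory(SAMPLE_FILES).items():
        print("%-14s %s" % (name, counts))
    print("ssl_key ->", pick_key(SAMPLE_FILES))
    chain = concat_chain(SAMPLE_FILES["server.crt"], SAMPLE_FILES["ca-bundle.crt"])
    print("ssl_certificate would hold", describe(chain)["certificates"], "certificates")
```

If the CA already shipped one file with several certificates in it, that file is the chain and only the key needs to be matched to it; if the server certificate and the CA bundle arrived separately, pass them to `concat_chain` in that order. The root certificate is not required in the chain, but including it does no harm.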

Thank you for the response and you are correct. I renamed the private key to privkey.pem and the other one with multiple things inside fullchain.pem. I created a folder called ssl under the /config folder. I moved the two files there using an add-on to gain access.

And then I modified my configuration.yaml file with references to those files:

http:
  server_port: 8123
  ip_ban_enabled: true
  login_attempts_threshold: 5
  ssl_certificate: /config/ssl/fullchain.pem
  ssl_key: /config/ssl/privkey.pem

I restarted Home Assistant. I logged in from my desktop using https://192.168.1.65:8123

Lo and behold, even though it warned me the site was not secure (I guess because it was a self-signed certificate), it logged into the dashboard. I was so excited; using simply http no longer worked, also good.

It even asked for permission to use my microphone when I was at a page that permitted audio input, and I am aware that pages without a certificate won’t allow that. So I was pretty stoked.

So after re-starting, I even changed browsers so that I wasn’t having something in the cache. I edited the dashboard code for the webpage card configuration. That should have done it.

But I was still getting errors when I tried to access the web frame with Music Assistant. It said:

Secure Connection Failed
An error occurred during a connection to 192.168.1.55:8095. SSL received a record that exceeded the maximum permissible length.

Error code: SSL_ERROR_RX_RECORD_TOO_LONG

The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem.

I tried some Googling for that error, but found nothing. I would be very grateful if you could assist. Also, the security shield both in Firefox and Chrome shows that the connection is not secure.

BTW, it wasn’t just the Music Assistant that would not load in the web frame. The Plex Meets Home Assistant HACS integration in a different view on the same dashboard no longer worked. The card has a pull-down for HTTP or HTTPS. I had been using it successfully with HTTP. But now that I’ve modified my config, it no longer worked. I changed the pull-down to HTTPS, and it still didn’t work, so clearly that is related.
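The SSL_ERROR_RX_RECORD_TOO_LONG message quoted above is what a TLS client reports when the bytes coming back are not TLS at all; the usual cause is an https:// URL pointing at a port that only speaks plain HTTP, which is exactly the situation an iframe has once the dashboard itself is served over HTTPS. The script below is an added example, not code from the thread or from Home Assistant: it probes a host and port with a plaintext request to tell plain HTTP from TLS, and it decodes an HTTP status line the way a TLS client does, showing why the “record too long” verdict falls out. The embedded server is a constructed stand-in for a service such as Music Assistant on port 8095, so the whole thing runs offline.

```python
"""Probe a host:port to see whether it speaks plain HTTP or TLS, and show why
a TLS client that receives plain HTTP reports SSL_ERROR_RX_RECORD_TOO_LONG.
Added example, not code from the thread. The local server below is a
constructed stand-in for a plain-HTTP service such as Music Assistant."""
import http.server
import socket
import threading

# Largest ciphertext record TLS 1.2 permits: 2^14 plus 2048 bytes (RFC 5246, 6.2.3).
TLS_MAX_RECORD = 2 ** 14 + 2048


def _read_up_to(sock, n):
    """Read at most n bytes, stopping early at EOF, reset or timeout."""
    buf = b""
    while len(buf) < n:
        try:
            chunk = sock.recv(n - len(buf))
        except (ConnectionResetError, socket.timeout):
            break
        if not chunk:
            break
        buf += chunk
    return buf


def probe(host, port, timeout=3.0):
    """Send a plaintext HTTP request and classify the reply.

    A plain-HTTP listener answers with a status line ("HTTP/..."). A TLS
    listener sees the request as a malformed ClientHello and either sends a
    TLS alert record (content type 0x15) or simply closes the connection.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
        first = _read_up_to(sock, 5)
    if first.startswith(b"HTTP/"):
        return "plaintext-http"
    if first[:1] in (b"\x15", b"\x16"):
        return "tls"
    return "closed-or-unknown"


def as_tls_record_header(data):
    """Interpret the first five bytes the way a TLS client does:
    1 byte content type, 2 bytes version, 2 bytes big-endian record length."""
    if len(data) < 5:
        raise ValueError("need at least 5 bytes")
    length = int.from_bytes(data[3:5], "big")
    return {
        "content_type": data[0],
        "version": (data[1], data[2]),
        "length": length,
        "too_long": length > TLS_MAX_RECORD,
    }


class _PlainHandler(http.server.BaseHTTPRequestHandler):
    """Minimal plain-HTTP listener used to exercise probe() offline."""

    def do_HEAD(self):
        self.send_response(200)
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_plain_http_server():
    """Start a plain-HTTP server on an ephemeral localhost port; returns (server, port)."""
    server = http.server.HTTPServer(("127.0.0.1", 0), _PlainHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


if __name__ == "__main__":
    server, port = start_plain_http_server()
    try:
        print("127.0.0.1:%d speaks:" % port, probe("127.0.0.1", port))
    finally:
        server.shutdown()
        server.server_close()
    # What the browser saw: an HTTP status line read as a TLS record header.
    print(as_tls_record_header(b"HTTP/1.1 400 Bad Request\r\n"))
```

Read as a TLS record header, the five bytes `HTTP/` give a content type of 0x48 and a record length of 0x502F (20527), which is more than any TLS record may carry; that is the “record that exceeded the maximum permissible length”. Running `probe("192.168.1.55", 8095)` against the real Music Assistant host would tell you directly whether that port is plain HTTP, in which case the fix belongs on that service (or a reverse proxy in front of it), not in Home Assistant’s certificate configuration.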

You shouldn’t get warnings, and it shouldn’t be a self-signed certificate. That’s the point of issuing a certificate chain.

First off, when browsing your local Home Assistant, are you using the IP Address or Fully Qualified Domain Name? Certificates don’t work when using the IP, you must be using DNS names.

When you first browse to your Home Assistant instance, check the certificate. If you’re using Edge, just click the lock, then click “Connection is Secure”, then click the icon of the certificate. The common name of the certificate should match the name you entered in the browser to get to Home Assistant. The certificate path should be the one issued to you that you installed. Anything else, and you’ve done something wrong.

Reading your response again, you have another hurdle to overcome. You must use DNS records, not https://192.168.1.65

If you’re using Windows you can test this by entering the host names into the Windows hosts file.

These instructions will work for testing: How to add a static entry in the ETC/host files (manageengine.com). Instead of the example IP, use your IP above and the full name of your host in the certificate.

This is only a test, however, as it will only work on this PC. You’ll need a local DNS solution that will provide your IP as a response to the host name in the certificate. This can be an internal server, a firewall rewrite, lots of (complex) ways to solve this problem. If this is all gibberish to you, you should reconsider your path. Don’t make dynamite from instructions you don’t fully understand, you will likely blow yourself up.
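The rule the answer above relies on (a certificate is valid for the names it lists, and an IP address typed into the browser is not one of them) is mechanical, and the script below is an added example, not code from the thread or from Home Assistant, that applies it. `SAMPLE_CERT` is a constructed stand-in shaped like Python’s `ssl.SSLSocket.getpeercert()` output for a certificate issued to the DNS name finefam.ddns.me; like a certificate you request for a host name, it carries no IP address entry. `check_url` takes the URL you would type and says whether that certificate could ever validate for it, and why not.

```python
"""Check whether the name typed into the browser is one the certificate covers.
Added example, not code from the thread. SAMPLE_CERT is a constructed stand-in
shaped like ssl.SSLSocket.getpeercert() output for a certificate issued to the
DNS name finefam.ddns.me."""
import ipaddress
from urllib.parse import urlsplit

SAMPLE_CERT = {
    "subject": ((("commonName", "finefam.ddns.me"),),),
    "subjectAltName": (("DNS", "finefam.ddns.me"),),
}


def cert_names(cert):
    """Return (dns_names, ip_addresses) the certificate is valid for.

    Browsers use the subjectAltName extension; the commonName is only a
    legacy fallback when no SAN entries are present at all.
    """
    dns, ips = [], []
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            dns.append(value.lower())
        elif kind == "IP Address":
            ips.append(ipaddress.ip_address(value))
    if not dns and not ips:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    dns.append(value.lower())
    return dns, ips


def _dns_match(pattern, host):
    """Exact match, or a wildcard that covers exactly one leading label."""
    if pattern.startswith("*."):
        return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])
    return pattern == host


def check_url(url, cert):
    """Return (matches, reason) for the host part of url against cert."""
    host = urlsplit(url).hostname   # already lower-cased by urlsplit
    if host is None:
        return False, "no host in URL"
    dns, ips = cert_names(cert)
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        if ip in ips:
            return True, "IP literal %s is listed as an IP SAN" % ip
        return False, ("browsed by IP %s, but the certificate only names %s; "
                       "use the DNS name and make it resolve locally" % (ip, dns))
    if any(_dns_match(p, host) for p in dns):
        return True, "host %s matches the certificate" % host
    return False, "host %s is not among %s" % (host, dns)


if __name__ == "__main__":
    for url in ("https://192.168.1.55:8123", "https://finefam.ddns.me:8123"):
        print(url, "->", check_url(url, SAMPLE_CERT))
```

The second half of the problem, getting finefam.ddns.me to resolve to 192.168.1.55 inside the LAN, is what the hosts-file test and later a local DNS server solve; a hosts-file line is simply the address followed by the name, `192.168.1.55 finefam.ddns.me`, and it only affects the machine it is written on.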

Sorry it is not self-signed. Shows my ignorance.

OK, so that certificate request was tied to a FQDN, and that is how I should be reaching HA, even from my local network, correct?

If that’s the case, how does my local network “find” my HA instance without going out to the internet?

Anyway, to answer your question, when I take the comments out of the configuration.yaml file and reboot, and then enter https://192.168.1.55:8123, I do NOT get a secure indication. I get:

The connection for this site is not secure

192.168.1.55 sent an invalid response.

ERR_SSL_PROTOCOL_ERROR

As you can tell, I don’t understand what’s happening. How can https work, and yet it’s not secure? I thought the fact that I could now access with https and not http meant that I had a secure connection?

I’m using Linux Mint on my desktop.

And yes, I don’t have a solid understanding, I’m going slowly so I don’t blow things up.

But is there no easy way to access your internal instance from inside your network via a secure route?

There is only one (scalable) way, local or Internet, to convert names to IP addresses at Internet scale: DNS.

Many people, and most businesses, run internal DNS servers for internal host name resolution. These internal servers typically are configured with external “forwarders” for resolution of names that aren’t local.

Moving from http to https simply applies encryption during transmission. That’s only one part of the term “secure” as defined for web browsing. Here’s another:

Let’s take the analogy of mail delivery. You know, the old-fashioned “write a letter, put a stamp on it, and send it to someone” mail. Party “A” writes a letter, puts it in an envelope, and the postman delivers it to you, party “B”. While it’s in the hands of the post office they could open the letter and read it. That lack of security is solved by encryption. What isn’t solved by encryption is knowing that the letter is really from party “A”. Solving that problem is what a certificate is for: to ensure that the letter you get is actually from the person you expected it from. All of these concepts, and more, are wrapped in the term “security” as far as Internet communications is concerned.

2 Likes

Can you please help me understand how you created the CSR?

Thanks in advance for help.