Connecting to HA locally using HTTPS

Hi all,

I’m sure the answer to this is already in the forum but my searching has left me confused.

Am I right in thinking that to speak to HA’s Assist via a web browser I need to be connecting to HA via HTTPS? (Also, I see that connecting to HA via HTTPS also makes installing ESPHome firmware easier.)

So, it seems that I would be better off connecting to HA via HTTPS even for purely local connections.

At the moment I use Nabu Casa to connect to HA remotely. I see no reason to change this. The fewer ports I have open the better. I do however use DuckDNS and WireGuard to VPN into my network remotely.

So, can I set up HTTPS purely locally (and still use Nabu Casa for remote connections)?

I believe I just need a certificate for homeassistant.local? Is there a guide that explains how to do this?

I suspect the answer is ‘no’ as this would lead to many machines having the same certificate and that would be wrong, I guess.

I’ve seen guides on how to set up remote access using DuckDNS and LetsEncrypt and then DNSMasq to fix loopback issues. I could do this and then miss out the step of opening port 443 on my router. This all seems a bit cumbersome.

I don’t want to disrupt my WireGuard VPN.

I hope someone can advise.

4 Likes

nginx/apache reverse proxy…

2 Likes

Can someone point to a guide on how to do this? I have the same question.

3 Likes

First of all, you can’t get a publicly trusted certificate for anything “.local”. That’s not a valid domain name. The only way to do that would be to host your own internal CA, but then you’re going to have to import the root and/or subordinate CA certificates into your devices’ trusted issuers store, which is a completely different problem.

DuckDNS/LetsEncrypt and DNSMasq will be the simplest way to solve this. Then you simply point your devices at https://myhomeassistant.duckdns.org:8123 and you’re off to the races.

nginx is another, but that is honestly much more complicated to configure. Just search this forum for the dozens of posts of people unable to get it working properly.

1 Like

I’m having the same situation that I want to use the Voice Assistant locally via web browser, but I’m not able due to the following message from the Assist:

Your connection to Home Assistant is not secured using HTTPS. This causes browsers to block Home Assistant from accessing the microphone.
Visit [the documentation](https://www.home-assistant.io/docs/configuration/securing/#remote-access) to learn how to use a secure URL

I spent the last 8 hours trying to figure out how to establish a secure connection via nginx/swag and DuckDNS, but had no success.
I’m running HA as a docker on an Ubuntu machine so such simple steps like installing the required addons in HA OS/supervised instances are no options for me.
I find neither the link from the Voice Assistant to the home assistant > remote access nor @f4stb00t’s reply helpful.
So can someone explain properly or link a detailed documentation on how to configure HA docker with the required tools, please?
Also please let me know when further information is needed or in case I should create a separate topic for my situation.

2 Likes

Hi Guys,
I have the same problem. I want to use the Assist, but only local and not with access from outside.
When I can’t create an SSL certificate for an internal address, is there a way to use the Assist over HTTP?

It’s totally possible to create a certificate for a local address. I have a subdomain (say foo.bar.com), set by DNS to HA’s IP (192.168.X.Y or whatever) and got a Let’s Encrypt certificate via DNS challenge (HTTP challenge is not possible since the IP is local, although one could get the certificate then change the IP).

Then I just access HA locally at https://foo.bar.com/.

One small downside is that if internet is down, DNS might fail and you might be unable to access foo.bar.com even though it’s local. This is quite rare to happen, given that DNS is cached, but to be 100% sure I have configured my local DNS to answer such queries locally.

3 Likes

@f4stb00t, you just wrote 3! paragraphs just to tell us you are not prepared to help. Then don’t waste our time.

11 Likes

Guess you read it the wrong way. It looks more like you want someone else to do your job. This is literally not how a forum works. If you want someone else to do your work, you have to pay for it…

Also, problem descriptions like “does not work” say exactly nothing to the person who wants to help. So I would question myself how I ask for help… and furthermore which details I can provide to get help…

1 Like

Maybe I should not ask this here, but I am totally missing how I can use my HA purely locally: no Nabu Casa, no DNS. I do not wish for nor need internet access.
Still, there is the problem that to use voice locally I need my HA to be on HTTPS. How do I do that, and where and what do I need for that?

2 Likes

create self signed ssl cert

```
openssl req -sha256 -addext "subjectAltName = IP:" -newkey rsa:4096 -nodes -keyout privkey.pem -x509 -days 365 -out fullchain.pem
```

Example:

```
openssl req -sha256 -addext "subjectAltName = IP:192.168.0.2" -newkey rsa:4096 -nodes -keyout privkey.pem -x509 -days 365 -out fullchain.pem
Generating a RSA private key
......................................................................................................................................................................................................++++
........................................................................++++
writing new private key to 'privkey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:homeassistant.myhometestdomain.home
Email Address []:[email protected]
```

```
# create directory and move .pem files
mkdir /home/homeassistant/.homeassistant/ssl_certs && mv *.pem /home/homeassistant/.homeassistant/ssl_certs/
```

change HA configuration.yaml

```yaml
http:
  ssl_certificate: /home/homeassistant/.homeassistant/ssl_certs/fullchain.pem
  ssl_key: /home/homeassistant/.homeassistant/ssl_certs/privkey.pem
```

reload HA or reboot the machine.

5 Likes
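A pre-flight check for the `fullchain.pem`/`privkey.pem` pair produced by the command in the post above, added here as an example and not part of the thread: it confirms that the address typed into the browser is in the certificate's subjectAltName, that the certificate is not about to expire, that the key matches, and that the unencrypted key is not readable by other users. The function name `ha_cert_check` and the 30-day default are assumptions, and OpenSSL 1.1.1 or later is assumed.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes OpenSSL 1.1.1+ for "-ext".
# ha_cert_check CERT KEY ADDRESS [MIN_DAYS]
#   ADDRESS is what you type in the browser: an IPv4 address or a DNS name.
#   Prints one line per problem and returns the number of problems found.
ha_cert_check() {
    cert=$1; key=$2; addr=$3; min_days=${4:-30}; problems=0

    # 1. The address must be in subjectAltName. OpenSSL's -checkhost falls
    #    back to the CN when there is no DNS SAN; browsers do not, so a DNS
    #    entry is required explicitly for names.
    case $addr in
        *[!0-9.]*)
            openssl x509 -in "$cert" -noout -ext subjectAltName 2>/dev/null |
                grep -q 'DNS:' &&
            openssl x509 -in "$cert" -noout -checkhost "$addr" 2>/dev/null |
                grep -q 'does match' ;;
        *)
            openssl x509 -in "$cert" -noout -checkip "$addr" 2>/dev/null |
                grep -q 'does match' ;;
    esac || { echo "subjectAltName does not cover $addr"; problems=$((problems + 1)); }

    # 2. -checkend exits non-zero if the cert expires within N seconds.
    openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null 2>&1 ||
        { echo "certificate expires within $min_days days"; problems=$((problems + 1)); }

    # 3. ssl_key must be the private half of the key in ssl_certificate.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || cert_pub=
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || key_pub=
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "private key does not match certificate"; problems=$((problems + 1))
    fi

    # 4. -nodes leaves the key unencrypted, so file mode is its only protection.
    if [ -n "$(find "$key" \( -perm -040 -o -perm -004 \) 2>/dev/null)" ]; then
        echo "private key is readable by group or others (chmod 600)"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Run as: sh check.sh fullchain.pem privkey.pem 192.168.0.2
if [ "$#" -ge 3 ]; then ha_cert_check "$@"; fi
```

A certificate that passes these checks is still self-signed, so each browser or device has to be told to trust it before the warning goes away.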

Thank you for the help. One last question: if this goes wrong, will I still be able to get into HA, or will I be locked out?

Plus this command:

openssl req -sha256 -addext "subjectAltName = IP:192.168.0.2" -newkey rsa:4096 -nodes -keyout privkey.pem -x509 -days 365 -out fullchain.pem
Generating a RSA private key

Where do I run that, in my PC/Linux/or Raspberry 4 with HA in shell?

Well, this is what I meant with my previous posts. I don’t know your setup.

Normally you should not log yourself out. But if this happens, you can just revert what you did and reload HA again.

The openssl command can be used on any system with openssl installed. But surely then you need to transfer the certificates to HA.

So for example I run HA on a Linux distro on a mini PC, because a Raspberry Pi had not enough power for my setup. I’ve installed a Core version in a Python venv. I also do not use the functionality of HA itself to have HTTPS running. Instead of that I’ve configured nginx as a reverse proxy. But for this setup also my configuration looks different from what I showed to you. That means, again, without details about your specific setup, I can only guess.

Running HA on a raspberry4, with SSD, native no docker as I think. SSH is add-on version nothing special nothing weird, for that would be out of my league.
Hopefully that is all you need to know, if not well please do tell what it is you look for specific?

1 Like

That is not possible. You’re going to need a trusted certificate from some issuer somewhere that your devices will trust, and then you’re going to need to be able to correctly resolve the name on the certificate to the ip address of home assistant.

Ok, thank you, so I take it then it is only not in browser so I have to build esp32 nodes or other mic/speaker rhasspy or other input devices, they will work I hope, without internet doors open and without needing the certificate for HTTPS.

Can you specify which installation method you used? I am not familiar with the other installations, as I wanted to have the most flexibility for my environment. That’s why I use the Core installation.

Why shouldn’t it be possible? Now I am curious. Basically I run my HA installation with a self signed cert, as I also do not want to expose my HA to the public. Even the companion app on my android phone is working like a charm.

There is an automated installation method for Raspberry Pis: you just need to take an SD card, flash the HA operating system on it, insert it in your Pi and it all starts. The only thing you need to do is use another SD card to make your Pi install it on the SSD, but that is all, so a dedicated HA operating system.
The howto was here:

Android devices do not trust self-signed certificates, neither do iOS devices.

It is possible that you found a way to add it to the trusted store on the device, but that is not the correct way to do it, and it’s way out of scope of what a “normal” user is going to do - not to mention that AFAIK that’s not even possible on an iOS device, so that’s not even a viable solution for all use cases.