Connecting to HA locally using HTTPS

Hi guys,
I have the same problem. I want to use Assist, but only locally and not with access from outside.
If I can't create an SSL certificate for an internal address, is there a way to use Assist over HTTP?

It’s totally possible to create a certificate for a local address. I have a subdomain (say foo.bar.com), pointed by DNS to HA’s IP (192.168.X.Y or whatever), and got a Let’s Encrypt certificate via the DNS challenge (the HTTP challenge is not possible since the IP is local, although one could get the certificate and then change the IP).

Then I just access HA locally at https://foo.bar.com/.

One small downside is that if the internet is down, DNS might fail and you might be unable to access foo.bar.com even though it’s local. This is quite rare, given that DNS is cached, but to be 100% sure I have configured my local DNS to answer such queries locally.

3 Likes

@f4stb00t, you just wrote 3! paragraphs just to tell us you are not prepared to help. Then don’t waste our time.

11 Likes

Guess you read it the wrong way. It looks more like you want someone else to do your job. This is literally not how a forum works. If you want someone else to do your work, you have to pay for it…

Also, problem descriptions like “does not work” say exactly nothing to the person who wants to help. So I would ask myself how I ask for help… and furthermore which details I can provide to get help…

1 Like

Maybe I should not ask this here, but I am totally missing how I can use my HA purely locally, no Nabu Casa, no DNS; I do not wish nor need internet access.
Still, there is the problem that to use voice locally I need my HA to be on HTTPS. How do I do that, where, and what do I need for that?

2 Likes

Create a self-signed SSL cert:

openssl req -sha256 -addext "subjectAltName = IP:" -newkey rsa:4096 -nodes -keyout privkey.pem -x509 -days 365 -out fullchain.pem

Example:

openssl req -sha256 -addext "subjectAltName = IP:192.168.0.2" -newkey rsa:4096 -nodes -keyout privkey.pem -x509 -days 365 -out fullchain.pem
Generating a RSA private key
......................................................................................................................................................................................................++++
........................................................................++++
writing new private key to 'privkey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:homeassistant.myhometestdomain.home
Email Address []:[email protected]

// create directory and move .pem files
mkdir /home/homeassistant/.homeassistant/ssl_certs && mv *.pem /home/homeassistant/.homeassistant/ssl_certs/

Change HA configuration.yaml:

http:
  ssl_certificate: /home/homeassistant/.homeassistant/ssl_certs/fullchain.pem
  ssl_key: /home/homeassistant/.homeassistant/ssl_certs/privkey.pem

Reload HA or reboot the machine.

5 Likes
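As an added example (not from the thread or from Home Assistant itself), the procedure in the post above as a non-interactive POSIX sh script, plus the two checks worth running before pointing configuration.yaml at the files: that the key matches the certificate, and that the certificate is actually valid for the address you will type into the browser. It goes one step further than the post by putting both the LAN IP and the hostname into subjectAltName, because browsers match SAN only and ignore the CN. The IP, hostname and output directory are constructed placeholders.

```shell
#!/bin/sh
# Added example, not the forum post's own commands. Generates a self-signed
# certificate for Home Assistant on a LAN and verifies it before use.
# 192.168.0.2, homeassistant.home and the output dir are constructed values.

make_local_cert() {
  # $1 = output directory, $2 = LAN IP of HA, $3 = local hostname of HA
  dir="$1"; ip="$2"; host="$3"
  mkdir -p "$dir" || return 1
  # -subj avoids the interactive DN prompts. Browsers validate the SAN, not
  # the CN, so both the IP and the DNS name go into subjectAltName.
  openssl req -x509 -sha256 -newkey rsa:4096 -nodes -days 365 \
    -subj "/CN=$host" \
    -addext "subjectAltName = IP:$ip, DNS:$host" \
    -keyout "$dir/privkey.pem" -out "$dir/fullchain.pem" >/dev/null 2>&1 || return 1
  # The private key unlocks the HA web UI; keep it readable by the HA user only.
  chmod 600 "$dir/privkey.pem"
}

check_local_cert() {
  # Prints "ok" only if key and cert belong together AND the cert is valid
  # for the given IP and hostname; otherwise prints the reason and fails.
  dir="$1"; ip="$2"; host="$3"
  cert_pub=$(openssl x509 -in "$dir/fullchain.pem" -noout -pubkey) || return 1
  key_pub=$(openssl pkey -in "$dir/privkey.pem" -pubout) || return 1
  [ "$cert_pub" = "$key_pub" ] || { echo "key does not match certificate"; return 1; }
  # Self-signed: the cert is its own trust anchor, hence -CAfile pointing at itself.
  openssl verify -CAfile "$dir/fullchain.pem" -verify_ip "$ip" \
    "$dir/fullchain.pem" >/dev/null 2>&1 \
    || { echo "certificate not valid for IP $ip"; return 1; }
  openssl verify -CAfile "$dir/fullchain.pem" -verify_hostname "$host" \
    "$dir/fullchain.pem" >/dev/null 2>&1 \
    || { echo "certificate not valid for hostname $host"; return 1; }
  echo "ok"
}

# Usage (uncomment to run): the two paths then go into http: ssl_certificate /
# ssl_key in configuration.yaml, as shown in the post above.
# make_local_cert ./ssl_certs 192.168.0.2 homeassistant.home
# check_local_cert ./ssl_certs 192.168.0.2 homeassistant.home
```

If check_local_cert reports a mismatch for the IP, HA would still start, but the browser would refuse the connection, so fix the SAN before editing configuration.yaml.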

Thank you for the help. One last question: if this goes wrong, will I still be able to get into HA, or will I be locked out?

Plus this command:

openssl req -sha256 -addext "subjectAltName = IP:192.168.0.2" -newkey rsa:4096 -nodes -keyout privkey.pem -x509 -days 365 -out fullchain.pem
Generating a RSA private key

Where do I run that? On my PC/Linux, or on the Raspberry 4 with HA, in the shell?

Well, this is what I meant with my previous posts. I don’t know your setup.

Normally you should not log yourself out. But if this happens, you can just revert what you did and reload HA again.

The openssl command can be used on any system with openssl installed. But surely then you need to transfer the certificates to HA.

So for example I run HA on a Linux distro on a mini PC, because a Raspberry Pi did not have enough power for my setup. I’ve installed a Core version in a Python venv. I also do not use the functionality of HA itself to have HTTPS running. Instead I’ve configured nginx as a reverse proxy. But for this setup my configuration also looks different from what I showed you. That means, again, without details about your specific setup, I can only guess.

Running HA on a Raspberry 4, with SSD, native, no Docker as I think. SSH is the add-on version, nothing special, nothing weird, for that would be out of my league.
Hopefully that is all you need to know; if not, well, please do tell what it is you are looking for specifically?

1 Like

That is not possible. You’re going to need a trusted certificate from some issuer somewhere that your devices will trust, and then you’re going to need to be able to correctly resolve the name on the certificate to the IP address of Home Assistant.

OK, thank you. So I take it then it is only not in the browser, so I have to build ESP32 nodes or other mic/speaker Rhasspy or other input devices; they will work, I hope, without internet doors open and without needing the certificate for HTTPS.

Can you specify which installation method you used? I am not familiar with the other installations, as I wanted to have the most flexibility for my environment. That’s why I use the Core installation.

Why shouldn’t it be possible? Now I am curious. Basically I run my HA installation with a self-signed cert, as I also do not want to expose my HA to the public. Even the companion app on my Android phone is working like a charm.

There is an automated installation method for Raspberry Pis: you just need to make an SD card, flash the HA operating system on that, insert it in your Pi and it all starts. The only thing you need to do is use another SD card to make your Pi install it on the SSD, but that is all, so a dedicated HA operating system.
The howto was here:

Android devices do not trust self-signed certificates, neither do iOS devices.

It is possible that you found a way to add it to the trusted store on the device, but that is not the correct way to do it, and it’s way out of scope of what a “normal” user is going to do - not to mention that AFAIK that’s not even possible on an iOS device, so that’s not even a viable solution for all use cases.

  1. Apple
    Trust manually installed certificate profiles in iOS and iPadOS - Apple Support

  2. Android
    Add & remove certificates - Pixel Phone Help

So I would not go that far to say it’s not possible.

Edit: And yes, this is the right way to do it. How do you think SSL interception works in enterprise companies? Precisely the same way. The normal user does not even realize, when he connects to google.com via Chrome/Edge/whatever, that the real certificate is not from Google; instead it’s from the company’s own CA. Surely there are ways to circumvent this, but there are also ways to circumvent cert pinning…

2 Likes

As it seems this is just a normal Raspberry Pi OS aka Raspbian, it should be easily possible to change that. But I don’t know which magic the Home Assistant devs used to configure this installation. To be honest, I also don’t have time to try for you.

But when you have SSH access to the machine and you are able to run commands, it should work the way I described. If not, you can easily revert it and also give details about what did not work.

“ssl interception”? “cert pinning”? Did you just make those terms up? LOL

And no - just because it can be done does not mean it is the correct way of doing it.

Having said that, it appears you’re only here to argue. To post a wall of text about how you won’t help, then you provide half-baked “solutions”, then argue with people who know better. Then when pushed, you say you “don’t know which magic”, and “don’t have time to try”.

I’m putting you on my ignore list. Bye.

Sure. Just read it in a newspaper…

As almost nobody has a public CA running which is “trusted”, the only solution is self-signed certificates, with the limitation that several applications will complain or even not work. Furthermore, without a FQDN (e.g. homeassistant.u-r-not-the-sharpest-tool.in-the.box) pointing to a public domain, even this will create issues in your home “local area network”. So basically you won’t be able to add one of the non-publicly-routable IPs (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), because the public CAs won’t accept such a CSR. But I am sure you know that. Surely what you can do is even use a public domain locally with, for example, a free cert from Let’s Encrypt. But as most ppl have no real clue how to set up their routers, or even to run bind or dnsmasq, or know what DNS means, what CNAMEs, forwards, NAT/PAT, BGP/EIGRP/OSPF, … etc. are, or even to just add the needed stuff to the hosts file… it makes absolutely no sense to explain.
Also here I am quite sure you know better. So let the ppl benefit from your impressive knowledge… instead of saying “it does not work”.

Literally, the information came from the official documentation. This is what I meant with “use your favorite search engine”. And yes, surely I am not about to set up every environment to help anyone.

But once again: let the ppl benefit from your deep knowledge. You don’t need to ignore me, because for me that’s definitely it. Waste someone else’s time…

1 Like

I do like the fact that f4stb00t is trying to explain to me how it is done, and actually this all goes above my knowledge, I am afraid, but that there is someone trying to figure out how to get this voice thing running without the need of the internet: thank you.
Please do not start a fight over this.
See, I know many people say use Nabu Casa; for me it has two side effects I cannot live with. One is, some say it is cheap, soon 6.50 or so per month; well, that is still a lot to me. Secondly, I do not like, with my simple knowledge of things, opening ports to the internet, which I do not require; my home is smart enough by itself now with HA, so no need to say “I am driving home” or “on vacation, switch on the light”. I use automations for that, no need to look at my phone.
So for me the internet route is not the one I like to pursue.
I simply wished for voice to work locally in my browsers without all the fuss, and was looking for answers as to whether it is possible.

4 Likes