I don’t know if someone has already written about it here, but maybe the way I solved it will help someone.
For external access, I have my domain + Let’s Encrypt certificate. It works OK.
I simply added the URL routing to the local HASS IP in hosts.
It doesn’t work for me on Mikrotik with HA. When I set the redirect DNS on the router, it redirects to the correct IP, displays the initial HA logo, but it gets stuck on unable to connect + retry in 60 sec.
If I do it via hosts, it works OK.
Edit: It works on Mikrotik, but only with static DNS. Layer 7 protocol DNS forwarding + NAT doesn’t work.
After far too much time spent solving the local access over https (for me so I could use ESPHome), I’ve written up some instructions and created an online tool to help generate the required certificates.
Seems to work here and on a friend’s system, and no router/DNS magic settings needed.
Since when is HTTPS a requirement to use the ESPHome add-on?
For sure it is not on HAOS…
You could set up SSL, but that is optional…
3. Optional: If you're using SSL/TLS certificates and want to encrypt your communication to this add-on, please enter `true` into the `ssl` field and set the `fullchain` and `certfile` options accordingly.
I also think this should be a separate thread, as it hasn’t much to do with the original post.
It isn’t, but my browser, Edge, complains that my .bin files are unsafe and I have to jump through hoops to get the files. Microsoft help indicates that if the site were connected with HTTPS, downloading the .bin file would be uninterrupted.
@kgolding I’ve been struggling with this the last few days, and now after looking at your page describing how to get local https access.
I have the two certificates, paid on noip.com. The files are in the proper folder in HAOS; I’ve edited my configuration.yaml and restarted. My entry in configuration.yaml is:
After restart, I cannot log in with http (great) and I can log in with https://homeassistant.local (also great), although with warnings. But the webpage title bar shows the connection as not secure.
So I log in ignoring warnings, and when I try to access Music Assistant in an addon (Music Assistant) through a dashboard view using a web card with https://192.168.1.55:8095/#/home, it gives me this error in Firefox:
# Secure Connection Failed
An error occurred during a connection to 192.168.1.55:8095. SSL received a record that exceeded the maximum permissible length.
Error code: SSL_ERROR_RX_RECORD_TOO_LONG
In Chrome and Edge it just says "Refused to Connect". So logging in locally using https with this method is not working.
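A way to see where the SSL_ERROR_RX_RECORD_TOO_LONG above comes from, as an added diagnostic (not code from this thread or from Home Assistant): a browser that has been told to use https reads whatever the server sends first as a TLS record header. If the port answers with plain HTTP text, the ASCII bytes decode as an absurdly long record, which is exactly the error Firefox reports. It assumes the add-on on port 8095 serves plain HTTP, since the `http:` settings in configuration.yaml only cover Home Assistant’s own server, and uses constructed sample bytes, so it runs offline.

```python
"""Decode a server's first bytes the way a TLS client does, to explain
SSL_ERROR_RX_RECORD_TOO_LONG when https is used against a plain-HTTP port."""
import struct

# TLS record header = content type (1 byte), protocol version (2 bytes), length (2 bytes).
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
# Largest record a TLS 1.2 peer may send (RFC 5246, section 6.2.3); NSS rejects anything longer.
MAX_TLS_RECORD_LEN = 2**14 + 2048  # 18432


def read_record_header(first_bytes: bytes) -> dict:
    """Interpret the first five bytes as a TLS record header, whatever they really are."""
    if len(first_bytes) < 5:
        raise ValueError("need at least 5 bytes to read a TLS record header")
    content_type, major, minor, length = struct.unpack("!BBBH", first_bytes[:5])
    return {"content_type": content_type, "version": (major, minor), "length": length}


def classify_server_bytes(first_bytes: bytes) -> str:
    """Say why a browser would (or would not) accept these bytes as the start of a TLS session."""
    hdr = read_record_header(first_bytes)
    looks_like_tls = hdr["content_type"] in TLS_CONTENT_TYPES and hdr["version"][0] == 3
    if looks_like_tls and hdr["length"] <= MAX_TLS_RECORD_LEN:
        return f"tls:{TLS_CONTENT_TYPES[hdr['content_type']]}"
    if first_bytes.lstrip().startswith((b"HTTP/", b"<!DOCTYPE", b"<html")):
        # "HTTP/" decodes to content type 0x48, version 0x54.0x54 and length 0x502f (20527),
        # far above the record limit: this is what the browser reports as RX_RECORD_TOO_LONG.
        return "plain-http:record-too-long" if hdr["length"] > MAX_TLS_RECORD_LEN else "plain-http"
    if hdr["length"] > MAX_TLS_RECORD_LEN:
        return "unknown:record-too-long"
    return "unknown:bad-header"


# Constructed samples, not captured from the setup discussed in the thread.
PLAIN_HTTP_REPLY = b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n"  # what an http-only port returns
TLS_SERVER_HELLO = b"\x16\x03\x03\x00\x2a" + b"\x02\x00\x00\x26\x03\x03" + b"\x00" * 36  # a real TLS record

if __name__ == "__main__":
    for name, sample in (("assumed plain-http add-on port", PLAIN_HTTP_REPLY), ("https port", TLS_SERVER_HELLO)):
        print(name, read_record_header(sample), classify_server_bytes(sample))
```

The practical upshot is that the certificate configured for Home Assistant does not make a separate add-on port speak TLS; that port needs its own TLS setting, or a reverse proxy in front of it, before an https:// URL to it can work.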
Let me give you a hint: the wheel that you can scroll on your mouse is the key. Scroll up in this topic and you’ll get to a post, where a video is posted. You just need to scroll with that mouse wheel. Oh, and if nothing moves on your screen, that means you’re scrolling in the wrong direction - try the other direction…
Actually I do recall watching that; at the beginning of the video he said that it was a method to reach Home Assistant from the internet. That is not what I’m trying to do. I already use Nabu Casa for that. I’m trying to get my internal connection to use https.
That’s not the point. The point was you asking for a link to a video that is literally not even 30 posts above your question…
Moving on… There is no way you can set up a local IP for your certificate, but that is needed for a secure connection. That leaves you only with one way: you need a domain for it to work. That’s where DuckDNS or Nabu Casa come into play.
I’ll try to explain it as simply as possible:
A certificate can only work with a domain name (yourcooladdress.anywhere), not with an IP address (10.10.10.1). To circumvent this requirement, you set up a domain and get the certificate for it. So all devices are cool with the security and can connect safely.
How you handle that domain afterwards is up to you. In my case I’m telling my router not to look up the DNS entry for mydomain.com and to route it directly to an IP address in my local network. This way, the certificate still works (as I’m calling the domain) and there’s no “outside” traffic. But there are many other ways to do that, one of them being shown in the video above.
So am I understanding this correctly that I have to set up my own DNS server in some way, either with DNS server software somewhere on the same subnet or through the router, assuming the router supports it? I have a Synology router which I think is pretty capable?
You can use AdGuard as DNS server and set up your domain to point back to your HA IP address. I’m using it like that. I configured a reverse proxy using nginx, got an SSL cert for my domain and use AdGuard to route traffic for that domain back to my HA IP.
- your browser sends a DNS request through your router to the DNS server that is configured (normally the one from your ISP)
- the response comes back with the external IP address that’s configured for that domain
This is how it should work with a secure connection:
- you type in the domain name
- your browser sends a DNS request
- your router checks the domain and, if configured correctly, recognizes this domain as an internal domain and answers itself, without the need to poll an outside DNS server. The answer then is the internal IP, aka your HA.
Now you just need something that handles all that from the point where the server is addressed internally.
Just to note: you can use a DNS server for that, like Pi-Hole or AdGuard, but they’re not a requirement for this to work!