Connecting to HA locally using HTTPS

_xj · March 7, 2024, 7:58pm

I don’t know if someone has already written about it here, but maybe the way I solved it will help someone.
For external access, I have my domain + Let’s Encrypt certificate. It works OK.
I simply added the routing url to the local ip HASS in hosts

c:\Windows\System32\drivers\etc\hosts

localip outerurl #note
(e.g. 10.2.2.10 www[dot]yourouterurl[dot]com #home assistant)

That’s how https[://]www[dot]yourouterurl[dot]com works for me even in the local network. It should work for dynamic dns as well.

Of course replace [dot] with real .

aceindy · March 7, 2024, 8:11pm

But you will need to do this on every machine you use to connect to HA…

Easier would be to resolve the DNS in your dns-server (normally on your router).

_xj · March 7, 2024, 8:51pm

It doesn’t work for me on Mikrotik with HA. When I set the redirect DNS on the router, it redirects to the correct IP, displays the initial HA logo, but it gets stuck on unable to connect + retry in 60 sec.
If I do it via hosts, it works OK.

Edit: It works on Mikrotik, but only with static DNS. Layer 7 protocol DNS forwarding +NAT doesn’t work.

aceindy · March 7, 2024, 9:21pm

Not that i use one, but it should be possible
Check aesmiths reply here
https://forum.mikrotik.com/viewtopic.php?t=182941

_xj · March 7, 2024, 9:47pm

He’s using static DNS and it also works on Mikrotik. Thank you.

mitchmario · March 8, 2024, 9:20am

You can get around this by using ‘Insecure origins treated as secure’ in Chrome under chrome://flags/. It’s discussed here.

thecodingart · March 10, 2024, 5:52pm

The HA application on macOS would be using Safari’s WebKit to my knowledge wouldn’t it?

It would be silly for it to embed a 3rd party web client and I’m certain it can’t via macOS App Store distribution.

kgolding · April 11, 2024, 9:28am

After far too much time spent solving the local access over https (for me so I could use ESPHome), I’ve written up some instructions and created an online tool to help generate the required certificates.

Seems to work here and on a friends’ system, and no router/DNS magic settings needed.

aceindy · April 11, 2024, 9:52am

Hi @kgolding, welcome to the community.

Since when is HTTPS a requirement to use the ESPHome addon ?
For sure it is not on HAOS…

You could setup SSL, but that is optional…

3. Optional: If you're using SSL/TLS certificates and want to encrypt your communication to this add-on, please enter `true` into the `ssl` field and set the `fullchain` and `certfile` options accordingly.

github.com

esphome/home-assistant-addon/blob/b5ef9084693f904dd06c819cb2557d4cc7477660/esphome/DOCS.md

# ESPHome Add-on
## Installation

The installation of this add-on is pretty straightforward and not different in comparison to installing any other Home Assistant add-on.

1. Search for the “ESPHome” add-on in the Supervisor add-on store.
2. Press install to download the add-on and unpack it on your machine. This can take some time.
3. Optional: If you're using SSL/TLS certificates and want to encrypt your communication to this add-on, please enter `true` into the `ssl` field and set the `fullchain` and `certfile` options accordingly.
4. Start the add-on, check the logs of the add-on to see if everything went well.
5. Click "OPEN WEB UI" to open the ESPHome dashboard. You will be asked for your Home Assistant credentials - ESPHome uses Home Assistant's authentication system to log you in.

You can view the ESPHome documentation at https://esphome.io/

## Configuration

**Note**: _Remember to restart the add-on when the configuration is changed._

Example add-on configuration:

```json

This file has been truncated. show original

I also think this should be a separate thread, as i hasn’t much to do with the original post

stevemann · April 26, 2024, 7:37pm

It isn’t but my browser, Edge, complains that my .bin files are unsafe and I have to jump through hoops to get the files. Microsoft help indicates that if the site were connected with https that downloading the bin file would be uninterrupted.

harryfine · May 14, 2024, 5:37pm

@kgolding I’ve been struggling with this the last few days, and now after looking at your page describing how to get local https access.

I have the two certificates, paid on noip.com. The files are in the proper folder in HAOS, I’ve edited my configuration.yaml and restarted. My entry in configuration.yaml is:

http:
  server_port: 8123
  ip_ban_enabled: true
  login_attempts_threshold: 5
  ssl_certificate: /config/ssl/fullchain.pem
  ssl_key: /config/ssl/privkey.pem

After restart, I cannot log in with http (great) and I can login with https:homeassistant.local (also great) although with warnings. But the webpage title bar shows the connection as not secure.

Connection_not_secure

So I log in ignoring warnings, and when I try to access Music Assistant in an addon (Music Assistant) through a dashboard view using a web card with https://192.168.1.55:8095/#/home, it gives me this error in Firefox:

# Secure Connection Failed

An error occurred during a connection to 192.168.1.55:8095. SSL received a record that exceeded the maximum permissible length.

Error code: SSL_ERROR_RX_RECORD_TOO_LONG

In Chrome and Edge it just says "Refused to Connect:. So logging in locally using https with this method is not working.

exx · May 15, 2024, 11:31pm

Have you followed the video I posted in this thread months ago? Works fine, is not complicated, and I, too, use music assistant.

harryfine · May 16, 2024, 12:50am

Can you provide the link please?

exx · May 16, 2024, 3:10am

I think that’s a new record.

paddy0174 · May 16, 2024, 11:31am

You do know how to use a computer mouse, do you?

Let me give you a hint: the wheel that you can scroll on your mouse is the key. Scroll up in this topic and you’ll get to a post, where a video is posted. You just need to scroll with that mouse wheel. Oh, and if nothing moves on your screen, that means you’re scrolling in the wrong direction - try the other direction…

harryfine · May 16, 2024, 1:20pm

Actually I do recall watching that, at the beginning of the video he said that it was a method to reach home assistant from the internet. That is not what I’m trying to do. I already use Nabu Casa for that. I’m trying to something of my internal connection be using https.

paddy0174 · May 16, 2024, 1:33pm

That’s not the point. The point was you asking for a link to a video that is literally not even 30 posts above your question…

Moving on… There is no way you can setup a local IP for your certificate, but that is needed for a secure connection. That leaves you only with one way, you need a domain for it to work. That’s where DuckDNS or NabuCasa come into play.

I’ll try to exlpain it as easy as possible:
A certificate can only work with a domain name (yourcooladdress.anywhere), not with an IP address (10.10.10.1). To circumvent this requirement, you setup a domain and get the certificate for it. So all devices are cool with the security and can connect safely.

How you handle that domain afterwards, is up to you. In my case I’m telling my router, to not lookup the DNS entry for mydomain.com and route it directly to an IP address in my local network. This way, the certificate still works (as I’m calling the domain) and there’s no “outside” traffic. But there are many other ways to do that, one of them being shown in the video above.

Hope that makes it a little clearer.

harryfine · May 16, 2024, 1:48pm

So am I understanding this correctly that I have to set up my own DNS server in some way, either with DNS server software somewhere on the same subnet or through the router assuming the routor supports it. I have a Synology router which I think is pretty capable?

ddaniel · May 16, 2024, 2:24pm

You can use aguard as dns server and set up your domain to point back to your ha ip address. I’m using it like that. I configured reverse proxy using nginx. got ssl cert for my domain and use adguard to route traffic for that domain back to my ha ip.

paddy0174 · May 16, 2024, 2:44pm

No, you don’t need (EDIT: a your own) DNS server for that. Sorry, it’s really hard to explain.

This is how it goes for internal IPs

you type your HA IP into the browser, like 10.10.10.5:8123
this is a local request, your router automatically knows where to send the data as it’s in the local network

This is how it works for external addresses, like a domain

you type a domain address in, like disney.com
your browser sends a DNS request through your router to the DNS server that is configured (normally the one from your ISP)
response comes back with the external IP address, that’s configured to that domain

This is how it should work with a secure connection

you type in the domain name
your browser sends a DNS request
your router checks the domain, and, if configured correctly, recognizes this domain as an internal domain and answers itself, without the need to poll an outside DNS server. The answer then is the internal IP aka your HA.

Now you just need something, that handles all that from the point where the server is addressed internally.

Just to note: you can use a DNS server for that, like Pi-Hole or AdGuard, but they’re not a requirement for this to work!