Connecting to HA locally using HTTPS

I don’t know if someone has already written about it here, but maybe the way I solved it will help someone.
For external access, I have my domain + Let’s Encrypt certificate. It works OK.
I simply added an entry mapping the outer URL to the local IP of HASS in the hosts file

c:\Windows\System32\drivers\etc\hosts

localip outerurl #note
(e.g. 10.2.2.10 www[dot]yourouterurl[dot]com #home assistant)

That’s how https[://]www[dot]yourouterurl[dot]com works for me even in the local network. It should work for dynamic dns as well.

Of course replace [dot] with real .


But you will need to do this on every machine you use to connect to HA…

Easier would be to resolve the DNS in your dns-server (normally on your router).

It doesn’t work for me on Mikrotik with HA. When I set the redirect DNS on the router, it redirects to the correct IP, displays the initial HA logo, but it gets stuck on unable to connect + retry in 60 sec.
If I do it via hosts, it works OK.

Edit: It works on Mikrotik, but only with static DNS. Layer 7 protocol DNS forwarding +NAT doesn’t work.

Not that I use one, but it should be possible.
Check aesmith's reply here:
https://forum.mikrotik.com/viewtopic.php?t=182941

He’s using static DNS and it also works on Mikrotik. Thank you. :ok_hand:

You can get around this by using ‘Insecure origins treated as secure’ in Chrome under chrome://flags/. It’s discussed here.


The HA application on macOS would be using Safari’s WebKit to my knowledge wouldn’t it?

It would be silly for it to embed a 3rd party web client and I’m certain it can’t via macOS App Store distribution.

After far too much time spent solving the local access over https (for me so I could use ESPHome), I’ve written up some instructions and created an online tool to help generate the required certificates.

Seems to work here and on a friend’s system, and no router/DNS magic settings needed.


Hi @kgolding, welcome to the community.

Since when is HTTPS a requirement to use the ESPHome addon?
For sure it is not on HAOS…

You could setup SSL, but that is optional…

3. Optional: If you're using SSL/TLS certificates and want to encrypt your communication to this add-on, please enter `true` into the `ssl` field and set the `fullchain` and `certfile` options accordingly.

I also think this should be a separate thread, as it hasn’t much to do with the original post :thinking:

It isn’t but my browser, Edge, complains that my .bin files are unsafe and I have to jump through hoops to get the files. Microsoft help indicates that if the site were connected with https that downloading the bin file would be uninterrupted.

@kgolding I’ve been struggling with this the last few days, and now after looking at your page describing how to get local https access.

I have the two certificates, paid on noip.com. The files are in the proper folder in HAOS, I’ve edited my configuration.yaml and restarted. My entry in configuration.yaml is:

```yaml
http:
  server_port: 8123
  ip_ban_enabled: true
  login_attempts_threshold: 5
  ssl_certificate: /config/ssl/fullchain.pem
  ssl_key: /config/ssl/privkey.pem
```

After restart, I cannot log in with http (great) and I can login with https:homeassistant.local (also great) although with warnings. But the webpage title bar shows the connection as not secure.

Connection_not_secure

So I log in ignoring warnings, and when I try to access Music Assistant in an addon (Music Assistant) through a dashboard view using a web card with https://192.168.1.55:8095/#/home, it gives me this error in Firefox:

# Secure Connection Failed

An error occurred during a connection to 192.168.1.55:8095. SSL received a record that exceeded the maximum permissible length.

Error code: SSL_ERROR_RX_RECORD_TOO_LONG

In Chrome and Edge it just says "Refused to Connect". So logging in locally using https with this method is not working.
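SSL_ERROR_RX_RECORD_TOO_LONG is what Firefox reports when the bytes that come back after its ClientHello do not form a TLS record at all, typically because the port only speaks plain HTTP. The probe below is an added example, not code from the thread or from Home Assistant: it sends a minimal ClientHello to a host and port, interprets the reply the way a browser does, and, for a stand-alone run, includes a constructed plain-HTTP listener so the failure can be reproduced offline (host and port of a real add-on are assumptions).

```python
import socket
import struct
import threading

# Constructed minimal TLS 1.2 ClientHello (one cipher suite, no extensions):
# enough to make a real TLS endpoint answer with a ServerHello or an alert.
CLIENT_HELLO = (
    b"\x16\x03\x01\x00\x2d"        # record header: handshake, 45 bytes follow
    b"\x01\x00\x00\x29"            # handshake header: client_hello, 41 bytes
    b"\x03\x03" + b"\x00" * 32 +   # client_version TLS 1.2, client random
    b"\x00"                        # session_id length 0
    b"\x00\x02\x00\x2f"            # cipher_suites: TLS_RSA_WITH_AES_128_CBC_SHA
    b"\x01\x00"                    # compression_methods: null
)
TLS_MAX_RECORD = 2 ** 14 + 2048    # NSS: longer => SSL_ERROR_RX_RECORD_TOO_LONG

def classify_reply(data: bytes) -> dict:
    """Read the first bytes a server returned as a TLS record header, as a browser does."""
    if len(data) < 5:
        return {"kind": "no-data"}
    ctype, version, length = struct.unpack("!BHH", data[:5])
    if ctype in (0x15, 0x16) and version >> 8 == 3 and length <= TLS_MAX_RECORD:
        return {"kind": "tls-alert" if ctype == 0x15 else "tls-handshake", "length": length}
    # A plain "HTTP/1.1 400 ..." reply parses as type 0x48 ('H') with length
    # 0x502F ('P/') = 20527 bytes, above the TLS maximum: hence the Firefox error.
    return {"kind": "plain-http" if data.startswith(b"HTTP/") else "unknown",
            "record_type": ctype, "record_length": length,
            "too_long": length > TLS_MAX_RECORD}

def probe(host: str, port: int, timeout: float = 3.0) -> dict:
    """Connect, send the ClientHello and classify whatever comes back."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(CLIENT_HELLO)
        try:
            data = s.recv(4096)
        except (socket.timeout, ConnectionError):
            data = b""
    return classify_reply(data)

def start_plain_http_server() -> int:
    """Constructed stand-in for an add-on UI that speaks only HTTP; returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve_one():
        conn, _ = srv.accept()
        conn.recv(4096)                # discard the ClientHello it cannot parse
        conn.sendall(b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n")
        conn.close()
        srv.close()
    threading.Thread(target=serve_one, daemon=True).start()
    return srv.getsockname()[1]
```

Run `probe("192.168.1.55", 8095)` against the real add-on to see which case applies; a `plain-http` result means the page must be embedded over http, not https, regardless of how the Home Assistant certificate is set up.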

Have you followed the video I posted in this thread months ago? Works fine, is not complicated, and I, too, use music assistant.

Can you provide the link please?

I think that’s a new record.


You do know how to use a computer mouse, do you? :wink:

Let me give you a hint: the wheel that you can scroll on your mouse is the key. Scroll up in this topic and you’ll get to a post, where a video is posted. You just need to scroll with that mouse wheel. Oh, and if nothing moves on your screen, that means you’re scrolling in the wrong direction - try the other direction… :wink:

Actually I do recall watching that; at the beginning of the video he said that it was a method to reach home assistant from the internet. That is not what I’m trying to do. I already use Nabu Casa for that. I’m trying to get my internal connection to use https.

That’s not the point. :slight_smile: The point was you asking for a link to a video that is literally not even 30 posts above your question… :wink:

Moving on… There is no way you can set up a local IP for your certificate, but that is needed for a secure connection. That leaves you with only one way: you need a domain for it to work. That’s where DuckDNS or NabuCasa come into play.

I’ll try to explain it as easily as possible:
A certificate can only work with a domain name (yourcooladdress.anywhere), not with an IP address (10.10.10.1). To circumvent this requirement, you setup a domain and get the certificate for it. So all devices are cool with the security and can connect safely.

How you handle that domain afterwards is up to you. In my case I’m telling my router not to look up the DNS entry for mydomain.com and to route it directly to an IP address in my local network. This way, the certificate still works (as I’m calling the domain) and there’s no “outside” traffic. But there are many other ways to do that, one of them being shown in the video above. :slight_smile:

Hope that makes it a little clearer. :slight_smile:


So am I understanding this correctly that I have to set up my own DNS server in some way, either with DNS server software somewhere on the same subnet or through the router, assuming the router supports it? I have a Synology router which I think is pretty capable?

You can use AdGuard as a DNS server and set up your domain to point back to your HA IP address. I’m using it like that. I configured a reverse proxy using nginx, got an SSL cert for my domain and use AdGuard to route traffic for that domain back to my HA IP.

No, you don’t need (EDIT: your own) DNS server for that. :slight_smile: Sorry, it’s really hard to explain.

This is how it goes for internal IPs

  • you type your HA IP into the browser, like 10.10.10.5:8123
  • this is a local request, your router automatically knows where to send the data as it’s in the local network

This is how it works for external addresses, like a domain

  • you type a domain address in, like disney.com
  • your browser sends a DNS request through your router to the DNS server that is configured (normally the one from your ISP)
  • response comes back with the external IP address, that’s configured to that domain

This is how it should work with a secure connection

  • you type in the domain name
  • your browser sends a DNS request
  • your router checks the domain, and, if configured correctly, recognizes this domain as an internal domain and answers itself, without the need to poll an outside DNS server. The answer then is the internal IP aka your HA.

Now you just need something, that handles all that from the point where the server is addressed internally.

Just to note: you can use a DNS server for that, like Pi-Hole or AdGuard, but they’re not a requirement for this to work!
