Connecting to HA locally using HTTPS

  1. Apple
    Trust manually installed certificate profiles in iOS and iPadOS - Apple Support

  2. Android
    Add & remove certificates - Pixel Phone Help

So I would not go that far to say it’s not possible.

Edit: And yes, this is the right way to do it. How do you think ssl interception works in enterprise companies? Precisely the same way. The normal user does not even realize when he connects to google.com via chrome/edge/whatever that the real certificate is not from google, instead it’s from the company’s own CA. Surely there are ways to circumvent this, but there are also ways to circumvent the cert pinning…

2 Likes

As it seems this is just a normal Raspberry OS aka Raspbian, it should be easily possible to change that. But I don’t know which magic the Home Assistant devs used to configure this installation. To be honest I also don’t have time to try for you.

But when you have ssh access to the machine and you are able to run commands, it should work the way I described. If not, you can easily revert it and also give details on what did not work.

“ssl interception”? “cert pinning”? Did you just make those terms up? LOL

And no - just because it can be done does not mean it is the correct way of doing it.

Having said that, it appears you’re only here to argue. To post a wall of text about how you won’t help, then you provide half-baked “solutions”, then argue with people who know better. Then when pushed, you say you “don’t know which magic”, and “don’t have time to try”.

I’m putting you on my ignore list. Bye.

Sure. Just read it in a newspaper…

As almost nobody has a public CA running which is “trusted”, the only solution is self-signed certificates, with the limitation that several applications will complain or even not work. Furthermore, without a FQDN (e.g. homeassistant.u-r-not-the-sharpest-tool.in-the.box) pointing to a public domain, even this will create issues in your home “local area network”. So basically you won’t be able to add one of the non-publicly-routable IPs (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), because the public CAs won’t accept such a CSR. But I am sure you know that. Surely what you can do is even use a public domain locally with, for example, a free cert from Let’s Encrypt. But as most ppl have no real clue how to set up their routers, or even run a bind or dnsmasq, or know what DNS means, what CNAMEs, forwards, NAT/PAT, BGP/EIGRP/OSPF, … etc. are, or even just add the needed stuff to the hosts file… It makes absolutely no sense to explain.
Also here I am quite sure you know better. So let the ppl benefit from your impressive knowledge… instead of saying “it does not work”.

Literally the information came from the official documentation. This is what I meant with “use your favorite search engine”. And yes, surely I am not about to set up every environment to help anyone.

But once again: let the ppl benefit from your deep knowledge. You don’t need to ignore me, because for me that’s definitely it. Waste someone else’s time…

1 Like

I do like the fact that f4stb00t is trying to explain to me how it is done, and actually this all goes above my knowledge I am afraid, but that there is someone trying to figure out how to get this voice thing running without the need of the internet, thank you.
Please do not start a fight over this.
See, I know many people say use Nabu Casa; for me it has two side effects I can not live with. One is, some say it is cheap, soon 6,50 or so per month; well, that is still a lot to me. Secondly, I do not like to try, with my simple knowledge of things, opening ports to the internet, which I do not require; my home is smart enough out of itself now with HA, so no need to say “I am driving home” or “on vacation, switch on the light”. I use automations for that, no need to look at my phone.
So for me the internet route is not the one I like to pursue.
I wished simply for voice to work locally in my browsers without all the fuss, and was looking for answers to whether it is possible.

4 Likes

I am in the same boat as jayjay, I’d like to take advantage of this year of the voice, but sadly the official documentation is lacking in the area for how to set up https for local use.

The error message points you here: Securing - Home Assistant, which literally talks about remote access to home assistant.
I have signed up to Nabu Casa, but it does not provide local https access. Perhaps because I have installed Home Assistant in docker.

Anyway, I am left wondering what I need to setup / configure to make this work …

3 Likes

Did I or someone else harm you in any way, that you talk like that to me?

If you don’t want to waste your time on helping people like me then fine. Just please don’t rub it into my face how stupid I am because I don’t understand how to get a secure connection to my local home assistant instance.
Not everyone knows the perfect search phrase to google away all their problems like you.

When I did my time looking up solutions which I wasn’t able to implement, then it is very disappointing receiving answers such as yours, only because I was dumb enough to believe that there could be goodhearted, smarter people here whose help I would have much appreciated.

2 Likes

Following this thread. I would also like to be able to use https://192.168.1.123:8123 locally, but the details of how to make this work are amazingly absent.

2 Likes

It is perfectly possible to use a real ssl certificate locally only.
I used to:

  • add my registered domain name to my router’s DNS service (domain.my).
  • use a DHCP reservation for HA, e.g. 192.168.0.1
  • run apache on a W10 machine
  • run certbot (Let’s Encrypt) on that W10 machine regularly to generate the SSL certificate.
  • copy the certificate to HA.

In this way ha.domain.my does resolve correctly to 192.168.0.1
No hassle, no nginx, no Nabu Casa, no ports open to HA (only port 80 for apache, as it is required for certbot to work)
You could stop apache/close port 80 after that, but I ran certbot once a week automated, as the Let’s Encrypt certificate is only valid for 90 days; wanted it to renew automatically :wink:

Sounds awesome, finally a doable workaround, finally working voice. To me the way it went was like a train running and running and no one truly was interested in offline integration. Thank you.

a few questions:
registered domain name, is that local domain name?
where to copy the certificate into HA??

I had not read this post for a while, for there was not a working solution proposed here till, I hope, now. But now that I am here I like to react to Nid01, for a reason that I feel a lot like Nid01.
I have used HA a long time, more than you see in my profile; used it probably since version 14-something, right after NoDo.
What started out as helping people in this forum now often turns into derogatory remarks, pointing out that it is in the forum, or “look better in google, do your search”.
The fun of this forum used to be that we are all explorers, one more gifted than the other; now you have to be a crack often to not get looked down upon. This forum has become soooo huge that finding stuff, and here it comes, as Nid01 pointed out so well, if you do not know the search term or phrase, especially as a non-native English speaker, you are lost.
And asking here, often and more often than it used to be, gets met with “do your searching, do not trouble us gods who know all”. Which I think is not what should be: help or do not react.

3 Likes

There are several ways to do this. I mean a self-signed certificate is one way to do it; however, adding each cert to all the devices can be painful.

Another option is to buy a domain name + Cloudflare account (better to get the domain from them too) with this you have endless options. Cloudflare Zerotiers is the easiest way.

Next is to throw in the reverse proxy/NPM caveat that you will need to own a public IP and open a port in your home, or you need to use the Cloudflare API to update your public IP; need to find the script.

DuckDNS is something for you to try ( I believe there are some guide articles around here somewhere)

This is possible and I have used https on my local network for a few years. I bought a domain because I could have only four subdomains on a free domain.
I set up an nginx reverse proxy and got my Let’s Encrypt certs for a domain and all subdomains. My domain is my HA instance and subdomains are other docker containers, i.e. adguard.mydomain.com
I use adguard to do a DNS rewrite for mydomain.com and mysub.domain.com to resolve the FQDN to my server IP.
And this is working with no problem; certs are automatically renewed.

There is just one problem I didn’t manage to solve. I can’t open my.subdomain.com using Nabu Casa cloud. As other people wrote, to use an iframe from outside of your network your subdomain should be accessible over the net, and mine aren’t.
I have a docker installation, but this should work with any other type of HA installation. I can provide more info when I come home from work.

Hello jayjay,

you might be right. But it is also right that A LOT of people who “EXPECT” help from volunteers are not even slightly providing information on what the issue is, where the issue is, if it’s reproducible, how it is reproducible and such necessary information. The volunteers help in their free time and are literally not getting paid for that job. You can check any tech forum and you find this behavior.
Also literally many people do not understand how a forum works. It is also not about language barriers, as I have seen that since the beginning of my times in BBS or internet. Yes, also in my own language. And that’s since the 14.400 baud times. So for quite some time.
So after all, the expectation from a high percentage of people is to get pre-processed data to fit exactly their problem and to solve it.

Coming back to the issue when you do not understand the language or you do not know what you have to search for: I just gave directly one example even with the precise search term. There are thousands of tutorials just for these specific terms. You can even choose your own language. Or extend it with the things you need. In this regard “Home assistant +nginx +reverse proxy”.

Also no one of the so-called gods and cracks is looking down on anyone. I would challenge myself instead as to whether I asked the right question for my problem, instead of searching for the issue at someone else.
But I also think due to the internet, with its AIs, googles and other services, people are getting lazy and forgot how to describe their issue and what they want to achieve in a good way. Especially with the attitude to get everything for free and precisely fitting their problem without describing the problem. Nowadays it’s not even necessary anymore to save data in your brain, coze if you don’t know you google it.

Give a Man a Fish, and You Feed Him for a Day. Teach a Man To Fish, and You Feed Him for a Lifetime

And about hiding my message… Well… “Computer says no” :poop:

1 Like

No it isn’t, but I do use it locally, as it happens to be my local domain too (according to my router’s DNS)

I used to use a samba share (\\192.168.0.2\config\ssl if I am not mistaken)

I recently moved to another domain name provider (TransIP), as the old one didn’t support the DNS challenge, only the HTTP challenge.
Turned out it was a little cheaper too :grin:

With that I was able to move from certbot (running on W10) to the Let’s Encrypt addon, so no need to copy it anymore.

And I now realize it doesn’t need apache either (however I do have it running anyway for other purposes)

So basically, you just need to get a domain name, and assign that to your router’s DNS (and add a DHCP reservation)

I too am looking for a solution that is as simple as possible, but so far I have not been successful. In my case, DNS is resolved in the local network via a pi-hole, here I can also assign local addresses (homeassistant.local > 192.x.x.x). Would it be possible to use a functioning OpenSSL certificate that contains, for example, homeassistant.local as the address? I did not succeed with the local IP address, which seems logical to me after reading the articles.
Since I don’t use many clients, I wouldn’t have any problems manually installing certificates there if necessary.
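The three questions above (the registered-domain-plus-local-DNS approach, "can I use https://192.168.1.123:8123", and "can a certificate contain homeassistant.local") all come down to one check: the name or address typed in the URL bar must appear in the certificate's Subject Alternative Names, and a public CA will only put registrable names and public IPs in there. The following is an added example, not code from the thread or from Home Assistant; the SAN list and the host names are constructed to match the examples people used above, and the exact set of non-registrable suffixes checked is a short, non-exhaustive list.

```python
import ipaddress

# Constructed sample: the SANs a Let's Encrypt certificate for ha.domain.my
# plus a wildcard would carry (hypothetical domain from the thread, not a real cert).
SAMPLE_SANS = [("DNS", "ha.domain.my"), ("DNS", "*.domain.my")]

# Non-registrable suffixes a public CA refuses (not exhaustive; assumption for this demo).
NON_REGISTRABLE = ("local", "localhost", "internal")


def _is_ip(host):
    """True when the URL host is an IP literal rather than a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _dns_match(pattern, host):
    """RFC 6125 style name matching: case-insensitive; a wildcard is only
    allowed as the entire left-most label and matches exactly one label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches_host(sans, host):
    """Does the host typed in the URL bar match one of the certificate's SANs?
    An IP literal in the URL is matched only by an IP SAN, never by a DNS SAN,
    which is why https://192.168.1.123:8123 fails with a name-only certificate."""
    host = host.strip("[]")
    if _is_ip(host):
        target = ipaddress.ip_address(host)
        return any(kind == "IP" and ipaddress.ip_address(value) == target
                   for kind, value in sans)
    return any(kind == "DNS" and _dns_match(value, host) for kind, value in sans)


def publicly_issuable(kind, value):
    """Would a public CA issue this SAN? Private or reserved IPs and
    non-registrable names such as homeassistant.local are refused; such names
    need a self-signed or private-CA certificate that each client must trust."""
    if kind == "IP":
        return ipaddress.ip_address(value).is_global
    labels = value.lower().rstrip(".").split(".")
    return len(labels) >= 2 and labels[-1] not in NON_REGISTRABLE


def explain(sans, host):
    """One-line verdict for a host against a SAN list, for reading in a shell."""
    ok = cert_matches_host(sans, host)
    return f"{host}: {'matches' if ok else 'does NOT match'} {sans}"


if __name__ == "__main__":
    for h in ("ha.domain.my", "other.domain.my", "a.b.domain.my", "192.168.0.1"):
        print(explain(SAMPLE_SANS, h))
    for kind, value in (("IP", "192.168.1.123"), ("DNS", "homeassistant.local"),
                        ("DNS", "ha.domain.my")):
        print(kind, value, "public CA would issue:", publicly_issuable(kind, value))
```

The split-horizon trick from the posts above works because ha.domain.my is both what the browser types and what the certificate names; the router's DNS only changes which address that name resolves to. A certificate for homeassistant.local or an IP SAN for 192.168.1.123 is technically fine, but only a key you make yourself can sign it, so it has to be installed on every client, which is the "painful" part mentioned later in the thread.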

Surely the issue is that even those of us who have a basic knowledge of networking, browsers and Linux find the whole concept of security certificates rather mind-boggling. Many questions arise such as (a) Why do we need a security certificate to send a command from one device to another on our local network, which is meant to be the whole point of Home Assistant? (b) What is that certificate actually doing? (c) Who or what checks and validates the certificate? (d) What are the ways in which the certificate can fail, and does it (as some posts have implied) need to be renewed or updated regularly?

Home Assistant is potentially a great product but it can also create a lot of stress for something which, after all, is meant to make our lives easier.

Edit: I too (having got frustrated with Google Home’s deteriorating speed and reliability) am slowly trying to make Home Assistant useful, and am just reaching the hurdle of voice control via web browsers).

5 Likes

You don’t need an ssl cert for a local network. When you look at it, ssl certs are not meant to be used on localhosts. But you can do it. The problem I’m facing is using ssl client certs for accessing different containers aka addons. This would be a great security feature IMHO. For example you can grant access to, i.e., the Zigbee2mqtt web UI based on the device that is accessing it, based on its client ssl cert.

Like many, I struggled with this. My solution doesn’t require copying or samba sharing of the Let’s Encrypt SSL cert file, but does require a router running Tomato:

  • Run nginx-proxy-manager in docker to obtain the SSL certificate for your [sub]domain and proxy HA. Configure HA to trust the reverse proxy.

  • To allow for internal network HTTPS access, add a rule to the router’s dnsmasq config, directing the external domain name to the docker server where nginx-proxy-manager runs. e.g.:
    address=/your-docker-server.local/192.168.1.100
    address=/your.domain.com/192.168.1.100

  • So, both internal and external HTTPS requests to the domain use the reverse proxy.

  • Regular HTTP, non-proxied access to HA also remains available locally.

  • Optional: For extra security, to avoid exposing 443 externally, forward another port to 443 for your server running nginx-proxy-manager. If doing this, also forward the port within your docker server, e.g.
    sudo iptables -t nat -A PREROUTING -p tcp --dport xxxx -j REDIRECT --to-port 443
    so that you can use the same URL both internally and externally.
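Two pieces of the setup above are easy to get subtly wrong: the dnsmasq `address=/domain/ip` lines (which, like the AdGuard rewrite described earlier in the thread, cover the domain and every name under it), and "configure HA to trust the reverse proxy", which is what makes HA believe the `X-Forwarded-For` header only when the request really came from the proxy. This is an added example, not code from the post, from Tomato or from Home Assistant: it models both behaviours so they can be checked with sample input. The config text, the 192.168.1.100 proxy address and the client addresses are constructed; the trusted-proxy logic follows the usual reverse-proxy rule (honour the header only from a trusted peer, take the right-most untrusted hop) and is an assumption about, not a copy of, what Home Assistant's `http:` `trusted_proxies` setting does.

```python
import ipaddress

# Constructed sample: the two dnsmasq lines from the post plus a comment line.
DNSMASQ_CONF = """
# split-horizon entries: public name -> LAN address of the docker host
address=/your-docker-server.local/192.168.1.100
address=/your.domain.com/192.168.1.100
"""

# Constructed: the reverse proxy's LAN address, as a /32 so a CIDR would also work.
TRUSTED_PROXIES = [ipaddress.ip_network("192.168.1.100/32")]


def parse_address_rules(conf_text):
    """Return (domain, ip) pairs from dnsmasq 'address=/domain/ip' lines,
    validating the address and ignoring comments and unrelated options."""
    rules = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line.startswith("address=/"):
            continue
        _, domain, ip = line.split("/", 2)
        ipaddress.ip_address(ip)  # raises ValueError on a typo in the address
        rules.append((domain.lower().rstrip("."), ip))
    return rules


def resolve_locally(name, rules):
    """dnsmasq semantics: address=/d/ip answers for d itself and every name
    under it; the longest matching suffix wins. None means 'ask upstream'."""
    name = name.lower().rstrip(".")
    best = None
    for domain, ip in rules:
        if name == domain or name.endswith("." + domain):
            if best is None or len(domain) > len(best[0]):
                best = (domain, ip)
    return best[1] if best else None


def _trusted(addr, trusted):
    return any(addr in net for net in trusted)


def client_ip(remote_addr, x_forwarded_for, trusted=TRUSTED_PROXIES):
    """Derive the real client address behind a reverse proxy.
    X-Forwarded-For is honoured only when the TCP peer is a trusted proxy;
    otherwise anyone on the LAN could forge the header and claim any address.
    The chain is walked from the right, skipping trusted hops, and the first
    untrusted hop is the client. Malformed or empty headers fall back to the peer."""
    peer = ipaddress.ip_address(remote_addr)
    if not _trusted(peer, trusted):
        return str(peer)
    hops = [h.strip() for h in (x_forwarded_for or "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break
        if not _trusted(addr, trusted):
            return str(addr)
    return str(peer)


if __name__ == "__main__":
    rules = parse_address_rules(DNSMASQ_CONF)
    for n in ("your.domain.com", "ha.your.domain.com", "example.org"):
        print(n, "->", resolve_locally(n, rules))
    print("via proxy:", client_ip("192.168.1.100", "203.0.113.7"))
    print("forged header from LAN host:", client_ip("192.168.1.55", "203.0.113.7"))
```

The second `client_ip` call is the case the trusted-proxy setting exists for: a LAN device talking to HA directly on port 8123 can send any `X-Forwarded-For` it likes, and the address must be ignored unless the connection arrived from 192.168.1.100. In Home Assistant that corresponds to listing only the proxy in `trusted_proxies` under `http:` (together with `use_x_forwarded_for: true`) rather than a whole subnet.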

1 Like

I have a basically similar setup as you do, but I use adguard to rewrite DNS requests for a domain and subdomains, and my (sub)domain is not accessible over the net. I use it on the local network only.