If we use a registered (purchased) domain name, does that need to be purely for the use of the certificate? I’ve had a domain for years that’s currently used just to host a blog which I very rarely update. Would I need to change the domain records to point it to my local machine? (I don’t want external access for my Home Assistant server - or anything on my home network with the exception of a couple of services - and am puzzled by the idea of using an Internet domain name for a local certificate.)
This is what I did. I purchased a domain because you can have up to four subdomains on a free domain. As I use a docker installation I wanted a subdomain for all my docker containers. That’s why I purchased a domain. It’s 20 € yearly so it’s not that expensive. I spend way more on beer weekly.
Now the only thing you have to do is to get an SSL cert for your domain and subdomains. It’s easy to do using nginx. I use subdomains for my containers, i.e. adguard.mydomain.com
To resolve my domain and subdomains to my HA local IP I use AdGuard for DNS rewrite.
There is one drawback to my setup, and that is that I can’t remotely access my docker containers, i.e. z2m. I’m using Nabu Casa for remote access.
As people said on the forum, for remote access you will need your subdomain to be accessible over the net, and mine isn’t and I don’t want to make it accessible. But maybe there is another way; nobody has figured it out yet.
Sharing my solution for this, if anyone else can benefit from it.
I was running DuckDNS for external access before Nabu Casa came along, but I moved to Nabu Casa because I wanted to support the project and close a port on my firewall.
When attempting to put a button to call assist on my dashboard, I quickly realized that my local connection wasn’t going to work using my IP on mobile, and discovered this thread.
Here’s my solution:
I restored my DuckDNS configuration and it’s maintaining a cert for my home assistant server. I don’t have any ports open on my firewall for Home Assistant.
I happen to be running a NextDNS server on my Synology NAS and it supports rewrites, so I used that to rewrite my myhass.duckdns.org URL to my local IP.
As I read this some months later, I now see exactly what is being attempted.
The solution is to follow the steps in this video - just ignore the part about making a firewall rule to let traffic in from the internet.
This video will register a domain name for you (not really that important since you don’t want external access, but it WILL get you a valid FQDN for the cert to be assigned to), then it will show you how to configure the certificate part, and will auto-renew that cert for you, and then it will show you how to configure internal DNS for proper name resolution so you don’t get certificate mismatch errors.
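One way to confirm that the split-horizon setup described in this post and the DuckDNS/NextDNS rewrite above actually works, as an added example that is not code from the thread: it checks that the local resolver returns a LAN address for the FQDN and that the certificate served at that address is valid for the name. The host name, address and certificate fields below are constructed placeholders.

```python
"""Verify a local DNS rewrite plus public certificate for a Home Assistant host.
Added example, not from the thread; host/IP/cert values are constructed."""
import ipaddress
import socket
import ssl
import time

# Address ranges a local DNS rewrite should hand back (RFC 1918 + IPv6 ULA).
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]


def is_lan_address(ip: str) -> bool:
    """True if the resolved address is a LAN address, i.e. the rewrite took effect."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAN_NETS)


def cert_matches_host(cert: dict, host: str) -> bool:
    """Check a getpeercert()-style dict lists `host` in its subjectAltName.
    A wildcard entry matches exactly one label, as browsers require."""
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        if value.startswith("*."):
            if host.count(".") == value.count(".") and host.lower().endswith(value[1:].lower()):
                return True
        elif value.lower() == host.lower():
            return True
    return False


def cert_is_current(cert: dict, now: float = None) -> bool:
    """True if the certificate's notAfter lies in the future (now = epoch seconds)."""
    now = time.time() if now is None else now
    return ssl.cert_time_to_seconds(cert["notAfter"]) > now


def check_local_https(fqdn: str, port: int = 443) -> dict:
    """Resolve `fqdn` with the system resolver, connect with SNI and inspect the cert.
    Needs network access to the LAN host; not exercised by the offline checks."""
    ip = socket.gethostbyname(fqdn)
    ctx = ssl.create_default_context()  # verifies chain and hostname, like a browser
    with socket.create_connection((ip, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=fqdn) as tls:
            cert = tls.getpeercert()
    return {"ip": ip, "lan": is_lan_address(ip),
            "name_ok": cert_matches_host(cert, fqdn), "current": cert_is_current(cert)}


if __name__ == "__main__":
    print(check_local_https("myhass.duckdns.org"))  # placeholder host name
```

If `lan` comes back False the rewrite is not being consulted (the client is using another resolver); if the TLS handshake fails the cert on the server does not cover the name you browse to.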
Same problem (which I expect should have a common solution) - "How to run Assist (which requires HTTPS) with an NGINX setup (which doesn’t use HTTPS for local access)."
This is the closest I’ve seen to a solution but am still stumped as to what steps to take.
I also have a Synology but also run a PiHole DNS server. It seems you’re “fooling” HA into thinking it’s accessing a secure HTTPS URL but “re-writing” locally, is that right? Can this be done on a PiHole?
Thanks.
I use WireGuard for VPN access into my network. I have 0 reasons to expose anything via HTTPS outside of my network. I fail to understand why I’m being required to use HTTPS at all within my own local network…
I fail to understand why you feel you are being required to use HTTPS. For what it’s worth, I too am using WireGuard when I need remote access. WireGuard is only actually enabled when I am away from the house, so if I am here the VPN is turned off automatically.
The UI of Assist within the GUI for chat doesn’t provide a microphone option, noting that you must be connected to Home Assistant through HTTPS in order to use this functionality – although the connection is within a local network.
This is a browser limitation, not an HA limitation, but yes, if you want to use your device microphone I think you will need HTTPS for this. Again, it is the browser that enforces this, so unless that changes (not likely) you will need another option. And as I am sure you already know, there is no good documentation to easily implement this for a local network.
Maybe I’m slightly confused on this, but is there something outside of standard browser permissions that triggers this? By chance, do you have a documentation link for the API?
Given I’m also running this as the web app (man, I wish it was a native app), permission sandboxes should allow for this. I’ve personally had past projects that allowed for this in a sandboxed web view… As mentioned, they were using HTTP in lower environments rather than HTTPS at the time.
You likely already have more experience with this than I do. I continue to run HTTP on my local network. I have not “needed” the HTTPS requirement at this point as I am using a couple of “satellite” devices with RPi to test with. If you do manage to figure more out, pass it along.
I don’t know if someone has already written about it here, but maybe the way I solved it will help someone.
For external access, I have my domain + Let’s Encrypt certificate. It works OK.
I simply added an entry in the hosts file routing the URL to the local IP of HASS.
It doesn’t work for me on MikroTik with HA. When I set the DNS redirect on the router, it redirects to the correct IP and displays the initial HA logo, but it gets stuck on “unable to connect” + retry in 60 sec.
If I do it via hosts, it works OK.
Edit: It works on MikroTik, but only with static DNS. Layer 7 protocol DNS forwarding + NAT doesn’t work.