You can get around this by using ‘Insecure origins treated as secure’ in Chrome under chrome://flags/. It’s discussed here.
The HA application on macOS would be using Safari's WebKit, to my knowledge, wouldn't it?
It would be silly for it to embed a 3rd party web client and I’m certain it can’t via macOS App Store distribution.
After far too much time spent solving the local access over https (for me so I could use ESPHome), I’ve written up some instructions and created an online tool to help generate the required certificates.
Seems to work here and on a friend's system, and no router/DNS magic settings needed.
Hi @kgolding, welcome to the community.
Since when is HTTPS a requirement to use the ESPHome addon?
For sure it is not on HAOS…
You could setup SSL, but that is optional…
3. Optional: If you're using SSL/TLS certificates and want to encrypt your communication to this add-on, please enter `true` into the `ssl` field and set the `fullchain` and `certfile` options accordingly.
I also think this should be a separate thread, as it hasn't much to do with the original post.
It isn’t but my browser, Edge, complains that my .bin files are unsafe and I have to jump through hoops to get the files. Microsoft help indicates that if the site were connected with https that downloading the bin file would be uninterrupted.
@kgolding I've been struggling with this the last few days, and now I've looked at your page describing how to get local https access.
I have the two certificates, paid on noip.com. The files are in the proper folder in HAOS, I’ve edited my configuration.yaml and restarted. My entry in configuration.yaml is:
http:
  server_port: 8123
  ip_ban_enabled: true
  login_attempts_threshold: 5
  ssl_certificate: /config/ssl/fullchain.pem
  ssl_key: /config/ssl/privkey.pem
After restart, I cannot log in with http (great) and I can log in with https://homeassistant.local (also great), although with warnings. But the webpage title bar shows the connection as not secure.
So I log in ignoring warnings, and when I try to access Music Assistant in an addon (Music Assistant) through a dashboard view using a web card with https://192.168.1.55:8095/#/home, it gives me this error in Firefox:
Secure Connection Failed
An error occurred during a connection to 192.168.1.55:8095. SSL received a record that exceeded the maximum permissible length.
Error code: SSL_ERROR_RX_RECORD_TOO_LONG
In Chrome and Edge it just says "Refused to Connect". So logging in locally using https with this method is not working.
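The Firefox error quoted above has a specific, mechanical meaning that is worth seeing in code. A TLS client reads the first five bytes a server sends as a TLS record header (content type, version, length); if the server actually answers with plain HTTP text, those bytes decode to a nonsensical record length far above the TLS maximum, and NSS reports exactly SSL_ERROR_RX_RECORD_TOO_LONG. That is the classic symptom of pointing https:// at a port that is still serving plaintext. Note also that Home Assistant's `http: ssl_certificate` setting only wraps the Home Assistant server on `server_port`; an add-on listening on its own port is not made TLS by it. The following is an added example, not code from this thread or from Home Assistant; the two server replies are constructed samples.

```python
"""Interpret the first bytes of a server reply the way a TLS client does.

Added example for this thread, not from it. It shows why a plain-HTTP
reply on a port the browser expects to speak TLS produces
SSL_ERROR_RX_RECORD_TOO_LONG. Both sample replies below are constructed.
"""
import struct

# TLS record header: content type (1 byte), version (2 bytes), length (2 bytes).
# Largest legal ciphertext record: 2**14 bytes of data plus 2048 bytes of
# TLS 1.2 expansion (RFC 5246 6.2.3); anything above that is rejected.
MAX_RECORD_LEN = 2**14 + 2048
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}

# Constructed sample: what a plaintext HTTP server sends back when it
# receives a TLS ClientHello it cannot parse.
HTTP_REPLY = b"HTTP/1.1 400 Bad Request\r\nContent-Type: text/plain\r\n\r\n"

# Constructed sample: the start of a real TLS 1.2 ServerHello record
# (type 22 = handshake, version 0x0303, length 90), payload truncated.
TLS_REPLY = b"\x16\x03\x03\x00\x5a\x02\x00\x00\x56\x03\x03" + b"\x00" * 16


def parse_record_header(data: bytes) -> dict:
    """Decode the first five bytes as a TLS record header, without judging them."""
    if len(data) < 5:
        raise ValueError("need at least 5 bytes for a TLS record header")
    ctype, version, length = struct.unpack("!BHH", data[:5])
    return {"content_type": ctype, "version": version, "length": length}


def record_too_long(data: bytes) -> bool:
    """True when the length field exceeds what any TLS record may carry."""
    return parse_record_header(data)["length"] > MAX_RECORD_LEN


def diagnose(data: bytes) -> str:
    """Classify a reply as 'tls', 'plaintext_http' or 'unknown'."""
    hdr = parse_record_header(data)
    looks_like_tls = (hdr["content_type"] in TLS_CONTENT_TYPES
                      and hdr["version"] >> 8 == 3       # 0x03xx: SSL3/TLS family
                      and hdr["length"] <= MAX_RECORD_LEN)
    if looks_like_tls:
        return "tls"
    if data.startswith(b"HTTP/"):
        # "HTTP/" read as a record header: type 'H' (0x48), version 'TT',
        # length 'P/' = 0x502F = 20527 bytes, more than a record can hold.
        return "plaintext_http"
    return "unknown"


if __name__ == "__main__":
    for label, reply in (("http on https port", HTTP_REPLY), ("real tls", TLS_REPLY)):
        hdr = parse_record_header(reply)
        print(f"{label}: {diagnose(reply)}, record length field = {hdr['length']}, "
              f"too long = {record_too_long(reply)}")
```

When you see this error, check what actually listens on that port (for example with `openssl s_client -connect 192.168.1.55:8095`, which will report a "wrong version number" style failure against a plaintext listener) before touching certificates: the certificate is never consulted, because the TLS handshake never starts.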
Have you followed the video I posted in this thread months ago? Works fine, is not complicated, and I, too, use music assistant.
Can you provide the link please?
I think that’s a new record.
You do know how to use a computer mouse, don't you?
Let me give you a hint: the wheel that you can scroll on your mouse is the key. Scroll up in this topic and you’ll get to a post, where a video is posted. You just need to scroll with that mouse wheel. Oh, and if nothing moves on your screen, that means you’re scrolling in the wrong direction - try the other direction…
Actually I do recall watching that; at the beginning of the video he said that it was a method to reach Home Assistant from the internet. That is not what I'm trying to do. I already use Nabu Casa for that. I'm trying to get my internal connection to use https.
That’s not the point. The point was you asking for a link to a video that is literally not even 30 posts above your question…
Moving on… There is no way you can set up a local IP for your certificate, but that is needed for a secure connection. That leaves you with only one way: you need a domain for it to work. That's where DuckDNS or Nabu Casa come into play.
I'll try to explain it as simply as possible:
A certificate can only work with a domain name (yourcooladdress.anywhere), not with an IP address (10.10.10.1). To circumvent this requirement, you set up a domain and get the certificate for it. So all devices are cool with the security and can connect safely.
How you handle that domain afterwards, is up to you. In my case I’m telling my router, to not lookup the DNS entry for mydomain.com and route it directly to an IP address in my local network. This way, the certificate still works (as I’m calling the domain) and there’s no “outside” traffic. But there are many other ways to do that, one of them being shown in the video above.
Hope that makes it a little clearer.
So am I understanding this correctly that I have to set up my own DNS server in some way, either with DNS server software somewhere on the same subnet or through the router, assuming the router supports it? I have a Synology router, which I think is pretty capable?
You can use AdGuard as a DNS server and set up your domain to point back to your HA IP address. I'm using it like that. I configured a reverse proxy using nginx, got an SSL cert for my domain and use AdGuard to route traffic for that domain back to my HA IP.
No, you don't need (EDIT: your own) DNS server for that. Sorry, it's really hard to explain.
This is how it goes for internal IPs
- you type your HA IP into the browser, like 10.10.10.5:8123
- this is a local request, your router automatically knows where to send the data as it’s in the local network
This is how it works for external addresses, like a domain
- you type a domain address in, like disney.com
- your browser sends a DNS request through your router to the DNS server that is configured (normally the one from your ISP)
- response comes back with the external IP address, that’s configured to that domain
This is how it should work with a secure connection
- you type in the domain name
- your browser sends a DNS request
- your router checks the domain, and, if configured correctly, recognizes this domain as an internal domain and answers itself, without the need to poll an outside DNS server. The answer then is the internal IP aka your HA.
Now you just need something that handles all that from the point where the server is addressed internally.
Just to note: you can use a DNS server for that, like Pi-Hole or AdGuard, but they’re not a requirement for this to work!
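The "router answers itself" step in the explanation above is split-horizon DNS: a resolver that holds a small override table and answers A queries for those names with a private address, forwarding everything else upstream. The certificate then validates because the browser is connecting to the hostname on the certificate, not to a bare IP, and publicly trusted CAs will not issue certificates for private IP addresses. What follows is an added example showing that exchange in DNS wire format, not code from this thread or from any router, AdGuard or Pi-hole; the override `ha.example.com -> 192.168.1.55` is an assumption for the demo (only the address appears earlier in the thread).

```python
"""Split-horizon DNS: answer A queries for known local names, forward the rest.

Added example, not from the thread. Builds a real DNS query (RFC 1035 wire
format), lets a minimal resolver answer it from a local override table, and
parses the answer back. The override entry is an assumption for the demo.
"""
import ipaddress
import struct

# Assumed for this example: the public hostname on your certificate mapped
# to the private address of Home Assistant. A router with a "local DNS
# record" feature, AdGuard or Pi-hole would hold this table instead.
LOCAL_OVERRIDES = {"ha.example.com": "192.168.1.55"}

QTYPE_A, QCLASS_IN = 1, 1


def encode_name(name: str) -> bytes:
    """example.com -> b'\\x07example\\x03com\\x00'"""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def decode_name(msg: bytes, offset: int):
    """Read an uncompressed name starting at offset; return (name, next_offset)."""
    labels = []
    while True:
        length = msg[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0:
            raise ValueError("compression pointer in question name not supported")
        offset += 1
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def build_query(txid: int, name: str) -> bytes:
    """Client side: one A/IN question with RD (recursion desired) set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def answer_locally(query: bytes):
    """Resolver side: answer from LOCAL_OVERRIDES, or return None to forward upstream."""
    txid, _flags, qdcount, *_ = struct.unpack("!HHHHHH", query[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    qname, off = decode_name(query, 12)
    qtype, qclass = struct.unpack("!HH", query[off:off + 4])
    ip = LOCAL_OVERRIDES.get(qname.lower())
    if ip is None or qtype != QTYPE_A or qclass != QCLASS_IN:
        return None                                   # not ours: forward upstream
    addr = ipaddress.ip_address(ip)
    if not addr.is_private:                           # override must stay on the LAN
        raise ValueError(f"override for {qname} is not a private address: {ip}")
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR=1, RD=1, RA=1
    question = query[12:off + 4]
    # Answer RR: name as pointer to offset 12 (0xC00C), A/IN, TTL 60, 4-byte rdata.
    rr = b"\xC0\x0C" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 60, 4) + addr.packed
    return header + question + rr


def parse_a_answer(resp: bytes):
    """Client side: pull the IPv4 address out of a single-answer response."""
    _txid, _flags, _qd, ancount, *_ = struct.unpack("!HHHHHH", resp[:12])
    if ancount != 1:
        return None
    _, off = decode_name(resp, 12)
    off += 4                                          # skip qtype/qclass
    _rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off + 2:off + 12])
    return str(ipaddress.IPv4Address(resp[off + 12:off + 12 + rdlen]))


def resolve(name: str, txid: int = 0x1234):
    """Whole exchange: returns the LAN address, or None if it would go upstream."""
    resp = answer_locally(build_query(txid, name))
    return None if resp is None else parse_a_answer(resp)


if __name__ == "__main__":
    print("ha.example.com ->", resolve("ha.example.com"))   # answered locally
    print("disney.com     ->", resolve("disney.com"))       # None: forwarded upstream
```

The important property is the last one in `answer_locally`: an override that points at a public address would silently turn your "internal only" setup into a hairpin through the internet, so refuse it. Clients only benefit if they actually use this resolver, which is why the router, as the DHCP-advertised DNS server, is the natural place to hold the table.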
I also use it to route all dns traffic through it, so I use it.
So, you don’t need a dns server, but then you proceeded to explain why a dns server is needed? Neat. Lol
Better?
No, actually. Your example just appears to indicate that you have a dns server running on your “router” - which is possible, but it’s still a dns server and you’d still have to have your client devices pointed to the IP of your “router” for dns resolution.
For the record, pi hole and ad guard are NOT dns servers. They leverage dns to perform their ad blocking functions, but those functions are NOT functions of a dns server.