DuckDNS + Let's Encrypt works great but how to add a certificate for local IP?

I couldn't find a solution to this using the search engine, but I would like to solve the issue of using https on the local network as well.
I use duckdns and let’s encrypt for remote access and it works nicely.
For local access I would like to use the local IP address but the certificate is only valid for the duckdns address.
How can I fix this so that both the duckdns address and the local IP address are part of the certificate?

You could:

  1. Set up the nginx HA addon, and access your local site as usual at https://my.duckdns.site/
  2. Set up Apache as a reverse proxy and access your local site as usual at https://my.duckdns.site/
  3. Set up a local DNS and access https://my.duckdns.site:8123
  4. Set up a local DNS with hairpin NAT (provided your router supports it) and access your local site as usual at https://my.duckdns.site/

I used to use option 2, which just required one config change in my router.
A bit later I added the hairpin (option 3).
And after I realized I could use Apache as a reverse proxy, I implemented option 4 (as I had Apache running already anyway).

I’ve done this with the DuckDNS addon and a local DNS server. This concept is called split-horizon DNS.

I’m using bind, but you could probably do this with the Adguard addon and Custom Filtering rules to return the internal IP of your HA instance instead of the external IP which is configured in DuckDNS.

This would require setting the DNS server that is given to the DHCP clients to the IP of the Adguard addon / HA instance. Keep in mind that this may affect all connectivity to the internet on your internal network if your HA instance is down.
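As an added illustration of the split-horizon setup described in the post above (this is not configuration from the original post or from the DuckDNS addon), here is a minimal BIND 9 configuration with two views: clients on the LAN get the local address of Home Assistant for the DuckDNS name, while everything else resolves normally through the forwarders. The hostname my.duckdns.site, the LAN range 192.168.1.0/24, the resolver address 192.168.1.5 and the HA address 192.168.1.10 are constructed placeholders; substitute your own values.

```conf
// ---- named.conf (added example, not the original poster's config) ----
// Only LAN clients and the resolver itself may query this server.
acl "lan" { 192.168.1.0/24; 127.0.0.1; };

options {
    directory "/var/cache/bind";
    recursion yes;
    allow-query { lan; };              // never expose this resolver to the internet
    forwarders { 1.1.1.1; 9.9.9.9; };  // upstream resolvers for every other name
};

// Internal view: LAN clients get the overridden zone below;
// all other names are forwarded upstream as usual.
view "internal" {
    match-clients { lan; };
    zone "my.duckdns.site" {
        type master;
        file "/etc/bind/db.my.duckdns.site.internal";
    };
};

// External view: anything that is not from the LAN gets no override
// and no recursion, so the server cannot be abused as an open resolver.
view "external" {
    match-clients { any; };
    recursion no;
};

// ---- /etc/bind/db.my.duckdns.site.internal (added example zone file) ----
// $TTL 300
// @    IN SOA  ns admin ( 2024010101 3600 900 604800 300 )
// @    IN NS   ns
// ns   IN A    192.168.1.5      ; this BIND server (constructed address)
// @    IN A    192.168.1.10     ; LAN address of Home Assistant (constructed)
```

With this in place, a LAN client that resolves my.duckdns.site gets 192.168.1.10 while the public DuckDNS record is untouched, so the existing Let's Encrypt certificate still matches the name in the browser. Without a reverse proxy in front of HA, the URL on the LAN is https://my.duckdns.site:8123 (option 3 in the list above). The AdGuard Home equivalent mentioned in the post is a single custom filtering rule using its $dnsrewrite modifier, for example `||my.duckdns.site^$dnsrewrite=192.168.1.10`. Keep the 300 second TTL low so that a change of the HA address propagates quickly, and remember that the same caveat applies: if the host running the resolver is down, LAN clients lose DNS entirely unless the DHCP server hands out a fallback resolver.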

The certificates you can get only support DNS names and no IP addresses.
The solutions mentioned above here are both for using DNS names on the local network.
If you are adamant about using HTTPS with local IPs, then you need to run your own Certificate Authority (CA) and take the fight to get it imported in the Certificate Store (CS) on all your devices.

There was no requirement given to use the internal IP specifically. I’d recommend to stay away from managing your own CA and certificates as it does add admin overhead, especially when trusting the CA on all your devices and updating that cert when it expires - and it should expire for security reasons, otherwise, what’s the point.

The solution I proposed above is more of a set-and-forget solution. Once it is set up, HA will help to keep the addons up-to-date, and the certificate rotation is handled by the DuckDNS addon.

One caveat to mention is that once in a while Chrome will say the site is unsafe because it detects that the IP returned by the internal DNS is different from the public one.

There was a wish for it.

My bad… I understood that as just local connectivity.

Your and aceindy's replies were still correct.
It was just to make certain facts about them clear. :slight_smile:

Sorry to hijack the thread. I am having a similar issue. I set up DuckDNS and Nginx. When I go to my-name.duckdns.org:8123 I am able to connect both inside and out. However, when I connect to my company’s proxy/VPN, it tries to route to the public IP and is blocked by the firewall. I would like to be able to navigate to something internal. Before DuckDNS I could go to https://homeassistant.local:8123 and it would work fine. Now it says the certificate is invalid. I can work around it, but don’t really want to. I set up Nginx, and if I go to https://homeassistant.local I get an unrecognized name alert. Going to https://my-name.duckdns.org gives me a 502 Bad Gateway Nginx error. Is there something I misconfigured in the Nginx setup?

Not possible.
A .local domain is reserved for mDNS, and every local network with an mDNS device is running such a network, so it is not unique to you and can therefore not be linked to a certificate only you control.

Even if you could, it would not solve the problem with your company’s VPN, because it is configured to not allow local connections at all once it is active.
A device connected to two or more networks is by definition a router, which means you can have a security hole in your home router, and then malware can connect to your computer and be routed into your company’s network. The local network is blocked to prevent this scenario, and there is probably nothing at all you can say or do to change that decision.