Frustrated with the lack of SSL [Nginx Proxy Manager Solved the issue]

Oh no, this discussion again…

When you talk about auto-updates, people say you shouldn’t update if you don’t know what the changes are; if you say you would work in a ‘turn-key’ mode without updating, then you say the system requires updates…

Sorry, but you might be influenced by your experience with earlier versions of HA. Now the system is stable enough to be considered a commercial system and can be used as turn-key.
Which commercial system is more stable than HA?

No one says that. At least no one that knows anything about Home Assistant.

It’s not just about stability it’s also about security.

If you don’t update for a year and a vital security patch is released you are going to be in a world of hurt due to the massive number of breaking changes. Like this person:

Stay up to date. Home Assistant is constantly evolving which necessitates breaking changes. Do not get behind and have to do a large number of them all at once.

I fully agree with you about the importance of updating, but there are lots of experienced people disagreeing with us…

Please provide a link to these “experienced people” saying this.


@tom_l I have been in IT for almost 50 years, is that experienced enough? I understand both the arguments for “if it isn’t broke, don’t fix it!”, and the need for updates in today’s insecure world. The general rule of thumb is that if you are keeping something on your own network, you can get away without updating. However, in this hyper-connected world that is rarely the case anymore?!

That is not really the discussion anyway… Since my want is to make this available on the Internet, it makes sense that updates should not break anything in a perfect world. It would just be nice to have HA generate a certificate by default, and not have all these wonky work-arounds.

I am sure I will figure this out, I was just venting a bit in hopes someone would share their solution in response to my newbie disappointment. Cheers!


You have been a member of this forum since July this year, so no, not enough experience with Home Assistant at all. As evidenced by this statement:

Pretty much every update of Home Assistant breaks something. Case in point.

As I said this is a bad idea unless you plan to support the smart home you sell.

@tom_l I am sure a 5th grader could operate HA better than I. I am surprised as a moderator in an advertised support forum that you would be so critical of the product. :thinking:

Thanks for the concern, and I get it… I have been reading and viewing videos about the Pros and Cons as I attempt this project. Turning over a home with smart products is a lot easier than it was 20 years ago, so I am not that concerned, as long as I can get it to work and encourage the buyer to have some fun with it. However, preventing passwords being sent in plain text is a must IMHO?!


I’m not being critical, just realistic. The rate of breaking changes has declined as Home Assistant matures but they are still there, in all recent releases.

I’m not concerned for you, I’m concerned for the buyer. Home Assistant involves a requirement to put aside some time every month to maintain it.


I looked at HA about a year ago, and it is amazingly improved. I have updated a few times this month without anything breaking so far… I am trying to limit the product variations, and complexity, so I am sure that helps?

The market I am in caters to tech professionals, so I wouldn’t be too concerned. It is highly likely that whoever buys will start from scratch anyway. What I am providing is a solution to encourage exploration and some value-add to the home. HA was a lot easier than rewriting (and supporting :persevere:) the homegrown web application I developed for the aged “smart” tech in my home that I have been using for the last 15-20 years. I appreciate your view point. It is valid, but IoT is insecure by its nature. Just like the industry, I am just trying to capitalize on its availability, and if I can promote HA and improve the experience, that would be cool too? :wink:


I have to agree with @tom_l on this. I’ve been using HA for around three years and have two in use, one at my house and one at a rental property. I also have a couple of SmartThings devices in play at some other properties that I’ve been using for nearly five years now.

Of them all, the SmartThings devices are the low maintenance ones. I hate the platform but I can basically ignore it and it is rock solid. HA on the other hand needs regular care and feeding. Some of that is because there is no auto-update functionality in the system for the core, but some of that comes from the rapidly changing integration options.

As to the lack of SSL being “built in”, I personally believe the devs have gone the correct way. They’ve split the SSL management out to something that can be upgraded outside of the core of HA itself and also keeps it from having HA be the opinionated one as to how the cert is managed.

On HAOS that means you need to either subscribe to Nabu Casa or install some add-ons such as the Nginx Proxy Manager (recommended) add-on or the SSL Proxy add-on (only good for handling HA itself and nothing else).

With the straight Docker setup on something else, well, you’re already into a world of high customization at that point, and there are several options. I would suggest looking at Nginx Proxy Manager (which does happen to also be available as a HAOS add-on).

For any other type of install, well, you’ve got whatever tools you have in the other installs.

For something where I was even vaguely considering selling the setup, I would use HAOS. Despite my agreement, it’s the least problematic method if you’re going to turn over a system to someone else.


lol no. That is terrible advice. Sorry but keeping out of date products on your home network isn’t a rule of thumb.

Yes please.

Personally, I think it’s a disaster turning HA over to a new home owner. The very practice/experience that YOU are going through of setting it up is important in the learning aspect of THEM recovering it and managing it. Once you ‘build it’ for them and turn it over, they would be expected to maintain it. If they really want to maintain it, they should not be deprived the experience/knowledge of how it was setup and built.

HA OS is pretty good but requires care and feeding and patching and refactoring. It isn’t an appliance even though that seems to be the direction the devs would like to take it to.

I have read several threads regarding turning over HA to a new owner, and I have weighed the Pros and Cons… that is not what this thread is about.

Also, a home network is not an isolated network, so “home” and “own” are totally different things. I have 3 isolated networks in my house that never get attached to the Internet. The only updating that happens is when I manually decide to update devices. A couple of the devices are over 40 years old, so it would be a small miracle to get any updates for them anyway.

…back to the original topic: A self-signed certificate is a temporary solution and is a pain. DynDNS is pointless for folks that have nothing but static IPs …most everyone in my neighborhood has bought into the lone local ISP’s 8 static IPs on a symmetrical 100 meg connection per house. Most of us are IT professionals who work for one of the colos just down the freeway… a lot of network labs in each house, so a proxy is not a bad idea, but just an unnecessary layer to be running on the same box as the app. Especially since this is running on a Pi with a single app. I have seen the Cloudflared solution and it looks interesting, but that complexity is not warranted either if you can run openssl on the box, which must be possible by default since there are connections being made to and from the box from installation.

I think it is just a matter of finding the time to look under the hood and find the web components. This is what I was hoping to get from this thread.

Folks giving advice about security and transferring the system was a little surprising… I don’t consider anyone who uses IoT devices security focused by a long shot, and I know from my own experience and from past reading that most people take their devices with them when they move.

@tykeal I find your use case intriguing. How do you handle management? Do you let the tenants make changes? How often do things break, and how are you managing remote connectivity. I envy the free time you must have on your hands? :wink:
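The poster above wants to run openssl on the box itself rather than add a proxy. The script below is an added example, not something posted in the thread: it mints a self-signed certificate with a subjectAltName (browsers and the companion app check the SAN, not the CN, so a bare-CN cert still warns), caps validity at 825 days because Apple clients reject longer-lived leaves, and prints the SHA-256 fingerprint to hand to the next owner out of band. The hostname, LAN address and output directory are assumptions; override them with environment variables.

```shell
#!/bin/sh
# Added example (not from the thread). Self-signed TLS certificate for an HA box
# that has openssl locally. FQDN, LAN_IP and OUT are assumed defaults.
set -e
OUT="${OUT:-$(mktemp -d)}"
FQDN="${FQDN:-homeassistant.local}"   # assumed: the name the box is reached by
LAN_IP="${LAN_IP:-192.168.1.10}"      # assumed: its LAN address

# The SAN must list every name/address clients will use; CN alone is ignored by
# modern TLS clients. 825 days is the longest leaf lifetime Apple will trust.
make_self_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 825 \
    -keyout "$OUT/privkey.pem" -out "$OUT/fullchain.pem" \
    -subj "/CN=$FQDN" \
    -addext "subjectAltName=DNS:$FQDN,IP:$LAN_IP" >/dev/null 2>&1
  chmod 600 "$OUT/privkey.pem"
}

# True when the certificate carries the given DNS name in its SAN.
cert_has_dns_san() {
  openssl x509 -in "$OUT/fullchain.pem" -noout -text | grep -q "DNS:$1"
}

# SHA-256 fingerprint: give this to the new owner so they can compare it against
# the browser's warning page before trusting the certificate.
cert_fingerprint() {
  openssl x509 -in "$OUT/fullchain.pem" -noout -fingerprint -sha256 | cut -d= -f2
}

make_self_signed
echo "wrote $OUT/fullchain.pem and $OUT/privkey.pem"
echo "fingerprint: $(cert_fingerprint)"
cat <<EOF
# Matching configuration.yaml fragment (copy both files to /ssl on HAOS, or to
# any path the HA process can read on other installs):
http:
  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem
EOF
```

The trade-off the thread already names still holds: every phone and laptop has to import this cert (or accept the warning) by hand, and you renew it yourself, which is exactly the chore Let’s Encrypt behind a proxy removes.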

Well, I know I’m not the only one in my case (multiple properties that they’re renting out). No, tenants have no access to the systems, outside of physical if they break into the location where they are located. I’m using IoT for driving management of short term rental properties so they are handling managing locks primarily along with a specific lighting considerations.

Handling management is simple. I own a domain. I have DNS by way of DNSMadeEasy at their business tier. This gives me access to their API. Therefore, I can use Nginx Proxy Manager (NPM) to handle Let’s Encrypt (LE) certificates for the HA device by way of DNS challenge. It also serves as the proxy to the Ubiquiti management console I also have running on the HA device as an add-on (also LE encrypted via NPM). Finally my sprinkler controls are all OpenSprinkler devices which, again, I’m proxying through NPM.

All of the IoT is running on a separate VLAN from the rest of the properties so that I can provide WiFi access to the guests.

The thermostats are also IoT. I presently allow the guests to make changes directly at the thermostat, though they can’t set schedules, if they want that they can talk to me and I’ll set one up remotely.

As for the free time. Managing this isn’t difficult for me, I’m by trade a systems engineer / administrator. I literally work on Linux systems for a living so I’m just leaning heavily on that and my experience as a developer.


very cool. Your scenario makes more sense now.

I am a retiring network engineer, so I know enough programming languages at a basic level to just be dangerous. I have contributed to a few open source projects, but rarely have the time anymore. Maybe when I retire?

I plan to give one of my domains to the new owner along with the network gear at the house. The IoT stuff is on a segmented wireless network with a vpn appliance which was working well until I didn’t read the integration notes and installed a Rachio sprinkler system to replace the Rain8 x10 system I was using for the last 15+ years. Everything works, but the lack of UI updates with Rachio has me rethinking that choice. It has broken my “local only” goal…

Nabucasa cloud has never been an option. I am trying to keep it simple enough that I can replicate the effort on a HA Yellow and give the owner a password list, and then let them decide what they want to do with the gear.

When I bought the house I had a similar choice. I inherited a lot of equipment that I eventually replaced, but the x10 devices were in use until about a month ago. I had a LAMP install controlling everything with web pages I have been improving over the years. The choices now are mind boggling and HA has opened up a whole other level?! HA is a much needed solution over my 15+ year system that is obsolete by today’s standards.

BTW, as you’ve pointed out, the purpose behind this thread wasn’t about handing over IoT gear to a new owner, but given the intent behind the start of the thread it’s the root of the matter ;).

Speaking from experience of having recently purchased a house that came with IoT gear in it. I really would have preferred that the previous owner had completely collapsed the IoT network and factory reset gear and given me information on what all the devices were. It would have made my take over significantly easier.

I ended up having to actually get in direct contact with the prior owner to get them to work through relinquishing access on several pieces of gear.

Having IoT in the house as part of the sale is great and all, but having to deal with figuring out how to get access to devices that couldn’t be handed over easily was painful and between HA and SmartThings I’ve been playing with these platforms for 5+ years now. Imagine what it would be like for someone that isn’t as into IoT coming into such a situation? That’s a large part of why people keep saying you shouldn’t build it out and hand it over…


Got me! :wink:

Trust me though… I fully understand the transferring ownership thoughts. Most of the homes in the neighborhood are smart homes, so “smart home ready” is a minimal expectation… some old tech and some newer… When I moved in I had all these x10 devices, 2 mini-timers and 2 remotes. A CM11A was left in a box in the telecommunications closet with a hand written note explaining a few software choices. It was a fun but frustrating journey. I hope I do a better job. :wink:

And I guess the SSL piece is just a by-product because I care about not having access compromised if they decide to access it from cell phones and decide to just port forward and not use the vpn. HA is far less complex than the web server I ran my systems on, but I also had other daemons running alerting me of network events, and who was logging in to devices. That is too much to try to pass on. I just want to offer an encrypted login with a functional setup until they have time to dive in.

I am going to look at the nginx proxy again. I saw the yaml config for banning IPs based on failed logins too, so I need to read up on that.

So much to research and not enough time?! :persevere:

Nginx Proxy Manager looks like the ticket! Thank You! It looks like I have another item to add to my weekend exploration. Curious to find out why MariaDB is needed, but the install seems pretty straight forward? I have an SD Duplicator, so backup is not that big of a deal right now, but I am wondering how others backup the setup. Is there an option to backup containers outside of the Core Install? This is probably all available in the Docs, I just have not had the time to get that far.

I was surprised to find I had overlooked Nginx Proxy Manager. I was a little confused for a moment because I am used to NPM being a package manager, and the acronym made me think I was not understanding what was being discussed. lol Another set of acronyms to try to remember? :roll_eyes:

As far as handing over the devices, I have been spending time before I make purchases to determine the procedure for transfer of ownership, and that is part of the purchasing decision. I am documenting the procedures to provide to the new owner. :+1:
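Two things in this thread belong together: the NPM-in-front-of-HA setup tykeal describes, and the failed-login IP ban the poster above plans to read up on. The script below is an added example, not NPM's generated config and not from the thread; it writes the proxy half (an nginx site with the WebSocket upgrade headers HA's frontend needs) and the HA half (the `http:` block that makes HA believe `X-Forwarded-For` only from the proxy, with `ip_ban_enabled` on) side by side, then checks the pairing that matters for the ban: if HA trusts the forwarded header from everywhere, any host can spoof the client address, which lets it both dodge the ban and get arbitrary addresses banned. Hostname, upstream, cert paths and the proxy subnet (the HAOS add-on network) are assumptions; override them with environment variables.

```shell
#!/bin/sh
# Added example (not from the thread, not NPM's own output). Writes an nginx
# site plus the matching Home Assistant http: block, and checks the trust
# setting that the ip_ban feature depends on. All names/addresses are assumed.
set -e
OUT="${OUT:-$(mktemp -d)}"
HA_HOST="${HA_HOST:-ha.example.com}"          # assumed public hostname
HA_UPSTREAM="${HA_UPSTREAM:-127.0.0.1:8123}"  # HA's default port, assumed local
PROXY_CIDR="${PROXY_CIDR:-172.30.33.0/24}"    # assumed: HAOS add-on network

# nginx side. Without the Upgrade/Connection headers the HA frontend loads but
# never opens its WebSocket; X-Forwarded-For carries the real client address.
write_nginx_site() {
  cat > "$OUT/$HA_HOST.conf" <<EOF
server {
    listen 443 ssl http2;
    server_name $HA_HOST;
    ssl_certificate     /etc/letsencrypt/live/$HA_HOST/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/$HA_HOST/privkey.pem;
    location / {
        proxy_pass http://$HA_UPSTREAM;
        proxy_http_version 1.1;
        proxy_set_header Host \$host;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto \$scheme;
        proxy_set_header Upgrade \$http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
EOF
}

# HA side. trusted_proxies names the only addresses whose X-Forwarded-For HA
# will believe, so the ban counts against the real client, not the proxy.
write_ha_http() {
  cat > "$1" <<EOF
http:
  use_x_forwarded_for: true
  trusted_proxies:
    - $PROXY_CIDR
  ip_ban_enabled: true
  login_attempts_threshold: 5
EOF
}

# The tempting shortcut, kept for comparison: trusting every address means any
# host can forge the forwarded header and choose which IP gets banned.
write_ha_http_wildcard() {
  cat > "$1" <<EOF
http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 0.0.0.0/0
  ip_ban_enabled: true
  login_attempts_threshold: 5
EOF
}

# Returns 0 when an http: block is safe behind a proxy: forwarded headers are
# either ignored, or only accepted from an explicit, non-wildcard proxy list.
check_proxy_config() {
  grep -q 'use_x_forwarded_for: true' "$1" || return 0
  if ! grep -q 'trusted_proxies:' "$1"; then
    echo "$1: use_x_forwarded_for needs trusted_proxies" >&2
    return 1
  fi
  if grep -Eq '^[[:space:]]*-[[:space:]]*(0\.0\.0\.0/0|::/0)' "$1"; then
    echo "$1: trusted_proxies must not trust every address" >&2
    return 1
  fi
  return 0
}

write_nginx_site
write_ha_http "$OUT/http-good.yaml"
write_ha_http_wildcard "$OUT/http-bad.yaml"
check_proxy_config "$OUT/http-good.yaml"
check_proxy_config "$OUT/http-bad.yaml" || echo "wildcard fragment rejected as expected"
echo "files written to $OUT"
```

On HAOS the add-on network is what NPM connects from, so that is the subnet to trust; on a Docker or bare-metal install substitute the proxy host's own address. Keep the list as narrow as the proxy itself: the ban is only as trustworthy as the header it reads.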

I use this.


Thanks for that. I will have to look at it to see if I can apply it to backing up to a NAS, but I do not use google products, and in fact have most of google services blackholed, so google drive is not really an option for me.

Understandable lol. This is another popular option.
