Google Chromecast, Text to Speech and SSL

Configuration
1

My apologies if this has already been covered elsewhere - I’ve scanned related topics and tried the suggestions in those posts, but to no avail!

The issue I’m having relates to the Google Chromecast and the Text to Speech function in Home Assistant. My Casts are set up, and working within Home Assistant and I have the Amazon Polly TTS component enabled (although I’ve also tried the Google service).

I’ve been attempting to get Text to Speech to output on the Chromecast, but so far I have been unsuccessful to get the Chromecast to actually play anything (it goes through the motions of loading a file, but no output). Within the devices page of Home Assistant the URL updates and the file is playable.

The issue seems to be related to either the Home Assistant domain or the SSL. Although I have set up some automations to utilise the Text to Speech, for the purposes of testing I’ve been calling the services using the developer panel in the Home Assistant web interface

Steps I’ve tried:

SSL enabled with base url (443 to 8123 port forward on router)
SSL enabled with base url and port specified (8123)
SSL enabled with IP address as base url (shot in the dark with that one)
SSL disabled with base url and port specified (8123)
SSL disabled with IP address as base url (8123) - it works!

Is there something that I’m overlooking with my set up that would cause the URL of the audio file to be rejected by the Chromecast when using SSL and the domain I have set up?

Any pointers or suggestions would be greatly appreciated!

2

Do you have a proper SSL or a self-signed one?
3rd-party devices like Chromecast probably won’t work with self-signed.

Also check HA log: Any errors there?

3

TTS for chromecast works for me.
I have: base_url: https://mydomain.com:8123

4

Thanks for your response. I’m using a proper SSL certificate (full chain)

No errors in the HA log, and I’ve just tried the base_url you’ve suggested - no change

5

I have the same issue and have read alot of posts. I read something about NAT loopback, I haven’t tried it myself but can say that with SSL and every combination of base url setup, I couldn’t set this up. Works great with http no problem

6

I’ve recently resolved this issue, and NAT loopback played a part in this. The ChromeCast units have Google DNS hardcoded into them, so where my router’s DNS was pointing to an internal IP address of my HA installation, the ChromeCast was pointing to a public IP address which was unreachable.

In order to resolve this I’ve ended up forwarding Google DNS requests through my router to allow it to pick up requests for my HA installation

7

How did you forward google DNS to router

8

So, I use a Unifi Secure Web Gateway as my router, so the config I loaded for the DNS redirect looks like this:

{
	"service": {
		"nat": {
			"rule": {
				"1": {
					"description": "DNS Redirect",
					"destination": {
						"address": "!192.168.1.1",
						"port": "53"
					},
					"inbound-interface": "eth1",
					"inside-address": {
						"address": "192.168.1.1"
					},
					"log": "disable",
					"protocol": "tcp_udp",
					"type": "destination"
				}
			}
		}
	}
}

So in short, any traffic on the LAN which attempts to make use of #53 (DNS) is getting redirected to the IP of the router. Obviously this isn’t much use if you don’t have a Unifi device, however the principal is the same, assuming your router allows you to do this.

This link has some more explanation for pfSense, Redirecting all DNS Requests to pfSense, and this for DD WRT Force DD WRT to use OpenDNS

2 Likes
9

Johnnie all I want https for is google actions. I don’t want to expose my HASS to outside world can this be done? If I use SSL I loose tts and doesn’t matter what ports I changed and forward that function goes away. Is there a way to configure https without exposing my HASS and still keep tts?

10

Yea, the same issue. Your solution worked for me too. But it is strange, as my 8123 port was available over DNS record from both public and private network. It should work does not meter if it is resolved to public or private IP of HA (as it works from cell phone network and WiFi).

On Mikrotik, it is just about adding DSTNAT rule that redirects UDP port 53 to routers IP address.

/ip firewall nat
add action=dst-nat chain=dstnat dst-port=53 protocol=udp to-addresses=[router local ip]

11

Is the a bug or just something you have to live with? I’ve been trying to figure out what I did recently to make Google Text-to-Speech stop working and I came across this post. I use GTTS a lot and the family have gotten to love it but I’m figuring that after I added the SSL/DuckDNS add-on so I could start playing with the Google Assistant component, TTS stopped working.

I’n not savvy enough to start mucking around with DNS stuff and don’t know if my Synology router even supports what’s been documented here.

Would appreciate some feedback. P.S Running Hass.io 0.65.6 on Pi3.

12

Yep, This Fixed my issues as well. It more to do with NAT reflection that DNS names :slight_smile:

Matthew

13

I struggled for many hours reading all these posts with suggestions to fix this same issue of a mute Google TTS (Hass.io V75.2/DuckDns SSL).

I found that simply checking “Intercept DNS” in a Tomato (or DDWRT) router, it will forward UDP 53 to the local DNS (DNSMASQ). That will create the iptable rerouting for you. But you also need to include a custom DNSMASQ entry of : address=/mydomain.duckdns.org/192.168.0.xxx .

The dnsmasq entry also fixed launching the configurator and ssh web ui that are also set up to use SSL without having to open those ports (3218, 7681) externally.

1 Like
14

I can confirm this is working! You need to have a router where you can specify or “Intercept DNS” or where you can create your own firewall rules.

Here is an example of the rules:
IPv4 example:

`iptables -t nat -I PREROUTING -i eth1 -p tcp --dport 53 -m mac --mac-source <MAC_address_of_device> -j DNAT --to <your_IPv4_DNS_IP>

iptables -t nat -I PREROUTING -i eth1 -p udp --dport 53 -m mac --mac-source <MAC_address_of_device> -j DNAT --to <your_IPv4_DNS_IP>`

But it is possible that your syntax is a bit different. I had to modify mine because I use a netgear router with Voxel firmware.

Thanks for sharing!

1 Like
15

I was having a pickle of a time trying to play local media (pre-recorded announcements of motion, doors open, etc.) through chromecast audio devices. All was working well until I enabled SSL, then nothing worked. I saw this post about how chromecast devices are hardcoded to google’s DNS services, so I created a d-NAT DNS re-direct rule on my edgerouter, and all is good. I isolated the redirection to an address group that only includes the chromecast devices.

Not really sure why this breaks with the SSL enablement, unless the google DNS servers don’t respect letsencrypt certs.

Here is my rule in edgeos (edgerouter 4) syntax:

nat {
        rule 1 {
            description "DNS Redirect for Chromecast Devices"
            destination {
                port 53
            }
            inbound-interface eth3.1
            inside-address {
                address 192.168.0.250
                port 53
            }
            log disable
            protocol tcp_udp
            source {
                group {
                    address-group chromecasts
                }
            }
            type destination
        }

Where the inbound interface is the vlan that my chromecast devices are on, the inside address (UI calls it translation address & port) is my internal DNS server, port is the standard DNS port#, and the source group is an address group created that includes my chromecast devices (‘static’ ip address via dhcp reservations).