GUI support for https / SSL / certificate signing request process

Home Assistant is almost a ‘big boy’ now; there are some basic pillars missing, imho:

The ability to undergo the certificate signing request process from the GUI.

There is a lot depending on this, for example, if you ever want to support serious authentication options like SSO / SAML / OAuth.

Of course we have ‘Let’s Encrypt’, but to be taken seriously, you should offer the option to use your own certificate (3rd-party backed or self-signed).

This is, imho, much more important than adding support for the 73rd type of Chinese air conditioning. In the past I managed to use my own certificate, but that was not documented and it was unclear where HA expects the files. Far too complicated for average users.

A nice GUI that will allow you to do your certificate request, with a clear explanation of the steps and what to do next, with documentation on the biggest three third-party certificate authorities (IdenTrust, DigiCert Group, Sectigo). Explaining in what format you can paste your certificate.

And of course, a nice ‘certificate chain’ checker with green checkboxes.

I assure you Let’s Encrypt is taken much more seriously than any self-signed PKI you would put in place.
That’s why their certificates are trusted by your browser, while yours would be deemed unreliable :wink:

Actually, in a “serious” setup, you don’t expose HA directly but through a reverse proxy.
In that situation, HA needs exactly 0 (zero) certificates, and the reverse proxy does the work.

nginx proxy manager, for instance, handles the management of certificates on its own, transparently (and, yeah, they are using Let’s Encrypt certificates)

If you want a nice GUI for your own certificate management, I suggest XCA (Home)


I’m not rooting for self signed certificates, you misunderstood…

I don’t want to use a reverse proxy. And even if you choose that path, you still need to install the reverse proxy and add the certificate to the reverse proxy. A lot of hassle for the same result, plus another dependency, another setup, knowledge needed and another component you need to manage and update. While a simple NAT rule would be sufficient, thus you don’t expose HA directly.

Oh, you want a tool to create a CSR for a non-Let’s Encrypt CA?
Why would you pay $300 per year for a Digicert certificate for HA rather than a free one? Those bring you exactly no added features…

Heh, sure, but you have an HA addon that does that.

No, nginx reverse proxy does it for you.
That’s another added value of Let’s Encrypt: the process of asking for and renewing a certificate can be completely automated…


Not if you want your own certificate

Looks like you have nginx stocks or something. But introducing another component (proxy) is not an option for something as simple as a certificate. Especially when you only have one web service you want to expose. (KISS principle)

Reasons not to use a proxy:

-needs to be installed

-needs to be maintained

-needs to be configured

-needs extra knowledge

-adds complexity to your setup

-only relays the certificate issue; if you want your own certificate, you still need to add it

Most HA setups are already behind NAT so HA is not exposed to the outside.

Just having the possibility to add your own certificate is basic functionality.

There we are on the same page.
Let’s KISS and use existing tools to get your public certificates rather than push that (unrelated) functionality in HA for a couple users.


Stop pushing your reverse proxy idea, that’s totally unrelated to my suggestion.

It’s a work-around that no one wants / needs. Really, what’s in that for you? Why are you pushing this needlessly over-complex work-around?

Because it’s a work-around, every self-respecting web component should offer SSL on its own, with a certificate that you pick.

I could also install a stateful firewall or a load balancer and do SSL offloading on its VIP. But that’s totally undesired in an average HA setup…

Stop hijacking this discussion

I used to generate SSL certificates on a remote W10 machine (ok, I did use the Let’s Encrypt bot command line tool, but you could use any other).
On the W10 I used a schedule to check and generate, and when a new certificate was generated, I’d move it to HA’s SSL folder…

So in a way that was automated…

No proxy whatsoever involved.

I needed to do that, as my DNS provider was not supported by the Let’s Encrypt addon.
Eventually I changed DNS provider, so now I do use the addon (but still not using a reverse proxy :wink: )


Let’s forget about proxies and focus on the merits of “GUI support for https / SSL / certificate signing request process” for non-Let’s Encrypt CAs :wink:

  1. Who actually uses a $300 / yr certificate for HA?
  2. I rest my case :smiley:

Just because you don’t like it, doesn’t mean the whole world should adapt to your way. So yes, please do rest your case.

A certificate doesn’t have to cost 300 euro per year, especially when you already have one or when you sign your own certificates.

There are 100 ways to reach your HA instance from the internet: reverse proxy, VPN, private leased lines, etc. etc. These are all workarounds for HA’s lack of general certificate support. It’s possible to use your own certificate, but it’s not properly documented and impossible for novice users.

Like everything else that offers web pages, there should be general support for certificate signing requests. With proper guides for the topmost certificate stores.

It’s nice to have Let’s Encrypt, but you need to update your certificate too often and you need to remember to keep port 80 open.

That is an extremely bold statement.
Neither Apache nor nginx, arguably the most common web servers in the world, offers such a system.
I actually know of no application with a web UI offering any kind of UI for creating a CSR and importing back the signed CER.

99% of the time, you’ll use the UI or CLI tool of the CA to create the CSR / CER.
The remaining 1% are openssl-using masochists like me :smiley:

Not sure what you mean by that. It’s as simple in HA as in Apache: add 2 lines to a configuration file.
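Added example, not part of the thread and not Home Assistant’s own code: the CSR, signing and “green checkbox” chain checks the opening post asks for, and the two `http:` lines referred to just above, done with plain openssl so the steps are concrete. Assumptions: openssl 1.1.1+ is in PATH; `ha.example.home` is a made-up hostname; the root and intermediate CA created here are throwaway stand-ins for a commercial CA (IdenTrust, DigiCert, Sectigo…), which would normally hand you back the signed certificate plus its intermediate; `ssl_certificate` and `ssl_key` are real HA `http:` options, while the `/ssl/` path is the HAOS convention and not checked here.

```shell
#!/bin/sh
# Added example (not Home Assistant code). Walks through: key + CSR -> CA signs
# (stand-in CA here) -> checks a GUI would show as checkboxes -> files HA wants.
set -eu

WORK="${WORK:-$(mktemp -d)}"
HOST="ha.example.home"          # assumed hostname

# Step 1: the private key never leaves the HA box; only ha.csr goes to the CA.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$HOST" \
    -addext "subjectAltName=DNS:$HOST" \
    -keyout "$WORK/privkey.pem" -out "$WORK/ha.csr" >/dev/null 2>&1
}

# Step 2 (stand-in for IdenTrust/DigiCert/Sectigo): root -> intermediate -> leaf,
# the same shape a commercial chain has. The CA copies the SAN into the leaf.
sign_with_stand_in_ca() {
  printf 'basicConstraints=critical,CA:true\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  printf 'basicConstraints=CA:false\nsubjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$HOST" > "$WORK/leaf.ext"
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Stand-in Root" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" >/dev/null 2>&1
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Stand-in Intermediate" \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 1825 -extfile "$WORK/ca.ext" -out "$WORK/int.pem" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/ha.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 90 -extfile "$WORK/leaf.ext" -out "$WORK/cert.pem" >/dev/null 2>&1
}

# Step 3: the checks. Each returns 0 (green box) or non-zero (red box).
# 3a: leaf chains up to the root when the intermediate is supplied.
chain_ok() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/int.pem" "$WORK/cert.pem" >/dev/null 2>&1
}
# 3b: the same check with only the leaf pasted must FAIL; a chain checker that
# does not catch this misses the most common "works in one browser, not in
# another" mistake.
chain_ok_without_intermediate() {
  openssl verify -CAfile "$WORK/root.pem" "$WORK/cert.pem" >/dev/null 2>&1
}
# 3c: the signed certificate belongs to the private key on disk (same public key).
key_matches_cert() {
  a=$(openssl x509 -in "$WORK/cert.pem" -noout -pubkey | openssl sha256)
  b=$(openssl pkey -in "$WORK/privkey.pem" -pubout | openssl sha256)
  [ "$a" = "$b" ]
}
# 3d: the name users will type is in the SAN (CN alone is not enough for browsers).
san_matches_host() {
  openssl x509 -in "$WORK/cert.pem" -noout -text | grep -q "DNS:$HOST"
}
# 3e: not expiring within 30 days (2592000 s); non-zero means "renew now".
not_expiring_within_30_days() {
  openssl x509 -in "$WORK/cert.pem" -noout -checkend 2592000 >/dev/null
}

# Step 4: what HA reads. fullchain.pem = leaf first, then intermediate(s),
# never the root. The two http: lines are printed for configuration.yaml.
install_for_ha() {
  cat "$WORK/cert.pem" "$WORK/int.pem" > "$WORK/fullchain.pem"
  printf 'http:\n  ssl_certificate: /ssl/fullchain.pem\n  ssl_key: /ssl/privkey.pem\n'
}

make_csr
sign_with_stand_in_ca
for check in chain_ok key_matches_cert san_matches_host not_expiring_within_30_days; do
  if "$check"; then echo "[x] $check"; else echo "[ ] $check"; fi
done
if chain_ok_without_intermediate; then echo "[ ] leaf alone verified (unexpected)"; else echo "[x] leaf alone correctly rejected"; fi
install_for_ha
```

The private key is created locally and only the CSR is sent away, which is the property a GUI wizard would have to preserve; the rejection in 3b is the check worth building first, because a leaf without its intermediate is exactly the kind of chain that passes on a desktop with a cached intermediate and fails on a phone.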

Again, please stop responding to my posts. You are just ventilating your personal preference and hijacking the conversation. You made it already very clear how you would solve it.

HA with its nice GUI is clearly trying to aim for non-technical ppl. Linux command lines and reverse proxies are not within reach of those people and are overkill for what they really want. Having to have port 80 open and updating your certificate every 3 months; not user friendly.

It’s no use recommending Ubuntu for your grandmother just because you think it’s so easy. Have some empathy, what’s best for you, is not best for everybody.

But again, don’t see this as an invitation to, again, ventilate your preference Chris. I wanna hear what other people think.

I’m saying, make it easier for non technical people to use HA securely by providing SSL from the GUI.

Non-technical people do not have a clue of what a certificate is.
Non-technical people should not expose their HA to the internet, so don’t need a certificate at all.
Non-technical people use HAOS and the let’s encrypt addon or similar if they actually understand the risks.
Actually, non-technical people should use Nabu Casa services, both to mitigate the risks and to support the project financially, rather than rely on YouTube.
Non-technical people surely do not have a clue of what the CSR-sign-import process is about.

This is not a FR for non-technical people. This is not a FR for technical people, either.
This FR just doesn’t make any sense.

<ignore ON>

But again, don’t see this as an invitation to, again, ventilate your preference Chris. I wanna hear what other people think.

wish you did that 5 posts ago…

I agree with Chris. For nearly all commercial deployments of anything, SSL termination happens via some front-end reverse proxy. NGINX is a fairly common choice. While NGINX is simple and trivial, it’s also familiar to a broad audience. But it’s not alone as a good solution for managing https termination. There are several other good reverse proxy options.

Having a GUI for key management baked into HA is a wasteful distraction. Let’s Encrypt solves the problem for free and is easy to integrate with something like NGINX. The onus for anything beyond this shouldn’t be a distraction for the HA team.

I think they are already taken seriously without wasting time on this feature.