It’s a product of my own doing I get that; and if this is asked and answered I apologize, I did look, but maybe I wasn’t searching for the proper things.
Problem statement:
Home Assistant will not connect to OctoPrint.
Reason:
I use a private Certificate Authority to generate certificates for items on my network that I do not publish to the internet. I have OctoPrint set up to require SSL; but the certificate is issued with my private CA.
Goal:
I want to provide Home Assistant OS my custom CA certificate so it may connect to my internal hosts.
I can fix this.
I can muddle through dropping to the shell on the Home Assistant OS and getting the cert recognized. My concern is an update wiping out the change since it would be a rather specific customization to the core.
I can reconfigure HAProxy on OctoPrint to allow only HA to communicate without SSL. This is really a workaround, not a fix, but it would solve the problem.
I can try to create a docker container on HA that only HA has access to that proxies the insecure communication to OctoPrint. Kinda in the middle of the two; won’t be wiped out in an update, and makes the actual network traffic secure.
So why the post then? Well, I had a few questions.
Is anyone else in this pickle? - How did you go about it?
Is there an official recommendation on how to handle this?
Is there an option I am missing that is even better?
I am leaning toward the third and having a relay that sits only on Home Assistant OS that only Home Assistant OS can access. But is that the best option to choose?
Anyway; thank you for looking at this and I value any input you can provide.
I’m curious, so I hope you don’t mind my question - are you using your own CA for privacy reasons? I have no experience doing this in HA. I install a bunch of apps for my job, many require certs. When I run into this sort of thing I usually need to tell the host system or middle-man application to trust the cert. In Windows it would go to trusted cert authority on Local System. When I do that, many of my python apps at work will correctly work. The issue in my case is that the program uses code that doesn’t trust some of the root certs.
I use SSL even internally for security-ish reasons, mostly to keep in practice. Also having everything always secure means in the rare case I want to reconfigure and publish something all I have to do initially is just that: poke it through the firewall.
I use the CA as opposed to self-signed just for eliminating the security warning (spousal acceptance factor). I have imported my CA cert into my personal devices (phones, laptops, devices). Really just saves the trouble of having to accept the security warning for a self-signed cert when visiting the page. Process wise it is the same as yours of accepting the cert; but in place of accepting each individual cert I accepted one (the CA) and the systems trust what the CA signs off on.
The only time I have found it to be required was Bitwarden. I host Bitwarden locally (long before HA); but do not expose it to the internet (I use my VPN to access it if I am remote). But Bitwarden’s iOS app required a valid certificate chain and Bitwarden requires SSL. So the CA came in handy in that one specific case (although I could have easily just purchased one).
I haven’t looked into Let’s Encrypt enough, but from the research I’ve done so far it tends to want to have public access to the thing being secured for its validation process. That doesn’t fly with the internal part.
Anyway I know we are digressing from the topic; but hope that helps with my reasoning as to why I am using the private CA to start with.
No problem, I should have mentioned; I owe this person a cup of coffee; but this is what I followed: https://jamielinux.com/docs/openssl-certificate-authority/ It is still accurate with the latest version of openssl but there were just a few flaws / gotchas with OCSP at the end.
You mentioned that you can get the cert recognized; can you explain that a bit further?
We found that HassOS doesn’t use the same certificate store as the Alpine it’s built on, but uses certifi instead, which is not supposed to support the addition of certificates. Rebooting HA resets the certifi store, so I wasn’t able to get it running. Krich seems to have got it running on HassOS, but I didn’t hear back from him afterwards.
Since you’re using HomeAssistant Supervised, what you can do possibly won’t help me on HassOS though. Firefly posted a short script of what he’s doing in his supervised setup.
Did you make further progress since your last post?
I just posted a feature request to handle CAs more gracefully (or at all in my case), but if you managed to find a feasible solution that could be translated to HassOS, this could be closed. Otherwise an upvote would be appreciated!