Home Assistant OS with HTTPs Setup by default

If you actually look at those setups, then it is a VPN. You could call it VPN over HTTPS if you like.
The server setup is a proxy that authenticates your out-of-band delivered client certificate and rejects the connection if the certificate is wrong.
This setup would work for HA too, but it still requires that the proxy is moved away from the HA installation, so the entire HA surface is not accessible before being authenticated and authorized, and you would still need to handle the out-of-band delivered client certificates.
The setup will be the same as any other VPN server setup with the same hassle.

I definitely agree that there should be a more convenient way of enabling HTTPS, perhaps even during initial configuration. Personally, I would use self-signed certs because I don’t need DNS or WAN access at the moment. This is the proper configuration from a security/privacy standpoint. Not all networks can be trusted, even in a personal residence. I don’t use battery powered sensors so that’s a non-issue for me.

I mean there is. You can sign up for cloud very easily right after install and you’re ready to go with https.

What I assume you’re really asking for is an easy free option. That’s not really possible, here’s why. Earlier the 3 options for this were laid out:

Sure. This is possible OOTB for free with minimal effort. But it really doesn’t help anyone to do this. The certificate won’t be trusted by anything. Which means it won’t work in apps, and in browsers you’ll have to say “ignore certificate error”. That really means “don’t verify the certificate”, which means security-wise it’s doing nothing. If anyone on the same network as you is actually interested in your traffic, man-in-the-middle attacks are trivial when you don’t verify the certificate.

You can make all your devices trust the certificate, but that is far more work than just installing the Let’s Encrypt addon. Kind of defeats the point.

Yep, this works, if you run your own DNS server in your LAN and have all your devices use it. Which is more work than just installing the Let’s Encrypt addon and likely significantly more maintenance hassle.

Or you can buy a domain and have a subdomain resolve to a lan IP. Which isn’t free and is kind of complex to set up. HA could definitely make it work OOTB if you had this but it’d be valuable to a niche market.

Yep, this would totally work. Easy for users, doable OOTB.

Except it wouldn’t be free. The services to run the backend of this setup cost money, so Nabu Casa would have to ask users for at least cost, with a bit on top since they are a company and do need to turn a profit to pay their employees.

So maybe the last one could be a separate offering at less cost than the full cloud service? But it isn’t free. Which means in the end users have the same choice:

  1. spend their time DIYing a solution
  2. pay nabu casa to do it for them
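To make the “ignore certificate error” point above concrete, and to show what the “make all your devices trust the certificate” route actually amounts to, here is an added Go example (not code from this thread, from Home Assistant or from Nabu Casa). It mints a self-signed certificate in code, standing in for what an openssl one-liner would drop into the ssl folder, starts two in-process HTTPS servers (the instance and an unrelated box presenting its own self-signed certificate for the same name), and runs three client policies against both: pinning the instance’s certificate as the only trusted root, the default OS/browser trust store, and InsecureSkipVerify, which is what clicking past the browser warning means. The host name homeassistant.local, the LAN IP 192.168.1.10 and the response strings are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// haHost is an assumed example name for the instance, not something HA ships;
// the LAN IP placed in the SAN below is constructed as well.
const haHost = "homeassistant.local"

// newSelfSignedCert mints the kind of self-signed certificate an "openssl req -x509"
// one-liner would put in the ssl folder, generated in code so the example runs offline.
func newSelfSignedCert(cn string) (tls.Certificate, *x509.Certificate) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true, // self-signed: it is its own root once pinned
		DNSNames:              []string{haHost},
		IPAddresses:           []net.IP{net.ParseIP("192.168.1.10")},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, leaf
}

// startServer runs an in-process HTTPS server presenting cert and answering msg.
func startServer(cert tls.Certificate, msg string) *httptest.Server {
	s := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		io.WriteString(w, msg)
	}))
	s.TLS = &tls.Config{Certificates: []tls.Certificate{cert}}
	s.StartTLS()
	return s
}

// get performs one request under the given client-side TLS policy.
func get(url string, cfg *tls.Config) (string, error) {
	c := &http.Client{Timeout: 5 * time.Second, Transport: &http.Transport{TLSClientConfig: cfg, DisableKeepAlives: true}}
	resp, err := c.Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

// Results records how each client policy treated the instance and an unrelated host.
type Results struct {
	PinnedBody, UnverifiedBody, UnverifiedOther string
	SystemRootsErr, PinnedOtherErr             error
}

// RunDemo compares pinning the instance's own certificate, trusting only the OS
// store (what a browser does), and "ignore certificate error" (InsecureSkipVerify).
func RunDemo() Results {
	var r Results
	haCert, haLeaf := newSelfSignedCert("Home Assistant")
	otherCert, _ := newSelfSignedCert("some other box on the LAN") // same names, different key
	ha, other := startServer(haCert, "hello from home assistant"), startServer(otherCert, "hello from somewhere else")
	defer ha.Close()
	defer other.Close()
	pool := x509.NewCertPool()
	pool.AddCert(haLeaf)
	pinned := &tls.Config{RootCAs: pool, ServerName: haHost} // trust exactly this certificate
	system := &tls.Config{ServerName: haHost}                // OS/browser trust store only
	unverified := &tls.Config{InsecureSkipVerify: true}      // "ignore certificate error"
	r.PinnedBody, _ = get(ha.URL, pinned)             // accepted: pinned cert, name matches
	_, r.SystemRootsErr = get(ha.URL, system)         // rejected: unknown authority
	r.UnverifiedBody, _ = get(ha.URL, unverified)     // accepted, but so is anything else:
	r.UnverifiedOther, _ = get(other.URL, unverified) // an unrelated cert is accepted too
	_, r.PinnedOtherErr = get(other.URL, pinned)      // rejected: not the pinned certificate
	return r
}

func main() { fmt.Printf("%+v\n", RunDemo()) }
```

Running it prints the struct: the pinned client gets the real page and refuses the unrelated box, the system-store client refuses the self-signed cert outright (that is the browser warning), and the InsecureSkipVerify client happily gets a page from both, because it checked nothing. The pinned policy is the “trust the certificate on every device” route: you distribute the certificate (never the key) to each phone and PC, and the name you type in the browser has to appear in the certificate’s SAN, which is exactly the per-device work the post above describes.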

As mentioned earlier, there is another option for remote secure access (that doesn’t use SSL/HTTPS) & that is VPNs, but if you don’t know how to do this already, it’s too complicated to explain.
But if you wanted to explore this option, an easy free VPN solution to try is:
Tailscale
But as @CentralCommand has explained, SSL/HTTPS is not free if you want it to work the way it is supposed to (with the exception of Let’s Encrypt, & that has its own set of issues).
I’m a big supporter of Nabu casa, if you like Home assistant & think it’s worth supporting why not help fund the project & in return get an easy, secure way of remotely accessing your HAss.

It really sounds like someone has not understood the difference between VPN and HTTPS.

Both VPN and HTTPS provide a secure communication, so no one can listen in on your data traffic.
This is nice when you are in a restaurant, cafe or some other insecure network, because no one can catch your login information in clear text.
Where VPN and HTTPS differ is in the authentication part, which is the part that decides who is allowed to make a connection and who will be rejected.

HTTPS has no authentication and everyone will be allowed through, which means the host behind it will handle all security regarding authentication. In the case of HA, that means all the hundreds of developers of integrations and addons have that responsibility. Since not all of HA’s developers are programmers by profession, this leaves something to be desired. On top of that there are also developers that leave their project, and then no updates for bugs and security holes occur. Sometimes functionality comes before security too.

VPN on the other hand has authentication, and there is only one program with one purpose to think about, so it is so much easier to control everything and security always comes first here.
VPN prevents hackers from hammering your HA installation to find security holes, brute forcing your passwords, making DOS attacks and so on.

First, I should apologise for not reading the entire thread before posting myself.

What do you mean by this? The OP is wanting HTTPs as a standard on HAss, but as some have put forward this has problems. Are you @WallyR for or against HTTPs being standard on HAss?

I myself didn’t like the fact that HTTPs was not standard on HAss to begin with, but now I use Nabu Casa & even locally I use it. Exposing my HAss to the internet has its problems, but I segregate my LAN into VLANs to minimise this exposure (& I understand that other integrations in HAss could be vulnerable, but any system that is not air-gapped is vulnerable to some degree even with a VPN [& I have even seen examples of systems that are air-gapped that have been made vulnerable]).

@WallyR if you are arguing for a VPN solution for HAss & Tailscale doesn’t meet your needs, why not create a new Thread?


I personally use a StrongSwan VPN built into my router (Ubiquiti EdgeRouter 4), so I am covered.
And I generally like the usage of SSL, but HTTPS in browsers requires a publicly available domain name to work properly, or you will have to fight a lot of nagging popups.
HTTPS will actually require an internet connection at all times to work properly, because modern browsers require verification of the certificate from the certificate authority.
SSL on other connections is fine.

Since the new Voice Assistant needs https to work, it would be great to have https locally by default!

This might be another option. I was surprised to see our Western Digital NAS (PR4100) has a certificate from Let’s Encrypt. The address (device-local-<serial#>.remotewd.com) resolves to the unit’s internal IP. I’m thinking it must upload that information to a WD server which registers it with DNS and Let’s Encrypt, then downloads the certificate. This unit is running inside a corporate network; it is highly unlikely any ports are auto-forwarded to it. WD is a big enough company that they can absorb that extra hosting/DNS traffic; maybe at some point Home Assistant / Nabu Casa will be able to do that.

There are several issues with that solution.
First, only the domains that WD has can be used in the certificate.
Secondly, only devices that WD allows can use the certificate, and opening it up for third-party devices will circumvent the security in the certificate.

I don’t mean use WD’s solution directly. Home Assistant would have to use their domain to create the certs. Not free for them, but maybe built into a device price.

But if they use a domain owned by Home Assistant/Nabu Casa and give you a certificate for a host in this domain, they either have to add the resulting FQDN into a public DNS with the external address for your internet connection (DDNS, isn’t that what they are doing with Nabu Casa?? I don’t have a subscription), or you have to create a zone for their domain in your DNS and make sure you resolve your internal IP with that FQDN.

Armin

You need to read up on how the security in a certificate works.
It will not work unless NabuCasa takes full control of all your devices that should use the certificate.
HA would not be open source anymore then.


I’m going to bring this to the top because I cannot believe in 2024 TLS support is still so lacking. Not only is it not enabled by default, which is appalling by any security standard, it is not available unless done manually. Self-signed should be the default. If people are “annoyed” by the warning then maybe there should be an option to disable TLS, but HA should be secure by default; that is the way the industry is going, and it’s a good thing.


I’ve just read through this whole thread after doing some searches, as I’ve been trying for the last 3 days to have my HA instance be connected with https. I am not a networking pro. Maybe a level 5. But after 3 days, I’ve given up. I have my own domain through noip.com. I have a certificate from noip.com which I created with the included ddns subscription. I tried installing a reverse proxy, I read lots of outdated threads that said if I had a signed certificate from an authority all I had to do was put these 2 files in a newly created ssl folder and point to them in configuration.yaml.

 # these two keys belong under the http: block of configuration.yaml
 http:
   ssl_certificate: /config/ssl/fullchain.pem
   ssl_key: /config/ssl/privkey.pem

Whatever combinations I tried, it didn’t work. The connection was not secure, not on Chrome, Firefox or Edge using Linux Mint. Not because it can’t be done, but a level 5 like me just can’t do it. I really want to connect with https. I use Nabu Casa, so external connections are not my issue, but I want to have my phone and computers inside my network connect with https so that it’s consistent with my Nabu Casa connection. Why? Well, some integrations (Plex for HA, the new Music Assistant for HA) require it; otherwise, when I connect from Nabu Casa outside my home, it won’t allow those addons to run because it won’t allow an https connection over http.

So after days of trying to configure my instance to run on https, I’ve given up. Another great reason is voice. Voice is going to require that requests are in https, and I’d love to start building some of the esp32 products that do wake-word.

I don’t know what the solution is for me. I’m just a level 5. But I agree wholeheartedly with the OP, there needs to be a way for non-networking-experts to have a secure connection over https.