If you actually look at those setups, then it is a VPN. You could call it VPN over HTTPS if you like.
The server setup is a proxy that authenticates your out-of-band delivered client certificate and rejects the connection if the certificate is wrong.
This setup would work for HA too, but it still requires that the proxy is moved away from the HA installation, so the entire HA surface is not accessible before being authenticated and authorized, and you would still need to handle the out-of-band delivered client certificates.
The setup will be the same as any other VPN server setup with the same hassle.
I definitely agree that there should be a more convenient way of enabling HTTPS, perhaps even during initial configuration. Personally, I would use self-signed certs because I don't need DNS or WAN access at the moment. This is the proper configuration from a security/privacy standpoint. Not all networks can be trusted, even in a personal residence. I don't use battery powered sensors so that's a non-issue for me.
I mean there is. You can sign up for cloud very easily right after install and you're ready to go with https.
What I assume you're really asking for is an easy free option. That's not really possible, here's why. Earlier the 3 options for this were laid out:
Sure. This is possible OOTB for free with minimal effort. But it really doesn't help anyone to do this. The certificate won't be trusted by anything. Which means it won't work in apps and in browsers you'll have to say "ignore certificate error". That really means "don't verify the certificate" which means security wise it's doing nothing. If anyone on the same network as you is actually interested in your traffic, man in the middle attacks are trivial when you don't verify the certificate.
You can make all your devices trust the certificate but that is far more work than just installing the Let's Encrypt addon. Kind of defeats the point.
Yep, this works. If you run your own DNS server in your LAN and have all your devices use it. Which is more work than just installing the Let's Encrypt addon and likely significantly more maintenance hassle.
Or you can buy a domain and have a subdomain resolve to a LAN IP. Which isn't free and is kind of complex to set up. HA could definitely make it work OOTB if you had this but it'd be valuable to a niche market.
Yep, this would totally work. Easy for users, doable OOTB.
Except it wouldn't be free. The services to run the backend of this setup cost money so Nabu Casa would have to ask users for at least cost. With a bit on top since they are a company and do need to turn a profit to pay their employees.
So maybe the last one could be a separate offering at less cost than the full cloud service? But it isn't free. Which means in the end users have the same choice:
- spend their time DIYing a solution
- pay Nabu Casa to do it for them
As mentioned earlier there is another option for remote secure access (that doesn't use SSL/HTTPS) & that is VPNs, but if you don't know how to do this already, it's too complicated to explain.
But if you wanted to explore this option, an easy free VPN solution to try is:
Tailscale
But as @CentralCommand has explained SSL/HTTPS is not free, if you want it to work the way it is supposed to (with the exception of Let's Encrypt & that has its own set of issues).
I'm a big supporter of Nabu Casa, if you like Home Assistant & think it's worth supporting why not help fund the project & in return get an easy, secure way of remotely accessing your HAss.
It really sounds like someone has not understood the difference between VPN and HTTPS.
Both VPN and HTTPS provide a secure communication, so no one can listen in on your data traffic.
This is nice when you are in a restaurant, cafe or some other insecure network, because no one can catch your login information in clear text.
Where VPN and HTTPS differ is in the authentication part, which is the part that decides who is allowed to make a connection and who will be rejected.
HTTPS has no authentication and everyone will be allowed through, which means the host behind will handle all security regarding authentication. In the case of HA, then it means all the hundreds of developers of integrations and addons have that responsibility. Since not all of HA's developers are programmers by profession, this leaves something to be desired. On top of that there are also developers that leave their project and then no updates of bugs and security holes occur. Sometimes functionality comes before security too.
VPN on the other hand has authentication and there is only one program with one purpose to think about, so it is so much easier to control everything and security always comes first here.
VPN prevents hackers from hammering your HA installation to find security holes, brute forcing your passwords, making DoS attacks and so on.
First, I should apologize for not reading the entire thread first before posting myself.
What do you mean by this? The OP is wanting HTTPS as a standard on HAss, but as some have put forward this has problems. Are you @WallyR for or against HTTPS being standard on HAss?
I myself didn't like the fact that HTTPS was not standard on HAss to begin with, but now I use Nabu Casa & even locally I use it. Exposing my HAss to the internet has its problems, but I segregate my LAN into VLANs to minimise this exposure (& I understand that other integrations in HAss could be vulnerable but any system that is not air-gapped is vulnerable to some degree even with a VPN [& I have even seen examples of systems that are air-gapped that have been made vulnerable]).
@WallyR if you are arguing for a VPN solution for HAss & Tailscale doesn't meet your needs, why not create a new thread?
I personally use a StrongSwan VPN built into my router (Ubiquiti EdgeRouter 4), so I am covered.
And I generally like the usage of SSL, but HTTPS in browsers requires a publicly available domain name to work properly or you will have to fight a lot of nagging popups.
HTTPS will actually require an internet connection at all times to work properly, because modern browsers require verification of the certificate from the certificate authority.
SSL on other connections is fine.
Since the new Voice Assistant needs https to work, it would be great to have https locally by default!
This might be another option. I was surprised to see our Western Digital NAS (PR4100) has a certificate from Let's Encrypt. The address (device-local-<serial#>.remotewd.com) resolves to the unit's internal IP. I'm thinking it must upload that information to a WD server which registers it with DNS and Let's Encrypt, then downloads the certificate. This unit is running inside a corporate network. It is highly unlikely any ports are auto forwarded to it. WD is a big enough company they can absorb that extra hosting/DNS traffic, maybe at some point Home Assistant / Nabu Casa will be able to do that.
There are several issues with that solution.
First, only the domains that WD has can be used in the certificate.
Secondly only devices that WD allows can use the certificate and opening up for third party devices will circumvent the security in the certificate.
I don't mean use WD's solution directly. Home Assistant would have to use their domain to create the certs. Not free for them, but maybe built into a device price.
But if they use a domain owned by Home Assistant/Nabu Casa and give you a certificate for a host in this domain, they either have to add the resulting FQDN into a public DNS with the external address for your internet connection (DDNS, isn't that what they are doing with Nabu Casa?? I don't have a subscription) or you have to create a zone for their domain in your DNS and make sure you resolve your internal IP with that FQDN.
Armin
You need to read up on how the security in a certificate works.
It will not work unless NabuCasa takes full control of all your devices that should use the certificate.
HA would not be open source anymore then.
I'm going to bring this to the top because I cannot believe in 2024 TLS support is still so lacking. Not only is it not enabled by default, which is appalling by any security standard, it is not available unless done manually. Self signed should be the default. If people are "annoyed" by the warning then maybe there should be an option to disable TLS, but HA should be secure by default, that is the way the industry is going, and it's a good thing.
I've just read through this whole thread after doing some searches, as I've been trying for the last 3 days to have my HA instance be connected with https. I am not a networking pro. Maybe a level 5. But after 3 days, I've given up. I have my own domain through noip.com. I have a certificate from noip.com which I created with the included ddns subscription. I tried installing a reverse proxy, I read lots of outdated threads that said if I had a signed certificate from an authority all I had to do was put these 2 files in a newly created ssl folder and point to them in configuration.yaml.
ssl_certificate: /config/ssl/fullchain.pem
ssl_key: /config/ssl/privkey.pem
Whatever combinations I tried, it didn't work. The connection was not secure, not on Chrome, Firefox or Edge using Linux Mint. Not because it can't be done, but a level 5 like me just can't do it. I really want to connect with https. I use Nabu Casa so external connections are not my issue, but I want to have my phone and computers inside my network connect with https so that it's consistent with my Nabu Casa connection. Why? Well, some integrations (Plex for HA, the new Music Assistant for HA) require it otherwise when I connect from Nabu Casa outside my home, it won't allow those addons to run because it won't allow an https connection over http.
So after days of trying to configure my instance to run on https, I've given up. Another great reason is voice. Voice is going to require that requests are in https, and I'd love to start building some of the esp32 products that do wake-word.
I don't know what the solution is for me. I'm just a level 5. But I agree wholeheartedly with the OP, there needs to be a way for non-networking-experts to have a secure connection over https.
I agree, enforcing HTTPS should at a minimum be an option. I understand that self-signed certs can be difficult and signed certs have a cost and external dependencies, but the lack of support for HTTPS has kept me away from Home Assistant for many years.
It only takes one infected device on your home network to start sniffing traffic. Since HA is unencrypted, it's easy to grab credentials and access the console as admin, then install the ssh console addon, root the server, and grab all of the secrets and connection information to every connected service, such as google, apple, etc. Malware that targeted HA in this way could be a disaster.
I don't believe it would be too difficult to generate a simple CA during the installation of a new HA server. From there you can generate a self-signed cert for the web interface off the root cert and provide the public key of the root cert for installation on any devices that need local access. This way you can freely rotate the web server cert without any maintenance on the end devices. A simple cron job to rotate the web cert every X days ensures you never need to worry about an expired cert.
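The post above proposes a local CA created at install time, a web-server certificate issued from it, and rotation of that leaf without touching the devices. The Go program below is an added illustration of that proposal, not code from Home Assistant or Nabu Casa, and uses only the standard library. It creates the root, issues a leaf whose SAN carries a constructed hostname and LAN address (homeassistant.local and 192.168.1.10, both assumed), verifies the leaf once as a device that was never given the root and once as a device that was (the first case is the "not trusted by anything" warning described earlier in the thread), and renders fullchain.pem and privkey.pem in the shape the ssl_certificate / ssl_key lines quoted earlier expect. All function names are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"net"
	"time"
)

// KeyCert pairs a private key with the certificate issued for it.
type KeyCert struct {
	Key  *ecdsa.PrivateKey
	Cert *x509.Certificate
}

// issue generates a P-256 key and a random serial for tmpl and has parent sign it; nil parent = self-signed.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*KeyCert, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	if tmpl.SerialNumber, err = rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127)); err != nil {
		return nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &KeyCert{Key: key, Cert: cert}, nil
}

// NewLocalCA creates the long-lived self-signed root: the one thing each device is told to trust, once.
func NewLocalCA(name string) (*KeyCert, error) {
	return issue(&x509.Certificate{
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}, nil, nil)
}

// IssueServerCert signs a short-lived leaf for the HA host (name and LAN address in the SAN).
// Re-running it is the "rotate every X days" step; the root, and so the devices, are untouched.
func IssueServerCert(ca *KeyCert, dnsName string, ip net.IP, validFor time.Duration) (*KeyCert, error) {
	return issue(&x509.Certificate{
		DNSNames:    []string{dnsName},
		IPAddresses: []net.IP{ip},
		NotBefore:   time.Now().Add(-time.Hour),
		NotAfter:    time.Now().Add(validFor),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca.Cert, ca.Key)
}

// VerifyFor checks the leaf the way a browser does: the name must match a SAN and the chain must
// end at a root in the device's store. An empty pool models a device never given the root.
func VerifyFor(leaf *x509.Certificate, host string, roots *x509.CertPool) error {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err
}

// PEMFiles renders the two files configuration.yaml points at: fullchain.pem (leaf then root) and privkey.pem.
func PEMFiles(leaf, ca *KeyCert) (fullchain, privkey []byte, err error) {
	keyDER, err := x509.MarshalECPrivateKey(leaf.Key)
	if err != nil {
		return nil, nil, err
	}
	fullchain = append(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: leaf.Cert.Raw}), pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: ca.Cert.Raw})...)
	privkey = pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
	return fullchain, privkey, nil
}

func main() {
	ca, err := NewLocalCA("Home Assistant local CA (constructed example)")
	if err != nil {
		panic(err)
	}
	leaf, err := IssueServerCert(ca, "homeassistant.local", net.ParseIP("192.168.1.10"), 30*24*time.Hour)
	if err != nil {
		panic(err)
	}
	trusted := x509.NewCertPool()
	trusted.AddCert(ca.Cert)
	fmt.Println("no root installed:", VerifyFor(leaf.Cert, "homeassistant.local", x509.NewCertPool()))
	fmt.Println("root installed:   ", VerifyFor(leaf.Cert, "homeassistant.local", trusted))
}
```

The first Println reports an unknown-authority error and the second reports nil; the only difference between the two is whether the root's certificate has been added to the pool, which on a real phone or laptop is the one-time manual import into its trust store. Only the root needs importing there, never the leaf, so later leaves signed by the same root verify without any further work on the devices, which is the rotation property the post relies on.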
It is easy to generate a simple CA, but it is near impossible to get devices to trust that CA and it can't be done automatically. It is a manual process.
There is nothing wrong with self-signed certificates per se. Let's think about the difference between a self signed cert vs no certificate. Certificates are to encrypt, not for trust, there is a reason why many companies run their own PKI for sensitive connections, so they own the CA. The publicly signed certificates just outsource the trust. But even a self signed certificate is encrypted. Some might say "but then you could be man in the middled". True, but it's just as easy to man in the middle when no certificate is there. Adding a certificate means that even IF the connection is man in the middled, the authentication credentials are not sent in the clear, and "only" the mitm attacker, you, and the server will see the credentials. Without a certificate anyone on the network can see the credentials.
I'm going to make what potentially could be a very annoying suggestion… did you turn it off and on again?
I was having the same issue in that I used the LE add-on and my certificates were generated, but my Chrome connection to my remote domain was stating it's not secure.
I fixed it by restarting HA (and not just doing a Quick Reload of the configuration, as I thought that would be enough, but it wasn't)…