How do I HTTPS-only on the local network, on port 443?

I installed the LetsEncrypt plugin and have successfully gotten a certificate for my Homeassistant (running on HassOs).

I updated configuration.yaml per this post here on the forum; after restart I see almost the behavior I want.

homeassistant:
  external_url: https://homeassistant.mydomain.net
  internal_url: http://homeassistant.local:8123

http:
  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem
  ip_ban_enabled: true
  login_attempts_threshold: 5

What I want is to use my public DNS name without a port number. I use Pi-hole and I split DNS so internally on my network the name will always resolve to a 192.168 address, and on the internet it will resolve to my router; I can port forward when I want remote access.

The problem is that with the configuration suggested above, Home Assistant kind of merges the two configurations so I end up having to use “https://homeassistant.mydomain.net:8123” to connect, but then certificate validation works normally.

I want to turn off http altogether, except when the LetsEncrypt plugin needs to configure to respond to challenges, and I want to stop using 8123 and only use 443.

As a side note, is there a reference for all settings in configuration.yaml and what they do?

Thank you,

efitz


I’m sure you will get 100 different opinions on this one. I use the Caddy add-on.

Then just have a Caddyfile that redirects your homeassistant.mydomain.net to homeassistant.local:8123. Then you never have to worry about anything and Caddy renews your cert for you. Caddy is very lightweight, but learning the configuration file takes some time.

Nginx Proxy Manager is also popular and has a GUI. Never used it.


Thank you! Do you still have to use the LetsEncrypt add-on with Caddy?

No, Caddy and the nginx solution handle it for you and keep it up to date automatically. It does the port challenge itself. Caddy (maybe nginx too) can also do a DNS challenge if you do not want to have port 80 open, but it is a little more complicated as it depends on your DNS provider.

In the http section of your configuration.yaml you also need to tell Home Assistant to trust your proxy:

http:
  # Needed when a reverse proxy (Caddy, nginx, ...) or Docker sits in front of Home Assistant
  use_x_forwarded_for: true
  # Only the proxy's own addresses belong here: anything listed may set X-Forwarded-For,
  # so a wider range would let clients spoof their IP and defeat ip_ban_enabled
  trusted_proxies:
    - 127.0.0.1
    - 172.30.33.0/24
    - 192.168.1.XX  # the local IP of your Home Assistant/Caddy host
  ip_ban_enabled: true

There is a Caddy thread, "Home Assistant Add-on: Caddy 2", on this forum with skeleton config files, and the Caddy forum can help if anything is too crazy. Getting an A+ security rating on the headers takes some tweaking, but there is good information in the thread above.

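An added example of the kind of Caddyfile the replies above describe (this is not a file posted in the thread or shipped by the Caddy add-on). It assumes the public name homeassistant.mydomain.net from the original post, that Home Assistant is reachable from the add-on at homeassistant.local:8123 over plain HTTP, that ports 80 and 443 are forwarded to this host whenever a certificate must be issued or renewed, and a contact address admin@mydomain.net that is purely illustrative:

```caddyfile
# Added example Caddyfile for the Caddy 2 add-on; save as /share/caddy/Caddyfile.
# Assumed: public name homeassistant.mydomain.net, Home Assistant on
# homeassistant.local:8123 (plain HTTP), illustrative contact address.
{
    # Let's Encrypt expiry notices go here (assumed address).
    email admin@mydomain.net
}

# Caddy listens on 443 for this name, obtains and renews the certificate
# itself (HTTP-01 on port 80 by default) and redirects port 80 to HTTPS.
homeassistant.mydomain.net {
    encode gzip

    # Proxy to Home Assistant. Caddy adds X-Forwarded-For and
    # X-Forwarded-Proto for you and proxies the websocket used by the UI.
    reverse_proxy homeassistant.local:8123

    # Basic hardening headers. Enable HSTS only once HTTPS works everywhere.
    header {
        Strict-Transport-Security "max-age=31536000"
        X-Content-Type-Options "nosniff"
        Referrer-Policy "strict-origin-when-cross-origin"
    }
}
```

Because Caddy terminates TLS, Home Assistant itself should no longer load a certificate: remove `ssl_certificate` and `ssl_key` from the http section so it serves plain HTTP on 8123 to the proxy, and keep `use_x_forwarded_for: true` with only the Caddy add-on's address in `trusted_proxies`. Home Assistant rejects requests that carry X-Forwarded-For from any other source, which is what you want. With the split DNS from the original post, LAN clients resolve the name to the LAN address and reach Caddy on 443 directly, so `internal_url` can be set to `https://homeassistant.mydomain.net` with no port.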

I just installed it. Could you please let me know what to put in here?

The add-on page didn't even have instructions for configuration.
I only need local https://192.168.1.229:8123.
As of now, I access my HA OS's GUI via http://192.168.1.229:8123.
I won't need to access the GUI remotely or anything fancy like that.

I saw your PM, but putting it here so others can see.

Caddy is the wrong tool for your requirements. It is designed for having DNS, because it needs to give you a trusted certificate based on your domain name. Without a DNS service, you cannot get a trusted domain. There are workarounds (you can look on the Caddy website) for untrusted certificates, but not worth it if you only want local access.

If you just want SSL on your local network, make your own certificate and add it to Home Assistant. You'll need to have your devices trust it. There are lots of tutorials on this method:

https://community.home-assistant.io/t/certificate-authority-and-self-signed-certificate-for-ssl-tls/196970

If you choose Caddy, you create a Caddyfile under /share/caddy and use the documentation from the Caddy website. An easier option than Caddy is https://github.com/hassio-addons/addon-nginx-proxy-manager, but it still needs DNS. It has a GUI, which might be a better fit for you.

Thanks for the link. That guide was really good. Now my companion app on the Android tablet does not work. lol.
It seems it refuses to work with a self-signed certificate. I followed the directions here after googling "Add & remove certificates - Pixel Phone Help" and
imported the fullchain.pem file into the Wi-Fi certificate store of the tablet. It imported fine, but the Android companion app still does not work.

Try this: https://companion.home-assistant.io/docs/troubleshooting/faqs/#using-a-self-signed-certificate-leads-to-a-blank-page-in-android

Do you have a working solution for local SSL?

Not with the OP method. I did get it working using this method, as seen here: SSL self sign certificate, all local, for Home Assistant. - YouTube