I set up Tailscale on my HA so I can access it from the Home Assistant app, but that means it must be an HTTP instance, otherwise it doesn't work for me.
I would prefer that all communication to it be TLS, from the local network too.
I couldn't find a working solution for this; perhaps I'm missing something.
I was able to come up with 2 working scenarios, and I'm wondering whether there is any solution for those disadvantages, or perhaps an alternative.
Option 1
Set Home Assistant to be HTTP (default).
Local network access is not secured (HTTP), but! Tailscale access from my phone is working.
Option 2
Home Assistant is configured for HTTPS on the local network, using the Let's Encrypt/DuckDNS integration. Tailscale is configured too, so I can connect to it from my phone. Accessing from the phone's Chrome works, but with a certificate warning (self-signed). However, trying to access from the Home Assistant app, I get an error that the hostname and certificate mismatch (the Let's Encrypt certificate doesn't match the hostname), and I assume this is because the certificate of the HA doesn't match the Tailscale domain?
I was wondering whether there is a way to use the Tailscale certificates in HA when it's configured for HTTPS? Or in the HTTP setting? I wasn't able to find a way to get those keys, and there is another post saying "tailscale cert" doesn't work, and it doesn't for me either, so it's a dead end.
Perhaps there is a way to run HA in both HTTPS and non-HTTPS? HTTPS would be used locally; non-HTTPS would be used for the Tailscale proxy, but the network is always HTTPS through Tailscale.
I prefer not to open the host to the world and access the Tailscale domain from the local network, as it's less secure.
Certificates needed for HTTPS only validate the hostname and not the IP, so you need to connect to a URL with a hostname.
DuckDNS will only point to your public IP address, so the certificate for DuckDNS will be for the hostname of that public IP address.
This means that if you want to use the DuckDNS name internally, you need to set up split DNS and overload the DuckDNS domain internally.
Overloading the DuckDNS domain will cause issues with contacting the real DuckDNS domain, and you need that to update the public IP address, so it will have to be a partial overload internally, and then you end up in some management mess.
The simple solution is to get your own domain and register it with a DynDNS service that provides DNS challenges for Let's Encrypt.
This will give you a domain name that can be used internally without causing issues externally.
Thank you for your response
I don't want to expose my HA instance to the internet because of the security risks it exposes me to, so I prefer not to have my own domain.
Using Tailscale allows me to access my HA instance from my phone using the Tailscale app, and I can use the Home Assistant app and get notifications. However, it means that logging in from inside the network forces me to use HTTP / plain text, and the data is insecure.
My HA is not exposed to the internet at all.
It is behind a private VPN connection.
Certificates can still work internally without opening up to the internet.
Let's Encrypt can start up an HTTP service just for renewing the certificate, but you can also choose a provider that supports DNS challenges for Let's Encrypt.
If you just leave the certificate for Tailscale as is, then you only need a certificate for the internal network, and because the internal network is controlled by you, you can skip the DynDNS setup.
I use this setup and use Cloudflare for my public DNS, with only the 2 standard name servers provided by Cloudflare as the only entries in the domain. This is just to show that the domain is registered publicly, so I can use Let's Encrypt and DNS challenges.
Internally I have my own DNS service where all hosts are registered under the same domain as the one registered with Cloudflare, which means I can use the Let's Encrypt certificate internally.
Your router might do it.
Mine can take the DHCP-listed names, add them to DNS, and then append a default domain name to them.
Regarding the domain name, Cloudflare probably needs to handle it, but you do not have to buy it through Cloudflare. You can just move it after having purchased it.
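The two replies above turn on the same two mechanisms: how a client matches the name in the URL against a certificate's subjectAltName list (so a Let's Encrypt certificate for a DuckDNS name can never satisfy a Tailscale name or a 100.x address), and how split-horizon DNS lets the same name resolve to a LAN address inside and to nothing (or the public address) outside. The following is an added example modelling both, written for this edit and not code from any poster or from Home Assistant, Tailscale or DuckDNS. Everything in it is constructed for illustration: the `example.com` domain, the `myha.duckdns.org` and `ha.tail1234.ts.net` names, the `100.64.0.10` and `203.0.113.5` addresses, and the dnsmasq-style lease lines that stand in for the router's DHCP table. The matcher follows the usual RFC 6125 rules (case-insensitive, wildcard only as the whole leftmost label covering exactly one label, IP literals only against IP SANs).

```python
"""Split-horizon DNS from DHCP leases plus certificate hostname matching (added example)."""
import ipaddress
from typing import Dict, List, Optional, Tuple

SAN = Tuple[str, str]  # ("DNS", "ha.example.com") or ("IP", "192.168.1.10")

# Constructed dnsmasq-style leases: "<expiry> <mac> <ip> <hostname> <client-id>".
# A "*" hostname means the client sent none, so it gets no DNS record.
LEASES = """\
1700000000 aa:bb:cc:dd:ee:01 192.168.1.10 ha 01:aa:bb:cc:dd:ee:01
1700000000 aa:bb:cc:dd:ee:02 192.168.1.20 nas *
1700000000 aa:bb:cc:dd:ee:03 192.168.1.30 * *
"""


def records_from_leases(leases: str, default_domain: str) -> Dict[str, str]:
    """What the router in the second reply does: DHCP name + default domain -> LAN IP."""
    records: Dict[str, str] = {}
    for line in leases.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[3] == "*":
            continue
        records[f"{fields[3]}.{default_domain}".lower()] = fields[2]
    return records


class SplitHorizonResolver:
    """Inside the LAN, internal records win; outside, only the public zone is visible."""

    def __init__(self, internal: Dict[str, str], public: Dict[str, str]) -> None:
        self.internal = {k.lower(): v for k, v in internal.items()}
        self.public = {k.lower(): v for k, v in public.items()}

    def resolve(self, name: str, inside_lan: bool) -> Optional[str]:
        name = name.lower().rstrip(".")
        if inside_lan and name in self.internal:
            return self.internal[name]
        return self.public.get(name)


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive; a wildcard must be the whole leftmost label and covers one label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if "*" not in pattern:
        return pattern == hostname
    p, h = pattern.split("."), hostname.split(".")
    if p[0] != "*" or len(p) < 3 or len(p) != len(h):
        return False
    return p[1:] == h[1:]


def cert_matches_target(san_names: List[SAN], target: str) -> bool:
    """Check the name the user typed against the certificate's subjectAltName entries.
    A literal IP only matches an IP SAN; a DNS SAN never matches a literal IP."""
    try:
        target_ip = ipaddress.ip_address(target)
    except ValueError:
        target_ip = None
    for kind, value in san_names:
        if kind == "IP" and target_ip is not None:
            if ipaddress.ip_address(value) == target_ip:
                return True
        elif kind == "DNS" and target_ip is None and _dns_name_matches(value, target):
            return True
    return False


def connect(resolver: SplitHorizonResolver, san_names: List[SAN],
            target: str, inside_lan: bool) -> Tuple[Optional[str], bool]:
    """Model the client: resolve the URL host, then validate the cert against what was
    typed (never against the resolved address). Returns (ip_reached, cert_ok)."""
    try:
        ipaddress.ip_address(target)
        ip: Optional[str] = target
    except ValueError:
        ip = resolver.resolve(target, inside_lan)
    if ip is None:
        return None, False
    return ip, cert_matches_target(san_names, target)


def scenarios() -> Dict[str, Tuple[Optional[str], bool]]:
    # Option 2 from the question: DuckDNS name + Let's Encrypt cert, reached over Tailscale.
    # The MagicDNS-style peer name and its 100.64.0.0/10 address are assumed values.
    duck_cert = [("DNS", "myha.duckdns.org")]
    duck_public = {"myha.duckdns.org": "203.0.113.5", "ha.tail1234.ts.net": "100.64.0.10"}
    duck_plain = SplitHorizonResolver(internal={}, public=duck_public)
    # First reply: override the DuckDNS name internally so the LE cert is valid on the LAN.
    duck_split = SplitHorizonResolver(internal={"myha.duckdns.org": "192.168.1.10"},
                                      public=duck_public)
    # Second reply: own domain, DNS-challenge cert, no public A record at all, and
    # internal names generated from the DHCP leases under that same domain.
    own_cert = [("DNS", "ha.example.com")]
    own_dns = SplitHorizonResolver(internal=records_from_leases(LEASES, "example.com"),
                                   public={})
    return {
        "duckdns via tailscale name": connect(duck_plain, duck_cert, "ha.tail1234.ts.net", False),
        "duckdns via tailscale ip": connect(duck_plain, duck_cert, "100.64.0.10", False),
        "duckdns via public name": connect(duck_plain, duck_cert, "myha.duckdns.org", False),
        "duckdns split dns inside lan": connect(duck_split, duck_cert, "myha.duckdns.org", True),
        "own domain inside lan": connect(own_dns, own_cert, "ha.example.com", True),
        "own domain from internet": connect(own_dns, own_cert, "ha.example.com", False),
    }


if __name__ == "__main__":
    for name, (ip, ok) in scenarios().items():
        print(f"{name:30s} -> {ip or 'no answer':14s} cert {'OK' if ok else 'MISMATCH'}")
```

Running it shows why the Home Assistant app complains in Option 2: the client validates the certificate against the name or address it was given, so the DuckDNS certificate is rejected for both the Tailscale name and the 100.x address, while the same certificate is accepted once the DuckDNS name is answered internally with the LAN address (the first reply's split DNS) or once the host carries a name under a domain you control that has no public A record at all (the second reply's setup).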