How to manually set SSL certificates?

My question in short: How can I set the SSL certificates that Home Assistant OS uses?

In longer:

I am running Home Assistant OS on a Raspberry Pi. My domain setup is a bit complicated: I use DuckDNS in order to get a subdomain name, let’s say it is example.duckdns.org.

My domain provider allows me to edit the nameserver (but sadly I cannot use Let’s Encrypt with the DNS challenge), so I set a CNAME entry to have a subdomain of my own domain point to example.duckdns.org, let’s call it: myserver.example.org.

That is the reason why I cannot simply use the DuckDNS integration: I do not want an SSL certificate for example.duckdns.org, I want an SSL certificate for myserver.example.org.

For various other things, I have a local server running that obtains Let’s-Encrypt certificates for various other subdomains, and that works fine. I have set it up to also obtain an SSL certificate for myserver.example.com, and that also works fine.

Now, Home Assistant OS is running on a different machine.

How can I make it use these certificates? Can I copy them somewhere where they are found?

I find nothing on this in the documentation; it just says “use the DuckDNS add-on”…

Alright, I found it. Basically: You need to tell Home Assistant in configuration.yaml in the http: section, like this:


http:
  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem

Then, I installed the SSH add-on, and on my main server I set up a routine that copies the SSL certificates over to Home Assistant via SCP, like this:

# USER@HA_HOST is a placeholder (the host in the original post was lost); copies both files that configuration.yaml points at
scp -i /path/to/private_key /etc/letsencrypt/live/myserver.example.org/{fullchain,privkey}.pem USER@HA_HOST:/ssl/

It seems if you update the cert in this manner you still need to restart the web server associated with HA to get the updated information read. Did you do something like “ha core restart” or something else?

Yes, you are right! I found that out later.

Unfortunately, since my issue is that the server obtaining the SSL certificates is not running on the machine that home assistant runs on, I cannot just issue the shell command “ha”, I need to do it remotely.

Originally, I tried to use ssh to send the “ha core restart” command. Turns out: You cannot just do it like that. You have to specify the “Supervisor token” in your ssh request or the command will fail. This appears to be a security feature.

While it is possible to get ahold of this supervisor token (it’s available inside a terminal session on the home assistant), it appears to be changed with every restart of the home assistant instance, so using it in a script on my server turned out not to be a functional way, because after a restart of the home assistant, the token will no longer be valid and the command will fail to restart ha.

I did, however, find a way: Using the REST api (see REST API | Home Assistant Developer Docs). As far as I can tell, this is also the recommended way of doing this, so I recommend using this.

If you issue an HTTP(S) request to your home assistant instance under the api sub-key, like this:

http://your.homeassistant.tld:8123/api/...

you can access various functions, and especially all services. From the command line/in a bash script on my server, I now do the following:

  curl -X POST \
    -H "Authorization: Bearer *LLA-TOKEN*" \
    -H "Content-Type: application/json" \
    https://your.homeassistant.tld:8123/api/services/homeassistant/restart

As you can see, you also need a token (where “LLA-Token” is), but this is a persistent one, it is a “long-lived access token”, and you can easily get one of these via the home assistant web gui - follow this manual here: Authentication - Home Assistant

Hope that helps!
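Putting the two halves of the procedure together (the scp copy from the earlier reply and the REST restart from this one) as an added script that is not from the thread: it copies fullchain.pem and privkey.pem, restarts Core through the API only when the certificate actually changed, and reads the long-lived token from a file instead of embedding it in the command. Assumed: HA_HOST, SSH_KEY, TOKEN_FILE and STATE_FILE are placeholders to set before use.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): push a renewed certificate to Home Assistant OS
# and restart Core via the REST API, but only when the certificate actually changed.
set -eu

LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live/myserver.example.org}"  # certbot output dir
HA_HOST="${HA_HOST:-}"                       # assumed: hostname of the HA box (set before use)
SSH_KEY="${SSH_KEY:-/path/to/private_key}"   # key authorised in the SSH add-on
TOKEN_FILE="${TOKEN_FILE:-/etc/ha-deploy/token}"  # long-lived access token, mode 0600
STATE_FILE="${STATE_FILE:-/var/lib/ha-deploy/last-cert.sha256}"  # digest deployed last time

# SHA-256 of a PEM file; used as the "has the cert changed" fingerprint.
cert_digest() { sha256sum "$1" | cut -d' ' -f1; }

# Returns 0 (true) when the certificate differs from the one recorded in the state file.
cert_changed() {
  local cert="$1" state="$2"
  [ -f "$state" ] || return 0
  [ "$(cert_digest "$cert")" != "$(cat "$state")" ]
}

# Copy both files that the http: section of configuration.yaml points at.
deploy_cert() {
  scp -i "$SSH_KEY" "$LIVE_DIR/fullchain.pem" "$LIVE_DIR/privkey.pem" "root@${HA_HOST}:/ssl/"
}

# POST /api/services/homeassistant/restart. The Authorization header is fed to curl
# through a config file on stdin so the token never appears in the process list.
restart_ha() {
  local status
  status=$(printf 'header = "Authorization: Bearer %s"\n' "$(cat "$TOKEN_FILE")" |
    curl -sS -K - -o /dev/null -w '%{http_code}' -X POST \
      -H "Content-Type: application/json" \
      "https://${HA_HOST}:8123/api/services/homeassistant/restart")
  [ "$status" = "200" ]
}

main() {
  if ! cert_changed "$LIVE_DIR/fullchain.pem" "$STATE_FILE"; then
    echo "certificate unchanged; no copy or restart needed"
    return 0
  fi
  deploy_cert
  restart_ha
  mkdir -p "$(dirname "$STATE_FILE")"
  cert_digest "$LIVE_DIR/fullchain.pem" > "$STATE_FILE"
}
# Only run the deployment when a host is configured (keeps the functions testable).
if [ -n "$HA_HOST" ]; then main; fi
```

Run it from the certbot deploy hook (or a cron job) on the server that renews the certificate; the state file stops it from restarting Home Assistant on every run.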

Thanks for the information, it’s very helpful. I run the supervisor version of HA on armbian which gives a lot more control over scripting on the HA box. At this point I’m running a script outside of HA, but still on the HA controller hardware to update the letsencrypt cert. I generate a wildcard cert, update HA and then push it to three other servers I have running on my home network. This enables the HA companion app to display the GUI for these services within a web card. Once you move HA to ssl any service you integrate with a web card also has to use ssl. It kind of makes things a pain.

I really wish on HA you could just restart the web interface, without restarting core. On the other three servers I have I just restart apache or tomcat. It’s the way all other products work. Not sure why HA doesn’t do something similar. It would be great if rest API had a restart-web command. It would also be great if I could tunnel the companion App access to other home services presented in the web card across nabu casa. Maybe some day. Once again thanks for the additional information.

Now I’m on to building a whole home audio system. I needed this wildcard cert stuff working so I can provide direct access to the mopidy interface within HA. That’s another thing that I find surprising about HA is that there is a very limited integrated capability for controlling a media player. I figure after basic light control and home security the next item a smart home should have complete control over is your home Audio and Visual services. There’s plenty of room for growth in the AV area for HA. Take care.