Let's Encrypt, best way to secure HA when running as a VM on Synology

Hi all,

I’m running Home Assistant as a virtual machine on my Synology.
I’d like to secure the connection to Home Assistant using Let’s Encrypt.

My setup is as follows:
I own a domain name and have set up the DNS rules there.
I have a Synology running Virtual Machine Manager, and in there I have HA running as a VM.
The Synology itself is using a Let’s Encrypt certificate for a secure connection (so when I’m connecting to the Synology over port 5001, the browser shows that the connection is secure). The certificate is renewed by the Synology itself.

I’d like to do the same for HA.
But I’m running into an issue: with the Let’s Encrypt add-on it’s common that you also use the DuckDNS add-on, and also forward the correct ports, 80 and 443, to the HA internal IP.
I’m already using ports 80 and 443 for other things, and I don’t want to use DuckDNS as I own a domain.

So what is the best way to secure my HA connection?
(When I temporarily forward port 80 to my HA internal IP, I’m able to get a certificate using the add-on, but it’s not working for securing the connection, so something goes wrong here too.)
I hope somebody can help with this setup.

1 Like

Then re-use your existing certificate on HA (configuration.yaml → http: ssl_certificate: / ssl_key:), and forward, e.g., 5002 on your router to 8123 of HA.

Okay, that was easy. With your information and some Googling I came across this:

It was the guide I followed earlier:

Only the path should have been different:
Based on the HTTP integration information:

ssl_certificate string (Optional)

Path to your TLS/SSL certificate to serve Home Assistant over a secure connection. If using the Let’s Encrypt add-on this will be at /ssl/fullchain.pem.
And the same for the key.

So the secure connection is working, both internally and externally over port 8123. The browser shows a lock.

So thanks for helping me out!

But I see that the normal unsecured HTTP connection no longer works. Is this correct?

The other thing is still how to automatically update the certificate without ports 80/443?

Yes, it’s one or the other.

You mean copying from synology to HA? Up to you, really. This is very much dependent on your setup… SSH, Samba, …

Yes, it’s one or the other.
Understood!

Maybe I didn’t make it clear:
The certificate is valid for 90 days, so I have to run the add-on every 90 days for a new certificate.
So the renewal process has to be automated, but this also requires port 80 to be forwarded to my internal HA IP (but I’m using 80 for something else already, and I don’t want to swap IPs for this port forwarding every 90 days for the renewal of the certificate).
There has to be a better way to do this.

Oh, OK. I thought you just copied your existing Synology certificate over to HA, as I suggested.
That’d be the “better way”, IMO, or at least the simplest.

Can another port be used for getting the certificate? Now it’s port 80, but if something else could work that would be great. An automation that runs every 90 days to automatically run the Let’s Encrypt add-on would do the trick (or based on the certificate expiry date, minus a couple of days).

That is a Let’s Encrypt thing, and no, I don’t think you can use another port.
Let’s Encrypt also supports the “DNS” way of certifying you own the domain. I think the add-on supports it.
That implies adding a specific “secret” to your DNS (assuming you have access to / manage your domain DNS).

Once again, as you already have a certificate managed by your Synology, the easiest path is to copy it over.

I also use the Synology NAS, but run Home Assistant in Docker instead of a VM. Anyway, the way I solved it was by using the built-in reverse proxy solution. An example of how to configure it can be found here: https://mariushosting.com/synology-how-to-use-reverse-proxy/ . Once the reverse proxy is configured you can attach the certificate to it in the Control Panel, which is step 3, which means that you don’t have to export the certificate to Home Assistant.
This also means that most of the HTTPS stuff is configured in the Synology interface and no longer in Home Assistant. Be aware that you still need to add the reverse proxy parts to your configuration.yaml, see: HTTP - Home Assistant

1 Like
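The two approaches the thread settles on, written out as an added `configuration.yaml` example (not from any poster or from the Home Assistant docs): HA terminating TLS itself with a copied certificate, or the Synology reverse proxy terminating TLS in front of HA. The `/ssl/privkey.pem` key path and the `192.168.1.10` proxy address are assumptions; `/ssl/fullchain.pem` comes from the thread.

```yaml
# Added example, not from the thread. Use exactly ONE of the two "http:" blocks;
# the key may only appear once in configuration.yaml.

# --- Option A: HA serves HTTPS directly on 8123 (router forwards e.g. 5002 -> 8123) ---
# Certificate copied from the Synology (or written by the Let's Encrypt add-on).
http:
  ssl_certificate: /ssl/fullchain.pem   # path quoted in the thread
  ssl_key: /ssl/privkey.pem             # assumption: add-on's key file name
  # Caveat from the thread: once these are set, plain http://<ha-ip>:8123 no
  # longer answers ("it's one or the other"), and the files must be refreshed
  # before the 90-day expiry, e.g. by copying them again from the Synology.

# --- Option B: Synology reverse proxy terminates TLS, forwards to HA on plain 8123 ---
# The NAS holds and renews the certificate; HA itself listens on HTTP only.
# Only the proxy's own address goes in trusted_proxies: listing 0.0.0.0/0 lets
# any client spoof X-Forwarded-For, which feeds HA's IP-ban and login logic.
# http:
#   use_x_forwarded_for: true
#   trusted_proxies:
#     - 192.168.1.10        # constructed: LAN address of the Synology NAS
#   # Do not forward 8123 to the internet in this setup; external clients
#   # must enter through the Synology (443/5001), never through HA directly.
```

With Option B, if `trusted_proxies` is missing or wrong, HA rejects the proxied requests, so test from the LAN first via the reverse proxy hostname rather than the raw IP.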