Letsencrypt Solution starting from Hassbian 1.1 image

I had difficulties setting up Letsencrypt using the Home Assistant Doc called Let’s Encrypt (detailed)
It instructs you to run certbot-auto in the homeassistant user account. The system asks for a password to run
for which there is none by design of the Hassbian configuration. (I may be wrong but) I think the pi account should be used for all installs and running of programs other than “hass”
I ran the same commands in the pi user account and then fixed up the permissions to get hass to run with
ssl_certificate: and ssl_key: added to configuration.yaml

cd /etc/letsencrypt
sudo chown root:homeassistant live
sudo chown root:homeassistant archive
sudo chmod 750 live
sudo chmod 750 archive

I found these permission steps in this Blog, see kuno2001

I was successful accessing Home Assistant over my cellular iPhone LTE (data) service. The iPhone does not permit unsecure connections like https://192.168.1.65:8123 (Chrome on my PC does if you force it.) I don’t want to use my cellular data while at home connected to WIFI so I have commented out the ssl_certificate: and ssl_key: lines and restarted the Home Assistant service. I plan to enable the ssl_certificate: and ssl_key: lines only when on vacation and want to check what’s going on in the house.
If anyone has a more convenient method, please comment.
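The chown/chmod steps above work because of how the kernel walks a path: every directory on the way needs search (x) permission for the caller's class (owner, group, other), the final file needs read (r), and live/ only holds symlinks into archive/, which is why both directories get the same treatment. The following is an added example, not code from the thread or from Hassbian; it applies those rules to a constructed picture of /etc/letsencrypt. The uid/gid numbers, the 0700 "before" modes and the 0644 key file mode are assumptions made for the example, and USERNAME.duckdns.org is the thread's placeholder name.

```python
"""Who can read the key after the chown/chmod steps above? (added example)"""
import posixpath

ROOT = 0
HASS_UID, HASS_GID = 1001, 1001   # homeassistant user / group (assumed ids)
PI_UID, PI_GID = 1000, 1000       # pi user / group (assumed ids)

CERT = "USERNAME.duckdns.org"
PRIVKEY = f"/etc/letsencrypt/live/{CERT}/privkey.pem"


def certbot_tree():
    """Constructed layout: live/ and archive/ root-only, live/ symlinks into archive/."""
    d, f, ln = "dir", "file", "link"
    return {
        "/etc":                                   (d, ROOT, ROOT, 0o755),
        "/etc/letsencrypt":                       (d, ROOT, ROOT, 0o755),
        "/etc/letsencrypt/live":                  (d, ROOT, ROOT, 0o700),
        "/etc/letsencrypt/archive":               (d, ROOT, ROOT, 0o700),
        f"/etc/letsencrypt/live/{CERT}":          (d, ROOT, ROOT, 0o755),
        f"/etc/letsencrypt/live/{CERT}/privkey.pem":   (ln, f"../../archive/{CERT}/privkey1.pem"),
        f"/etc/letsencrypt/live/{CERT}/fullchain.pem": (ln, f"../../archive/{CERT}/fullchain1.pem"),
        f"/etc/letsencrypt/archive/{CERT}":       (d, ROOT, ROOT, 0o755),
        f"/etc/letsencrypt/archive/{CERT}/privkey1.pem":   (f, ROOT, ROOT, 0o644),
        f"/etc/letsencrypt/archive/{CERT}/fullchain1.pem": (f, ROOT, ROOT, 0o644),
    }


def apply_fix(tree, group_gid=HASS_GID):
    """The post's steps: chown root:homeassistant live archive; chmod 750 live archive."""
    fixed = dict(tree)
    for path in ("/etc/letsencrypt/live", "/etc/letsencrypt/archive"):
        kind, uid, _gid, _mode = fixed[path]
        fixed[path] = (kind, uid, group_gid, 0o750)
    return fixed


def _class_bits(uid, gid, mode, caller_uid, caller_gids):
    """The rwx triplet that applies to the caller: owner, else group, else other."""
    if caller_uid == uid:
        return (mode >> 6) & 7
    if gid in caller_gids:
        return (mode >> 3) & 7
    return mode & 7


def can_read(tree, path, caller_uid, caller_gids, _hops=0):
    """True if the caller could open `path` for reading (root bypasses DAC)."""
    if caller_uid == ROOT:
        return True
    if _hops > 8:                       # symlink loop guard
        return False
    parts = path.strip("/").split("/")
    cur = ""
    for i, part in enumerate(parts):
        parent, cur = cur or "/", cur + "/" + part
        entry = tree.get(cur)
        if entry is None:
            return False
        if entry[0] == "link":          # follow relative to the link's own directory
            target = posixpath.normpath(posixpath.join(parent, entry[1]))
            rest = "/".join(parts[i + 1:])
            return can_read(tree, posixpath.join(target, rest) if rest else target,
                            caller_uid, caller_gids, _hops + 1)
        kind, uid, gid, mode = entry
        bits = _class_bits(uid, gid, mode, caller_uid, caller_gids)
        last = i == len(parts) - 1
        if not last and not bits & 1:   # search permission on every directory on the way
            return False
        if last and not bits & 4:       # read permission on the file itself
            return False
    return True


if __name__ == "__main__":
    before, after = certbot_tree(), apply_fix(certbot_tree())
    print("homeassistant before fix:", can_read(before, PRIVKEY, HASS_UID, {HASS_GID}))
    print("homeassistant after fix: ", can_read(after, PRIVKEY, HASS_UID, {HASS_GID}))
    print("pi after fix:            ", can_read(after, PRIVKEY, PI_UID, {PI_GID}))
```

On the real box the same question is answered by `sudo -u homeassistant test -r /etc/letsencrypt/live/<your name>/privkey.pem && echo ok`, which checks readability without printing the key. Note that the 750 mode deliberately leaves the pi user out: only root and members of the homeassistant group can get through live/ and archive/.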

If you do not have a password for hass user you can still use the guide I wrote using either of these methods:

  1. Set a password for the hass user
  2. When switching to the hass user, use the sudo command
$ sudo su -s /bin/bash hass

I’ll add a note to the instructions to cover this use case, thanks for the feedback :thumbsup:

Also, unless your router/ISP does not support loopback, you should still be able to use the secure URL from your WiFi at home as stated in the guide, and leave the SSL enabled all the time.

I did it in a slightly different way by creating an ‘encrypt’ group and adding the users to that group as needed.
I think it’s a bit safer that way, since you can give an account access to the certs without it having access to the homeassistant files.

Fixing this will be dependent on what router you are using and if you can map the external domain name to 192.168.1.65 when you are inside the network.

if you have an Asus RT-N66U you can flash it with asuswrt-merlin and follow the instructions here to rewrite dns lookups to the domain. That way the cert will match the domain name when inside the network.

Another solution would be to add a dns server in your network and use that to map your domain->local ip.

My attempt using a local DNS to solve local access to Home Assistant.

I installed dnsmasq and dnsutils to the Hassbian 1.1 image with partial success.
Added this to /etc/dnsmasq.conf

domain=raspberry.local
resolv-file=/etc/resolv.dnsmasq
min-port=4096
server=8.8.8.8
server=8.8.4.4
cache-size=1000
address=/lan.USERNAME.duckdns.org/192.168.1.65

On my iPhone local wireless connection I setup the DNS to be only 192.168.1.65.
DNS is running because if I stop it I cannot access any WEB page from my iPhone.

From my iPhone (iOS App or Safari) I can get to the Home Assistant login page using
https://lan.USERNAME.duckdns.org:8123
but after I enter my API password it says “Unable to connect”

I also found a “DNS Host Mapping” feature on my ActionTec V1000H DSL modem.
I mapped USERNAME.org to 192.168.1.65 and added the routers IP address to the
list of DNS server in the iPhone wireless setup.
Using
https://USERNAME.org:8123
finds the Home Assistant login page but same “Unable to connect”

There must be something else to do to support an encrypted connection like
sudo apt-get install dnscrypt-proxy ???

Currently, I can only use the Home Assistant iOS app on an external WIFI connection or LTE data.
As soon as I get home and connect to my home WIFI network the iOS app and Safari cannot connect
to Home Assistant. My goal is:

  1. Use the Home Assistant iOS App at home or away with changing settings.
  2. Control Home Assistant entities over my local WIFI even if my DSL modem connection to www is down.

Addendum:
After reading how Letsencrypt works on their web site, I think that one must use an external certificate authority to get an encrypted https connection working. By commenting out the certificate lines in configuration.yaml, I can use the iOS app on my local WIFI with http://USERNAME.org:8123 that I set up on my router using the DNS host mapping feature and putting the router IP address in my iPhone’s DNS list. So a DNS server running on my Raspberry Pi is not needed.
I am not sure whether running a local certificate authority makes any sense?

Encryption itself is not the problem here, you need to be able to reach homeassistant from within the lan using the exact full dns name as you have registered with letsencrypt, so if the certificate is valid for lan.USERNAME.duckdns.org you need to add that to your dnsmasq config.

I’m no expert at this, I used dnsmasq on the router instead, but from what I can see you should use something like this:

/etc/dnsmasq.conf

no-dhcp-interface=
server=8.8.8.8
 
no-hosts
addn-hosts=/etc/dnsmasq.hosts

then in /etc/dnsmasq.hosts

192.168.1.65 lan.USERNAME.duckdns.org

Then make sure the router assigns the dnsmasq server as the dns server.
Test with a ping to lan.USERNAME.duckdns.org, if it pings the correct address from within the lan, then it should work.

More info here: How To: DNS spoofing with a simple DNS server using Dnsmasq - Philipp's Tech Blog
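Chrio's point, that inside the LAN you have to use exactly the name the certificate was issued for, is what a TLS client checks before it will talk to the server: the host part of the URL is compared with the certificate's subjectAltName entries, a wildcard covers exactly one left-most label, and an IP literal in the URL only matches an IP SAN, which Let's Encrypt does not issue. The following is an added example, not code from the thread or from Home Assistant; it implements that comparison so the names tried above can be checked. The SAN list is constructed for the thread's placeholder name.

```python
"""Does the name in the URL match the Let's Encrypt certificate? (added example)"""
import ipaddress

# Constructed: the subjectAltName list of a Let's Encrypt certificate for the
# thread's placeholder name. Let's Encrypt issues DNS names only, no IP SANs.
CERT_SANS = [("DNS", "lan.USERNAME.duckdns.org")]


def _dns_name_matches(pattern, hostname):
    """Exact match, or a wildcard that is the whole left-most label only."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # '*.example.com' covers 'a.example.com' but not 'b.a.example.com' or
    # 'example.com'; partial-label wildcards such as 'f*.example.com' are rejected.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def certificate_matches(sans, url_host):
    """True if url_host (DNS name or IP literal) is covered by the SAN list."""
    try:
        ip = ipaddress.ip_address(url_host.strip("[]"))
    except ValueError:
        ip = None
    for kind, value in sans:
        if ip is not None:
            if kind == "IP" and ipaddress.ip_address(value) == ip:
                return True
        elif kind == "DNS" and _dns_name_matches(value, url_host):
            return True
    return False


def diagnose(sans, url_host):
    """One-line verdict for a URL host against the certificate."""
    if certificate_matches(sans, url_host):
        return f"{url_host}: name matches the certificate"
    covered = ", ".join(v for k, v in sans if k == "DNS") or "(no DNS names)"
    return (f"{url_host}: not in the certificate (it covers {covered}); "
            "a client will refuse the TLS session")


if __name__ == "__main__":
    # The three forms tried in the thread: the registered name, the bare IP,
    # and a name mapped only on the router.
    for host in ("lan.USERNAME.duckdns.org", "192.168.1.65", "USERNAME.org"):
        print(diagnose(CERT_SANS, host))
```

To see which names the certificate actually served by Home Assistant carries, run `openssl s_client -connect 192.168.1.65:8123 -servername lan.USERNAME.duckdns.org </dev/null | openssl x509 -noout -text | grep -A1 'Subject Alternative Name'` from a machine on the LAN; whatever appears there is the only name the phone will accept in the URL, so that is the name the local DNS has to answer for.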

Thanks Chrio for the SOLUTION.
Here are detailed steps for anyone else wanting to use their iPhone on their home WiFi network to control Home Assistant:

DNS for Local WiFi Control of Home Assistant

##Installation
sudo apt-get update

#Install dnsmasq
sudo apt-get install dnsmasq

Install dns diagnostic tools, ie dig

sudo apt-get install dnsutils
##Configuration
# Stop dnsmasq while editing files
sudo service dnsmasq stop

# Added to /etc/dnsmasq.conf
no-dhcp-interface=
server=8.8.8.8
no-hosts
addn-hosts=/etc/dnsmasq.hosts

# Added to new file /etc/dnsmasq.hosts
192.168.1.65 USERNAME.duckdns.org

# 192.168.1.65 is the IP address fixed to my Raspberry Pi
# My username is redacted so replace USERNAME with your own.

# Checks /etc/dnsmasq.conf syntax
dnsmasq --test

# After edits
sudo service dnsmasq restart
#Testing
# Is dnsmasq running?
ps -eaf | grep dnsmasq

# This checks that the domain name is forwarded to your Raspberry Pi
# where Home Assistant is running
# 192.168.1.65 is the IP address fixed to my Raspberry Pi
dig @192.168.1.65 +short USERNAME.duckdns.org
> 192.168.1.65

# This should show fast (< 1 ms) packet return times from
# the IP address fixed to my Raspberry Pi
ping USERNAME.duckdns.org

#Test time for dns to get ip address from a domain name
dig USERNAME.duckdns.org | grep time

#This does it 30 times and calculates an average
for i in {1..30}; do echo USERNAME.duckdns.org; done | xargs -I^ -P10 dig ^ | grep time | awk /time/'{sum+=$4} END { print "Average query = ",sum/NR,"ms"}'

#Local Access from iPhone
Access your WiFi settings for your home wireless connection. (Click circled “i”)
Click on the DHCP tab, then in the DNS row
Copy what you had in case you want to revert.
Replace with:
192.168.1.65,8.8.8.8,8.8.4.4
where 192.168.1.65 is replaced with the IP address fixed to your Raspberry Pi.
The 8.8.8.8,8.8.4.4 are backup DNS from Google in case the Raspberry Pi is down.

#Access in Safari, Chrome, Home Assistant iOS App using
https://USERNAME.duckdns.org:8123

#Goals Discussion

1. Use the Home Assistant iOS App at home or away with changing settings.

Partially Achieved.
I had to add :8123 to the end of the URL but I can leave the encryption lines in the configuration.yaml active. I decided to leave the Home Assistant iOS App set up for away use only since the Safari App works almost as well on my home WiFi network.

2. Control Home Assistant entities over my local WIFI even if my DSL modem connection to www is down.

Achieved.
I can disconnect the phone plug from my DSL Router and still be able to turn my lights ON and OFF from my iPhone. ( https://192.168.1.65:8123/states can be forced to work using the Chrome Browser on a Windows PC but this is not a portable solution.)

More info here: (repeated to be complete)


After I set this up I lose the video feed of my Blue Iris security cameras. I also have them set up for outside access using my duckdns account but obviously using a different port.

Any idea what settings I have to change in my BI camera set up to regain the feed.

this is the yaml entry for the camera (one for example):

- platform: mjpeg
  mjpeg_url: http://MYDNSNAME.duckdns.org:81/mjpg/Droom?user=XXXXX&pw=XXXXXX
  name: Dining Room
  username: !secret cam_user
  password: !secret cam_pw
  authentication: basic

It works as long as I don’t use the DNS redirect on the Pi
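The two dnsmasq fragments posted above (Chrio's addn-hosts form and the address= line from the first attempt), the dig test in the writeup, and the camera problem in the last post all come down to the same rule: a DNS override replaces the answer for a name, for every port, so once the Pi answers for the duckdns name the camera's port 81 request also goes to the Pi instead of to the Blue Iris machine. The following is an added example, not code from the thread or from dnsmasq; it parses both override forms and answers queries the way dnsmasq does (a local override wins, anything else is forwarded upstream). Names and addresses are the thread's placeholders; the camera URL is in the shape of the last post with its credentials removed.

```python
"""Split-horizon answers the way the posted dnsmasq fragments give them. (added example)"""
import re
from urllib.parse import urlsplit

# Constructed: Chrio's dnsmasq.conf fragment plus the address= line from the
# first attempt, so both override forms are present.
DNSMASQ_CONF = """\
no-dhcp-interface=
server=8.8.8.8
no-hosts
addn-hosts=/etc/dnsmasq.hosts
address=/lan.USERNAME.duckdns.org/192.168.1.65
"""

# Constructed: the addn-hosts file from the writeup (IP as stated in its comments).
DNSMASQ_HOSTS = """\
192.168.1.65 USERNAME.duckdns.org
"""


def parse_dnsmasq(conf_text, hosts_text):
    """Return (hosts, address_rules, upstreams).

    hosts:         exact name -> ip; a hosts-file entry matches only that name.
    address_rules: (domain, ip); address=/d/ip matches d and every name under it.
    upstreams:     server= forwarders, in order.
    """
    hosts, address_rules, upstreams = {}, [], []
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        key, _, value = line.partition("=")
        if key == "server" and value:
            upstreams.append(value)
        elif key == "address":
            m = re.fullmatch(r"/([^/]+)/(.+)", value)
            if m:
                address_rules.append((m.group(1).lower().rstrip("."), m.group(2)))
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        for name in fields[1:]:
            hosts[name.lower().rstrip(".")] = fields[0]
    return hosts, address_rules, upstreams


def resolve(name, hosts, address_rules, upstreams):
    """('local', ip) when an override applies, otherwise ('forward', upstream)."""
    name = name.lower().rstrip(".")
    if name in hosts:
        return ("local", hosts[name])
    for domain, ip in address_rules:
        if name == domain or name.endswith("." + domain):
            return ("local", ip)
    return ("forward", upstreams[0] if upstreams else None)


def url_target(url, hosts, address_rules, upstreams):
    """Where a URL's TCP connection goes: DNS overrides a name, never a port."""
    parts = urlsplit(url)
    source, answer = resolve(parts.hostname, hosts, address_rules, upstreams)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return (source, answer, port)


if __name__ == "__main__":
    tables = parse_dnsmasq(DNSMASQ_CONF, DNSMASQ_HOSTS)
    for name in ("USERNAME.duckdns.org", "lan.USERNAME.duckdns.org",
                 "other.USERNAME.duckdns.org", "example.com"):
        print(name, "->", resolve(name, *tables))
    # Constructed camera URL in the shape of the last post, credentials removed:
    # same name as Home Assistant, different port, so it now lands on the Pi.
    print(url_target("http://USERNAME.duckdns.org:81/mjpg/Droom", *tables))
```

Two things the example makes visible: a hosts-file entry answers only for the exact name, whereas address=/domain/ip also answers for everything under that domain; and the override is per name, not per port, so a service that shares the duckdns name but lives on another LAN host will need its own LAN address (or a separate name) in the camera URL once the Pi is the resolver. `dig @192.168.1.65 +short <name>` from the writeup is the live check for the same tables.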