Local HTTPS for SSL/TLS

Greetings all,

I have my HA implementation chugging along splendidly. I have remote access configured via a NabuCasa subscription however my question was geared toward having local network SSL/TLS.

Searching the internet and more specifically the forums has left me without a clear answer on how, or even if, it is possible to run local SSL/TLS for my browsers and mobile apps when on my home network.

Is the only real solution to abandon NabuCasa and roll my own remote access to handle the certs that way?

Any insight you all can provide is greatly appreciated.

Yes you can.

The “gotcha” is that the SSL has to be from a legitimate issuer, trusted by all your devices, and has to be for the hostname you’re using to connect to the host with.

There are various ways you can solve this, but if you have any Google Cast devices then you will require your router to support NAT reflection (or you’re going to have to have a setup that allows you block access to Google’s DNS servers at the IP level).

My suggestion would be:

  • LetsEncrypt or your chosen SSL provider
  • DuckDNS or any other suitable DNS service
  • Local DNS server that can also resolve your hostname to the LAN IP
  • A proxy server to handle the SSL (so that while working on this you don’t break anything)

You can leave NC running if you want.


Thanks for the input!

I think I’m just going to access my HA instance exclusively through NC. My browsers, my mobile apps, etc will just run through NC whether I’m on my local network or not.

Thanks for the help!

Thanks, this helped me a lot! I already used LetsEncrypt + DuckDNS + AdGuard Home and the missing piece was a local DNS server. I found out about AdGuard Home’s DNS rewrites and it worked perfectly.

Hello, do you mind expanding how you configured the DNS rewrite in AGH?

I’m trying to achieve the same thing (local HTTPS) but I’m using Wireguard + AGH instead of DuckDNS + LetsEncrypt + AGH.


Hey sure!

  1. Open the AdGuard add-on web UI
  2. Go to Filters → DNS Rewrites
  3. Add an entry for “your.ha.domain.com” to your HA IP on your home network, like 192.168.1.111

Quick question for you - I’m trying to set up local SSL for my Home Assistant server that runs in an IoT VLAN (and 2-way communications to other VLANs on the network isn’t allowed) and I’m trying to determine if I’ll need a proxy manager on each host that needs this solution, a single proxy manager in each VLAN to serve all the hosts on that subnet (in this case, it would be the HomeAssistant server for the IoT VLAN) or a central proxy manager for all VLANs and then I pipe traffic to/from it, accordingly.

I’d also like to enable this local HTTPS/SSL solution for my Unifi management server that sits in another VLAN (and won’t be able to talk to the HA server in the IoT VLAN) so I’m trying to figure out just how many proxy servers I’m going to need and if I need to be prepared to install a proxy server on each and every host needing this functionality or if there is a better way.

Thank you!

Adding all those proxy servers sounds very complex. I’m not sure why you’d want to do that?

Set up a DNS server and do that instead.

DNSMasq is a free add-on to Home Assistant that can do this quite easily.

At most you need one proxy server (per subnet hosting services you want protected by SSL) - if you want to use proxies. The proxy handles the SSL for the service you’re protecting with SSL, not the clients.

I’m not sure I understand what you’re trying to do though, it sounds like you’ve got an overly complicated setup.


@Tinkerer - that answers my question - thank you!

I have a local DNS server, I have the registered domain and I can get the required certificates - I just didn’t understand what the high-level architecture for the Proxy was supposed to look like. Many of the tutorials on YouTube talk about the Proxy like it is locally-installed on the device running the service being proxied for, so I was fearful I’d have to be running proxies everywhere I wanted to utilize this functionality.

My setup isn’t very complex - I run a few different VLANs on my home network (one for security cameras, one for IoT devices, one for sandbox devices) and I firewall them all off from each other. This is my first foray into the Proxy setup (and my first Home Assistant install, as well) so I was getting stumped on an assumption that I didn’t know was valid or not.

Thank you!

That’s typically the case on small setups, just for ease of use. Larger setups and commercial deployments typically run centralised proxy servers.

The flip side is that communication is (usually) only encrypted between the client and the proxy, and not the proxy and the service. There are ways of dealing with that, but running the proxy on the same host as the service is the simplest way.