Local pages not secure

My Supervised HA has been loading pages securely from day 1 over 18 months ago just using the default 8123 port and inbuilt config. I.e. I knew nothing about security certificates and had not done anything beyond initial default config. I would enter the local IP address in any browser and the pages would load securely.
A few days ago I wanted to make a small change to an ESPHome device yaml file but the file would not install as it could not find the device wifi IP address despite HA controlling the device ok.
(Error resolving IP address: Cannot start mDNS sockets, is this a docker container without host network mode?, [Errno -5] No address associated with hostname)
Rather confused at this point as I did not (and still don’t) know what had changed.
After trying a few things with HA re-starts in between I decided to reboot the host Raspi4.
Out of the blue, browser pages would not load securely! I would have to enter https://192.168.1.29:8123 to get the page to load at all and it then alerts that the page is not secure. If I recall correctly the message was Certificate not valid.
After a bit of research I decided that maybe my certificates had expired. I tried refreshing through an unused DuckDNS addon but could not get anything to refresh. I decided to uninstall the addon and re-install it, and found from the log that the certificates had now been refreshed, but I had to copy them to the /ssl/ folder from the /etc/letsencrypt folder location. I also changed what was probably an incorrect port forward so that ports 80 and 443 would forward to 8123 for this local IP address.
On re-starting I could get a secure page using mydomain.duckdns.org but still have no secure local page loading.
My Grafana charts also report
“Unable to load iframes pointing at websites using http: if Home Assistant is served over https:.”

In configuration.yaml I have

http:
  base_url: https://192.168.1.29
  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem
  ip_ban_enabled: true
  login_attempts_threshold: 5  

On security certificates I remain a noob and would seek some help getting back to what was reliable local page loading.
TIA

I have learnt some more by restoring a backup in which configuration.yaml has the http integration lines commented OUT.

# http:
#   base_url: https://192.168.1.29
#   ssl_certificate: /ssl/fullchain.pem

and then I can get a page to load with http://192.168.1.29:8123 or just 192.168.1.29:8123, but it is still not secure. In this state the Grafana chart pages load correctly. The duckdns.org address understandably does not load. An address using https:// does not load at all.
So the question now is: can a certificate be generated that secures the local IP address and the duckdns.org address? If not, what is the next option so that both addresses are secure?
Thanks

Let me try to summarize:

  1. You have a duckdns domain
  2. When on your LAN you use the IP address
  3. You have an SSL certificate you got from the Let’s Encrypt addon
  4. You forward ports 80 and 443 to 8123 which is where HA is listening and serving up that certificate

So first of all let’s talk about this:

Am I correct in assuming what was there before was 443 was set to forward to 8123 and 80 was set to forward to 80? You’re probably going to want to revert the change you made to 80. By default the Let’s Encrypt addon requires you to forward port 80 to it since that’s how the http challenge works when you request a certificate. And you can’t use a dns-type challenge with a duckdns domain.

This sounds impossible so you’re going to have to explain it. It’s not possible to get a Let’s Encrypt certificate for an IP address. You can get one for a domain name (like a duckdns domain) but not an IP address. Especially not a local IP address like 192.168.1.29. You can generate a self-signed certificate that is valid for an IP address but it doesn’t seem like you did that.

So please clarify what you mean here. “Securely” means when you visit https://192.168.1.92:8123 in the browser you do not get a warning screen about the certificate requiring you to click “Proceed anyway at your own risk” to get to the site. It means there is no warning screen and in the URL bar you see a lock icon to the left of the url that when you click on it simply says “connection secure”. So do you mean securely or do you just mean “it works once I tell it to ignore the warning”?

No, not really. You can generate a self-signed one that does this but then you’ll see warnings everywhere anyway since no client will trust self-signed certificates. Kinda defeats the point.

Generally the recommended practice is this:

  1. Set up a reverse proxy. The NGinx SSL proxy should be fine.
  2. Tell your reverse proxy to send requests for your duckdns to Home Assistant (the add-on makes this trivial, other reverse proxy options will require additional configuration)
  3. Change the port forwarding on your router so 443 forwards to whatever port the reverse proxy is listening on, not 8123
  4. Set your reverse proxy to use the Let’s Encrypt certificate
  5. Remove all SSL configuration from HA

Then what happens is this:

  • Outside your wifi you get to HA using https://mydomain.duckdns.org. This is secure, works great, it transparently goes through your reverse proxy to make it happen.
  • Inside your wifi you get to HA using http://192.168.1.29:8123. This is insecure but it’s also only visible to people on your wifi network so that’s probably ok.

If you really need true https secure traffic within your wifi network you can do it but it’s significantly more complicated. I can help you if you want but just be aware it’s a lot more involved. Step 1 is buying your own domain instead of using a duckdns one.


Thanks so much for your detailed reply.
So I was chasing shadows expecting to load local pages securely. I don’t have any special needs requiring this so will chalk that up to experience and learning.
Looks like I need to set up the nginx addon and re-do my port forwards.

Hey, sorry to bump a year-old thread, but true https secure traffic within my local network is exactly what I’m trying to figure out right now, and this thread is the best lead I’ve found so far. Mike, would you still have the time and inclination to provide some guidance on that, if to someone other than the OP? No problem if not.

I forget whether I found this guide before or after I posted that but I would recommend following this:

It’s for vaultwarden but really the steps are the same.

They show using Caddy 2 as the reverse proxy because it’s very simple to set up with just a few lines of config. You can do that too if you want, there is a caddy 2 addon. But you might find it easier to get set up with the NGinx Proxy Manager add-on since that is fully GUI configurable and handles getting and renewing certificates as well.

Whatever you pick just replace localhost:8080 with homeassistant:8123 (or whatever port you choose for HA in its http config) in the reverse proxy settings. And if you have anything in the SSL settings of HA under http, remove it. HA should be listening on HTTP, the reverse proxy handles encryption.

If you really don’t want to buy a domain then there’s two other options:

  1. Run a DNS server in your house and ensure every device on your LAN uses it. Then get fully set up for DuckDNS (or the dynamic DNS service of your choice) the normal way. Once you have that all working as an external URL, add a dns rewrite of <dynamic dns url> -> <local IP address of HA> to your DNS server. Then all your devices will stay within your LAN when talking to HA but see a valid cert
  2. Make and use a self-signed certificate. For every device that needs to talk to HA, tell them to trust the certificate or add your self-signed CA you used to sign the cert to their trusted root certificates.
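Editor's note, added example (not posted by anyone in this thread): the script below shows two things the replies above describe in words, in one runnable piece. First, option 2 from the last reply: a private CA and a server certificate whose subjectAltName covers both the LAN IP and the DuckDNS name at once, which is the only way a single certificate can answer the OP's question about securing both addresses (a public CA will not issue for 192.168.1.29). Second, the recommended layout from the earlier reply: an nginx server block that terminates TLS and proxies plain HTTP to Home Assistant, plus the matching http: fragment for HA, which must trust the proxy so ip_ban sees the real client address instead of banning the proxy. Everything here is an assumption for illustration: the output directory ./lan-pki, the upstream name homeassistant:8123, the 172.30.33.0/24 add-on subnet, the 825-day leaf lifetime, and the IP and domain borrowed from the thread. With the Let's Encrypt route, only the two ssl_* paths in the nginx block change; the CA steps are skipped.

```shell
#!/bin/sh
# Added example, not code from the thread or from Home Assistant.
# Builds: a private CA, a leaf cert with SAN = IP + DNS, an nginx TLS front door,
# and the http: fragment HA needs behind a proxy. Requires the openssl CLI.
set -eu

LAN_IP="${LAN_IP:-192.168.1.29}"                 # assumption: OP's LAN address
DDNS_NAME="${DDNS_NAME:-mydomain.duckdns.org}"   # assumption: OP's DuckDNS name
HA_UPSTREAM="${HA_UPSTREAM:-homeassistant:8123}" # assumption: HA on plain HTTP
OUT="${OUT:-./lan-pki}"                          # assumption: where files land

# Private CA + leaf. Browsers match the SAN list, not the CN, and an address
# must be typed as IP: (DNS:192.168.1.29 would be silently useless).
make_lan_pki() {
  mkdir -p "$OUT"
  openssl req -x509 -newkey rsa:3072 -nodes -days 3650 \
    -keyout "$OUT/ca.key" -out "$OUT/ca.crt" \
    -subj "/CN=Home LAN private CA" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes \
    -keyout "$OUT/privkey.pem" -out "$OUT/ha.csr" \
    -subj "/CN=$DDNS_NAME" >/dev/null 2>&1
  printf 'subjectAltName=IP:%s,DNS:%s\nextendedKeyUsage=serverAuth\n' \
    "$LAN_IP" "$DDNS_NAME" > "$OUT/san.ext"
  # Leaf limited to 825 days: longer self-issued certs are rejected by some
  # Apple clients. ca.crt is the trust anchor to import on each device.
  openssl x509 -req -in "$OUT/ha.csr" -CA "$OUT/ca.crt" -CAkey "$OUT/ca.key" \
    -CAcreateserial -days 825 -extfile "$OUT/san.ext" \
    -out "$OUT/fullchain.pem" >/dev/null 2>&1
}

# Prints the SAN line of the issued cert, e.g.
# "IP Address:192.168.1.29, DNS:mydomain.duckdns.org"
cert_sans() {
  openssl x509 -in "$OUT/fullchain.pem" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^[[:space:]]*//'
}

# Exit 0 only if the leaf chains to our CA (what a device trusting ca.crt sees).
verify_chain() {
  openssl verify -CAfile "$OUT/ca.crt" "$OUT/fullchain.pem" >/dev/null 2>&1
}

# nginx: TLS ends here; HA never sees a certificate. The websocket headers are
# required or the HA frontend loads but never updates.
write_nginx_conf() {
  cat > "$OUT/ha.conf" <<EOF
server {
    listen 443 ssl;
    server_name $DDNS_NAME $LAN_IP;
    ssl_certificate     /ssl/fullchain.pem;
    ssl_certificate_key /ssl/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    location / {
        proxy_pass http://$HA_UPSTREAM;
        proxy_http_version 1.1;
        proxy_set_header Upgrade \$http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host \$host;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto \$scheme;
    }
}
EOF
}

# HA side: no ssl_* keys at all. Without trusted_proxies HA refuses proxied
# requests, and ip_ban would otherwise ban the proxy's own address after five
# bad logins from anyone.
write_ha_http_fragment() {
  cat > "$OUT/ha-http.yaml" <<'EOF'
http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 172.30.33.0/24   # assumption: HA OS add-on network; use your proxy's IP
  ip_ban_enabled: true
  login_attempts_threshold: 5
EOF
}

make_lan_pki
write_nginx_conf
write_ha_http_fragment
verify_chain && echo "chain OK: $(cert_sans)"
```

Copy fullchain.pem and privkey.pem to /ssl/ for the proxy add-on, import ca.crt into every phone and laptop that should get a lock icon on https://192.168.1.29, and keep the http: section of configuration.yaml free of ssl_certificate and ssl_key so that HA stays on plain 8123 behind the proxy.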

Brilliant, thank you very much!