Method to add a real certificate when you don't want your HA instance exposed to the internet?

I want to be able to use the Android HA app (vs. having to use a web browser to access HA). However, I currently can’t use the App because I don’t have a “real certificate” installed. So because I want to maintain some basic security and I want encryption on all connections to my local networks (HA instance), I’m currently using a self-signed certificate. The end result is I can’t use the Android App since it will not work with a self-signed cert. (Which I can’t say I completely understand the logic behind the decision to not allow them with the App.)

My Home Assistant instance is only exposed to my internal network, which overall is much safer in the long run and much preferred. Currently if I need to get to it from outside my home network, I come in via my VPN.

Is there a way to install a real certificate (Let’s Encrypt for example), without having to expose my HA instance to the world? I can set up port forwarding but don’t want my HA exposed at all. Preferably some solution that is not crazy complicated to set up and maintain. (I already own my own domain name that I could use for this and have a DDNS setup that can point to it.)

I’ve looked for a solution but haven’t found anything that looks like a good way to do this. Or am I missing something obvious? Can this be done (without jumping through too many hoops)?

I also have to wonder if I’m the only person that doesn’t want my HA instance exposed to the world?

Set up your router to ‘spoof’ your domain name, and use Let’s Encrypt to generate your domain certificate…

Maybe hairpin NAT would also work (just not sure if you need the outside port forwarded for the hairpin to work).

What aceindy showed works great, I’ve done it before.

That being said it does involve running your own DNS server and using it for every device on your network that needs to talk to HA. Or having a router with a built-in DNS server and the ability to add custom routes. If you don’t have that and don’t want to set it up you can find an alternative approach here:

I know that is for Vaultwarden but really it applies to anything. You can also simplify it a bit for HA since you can use the Let’s Encrypt addon instead of setting up Caddy. Just configure the options in the addon to use the Cloudflare DNS challenge instead of the standard HTTP challenge (since that only works if HA is publicly accessible).

Caveat though - this approach isn’t free. Step one is purchase a personal domain. If you already have one then that’s not an issue. If you don’t then I guess factor that cost into your decision.

I used to use Certbot on Windows, and then have any new certificate copied to a Samba share (Task Scheduler). Worked great.

Just don’t need it anymore, as I use the Let’s Encrypt addon with hairpin now…

PS, I also have my own domain, recently moved it to TransIP, as my previous provider wasn’t supported by Let’s Encrypt… turns out TransIP is cheaper too… win-win :yum:

Btw, there is also a DNS server addon available for HA: dnsmasq :wink:

You don’t need a certificate to use the companion app.

@nickrout We know, but that is what he asked for…

If it’s on a local network, what would encryption do?

Since I’m dealing with an IoT VLAN… with a ton of devices from many different sources… an encrypted connection IS important. I personally don’t trust devices to not “phone home” any information they might see on that network. I block them from my main network but they need access to the HA instance. As does the main, more secure VLAN. It’s a better practice.

Unencrypted is just a bad idea all around. Anytime you can encrypt… You should.


AFAIK WiFi is encrypted if you have a password already.

From a quick search, it sounds like you can’t easily snoop on other devices’ traffic without doing something like arp poisoning.

Search more. And if that fails then search specifically for wireshark and give it a try.

On the same VLAN there are ways to see the traffic. And again, if you can encrypt, you should.


While wireless can and should be encrypted, things like WPA2 now have security issues and are being phased out, heading towards WPA3. But a lot of older devices can’t support WPA3, so they are forced to use the older, no longer secure WPA2.

Most IoT devices won’t do WPA3.

Given your requirements why not create your own internal Certificate Authority and issue your own certificate? Adding a root CA to Windows/Linux/Android is pretty simple these days. No need for the hassle of 90 day certificate expiration.

That is an interesting idea. Never went down this road.

Any idea how difficult this process is to do? I’ve installed certs, don’t typically do much with cert authorities.

Not difficult if you have openssl installed. Here’s an article that steps through the process.

How to Create Your Own SSL Certificate Authority for Local HTTPS Development (deliciousbrains.com)
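As an added illustration of the private-CA route suggested above (this is example code added here, not code from the linked article or from Home Assistant), the following POSIX shell script creates a root CA with openssl and signs a server certificate for HA. The hostname ha.home.lan, the IP 192.168.1.10 and the output directory ./local-ca are assumptions; substitute your own.

```shell
#!/bin/sh
# Added example (not from the thread or the linked article): a private root CA
# plus a server certificate for HA, using only openssl.
# Assumed names: host ha.home.lan, IP 192.168.1.10, output dir ./local-ca.

make_local_ca() {
  dir="${1:-./local-ca}"
  host="${2:-ha.home.lan}"
  ip="${3:-192.168.1.10}"
  mkdir -p "$dir"

  # Minimal openssl config so the result does not depend on the system default.
  # v3_ca marks the root as a CA that may only sign certificates and CRLs.
  cat > "$dir/ca.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

  # 1. Root CA: private key (keep it offline) and a 10-year self-signed cert.
  openssl genrsa -out "$dir/ca.key" 4096 2>/dev/null
  chmod 600 "$dir/ca.key"
  openssl req -x509 -new -key "$dir/ca.key" -sha256 -days 3650 \
    -config "$dir/ca.cnf" -extensions v3_ca \
    -subj "/CN=Home Private Root CA" -out "$dir/ca.crt"

  # 2. Server key and CSR for the HA host.
  openssl genrsa -out "$dir/$host.key" 2048 2>/dev/null
  chmod 600 "$dir/$host.key"
  openssl req -new -key "$dir/$host.key" -config "$dir/ca.cnf" \
    -subj "/CN=$host" -out "$dir/$host.csr"

  # 3. Leaf extensions: CA:FALSE so it cannot mint further certs, serverAuth
  #    only, and a SAN carrying both name and IP (browsers and Android match
  #    the SAN, not the CN).
  cat > "$dir/$host.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host,IP:$ip
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
EOF

  # 4. Sign the CSR with the CA; one year is plenty for a LAN-only cert.
  openssl x509 -req -in "$dir/$host.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$dir/$host.ext" \
    -out "$dir/$host.crt" 2>/dev/null
}

# Check the result the way a client will: the leaf must chain to ca.crt and
# its SAN must contain the hostname you will type into the app.
verify_local_ca() {
  dir="${1:-./local-ca}"
  host="${2:-ha.home.lan}"
  openssl verify -CAfile "$dir/ca.crt" "$dir/$host.crt" >/dev/null 2>&1 &&
    openssl x509 -in "$dir/$host.crt" -noout -text | grep -q "DNS:$host"
}
```

Only ca.crt gets imported into each device's trust store; ca.key never leaves the machine that signs. The SAN line is the part most home-made certs get wrong: a certificate with only a CN is rejected by current browsers and by Android even when the CA itself is trusted.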

Just did a quick search. The process doesn’t look all that complicated.

We’ll see how this goes.

Thanks for the suggestion.

If you’re comfortable on the command line then it isn’t tough. But one thing to keep in mind: no device will trust your certificate by default. For each device you want to talk to HA you will have to add your CA certificate as a trusted CA on that device or force them to bypass warning screens about an untrusted certificate. This also isn’t possible on some devices which verify SSL certificates and have no way to upload a new trusted CA certificate.

Just something to keep in mind. If you just want to access HA from computers and phones then you should be fine. Those kinds of devices all have some way to upload and trust new CA certs. But if you have a bunch of IOT devices talking to HA on your LAN then you might run into some issues with a self-signed cert.

Yes… I did consider that, but still good to point out. I also already have a self signed certificate installed. Currently using a web browser to connect to HA and have to deal with that for every device that connects. But to run the App, it can’t be self signed.

In a perfect world… the app allows self-signed, but I don’t see that happening.

You already mentioned you registered your own domain name, so Certbot would work for you for generating your own SSL certificates.
You only need to find some way to automate the re-registration every 90 days, as Let’s Encrypt is only valid for 90 days.
I used to use Task Scheduler on my W10 host, and then copy new certificates to the (Samba) share on my HAOS (VM) machine.
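Tying the DNS-challenge suggestion earlier in the thread to this post's "automate it every 90 days", here is an added example (mine, not the thread's and not Home Assistant's or Certbot's own code) of a Certbot deploy hook in POSIX shell. It assumes the dns-cloudflare Certbot plugin, the hostname ha.example.com, credentials in ~/.secrets/cloudflare.ini, and that HA's ssl directory (the Samba share the post mentions) is mounted at /mnt/ha-ssl; all of those are assumptions, and HA_SSL_DIR is a variable invented for this script.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: certbot with the
# dns-cloudflare plugin, hostname ha.example.com, API token in
# ~/.secrets/cloudflare.ini, HA's ssl share mounted at /mnt/ha-ssl.
#
# Issue/renew without any inbound port: DNS-01 proves control of the zone,
# so ha.example.com may resolve to a private IP or not resolve at all:
#
#   certbot certonly --dns-cloudflare \
#     --dns-cloudflare-credentials ~/.secrets/cloudflare.ini \
#     -d ha.example.com \
#     --deploy-hook /usr/local/bin/deploy-ha-cert.sh
#
# Certbot runs the deploy hook only after a successful (re)issue and exports
# RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/ha.example.com). "certbot renew"
# from cron or a systemd timer reuses the hook, so the 90-day cycle is hands-off.

# Returns 0 if fullchain.pem and privkey.pem in $1 belong together and the
# leaf stays valid for at least $2 more seconds (default one day).
check_cert_pair() {
  lineage="$1"
  min_seconds="${2:-86400}"
  # Compare the public key embedded in the cert with the one derived from the
  # private key; a copy/paste mix-up between lineages fails here, not in HA.
  cert_pub=$(openssl x509 -in "$lineage/fullchain.pem" -noout -pubkey) || return 1
  key_pub=$(openssl pkey -in "$lineage/privkey.pem" -pubout) || return 1
  [ "$cert_pub" = "$key_pub" ] || return 1
  openssl x509 -in "$lineage/fullchain.pem" -noout -checkend "$min_seconds" >/dev/null
}

# Copies the pair into HA's ssl directory atomically (write temp, then rename)
# so HA never reads a half-written key, and keeps the private key 0600.
deploy_to_ha() {
  lineage="$1"
  dest="$2"
  check_cert_pair "$lineage" || { echo "refusing to deploy $lineage" >&2; return 1; }
  mkdir -p "$dest"
  cp "$lineage/fullchain.pem" "$dest/fullchain.pem.tmp"
  cp "$lineage/privkey.pem" "$dest/privkey.pem.tmp"
  chmod 644 "$dest/fullchain.pem.tmp"
  chmod 600 "$dest/privkey.pem.tmp"
  mv "$dest/fullchain.pem.tmp" "$dest/fullchain.pem"
  mv "$dest/privkey.pem.tmp" "$dest/privkey.pem"
}

# When invoked by certbot as the deploy hook, RENEWED_LINEAGE is set.
# HA_SSL_DIR is this script's own (assumed) override for the mount point.
if [ -n "$RENEWED_LINEAGE" ]; then
  deploy_to_ha "$RENEWED_LINEAGE" "${HA_SSL_DIR:-/mnt/ha-ssl}"
fi
```

HA's http section then points at /ssl/fullchain.pem and /ssl/privkey.pem as usual; after a deploy HA still has to reload or restart to pick up the new files, which is the step the nightly automation mentioned later in the thread covers on the add-on route.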

Not exactly. It has to be verifiable, which is different. By default it won’t be; however, you can add your CA cert as a trusted root certificate to the device. Then the app will be able to verify your self-signed certificate and accept it. The process for doing this varies per device but it’s definitely doable. I ran like this for a bit and did it on Macs, an Android and an iPhone. Although once I found out about the local-only Let’s Encrypt approach I switched to that because I found it easier, since everything just worked and I didn’t have to muck with certificates on each device.

Sure that’s an option. Could also just use the Let’s Encrypt addon and make an automation to run it nightly like I do. But depends on your install method.