Just didn’t understand how to create the privkey + fullchain pem files. I’m running Hassio, so no direct access to OpenSSL.
I believe that the add on should create the files for you. Double confirm your config in the let’s encrypt add on.
Thank you!
Hi Redfish,
Thanks for the pointer in the right direction. I think I now have DuckDNS configured and working. Below are log files, however I really don’t want to access externally. I just wanted to add https:// to my local address. But I don’t know how to apply to my local 192.168.x.x:8123 via DuckDNS/Let’s Encrypt. Can you guide me on any config or is it supposed to happen automatically?
Net: The whole reason I want to set this up is to use Grocy add-in. Their scanning page requires https://
Thank you in Advance!
# INFO: Using main config file /data/workdir/config
+ Generating account key...
+ Registering account key with ACME server...
+ Fetching account ID...
+ Done!
[15:50:29] INFO: OK
<IP Snip>
NOCHANGE
# INFO: Using main config file /data/workdir/config
+ Creating chain cache directory /data/workdir/chains
Processing <domain>.duckdns.org
+ Creating new directory /data/letsencrypt/<domain>.duckdns.org ...
+ Signing domains...
+ Generating private key...
+ Generating signing request...
+ Requesting new certificate order from CA...
+ Received 1 authorizations URLs from the CA
+ Handling authorization for <domain>.duckdns.org
+ 1 pending challenge(s)
+ Deploying challenge tokens...
OK + Responding to challenge for <domain>.duckdns.org authorization...
+ Challenge is valid!
+ Cleaning challenge tokens...
OK + Requesting certificate...
+ Checking certificate...
+ Done!
+ Creating fullchain.pem...
+ Done!
[15:55:47] INFO: OK
<IP Snip>
So once you have https enabled, in the app you don’t use a local address. You have to always use the Home Assistant URL and leave internal connection as blank. You will always connect over the internet then. Apparently you can make some changes on the router to fix this. Essentially it tells the traffic to your URL to route locally I guess. I have not messed with this.
I enabled https for Grocy as well because I wanted the camera to scan barcodes. To be honest, it is a bit rubbish. I have ordered a barcode scanner and just waiting on delivery. Provided that works well with my little kitchen tablet, I might disable https and go back to using internal address only. I have quite the delay on my Kindle Fire 7 when trying to access and use Grocy via the URL. I suspect this is due to the latency from tablet, to internet, back to HA. It is usable but pretty bad. Could be the tablet, I am not sure. Before I invest in a better tablet, I will try to disable the whole internet thing and see if it speeds up.
OK. First, thank you for your help and fast response. Much appreciated.
I think I have a bit of a hurdle. My DSL provider (Germany) is over IPv6, and I have never been successful exposing/publishing external ports. Believe they try and monetize publishing ports. It hasn’t been a real problem for me as I’m not hosting anything from my home; leave that to cloud apps (Azure), etc.
Thanks for the advice about the bar-code scanner. I would be keen to understand how your testing goes. I’m tempted to buy a dedicated USB scanner, and I believe that requires another add-on to Grocy – Barcode Buddy?
Thanks again, and let’s keep in touch.
From my understanding, Barcode Buddy will pull in data about the barcode in question much like the MyFitnessPal app. But I think it can work to just accurately scan the code and get the number values. Currently I have been manually adding items by barcode. Tedious but it adds the data accurately. Amazon is quite slow on delivery right now and I have been waiting a month for this scanner. It does USB or Bluetooth so should work well with the tablet. That is the hope anyway. Grocy has really helped out in opening my eyes regarding expiration dates and just plain inventory and usage. I quite like it. Worst case, they do have a windows app if the HA just doesn’t work out. But so far it is tolerable. Now my Z-Wave stuff…whole other thread there lol. Good luck.
Hi Redfish,
If you haven’t solved your problem with connecting locally while having ssl certificates configured, maybe this will help:
https://support.google.com/pixelphone/answer/2844832?hl=en&visit_id=637249452706403987-3909602335&rd=1
I was facing the same problem after configuring the ssl certificates, then I converted fullchain.pem to crt, copied it to my mobile, installed the certificate as per the guide and the app connects now.
Thanks, I may try that. I really only added SSL to get camera option in Grocy which is quite terrible. But it is nice to be able to connect on the app from outside the network. Adding the interior connection may help with latency on my kitchen tablet. It is an old Kindle Fire 7 and runs a bit slow connecting to Grocy via the web. Internal connection might help. Might just need to get a new tablet.
I’ve read this and many other posts but I feel the original question is not really answered.
On my PI I’m running HA 2020.12.1 and everything is fine out of the box. The PI is not exposed to the internet and I did not use any DuckDNS. When I switch to ssl, I create my own certificates and change the configuration.yaml file to
# Configure SSL
http:
  ssl_certificate: /config/fullchain.pem
  ssl_key: /config/privkey.pem
Now connecting via ssl through the desktop on the local network works well. Unfortunately, using the mobile app on Android doesn’t work anymore. The mobile browser on the same device works after confirming the self-signed certificate. So what exactly am I missing here?
I’ve followed @winston.s advice and created a .cert file using the command:
openssl x509 -outform der -in fullchain.pem -out ha.crt
Then I downloaded the file ha.crt to my Android 11 device and installed it as CA-Certificate. The HA app still doesn’t connect.
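The checks below are added here as an example and are not taken from any post in this thread. They test two properties of a self-made certificate like the one described above: whether it is marked as a CA (basicConstraints CA:TRUE) and whether its subjectAltName covers the address a client connects to. The name ha.local, the address 192.168.1.10 and the throwaway certificates are constructed sample values, and the helper function names are hypothetical.

```shell
#!/bin/sh
# Added example: inspect a self-made certificate before importing it on a client.
# ha.local and 192.168.1.10 are constructed sample values, not from the thread.

# Succeeds if the certificate is marked as a CA (basicConstraints CA:TRUE).
cert_is_ca() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Succeeds if the certificate is valid for the given DNS name.
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match certificate'
}

# Succeeds if the certificate is valid for the given IP address.
cert_matches_ip() {
    openssl x509 -in "$1" -noout -checkip "$2" | grep -q 'does match certificate'
}

# Build a throwaway self-signed certificate.
# $1 = CA:TRUE or CA:FALSE, $2 = subjectAltName list, $3 = output directory.
make_sample_cert() {
    mkdir -p "$3"
    cat > "$3/req.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = ext
[dn]
CN = ha.local
[ext]
basicConstraints = critical, $1
subjectAltName = $2
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$3/req.cnf" \
        -keyout "$3/privkey.pem" -out "$3/fullchain.pem" 2>/dev/null
}

work=$(mktemp -d)
make_sample_cert "CA:FALSE" "DNS:ha.local" "$work/a"
make_sample_cert "CA:TRUE" "DNS:ha.local, IP:192.168.1.10" "$work/b"
for d in a b; do
    f="$work/$d/fullchain.pem"
    cert_is_ca "$f" && ca=yes || ca=no
    cert_matches_ip "$f" 192.168.1.10 && ip=yes || ip=no
    echo "cert $d: CA=$ca covers-192.168.1.10=$ip"
done
```

Note that `openssl x509` reads only the first certificate in its input file, so converting a multi-certificate fullchain.pem this way exports the leaf certificate alone.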
In my case I had to enable Hairpin (loopback) on port forwarding in my router settings and now it works on my android app locally calling external url.
You can read https://companion.home-assistant.io/docs/troubleshooting/networking/ or look at your router doc
ok so, breaking change to Neato. HTTPS to access Hassio becomes mandatory. I am running HassOs, so need to install Linux virtual machine because no openssl functionality on HassOs.
I eventually got the https working! But then noticed that mobile app doesn’t work anymore. Should I ditch Neato or Mobile, because it appears you can’t have both anymore?
Ok, so I can have both! Installed NGINX Home Assistant SSL proxy addon and configured it on local network. It appears that now the mobile is able to access without need for certificate and Neato integration remains satisfied with HTTPS being enabled. Can’t say it’s pretty on any grounds, but guess that’s how the world intended it to be.
@mota I think the proposed solution (hairpin) will not work if there is no internet connection. That’s because you will need the internet connection to reach the DuckDNS host and solve your real IP address. Is this correct?
this could be an issue in some situations
Thanks in advance,
Luca
How do I copy the fullchain.pem to android?
I used this URL to install on android.
https://support.google.com/pixelphone/answer/2844832?hl=en&visit_id=637249452706403987-3909602335&rd=1
It is stored under ssl in home assistant, but the problem is how can I copy/download it to Android from homeassistant? I can’t find ssl folder in Samba share of homeassistant.
To download files from Homeassistant to Windows using SSH/SCP
- Download WinSCP from WinSCP :: Official Site :: Download
- Install WinSCP using typical setting.
- Use your SSH username and password from SSH & Web Terminal configuration.
- Download whichever file you need. In my case, it was Ha.crt
I was able to successfully download the certificate using WinSCP, and upload it to android via airdroid. Installed the certificate in Samsung galaxy S8 but I still can’t access homeassistant via the android app, even though I can easily access it through chrome on Samsung galaxy S8.
=============
My current status is still unable to access HA from the android app after installing certificates.
configuration.yaml