So I’m on Nabu Casa for external access to my Home Assistant installation. The local installation is not using SSL (bare HA installation). What must I do to activate SSL for securing local connection to my installation and still have Nabu Casa for external access? Or is it better to always go through Nabu Casa even when connecting locally to the HA instance?
Thanks
I had time to give it a try so to answer my own question in case somebody else might be wondering the same thing in the future, I followed the DuckDNS/Lets Encrypt Hassio plugin info to create my SSL certificate and filled in the HTTP section in the configuration.yaml file. That’s all I needed to do. My Nabu Casa link still works and since I didn’t open the 8123 port to the outside on the firewall, when using the https://local_ipaddess:8123 URL when at home, I get a SSL warning because the certificate is tied to DuckDNS and not my local ip address but ignoring the warning, my connection still works and is now encrypted.
yeah! Thanks 
But what exaxtly is the benefit of your solution?! I mean beeing encrypted in your local network is necessary for what?
I came over your post because of enabling ssl in the grafana addon isn’t possible while having a open network port so i’m wondering if your way helps me out
Because I ran into this issue myself, I’ll answer. Some integrations (Neato Botvac, for example) require secure local access.
You can use your Nabu Casa URL for the Neato redirect URL. Just add “.ui.nabu.casa/auth/external/callback” to the end (.ui.nabu.casa/auth/external/callback).
See New Neato Integration Installation Guide (OAuth2 for HA version 2021.1) - #55 by Aaron_P.
It’s a shame one must follow DuckDNS setup steps and pass an SSL warning in order to get a local HTTPS URL for Home Assistant working, if you pay for Nabu Casa? Since HTTPS is preferable I would have expected this to work without relying on DuckDNS.
Is there no official way to use local HTTPS URL if you use Nabu Casa instead of DuckDNS?
I got it working using a proxy in front of HomeAssistant. I’ve set Apache in a proxy mod and used Letsencrypt to provide my SSL certificate and duckdns for my DNS name and auto private to public IP assignment.
To be able to use that URL from my local network, on my computers and cell, I’ve told them to resolve DNS names through my proxy server that’s also running a DNS Service. That service redirects my duckdns hostname to my HA local IP address.
I did the same thing to my WeeWX and Teslamate installation at home. I did something similar for my WeeWX and HA installations at the cottage. To control my cottage’s HA from NabuCasa, I’ve added the Remote Assistant integration and published the devices from the cottage that I want to control from home.
Everything is working great.