NEWBIE how to get https (ssl) without opening to the world

Hi Guys

I’ve started down this home automation rabbithole, have been playing with hass.io for a week now, got a few scrapers working, played with the lovelace interface, hooked into ios devices and got a few notifications working etc. I haven’t bought a single bit of kit yet to plug in other than installing a pi in a central spot in the house. Anyway…

I’ve noticed when I install addons, if they have a link to access their configuration, clicking into them links to a https:// page usually (pi hole, grafana etc). Now as I understand it, I can only access https:// type addons if I have ssl set up.

If I got that right then following the docs, as I’m using hass.io I have to install duck dns and open my installation to the internet, which is the very last thing I want to do. I’m happy to run home automation, but I have no interest in controlling it over the internet and have some major tinfoil hattery going on around letting the world into my digital life.

What are my options?

Would it be a good idea if by default, this system created itself a local certificate and we didn’t have to do anything else unless we want to?

I may have this all completely wrong - I’m only a week in - sorry if I have this all the wrong way round! I’ve been reading a lot and getting more and more confused! Anyway, thanks in advance for any help you guys can offer.

Installing duckdns is an easy way to get ssl certificates but you don’t have to open it up to the internet. Just don’t do the port forwarding in your router. For extra security make sure UPnP is off as well.

The other way to do it is to install the Let’s Encrypt addon instead of duckdns.

Thanks Tom - so config like this:

{
  "email": "[email protected]",
  "domains": ["hassio.local"],
  "certfile": "fullchain.pem",
  "keyfile": "privkey.pem"
}

?

Hmm. maybe not.

Let’s Encrypt will only work if you have a DNS entry and remote access is allowed.

and https://www.home-assistant.io/docs/ecosystem/certificates/tls_self_signed_certificate/ will only work if you’re not using hass.io

This is back where I started :smiley:
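For anyone who wants the self-signed route on a LAN-only install, here is an added example (not from this thread or the linked docs page) that generates a local certificate and key under the file names the add-on configs above expect. hassio.local and 192.168.1.10 are placeholder values, and it assumes openssl 1.1.1 or newer is installed on the machine you run it on.

```shell
#!/bin/sh
# Added example, not from the thread. Creates a self-signed cert for a
# LAN-only Home Assistant host. Needs openssl >= 1.1.1 (for -addext).
set -eu

# make_local_cert OUTDIR HOSTNAME LAN_IP
# Writes privkey.pem and fullchain.pem into OUTDIR (the names the add-on
# configs in this thread use). Returns 0 only if the key matches the cert.
make_local_cert() {
    outdir=$1; host=$2; ip=$3
    mkdir -p "$outdir"
    # 2048-bit RSA key, no passphrase, ~2 years validity, SAN for the
    # hostname and the LAN IP so browsers accept either form of the URL.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 825 \
        -keyout "$outdir/privkey.pem" -out "$outdir/fullchain.pem" \
        -subj "/CN=$host" \
        -addext "subjectAltName=DNS:$host,IP:$ip" 2>/dev/null
    # The private key should be readable by the owner only.
    chmod 600 "$outdir/privkey.pem"
    # Sanity check: public key in the cert equals the one derived from
    # the private key, i.e. the two files really belong together.
    cert_pub=$(openssl x509 -in "$outdir/fullchain.pem" -noout -pubkey)
    key_pub=$(openssl pkey -in "$outdir/privkey.pem" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# cert_has_name OUTDIR NAME
# Returns 0 if NAME appears in the certificate's subjectAltName list.
cert_has_name() {
    openssl x509 -in "$1/fullchain.pem" -noout -text | grep -q "DNS:$2"
}

# Usage (placeholder host/IP, substitute your own):
#   make_local_cert ./ssl hassio.local 192.168.1.10
```

Copy the two files to the ssl folder the add-ons read from and keep "ssl": true; the browser will warn about the self-signed cert until you import fullchain.pem as trusted on each client.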

Just install duckdns and don’t forward the port in your router.

1 Like

ok tom - thanks for your help!

Just a footnote to all this for any others travelling this route: you can’t set up a duck dns account without using facebook, google, twitter or reddit - so if you’re like me, you either need to forget hass.io or it’s impossible to run https (ssl) locally, which means lots of addons don’t play nice.

So all that privacy / local control of your data stuff isn’t quite there yet. Heck I don’t even know who the people behind duck dns are. It’s hosted on amazon servers. Who knows.

Without doubt, my preference would be to enable hass.io to create a local certificate. My next move will be to try hassbian I guess.

I have the same issues. I run internally only so all this ssl stuff is just an annoyance. My default with addons is wherever I see “ssl” in the configuration, I set it to false and when I want to use the web address to access the function, I change the https:// to http://

1 Like

I hate to cross post but just as I finished posting here Google TTS and SSL I saw this.

Not exactly the same issue but closely connected, so if anyone can help get Google TTS working with SSL I’d be grateful. Again apologies for the cross post.

I tried the same, but found the http:// versions timed out for me. Maybe I’ll give that a go before ditching hass.io. Will post again with the outcome…

When accessing the addon from a browser, also pay attention to the port number (even internally), which is usually different between https and http access.

So as a for instance, I just installed the log viewer.

{
  "log_level": "info",
  "username": "theusernameimusing",
  "password": "thepasswordilike",
  "ssl": false,
  "certfile": "fullchain.pem",
  "keyfile": "privkey.pem",
  "filters": [
    {
      "keyword": "ERROR",
      "style": "color: red; font-weight: bold;"
    },
    {
      "keyword": "WARN",
      "style": "color: yellow;"
    },
    {
      "keyword": "INFO",
      "style": "color: limegreen;"
    },
    {
      "keyword": "DEBUG",
      "style": "color: cyan;"
    },
    {
      "keyword": "TRACE",
      "style": "color: blue;"
    }
  ]
}

This is the test config. I start the instance, and get the following in the log section at the bottom of the page:

[s6-init] making user provided files available at /var/run/s6/etc...exited 0. [s6-init] ensuring user provided files have correct perms...exited 0. [fix-attrs.d] applying ownership & permissions fixes... [fix-attrs.d] done. [cont-init.d] executing container initialization scripts... [cont-init.d] 00-banner.sh: executing... ----------------------------------------------------------- Hass.io Add-on: Log Viewer v0.3.0 Browser-based log utility for Hass.io

The addon shows a green light and is started.

Interestingly, on this addon, the “web ui” link leads to “http://hassio.local:4277” i.e. without the SSL - and the port is just the same as the port entered into the port setting box.

Which port should I use if not that one?

I just get the following when hitting the link:

The connection was reset

    The connection to the server was reset while the page was loading.

        The site could be temporarily unavailable or too busy. Try again in a few moments.
        If you are unable to load any pages, check your computer's network connection.
        If your computer or network is protected by a firewall or proxy, make sure that Firefox is permitted to access the Web.

I always wanted to give that addon a shot. Thanks for the motivation. :slight_smile:
Okay, I got mine running after what I call de-frencking the configuration. That involved:
set ssl to false
enter a login and password
add the option: “i_like_to_be_pwned”: true,

Here’s mine:

{
  "log_level": "info",
  "username": "i-used-my-local-generic-one",
  "password": "anything-you-want",
  "ssl": false,
  "certfile": "fullchain.pem",
  "keyfile": "privkey.pem",
  "filters": [
    {
      "keyword": "ERROR",
      "style": "color: red; font-weight: bold;"
    },
    {
      "keyword": "WARN",
      "style": "color: yellow;"
    },
    {
      "keyword": "INFO",
      "style": "color: limegreen;"
    },
    {
      "keyword": "DEBUG",
      "style": "color: cyan;"
    },
    {
      "keyword": "TRACE",
      "style": "color: blue;"
    }
  ],
  "i_like_to_be_pwned": true
}

It’s working here now.

For me I still get “connection reset”.

"i_like_to_be_pwned": true

should just skip checking if the user/pass is in the “Have I Been Pwned” database. My install just plain refuses to serve the page. I don’t even get to authentication. Wondering if I have other problems outside of this issue.

Probably other issues. After defrencking it fired up. I went to the web page (http://pi3:4277) and was greeted by a login screen and then taken to an idle, black web page.
My network is rather generic. Two subnets of 192.168.1.0 and 192.168.100.0 on two off the shelf wifi routers (upstairs, downstairs), no additional firewall rules.

Mine is the same. One less router, traffic all hard wired between main pc and hassio.

defrencking?

try http-ing to the ip address or the host name. I have seen issues when folks try the generic hassio.local thingie.

I decided to save out my config files and reinstall hass.io, being careful along the way - installed, installed samba, tested, all ok, saved a snapshot. chose a new hostname in the menu, checked the log, all looked ok, rebooted the pi, now it refuses to auth, either with the new host, or the ip. Honestly this stuff should be really straight forward, basic and easy functionality. I must be the worst HA user here :laughing:

Try this in your config to bypass the whole login thing:
add this option, “leave_front_door_open”: true
I tried it and no longer even needed login/password nor pwnd stuff.

and no, we’ve ALL gone through this kinda hair pulling at one time or another. So you are only the second worst HA user here.