NEWBIE how to get https (ssl) without opening to the world

Hmm. maybe not.

Let’s Encrypt will only work if you have a DNS entry and remote access is allowed.

and https://www.home-assistant.io/docs/ecosystem/certificates/tls_self_signed_certificate/ will only work if you’re not using hass.io

This is back where I started :smiley:

Just install duckdns and don’t forward the port in your router.

1 Like

ok tom - thanks for your help!

Just a footnote to all this for any others travelling this route: you can’t set up a Duck DNS account without using Facebook, Google, Twitter or Reddit - so if you’re like me, you either need to forget hass.io or it’s impossible to run https (ssl) locally, which means lots of addons don’t play nice.

So all that privacy / local control of your data stuff isn’t quite there yet. Heck I don’t even know who the people behind duck dns are. It’s hosted on amazon servers. Who knows.

Without doubt, my preference would be to enable hass.io to create a local certificate. My next move will be to try hassbian I guess.
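Not part of the thread: here is what “creating a local certificate” boils down to with plain OpenSSL, as an added example rather than anything from the posters above or from the Home Assistant project. It writes the same two file names (fullchain.pem / privkey.pem) that the addon configs in this thread point at, and adds a couple of checks worth running before blaming the addon. It assumes the openssl command-line tool is installed; the host name hassio.local and the address 192.168.1.50 are made-up placeholders for whatever you actually type into the browser.

```shell
#!/bin/sh
# Generate a self-signed TLS certificate for a LAN-only Home Assistant box.
# Added illustration, not code from this thread or from the Home Assistant
# project. Assumes: the openssl command-line tool is on PATH. The host name
# hassio.local and the address 192.168.1.50 used in the demo are constructed
# placeholders; substitute the name and address you actually browse to.
set -e

# make_local_cert OUTDIR HOSTNAME IPADDR [DAYS]
# Writes privkey.pem and fullchain.pem into OUTDIR, the two file names the
# add-on configurations quoted in the thread already point at.
make_local_cert() {
    outdir=$1; host=$2; ip=$3; days=${4:-825}
    mkdir -p "$outdir"
    # Browsers match the name you typed against subjectAltName, not the CN,
    # so both the DNS name and the raw IP go in as SANs. A throwaway config
    # file is used instead of -addext so this also works on OpenSSL 1.0.2.
    cat > "$outdir/openssl.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_server
[dn]
CN = $host
[v3_server]
subjectAltName = DNS:$host, IP:$ip
extendedKeyUsage = serverAuth
basicConstraints = CA:FALSE
EOF
    openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days "$days" \
        -config "$outdir/openssl.cnf" \
        -keyout "$outdir/privkey.pem" -out "$outdir/fullchain.pem" 2>/dev/null
    chmod 600 "$outdir/privkey.pem"      # only the HA process needs the key
    rm -f "$outdir/openssl.cnf"
}

# cert_matches_host CERT NAME  -- does the cert cover this DNS name?
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# cert_matches_ip CERT ADDR  -- does the cert cover this IP address?
cert_matches_ip() {
    openssl x509 -in "$1" -noout -checkip "$2" | grep -q 'does match'
}

# key_matches_cert CERT KEY  -- a key that does not belong to the cert is a
# classic reason for a service that shows "started" but resets every
# HTTPS connection, so check the pair before touching the addon config.
key_matches_cert() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Demo run: sh make_local_cert.sh demo
if [ "${1:-}" = "demo" ]; then
    make_local_cert ./ssl hassio.local 192.168.1.50
    openssl x509 -in ./ssl/fullchain.pem -noout -subject -dates
    cert_matches_host ./ssl/fullchain.pem hassio.local && echo "covers hassio.local"
    key_matches_cert ./ssl/fullchain.pem ./ssl/privkey.pem && echo "key and cert match"
fi
```

Two things the script does not do for you: the browser will still flag the certificate as untrusted until you import fullchain.pem into its trust store (that is the price of not involving a public CA), and if an addon keeps resetting the connection, `openssl s_client -connect hassio.local:4277 </dev/null` is the quickest way to learn whether that port is actually speaking TLS or plain HTTP.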

I have the same issues. I run internally only so all this ssl stuff is just an annoyance. My default with addons is wherever I see “ssl” in the configuration, I set it to false and when I want to use the web address to access the function, I change the https:// to http://

1 Like

I hate to cross post but just as I finished posting here Google TTS and SSL I saw this.

Not exactly the same issue but closely connected, so if anyone can help get Google TTS working with SSL I’d be grateful. Again apologies for the cross post.

I tried the same, but found the http:// versions timed out for me. Maybe I’ll give that a go before ditching hass.io. Will post again with the outcome…

When accessing the addon from a browser, also pay attention to the port number (even internally), which is usually different between https and http access.

So, for instance, I just installed the log viewer.

{
  "log_level": "info",
  "username": "theusernameimusing",
  "password": "thepasswordilike",
  "ssl": false,
  "certfile": "fullchain.pem",
  "keyfile": "privkey.pem",
  "filters": [
    {
      "keyword": "ERROR",
      "style": "color: red; font-weight: bold;"
    },
    {
      "keyword": "WARN",
      "style": "color: yellow;"
    },
    {
      "keyword": "INFO",
      "style": "color: limegreen;"
    },
    {
      "keyword": "DEBUG",
      "style": "color: cyan;"
    },
    {
      "keyword": "TRACE",
      "style": "color: blue;"
    }
  ]
}

That is the test config. I start the instance and get the following in the log section at the bottom of the page:

[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 00-banner.sh: executing...
-----------------------------------------------------------
 Hass.io Add-on: Log Viewer v0.3.0
 Browser-based log utility for Hass.io

The addon shows a green light and is started.

Interestingly, on this addon, the “web ui” link leads to “http://hassio.local:4277” e.g. without the SSL - and the port is just the same as the port entered into the port setting box.

Which port should I use if not that one?

I just get the following when hitting the link:

The connection was reset

    The connection to the server was reset while the page was loading.

        The site could be temporarily unavailable or too busy. Try again in a few moments.
        If you are unable to load any pages, check your computer's network connection.
        If your computer or network is protected by a firewall or proxy, make sure that Firefox is permitted to access the Web.

I always wanted to give that addon a shot. Thanks for the motivation. :slight_smile:
Okay, I got mine running after what I call de-frencking the configuration. That involved:
set ssl to false
enter a login and password
add the option: “i_like_to_be_pwned”: true,

Here’s mine:

{
  "log_level": "info",
  "username": "i-used-my-local-generic-one",
  "password": "anything-you-want",
  "ssl": false,
  "certfile": "fullchain.pem",
  "keyfile": "privkey.pem",
  "filters": [
    {
      "keyword": "ERROR",
      "style": "color: red; font-weight: bold;"
    },
    {
      "keyword": "WARN",
      "style": "color: yellow;"
    },
    {
      "keyword": "INFO",
      "style": "color: limegreen;"
    },
    {
      "keyword": "DEBUG",
      "style": "color: cyan;"
    },
    {
      "keyword": "TRACE",
      "style": "color: blue;"
    }
  ],
  "i_like_to_be_pwned": true
}

It’s working here now.

For me I still get “connection reset”.

"i_like_to_be_pwned": true

should just skip checking if the user/pass is in the “Have I Been Pwned” database. My install just plain refuses to serve the page. I don’t even get to authentication. Wondering if I have other problems outside of this issue.

Probably other issues. After defrencking it fired up. I went to the web page (http://pi3:4277) and was greeted by a login screen and then taken to an idle, black web page.
My network is rather generic. Two subnets of 192.168.1.0 and 192.168.100.0 on two off-the-shelf wifi routers (upstairs, downstairs), no additional firewall rules.

Mine is the same. One less router, traffic all hard wired between main pc and hassio.

defrencking?

Try http-ing to the IP address or the host name. I have seen issues when folks try the generic hassio.local thingie.

I decided to save out my config files and reinstall hass.io, being careful along the way: installed, installed Samba, tested, all OK, saved a snapshot. Chose a new hostname in the menu, checked the log, all looked OK, rebooted the Pi; now it refuses to auth, either with the new host or the IP. Honestly, this stuff should be really straightforward, basic and easy functionality. I must be the worst HA user here :laughing:

Try this in your config to bypass the whole login thing:
add this option, “leave_front_door_open”: true
I tried it and no longer even needed login/password nor pwnd stuff.

and no, we’ve ALL gone through this kinda hair pulling at one time or another. So you are only the second worst HA user here.

Create a throwaway reddit/google account.

So instead of opening a throwaway account to get some SSL certificates, you are going to run a local network without encryption. I hope you have no wireless network and VLANs are set up to segregate IoT traffic.

The security risks you are paranoid about are commendable but are a bit scattershot.

Sorry for the late reply - I’m new here so had to wait 14 hours to post again. Don’t mind though, these forums are cool.

Finally got an addon to work without https.
Two complete installs and a day of poking around in the guts of my network :blush:
Thanks for the help!

@tom_l Scattershot or not, I’d rather be able to generate a local certificate with minimum hassle and without involving companies like alphabet, and I don’t take the words verbatim written in a privacy statement when I can’t find the company that publishes them (and often when I can). It’s just how I feel about it, for better or worse. It’s ok to disagree sometimes though :smiley: Privacy is one of the things that drew me to this project.

2 Likes

Hi @jebus ,

I’m a bit late to this post but I’m struggling with the same concerns as you did.
I’m a new HomeAssistant user and planning to use it only locally. I don’t want to depend on any online service or github, google, twitter or what else for authentication or ssl handling.

But then i found addons which require some kind of ssl connection to run properly (ESPHome, matrix, …).

I expected to be able to run this installation on a local machine with a self-created certificate for internal ssl connections. I accepted that this seems not to be very easy and accepted leaving my connection unencrypted within my network, but it is bad for me when those addons don’t run as I want them to :confused:

Any ideas or experiences about this? To be honest, I lost track in the discussion above :(…