NGINX SSL Proxy add on configuration questions

I am using the official NGINX Home Assistant SSL proxy add-on and have a few questions about the configuration.

Backstory: My domain hosting company (Bluehost) provides free SSL certificates, and my IP address is relatively fixed. (I say relatively because it changes rarely, if ever, even if Comcast will not guarantee that it is fixed–I realize that when and if it's changed I will need to change the DNS settings for this domain). Given this, I would like to avoid the dynamic DNS route so that I can use my own domain name. So the ha.mydomain.com DNS record points to the IP address of my HA server, and I have the certificates on my server (maybe correctly, maybe not…see below).

I have two questions:

  1. The NGINX proxy configuration is asking for the name of my certificate file with a suggested name of fullchain.pem. Bluehost is providing me with the .CRT file (containing one certificate entry) and a “Certificate Authority Bundle: (CABUNDLE)” (that also contains one certificate entry). Are these necessary and sufficient? Do I just concatenate them into “fullchain.pem”?

  2. Finally, the docs say I need to include this in my configuration.yaml:

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 172.30.33.0/24

What IP address is that? Should that be the local IP address of my HA server (e.g. “10.0.0.23”), or my externally facing IP address?

Thank you! Sorry for all the questions!

-Eric

1 Like
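The first question is really about whether the two files fit together as a chain. The script below is an added example (not from this thread or from the NGINX add-on) that reads a fullchain.pem with the standard library only, checks that every block is a PEM-wrapped DER certificate, and confirms the order is leaf first, i.e. each certificate's issuer matches the next certificate's subject. Because it must run offline, the certificates it exercises at the bottom are constructed, unsigned skeletons with the real X.509 field layout, not Bluehost's or Let's Encrypt's; on a real file you would call `check_chain()` on the contents of `/ssl/fullchain.pem`.

```python
"""Sanity-check a fullchain.pem assembled from a site certificate and a CA bundle:
every block must be valid PEM holding a DER SEQUENCE, and the chain must be ordered
leaf first, with each certificate's issuer equal to the next certificate's subject.
Standard library only. The sample certificates at the bottom are constructed skeletons
(unsigned, with the real X.509 field layout) so the script runs offline."""
import base64
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_blocks(text):
    """DER bytes of every CERTIFICATE block in the file, in file order."""
    return [base64.b64decode("".join(body.split())) for body in PEM_RE.findall(text)]


def der_tlv(buf, pos=0):
    """Decode one DER tag-length-value at pos; returns (tag, value, end_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Child (tag, value) pairs of a constructed DER element."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos)
        out.append((tag, val))
    return out


def issuer_and_subject(der):
    """(issuer, subject) as raw DER Name values, located by field position:
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }"""
    _, cert_body, _ = der_tlv(der)
    _, tbs, _ = der_tlv(cert_body)
    fields = der_children(tbs)
    if fields and fields[0][0] == 0xA0:  # explicit [0] version tag present: skip it
        fields = fields[1:]
    return fields[2][1], fields[4][1]


def check_chain(text):
    """Problems found in a fullchain.pem; an empty list means it looks right."""
    ders = pem_blocks(text)
    if not ders:
        return ["no CERTIFICATE blocks found (is this the .crt/.pem, not the key?)"]
    names = []
    for i, der in enumerate(ders):
        if not der or der[0] != 0x30:
            return [f"block {i} is not a DER SEQUENCE; the file is not a PEM certificate"]
        try:
            names.append(issuer_and_subject(der))
        except (IndexError, ValueError):
            return [f"block {i} is not a parseable X.509 certificate"]
    problems = []
    for i in range(len(names) - 1):
        issuer_i, subject_next = names[i][0], names[i + 1][1]
        if issuer_i != subject_next:
            problems.append(f"block {i} was not issued by block {i + 1}: "
                            "chain is out of order or an intermediate is missing")
    return problems


# --- constructed sample data (not real certificates) ------------------------------
def _der(tag, content):
    """Encode one DER TLV (short or long-form length)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _name(cn):
    """Name ::= SEQUENCE OF SET OF { OID 2.5.4.3 (commonName), PrintableString }"""
    attr = _der(0x30, bytes.fromhex("0603550403") + _der(0x13, cn.encode()))
    return _der(0x30, _der(0x31, attr))


def _fake_cert(subject, issuer):
    """Unsigned certificate skeleton with the TBSCertificate field order above."""
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"")
           + _name(issuer) + _der(0x30, b"") + _name(subject) + _der(0x30, b""))
    return _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))


def _pem(der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"


LEAF = _fake_cert("ha.mydomain.com", "Sample Intermediate CA")
INTERMEDIATE = _fake_cert("Sample Intermediate CA", "Sample Root CA")
GOOD_FULLCHAIN = _pem(LEAF) + _pem(INTERMEDIATE)   # .crt first, then the CA bundle
BAD_FULLCHAIN = _pem(INTERMEDIATE) + _pem(LEAF)    # CA bundle first: wrong order

if __name__ == "__main__":
    print("good:", check_chain(GOOD_FULLCHAIN) or "OK")
    print("bad: ", check_chain(BAD_FULLCHAIN))
```

The issuer/subject comparison is a byte-for-byte match of the DER Name values, which is how a TLS client pairs a certificate with the one that signed it; it says nothing about signatures or expiry, so it is a quick ordering check, not a substitute for validating the chain against a trust store.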

I am glad to report I can answer my own questions for the most part.

  1. Yes. Concatenate the CRT file and the Authority Bundle together into fullchain.pem. If I understand correctly, the first certificate certifies my domain’s identity as confirmed by Let’s Encrypt (Bluehost obtains this certificate for its customers), and the second one certifies Let’s Encrypt’s identity as verified by the root authority (ISRG).

  2. I still don’t know what 172.30.33.0 is, but the configuration works with that IP address.

To summarize my steps to enable HTTPS access to my HA server with my own domain:

NOTE: This setup assumes you have a static IP address. My cable modem is given an IP address by Comcast that is sort of static–it might change, but not often. If it changes, I will need to update the DNS record (see below), and wait for DNS changes to propagate, which can take a couple of days. In the meantime I will not be able to access my HA instance from the outside world. Using a dynamic DNS like duckdns.org eliminates that problem but I am not sure how well that would integrate with using my own domain name. Maybe great. I just don’t know.

In order to access my HA from the external world using my own domain name, secured by HTTPS, I took the following steps:

STEP ONE: Domain Configuration

  1. Obtained a domain name from Bluehost (I had already done this a long time ago). For the purposes of these instructions we shall call this domain mydomain.com.

  2. Added a subdomain (ha.mydomain.com). (I left the document root as /, i.e. ha.mydomain.com/)

  3. Enabled Auto-SSL to get my certifcate (for Bluehost that was Advanced–>SSL/TLS Status). I then had to click an Update button to get AutoSSL to run. (In theory this can take 24-48 hours, but it only took a couple minutes for me). Other hosting companies will have other procedures for obtaining certificates. Or you can get a certificate on your own from letsencrypt.org (which is in fact where Bluehost gets theirs), but I am not familiar with the details.

  4. Added a DNS record to point to my IP address so the world can find me via the (sub) domain name. (For Bluehost, that’s Domains → Manage → DNS). To do this I added an “A” record with Host Record = “ha” (my subdomain), and pointed it to my IP address (my home modem’s IP address as reported by whatismyipaddress.com, NOT my HA server’s internal IP address. If you use a VPN, make sure to turn it off while checking your IP address or whatismyipaddress.com will report your VPN’s IP address, not your modem’s IP address. Once you have your modem’s IP address, you can turn your VPN back on.)

STEP TWO: Server configuration

  1. Assembled the certificate PEM file. I just copied both the end user and root (“Authority Bundle”) certificates into a file called “fullchain.pem” (using the HA file editor). (These certificates can be viewed on Bluehost via Advanced → SSL/TLS Status → View Certificate.) The resulting file looked something like:

-----BEGIN CERTIFICATE-----
8jbTBaz+NzzY+qlTzayydKybcgMN+A8MQsbJdfeowwn99O4lK7jmOPTBHefq3VaO
....
ZcYvOrN1WxXHmRZBVlbXJ/TJ3eEobB9Hfihuu31q2hbxfi2QATtA3b3HMB4v2ofk
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAwTzELMAkGA1UE
....
EwxJU1JHIFJvb3QgWDEwHhcNMjAwOTA0MDAwMDAwWhcNMjUwOTE1MTYwMDAwWjAyMQswCQYDVQQG
-----END CERTIFICATE-----

  2. Copied the private key into the file /ssl/privkey.pem (using the HA file editor).

  3. Installed the official NGINX Home Assistant SSL Proxy add-on (via Settings → Add-ons → Add-on Store on HA). Make sure you enable “Start on Boot” in the add-on’s “Info” screen. In the configuration pane of the add-on I specified ha.mydomain.com as the domain.

  4. Updated configuration.yaml (as directed in the add-on docs). I added this to my configuration.yaml file (via the HA file editor):

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 172.30.33.0/24

(Again, I presently have no idea what 172.30.33.0 points to, but it works)

  5. Restarted the HA server

STEP THREE: Modem configuration

  1. Using my XFi modem/router’s configuration app, I added a port forward from port 443 to “homeassistant” (the hostname of my HA server as recognized by the router. You could also use your server’s INTERNAL IP address, but the app just gave me a drop-down list of hostnames instead). Different modems/routers will, of course, have different ways to add port forwards.

(Note that the NGINX SSL Proxy add-on will listen on port 443. Port 8123 can still be used for internal connections which is very handy in case something goes wrong).

STEP FOUR: Test and Wait

At this point you should be all set. But it can take up to 48 hours for DNS changes to propagate across the internet. While this happens you may not be able to connect to your HA server from the outside world, and/or your connection may behave strangely due to domain name resolution confusion. It may help to flush your browser’s DNS cache.

In the meantime, you can do a few tests:

Test your HTTPS setup: SSL Server Test (Powered by Qualys SSL Labs) (This tool’s website seemed to discover my updated DNS record immediately. Not sure how. Magic I presume.)

From a command line you can also try:

openssl s_client -connect 99.99.99.99:443 -servername ha.mydomain.com 

(Use your modem’s externally facing IP address and your actual hostname in the above command). This will spit out a bunch of information about the SSL handshake if your configuration is correct.

After doing all that, the world looks sort of like this from the perspective of an external web browser you are working at (where 99.99.99.99 would be your modem’s IP address):

Browser → https://ha.mydomain.com → DNS → 99.99.99.99:443 → Modem port 443 → HA Server port 443 → NGINX → Home Assistant app.

The beauty is that not only can you access your HA from the outside world, but all the data sent back and forth is encrypted by SSL/TLS so no one can sniff out your passwords, data, etc.

Note that it has only been a couple of hours since I added the DNS record for my subdomain on Bluehost, and after clearing my browser’s cache everything seems to already be working smoothly.

TO DO: This is working great. But what if someday I set up another server of some sort (maybe an RStudio server or something) that I want to access from the outside world? In that case I think I would have to set up an independent NGINX server to direct different endpoints (like www.mydomain.com/ha and www.mydomain.com/rstudio) to the appropriate servers. In that scenario, I think I would simply remove the NGINX add-on from my HA server since my separate NGINX server would then just route traffic internally to port 8123 of my HA server and that internal traffic could be unsecured.

1 Like
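On the second question: 172.30.33.0/24 is the Supervisor's internal add-on network, so it is the range the NGINX add-on connects to Home Assistant from, neither the LAN address nor the public one. What `trusted_proxies` actually controls is whether the `X-Forwarded-For` header is believed. The block below is an added example, a generic implementation of that rule written for this thread and not Home Assistant's own code: the header is honoured only when the TCP peer is inside a trusted network, and then the hops are walked from the right so that a value supplied by an untrusted party is discarded. The request samples and the 203.0.113.x addresses are constructed.

```python
"""How trusted_proxies governs X-Forwarded-For: the header is honoured only when the
TCP peer is one of the configured proxy networks, so a client that reaches the server
directly (e.g. on port 8123) cannot choose its own "client IP" by sending the header.
Generic illustration, not Home Assistant's implementation; standard library only."""
import ipaddress

# Mirrors the two keys from the post's configuration.yaml http: block.
HTTP_CONFIG = {
    "use_x_forwarded_for": True,
    "trusted_proxies": ["172.30.33.0/24"],
}


def _trusted_networks(config):
    return [ipaddress.ip_network(n, strict=False) for n in config.get("trusted_proxies", [])]


def client_ip(peer_ip, xff_header, config=HTTP_CONFIG):
    """Address to treat as the client for a request that arrived from peer_ip with the
    given X-Forwarded-For value (None when absent). Walking the header from the right,
    the first hop that is not itself a trusted proxy is the client; anything to its
    left was appended by parties we do not trust and is ignored."""
    peer = ipaddress.ip_address(peer_ip)
    trusted = _trusted_networks(config)
    in_trusted = lambda addr: any(addr in net for net in trusted)
    if not config.get("use_x_forwarded_for") or not xff_header or not in_trusted(peer):
        return str(peer)
    for hop in reversed([h.strip() for h in xff_header.split(",") if h.strip()]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return str(peer)  # malformed header even from a trusted proxy: use the peer
        if not in_trusted(addr):
            return str(addr)
    return str(peer)  # every hop was a proxy; nothing identifies an external client


def config_warnings(config):
    """Misconfigurations worth flagging before exposing the reverse proxy."""
    warnings = []
    nets = _trusted_networks(config)
    if config.get("use_x_forwarded_for") and not nets:
        warnings.append("use_x_forwarded_for is on but trusted_proxies is empty: header is ignored")
    for net in nets:
        if net.prefixlen == 0:
            warnings.append(f"trusted_proxies contains {net}: any peer could forge X-Forwarded-For")
    return warnings


# Constructed sample requests: (TCP peer, X-Forwarded-For header, description)
SAMPLE_REQUESTS = [
    ("172.30.33.2", "203.0.113.7", "external browser via the NGINX add-on"),
    ("172.30.33.2", "203.0.113.7, 172.30.33.3", "two proxy hops, both trusted"),
    ("10.0.0.50", "203.0.113.7", "LAN client on port 8123 forging the header"),
    ("172.30.33.2", None, "proxy request without the header"),
]

if __name__ == "__main__":
    for peer, xff, what in SAMPLE_REQUESTS:
        print(f"{what:45s} -> client {client_ip(peer, xff)}")
    print(config_warnings({"use_x_forwarded_for": True, "trusted_proxies": ["0.0.0.0/0"]}))
```

The practical consequence is the one the third sample shows: a device on the LAN talking to port 8123 directly gets logged (and rate-limited, banned, etc.) under its real address no matter what header it sends, while requests that genuinely came through the add-on are attributed to the external browser. Widening `trusted_proxies` to the whole LAN or to 0.0.0.0/0 gives that guarantee away.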