Real SSL certificate outside, and would like SSL also for internal access

Hope someone can help me out or clarify how to set up the following:

I have a real SSL certificate on the outside of my subdomain. I can access HA from outside via SSL with a basic Caddy setup reverse-proxying to 8123 (port forwarding on the router: 443 > HA IP 8123).

Now I would like to have internal access also via SSL, which is needed for TTS/speech/voice.
I read into nginx and DuckDNS/Let's Encrypt, but I am a bit lost with all the documents.
When I follow a DuckDNS Let's Encrypt how-to, it broke the outside method via the real SSL certificate (I followed this setup: https://youtu.be/3taXuYow57A?si=k9x7KE1HOW5U3wBa).
Do I miss any steps? Do I need to set up anything differently?

Hope someone can give me some guidance on how to set this up (if possible in my situation).

Use this:

https://github.com/hassio-addons/addon-nginx-proxy-manager

Thanks, will have a look at it.

Why not just always use your external address?

@Neil_Brownlee Well, I tried working my way through the Nginx Proxy Manager, but I really find it hard to understand…
I just want to add internal-only traffic via Let's Encrypt to 8123 and not touch the internet-side traffic, which is already encrypted with Caddy.
I do understand a bit of networking, but this is, to me, not a real how-to 🥵

I guess internal HTTPS is needed for HA voice, correct?

What part of the HA voice assistant are you referring to?
Anyway, any place you need an HTTPS URL, you can use your external one.

Yes, I do mean the HA voice assistant.
By enabling the voice assistant, HA must be running HTTPS, and it isn't from the inside.
Only the outside 443 is now reverse-proxied via Caddy as valid HTTPS and goes to http://homeassistant.local:8123.

I find it hard to get both external and internal access over to HTTPS with two different certificates/encryption methods.

Please point to the exact documentation requiring https in your context.
I run HA with a reverse proxy, like you do, with no HA SSL, and I have no issue.


That's because without an SSL-terminating proxy like the one in the earlier post, or a cert listing all the distinguished names (the URL MUST match), you can't.

That's why you have to get a new cert from Nabu Casa if you turn on their 'use my own domain alias' option. It has to write the new DN into the cert as an additional one and reissues it.

You might be able to get away with a wildcard cert like *.domainname.foo if you're not using split DNS and your internal namespace matches the external one. But AFAIK I don't know any public CA registrars that issue a wildcard without a ton of money. And if you don't want to build a proxy, you don't want to build your own cert authority.
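An added illustration of the "URL MUST match" point above (this is not code from anyone in the thread): a simplified RFC 6125 name check run against constructed SAN lists that stand in for the purchased cert, a wildcard cert and a cert for the LAN address, using the thread's example hostnames and IPs. It shows why the domain cert is rejected when HA is opened by its internal IP, and which names a wildcard does and does not cover.

```python
import ipaddress
from urllib.parse import urlsplit


def _dns_match(pattern: str, hostname: str) -> bool:
    """Simplified RFC 6125 matching: case-insensitive, and '*' is accepted only
    as the whole left-most label of a name with at least two more labels.
    The wildcard covers exactly one label, so it never matches the bare
    domain or a deeper sub-subdomain."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def name_matches(sans, host):
    """Return (True, san) if 'host' (DNS name or IP literal) is covered by one
    of the certificate's Subject Alternative Names, else (False, None).
    An IP literal only matches an IP-type SAN; a DNS SAN never covers it."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    for kind, value in sans:
        if ip is not None and kind == "IP" and ipaddress.ip_address(value) == ip:
            return True, value
        if ip is None and kind == "DNS" and _dns_match(value, host):
            return True, value
    return False, None


def url_ok(sans, url):
    """Does the cert cover the host part of an https URL (port ignored)?"""
    return name_matches(sans, urlsplit(url).hostname)[0]


# Constructed SAN lists standing in for the certificates discussed in the thread.
REAL_CERT = [("DNS", "my_ha.mydomain.com")]   # purchased cert installed on Caddy
WILDCARD_CERT = [("DNS", "*.mydomain.com")]    # the wildcard alternative
INTERNAL_CERT = [("IP", "192.168.0.200")]      # a cert for the LAN address needs an IP SAN

if __name__ == "__main__":
    for cert, url in [(REAL_CERT, "https://my_ha.mydomain.com"),
                      (REAL_CERT, "https://192.168.0.200:8123"),
                      (WILDCARD_CERT, "https://mydomain.com"),
                      (INTERNAL_CERT, "https://192.168.0.200:8123")]:
        print(f"{url:<35} -> {'OK' if url_ok(cert, url) else 'NAME MISMATCH'}")
```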

Can't speak for the OP, but many routers don't support loopback, aka hairpinning, aka NAT reflection.


I also wonder if HTTPS is actually required on HA itself; more likely it is the internal connections that need HTTPS, which in most cases means routing internal connections through Caddy should suffice.

First, is the following correct:

Environment:

  • Example "real SSL cert" hostname: my_ha.mydomain.com
  • Example DuckDNS name: my_ha.duckdns.org
  • Example external router IP: 222.222.222.222
  • Example internal router IP: 192.168.0.254
  • Example Caddy IP: 192.168.0.100
  • HA IP: 192.168.0.200

Assumptions:

  • By "real SSL cert" you mean a cert purchased from something like GoDaddy, SSL.com, DigiCert, etc. Otherwise the Caddy 2 auto-generated cert is just another ACME-protocol cert, from ZeroSSL instead of Let's Encrypt. (But they are all "real".)
  • The "real cert" is installed on the Caddy proxy. Caddy handles all encryption and forwards the unencrypted traffic to HA at 192.168.0.200.
  • The router forwards 443 to Caddy at 192.168.0.100.
  • You followed the linked video and installed the dnsmasq add-on, changed DNS on the router to point to the HA box, and internal resolution works correctly, i.e. "ping my_ha.duckdns.org" from the internal net returns "Reply from 192.168.0.200 …".

Possible solutions:

  1. My first try would be to keep HA non-SSL and send all local and remote traffic through Caddy.
     1: Remove/comment out the http: section in configuration.yaml.
     2: In the dnsmasq config, change "- host: my_ha.duckdns.org/ip:192.168.0.200" to "- host: my_ha.mydomain.com/ip:192.168.0.100" so that all internal queries route through Caddy with the correct hostname.
  2. Skip Caddy altogether.
     1: In the dnsmasq config, change "- host: my_ha.duckdns.org/ip:192.168.0.200" to "- host: my_ha.mydomain.com/ip:192.168.0.200".
     2: Put the "real cert" directly on HA and skip Caddy altogether, with a simple port forward at the router directly to HA.
  3. Keep the existing DuckDNS config and change the Caddy configuration to "--to: https://my_ha.duckdns.org:8123" so that it speaks HTTPS to the backend. Check the Caddy docs for the proper syntax to rewrite the header. This is my least favorite option.

There are other ways to mix and match the above basics.

Hi, yes, I purchased a real SSL certificate for my fixed IP address at home and added it to the DNS record in my domain.

Now checking how to get it working with Caddy 2, no luck so far 🥵

Have it all working with Caddy 2.

Adjustments in configuration.yaml (internal_url/external_url live under the homeassistant: section; base_url under http: is the older, deprecated setting):

    homeassistant:
      internal_url: "https://internal_ip:8123"
      external_url: "https://external_public_ip"

    http:
      base_url: "https://hostname_public_ip"
      use_x_forwarded_for: true
      trusted_proxies:
        - 127.0.0.1
        - internal_ip   # the Caddy 2 proxy is also on the HA host

Caddyfile:

    {
        email [email protected]
    }

    # external site: real purchased certificate, proxied to HA on the same host
    external_public_ip:443 {
        tls /ssl/real_ssl_certificate_domain.com.crt /ssl/privatekey_real_ssl_certificate_domain.com.key
        reverse_proxy 127.0.0.1:8123
    }

    # plain http on the LAN address is redirected to https
    http://local_ip {
        redir https://local_ip permanent
    }

    # internal site: Caddy issues a self-signed certificate from its local CA
    https://local_ip:443 {
        tls internal
        reverse_proxy 127.0.0.1:8123
    }

Remove the HA app from the phone, restart the HA server,
then reinstall the HA app and follow the instructions (configure internal first).

This way Caddy uses the real SSL certificate for domain.com and generates a self-signed certificate for local HTTPS traffic/access, AND rewrites HTTP access to the internal_ip to https://internal_ip.

Well, it works for a couple of minutes/hours and then the companion app says 'a host is pretending to be internal_ip'.
Still, either one of them works; for now I settled for two entries in my companion app, one as the internal and one as the external Home Assistant server, and have to switch manually.