Secured Home Assistant access via WAN using SSL (decluttered)

With all due respect to the many who posted the long and extended explanations of how to use SSL that I found here, in other words how to access Home Assistant safely from a WAN using an https://… connection, most did not help me by far and actually just robbed me of a lot of time.
So I want to summarise and share just the basic steps I took to get it working; I hope some might find this useful. No add-on installs are needed, so this is also Core / Docker version compatible:

1 - Set up a DDNS service of your choice, e.g. through your router if it has this function (even just as a test), and export the associated certificate so you have 2 files: cert.pem and key.pem.

2 - Put these files in the same Config folder as Home Assistant's Configuration.yaml file, regardless of where this is on your host device.

3 - Speaking of which, locate and open Configuration.yaml and add this:

http:
  ssl_certificate: cert.pem
  ssl_key: key.pem

File names may need adapting of course.
Next time you restart Home Assistant it will then expect an SSL connection.

4 - Access your router and, in the Port Forwarding section, add the external port 8123 for your host’s IP address on both protocols (TCP and UDP) and leave the internal port blank so it will be the same port. I am not going to explain a lot more about port forwarding; there are plenty of resources to find out how to do this. Also make sure your host has a fixed IP address, but that is rather obvious.

5 - Restart Home Assistant.

6 - Now the old unsecured non-SSL access, in other words http://…, will not work any more, so be sure to adapt all clients.
Access of Home Assistant on the LAN:
https://<IP of your host>:8123

Access of Home Assistant using the WAN:
https://yournicesubdomainname.ddnsservicename.com:8123

You can even bypass the DDNS service in case you have not set it up yet or just want to test with a certificate with:
https://<IP of your WAN connection>:8123

7 - That’s it. Time to have a coffee, or think about more fancy stuff to automate certificate renewal and such if you need to have this. Anyway, hope this helps some with non-standard Home Assistant installs like I have or just to understand the basics first.

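Added example, not part of the original post: a check of the certificate served on port 8123, covering two points the steps above touch on, certificate renewal and access by bare WAN IP instead of the DDNS name. The sample certificate dict and the address 203.0.113.10 are constructed, and `fetch_cert`, `name_matches` and `check_cert` are names chosen here.

```python
import socket
import ssl
import time

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "subjectAltName": (("DNS", "yournicesubdomainname.ddnsservicename.com"),),
    "notAfter": "Jun  1 12:00:00 2030 GMT",
}

def fetch_cert(host, port=8123, timeout=5.0):
    """Connect the way a browser would; raises if chain or hostname fails."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def name_matches(pattern, host):
    """Compare one subjectAltName entry with the name typed into the client."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        # A wildcard covers exactly one left-most label.
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host

def check_cert(cert, host, now=None, warn_days=14):
    """Return a list of problems for a getpeercert()-style dict."""
    now = time.time() if now is None else now
    problems = []
    sans = [v for k, v in cert.get("subjectAltName", ())
            if k in ("DNS", "IP Address")]
    if not any(name_matches(s, host) for s in sans):
        problems.append(f"name mismatch: {host} not in {sans}")
    days_left = (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400
    if days_left < 0:
        problems.append("expired")
    elif days_left < warn_days:
        problems.append(f"expires in {int(days_left)} days")
    return problems

if __name__ == "__main__":
    # Offline run against the constructed sample; swap in fetch_cert(host) for a live check.
    for name in ("yournicesubdomainname.ddnsservicename.com", "203.0.113.10"):
        print(name, check_cert(SAMPLE_CERT, name) or "ok")
```

Run from a scheduled job with `fetch_cert`, the expiry warning gives notice before clients start rejecting the certificate.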

I think most people setting up Internet access to HA use a reverse proxy. I strongly doubt the HA web server is secure & robust enough to be safely exposed to the Internet even with an SSL certificate. People on the internet are good at exploiting any vulnerabilities in a system designed for just LAN use.

Thank you for that hint, that was my next step to look into.
My setup has a reverse proxy on board and I just realised it’s all well documented.
I started with Home Assistant not so long ago so I hope my current safety will last for a few days before I dig myself into this the following nights to come…

I’m afraid that’s a tad too “decluttered”, for people not wanting their time to be robbed, especially how to get the certificates.
