OK, so I have finally decided to make my Home Assistant install accessible remotely.
Being a paranoid guy… I have been reading up on securing my Home Assistant install here and around the web, but I seem to be hitting a brick wall.
So far I have set up DDNS with DuckDNS pointing to my public IP. (Working fine.)
My HA install runs in Docker on a Synology NAS. I decided not to go the certbot/Let's Encrypt route and bought an SSL certificate for the DuckDNS domain.
I authenticated and installed the certificate on my Synology NAS, naively thinking I'd just force HTTPS and everything would now be encrypted.
This is where I hit the wall. I'm confused as to whether I need to set my Synology to serve over SSL for my HA port somewhere in the Synology GUI (can't find this option), OR use the http component in HA to serve using the certificate, OR both.
I have tried using the HTTP component, but HA fails to load afterward. Not being 100% sure where the certs reside and which of the ones listed to use doesn't help. Browsing using SSH shows a cert folder with a whole bunch of files.
I also tried exporting the certificate using Synology and storing the files in an easily accessible folder, then pointing the HA HTTP component to them, but this had the same effect, with both the CA and the server certificate.
I'd like to use the certificate I have purchased and installed on my Synology to serve my HA installation and Mosquitto instance over SSL. Is this possible, or am I looking at it all wrong?
When you bought the certificate, you should have received two separate files:
the certificate itself
the key file helping to identify your certificate
You need both of these in a place where HA can read them. I do not think it actually matters where you put them, but HA must have read access to them (and, naturally, no one else).
So what you need to do:
(You can use PuTTY / SSH for all of these.)
Find out under what user your HA install runs (ps aux | grep python). Find the line where it says hass*; the first column should then give you the username.
Copy the files somewhere on your Synology. Let's say /var/opt/ha/certs.
Add read access to the files for the user you got from step 1.
In your configuration.yaml you should reference the correct path:
ssl_certificate: /var/opt/ha/certs/your.domain.certificate.crt (or .pem if you received a pem format certificate)
ssl_key: /var/opt/ha/certs/your.domain.keyfile.key (or .pem if you received a pem format keyfile)
Then you should start the hass daemon in the foreground to see if everything went OK.
The first time I did it I got “Invalid config for [http]: not a file for dictionary value @ data['http']['ssl_key']”. This meant that HA could not read my SSL key file, and it did not load the interface at all because of the SSL error.
But you do not need to buy a certificate and key file; you can easily generate a self-signed certificate in one line, and then copy the files to some place.
the command is:
openssl req -new -newkey rsa:2048 -sha256 -days 365 -nodes -x509 -keyout server.key -out server.crt
where -days 365 is the validity period. If you change it to e.g. 3650, then your certificate will be valid for 10 years.
server.key will be your key file, which could be named mydomain.duckdns.org.key
server.crt will be your certificate file, which could be named mydomain.duckdns.org.crt
for easy identification. During the generation of the certificate you need to fill in some sensible information: country code, organization, email address, common name. What you should pay attention to is that the common name should be mydomain.duckdns.org; the other values are to your liking.
Last but not least, I am not familiar with the operating system on a Synology, but I took these from a standard Ubuntu; hopefully your NAS has some kind of embedded Linux so all of these will work.
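The procedure in the post above (generate a self-signed pair, move it into place, restrict it to the HA user, confirm HA will accept the paths) as one POSIX shell script. This is an added example and not code from the thread or from Home Assistant; the domain, directory and user name are placeholders you pass on the command line, and the -addext flag assumes OpenSSL 1.1.1 or newer (on an older NAS, drop that flag and the certificate will carry only the CN). The ha_would_accept check reproduces what the "not a file for dictionary value" error actually tests: the path must be a regular, readable file for the user HA runs as, so run the script as that user or check with su.

```shell
#!/bin/sh
# Added example, not from the thread: generate a self-signed certificate for a
# DuckDNS hostname, lock the files down for the Home Assistant user, and run the
# checks that the http component effectively performs before it will start.
# Assumptions (placeholders, not from the original post): OpenSSL 1.1.1 or newer
# (needed for -addext), a POSIX sh, and that the domain, directory and user name
# are supplied on the command line.
set -eu

# gen_selfsigned DOMAIN OUTDIR [DAYS]
# -subj avoids the interactive prompts; the hostname also goes into
# subjectAltName, because browsers no longer trust a bare CN.
gen_selfsigned() {
  domain=$1; outdir=$2; days=${3:-365}
  mkdir -p "$outdir"
  openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days "$days" \
    -subj "/CN=$domain" -addext "subjectAltName=DNS:$domain" \
    -keyout "$outdir/$domain.key" -out "$outdir/$domain.crt" 2>/dev/null
}

# cert_key_match CERT KEY: true when the certificate's public key is the key's
# public key. A mismatched pair loads fine but then fails every TLS handshake.
cert_key_match() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
  key_pub=$(openssl pkey -in "$2" -pubout)
  [ "$cert_pub" = "$key_pub" ]
}

# restrict_perms OUTDIR USER: the HA user can read, nobody else can.
restrict_perms() {
  chown -R "$2" "$1"
  chmod 750 "$1"
  chmod 640 "$1"/*.crt "$1"/*.key
}

# ha_would_accept PATH: Home Assistant's "not a file for dictionary value" means
# this test failed for the user HA runs as: a regular file (not a directory)
# that is readable.
ha_would_accept() {
  [ -f "$1" ] && [ -r "$1" ]
}

# cert_cn CERT: print the subject so the common name can be confirmed.
cert_cn() {
  openssl x509 -in "$1" -noout -subject
}

# main DOMAIN OUTDIR HAUSER: the whole procedure, end to end.
main() {
  domain=$1; outdir=$2; hauser=$3
  gen_selfsigned "$domain" "$outdir" 3650
  restrict_perms "$outdir" "$hauser"
  cert_cn "$outdir/$domain.crt"
  if cert_key_match "$outdir/$domain.crt" "$outdir/$domain.key"; then
    echo "certificate and key match"
  else
    echo "certificate and key DO NOT match" >&2
    return 1
  fi
  for f in "$outdir/$domain.crt" "$outdir/$domain.key"; do
    if ha_would_accept "$f"; then echo "ok: $f"; else echo "HA would reject: $f" >&2; fi
  done
  printf 'http:\n  ssl_certificate: %s\n  ssl_key: %s\n' \
    "$outdir/$domain.crt" "$outdir/$domain.key"
}

# Run as: sh ha_selfsigned.sh demo mydomain.duckdns.org /var/opt/ha/certs hauser
if [ "${1:-}" = demo ]; then
  shift
  main "$@"
fi
```

The printed http: block is exactly what goes into configuration.yaml; the paths are absolute on the machine HA runs on, which matters once the files live inside a bind-mounted container volume.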
In a lot of cases I'm just using an SSH tunnel to get access to an unsecured web interface. This doesn't play nice with smartphones, but it saves me the hassle of handling TLS certificates and investing time in securing the web server itself.
Thank you very much for the replies @vdarkobar, @towme and @fabaff, much appreciated. I started to follow Tom's instructions and fell at the first hurdle, convinced myself this was due to running in Docker, and steered off course trying to get Home Assistant to run directly on the Synology.
Long story short, I'm back to running in Docker now and I'll be looking more into this.
I am still lurking in the HA forums, and have no real automation of anything relevant built in HA yet.
HOWEVER, my setup is very similar to the OP's system (HA running in Docker on a Synology NAS).
I am also a little paranoid about security, and what makes me feel safe is VPN.
In my case, I have a separate pfSense box (OP, if you don't have one you should check it out); I installed OpenVPN on it, so the only way to access my home network is via VPN… feels very safe in my case.
That means all notifications and messages that START INSIDE my network will reach my cell phone.
If someone wants to access my entire network, it is only possible using the VPN, so no need to do port forwarding or anything else…
In pfSense, I create a network of my own and I can manage access from it.
This means there is a typo in your config line ssl_key.
HA cannot find a file, nor a directory, named as you typed it in your config.
You should give the exact path to your SSL key file,
so if your SSL key file is named my_ssl_key.pem and it is located in /etc/ssl/certs, then the config entry should look like:
ssl_key: /etc/ssl/certs/my_ssl_key.pem
And don't forget the YAML indentation!
http: should not be indented at all; ssl_key:, on the other hand, should be indented 2 spaces. And ssl_certificate should start in the same place where ssl_key starts.
Still having zero luck with this! Indentation is fine and I have tried numerous directories, still to no avail.
Each time, Home Assistant runs fine in Docker but just displays nothing.
Log file still saying:
homeassistant.bootstrap: Invalid config for [http]: not a file for dictionary value @ data['http']['ssl_certificate']. Got '/XXXX/SSL/server.crt' not a file for dictionary value @ data['http']['ssl_key']. Got '/XXXX/SSL/server.key'
Or something to that effect, depending on the directory.
I can't help but think I am overlooking something stupid here. Each time I go full circle and come back to permissions. But as I stated earlier, during testing I have made the file available to everyone.
As an alternative, have you thought about just installing the VPN Server package on your Synology and then using VPN to access Home Assistant? That's what I've been using: I have a Synology DS1815+ running my VPN to get into my network, and then I just connect to the VPN on my phone to access HA, which is running on a Raspberry Pi.
Sorry to jump in, but can you please make a guide on how to set up VPN (OpenVPN if possible), or at least point to some useful and easy-to-implement guide on the net?
There is no useful manual here on the forum on this topic…
The problem I have there is making it wife-proof. I presume each time you want to sign into HA over the VPN you need to connect via a client on your device?
Anyway, I have fiddled a little bit with Docker to try to reproduce your install environment. The more I get into this Docker thingy, the more I am convinced that Docker itself is your problem.
First I tried this:
docker install
docker start
docker pull python
cd /
mkdir ha
docker run -d --name="home-assistant" -v /ha:/config -v /etc/localtime:/etc/localtime:ro --net=host homeassistant/home-assistant
Which seemed to download more than 300 MB, but in the end it did not start home-assistant, and didn't even create anything in my /ha directory. So I gave up on this.
Which resulted in openssl not found, so I tried to apt-get install openssl, but it could not locate a package named openssl. So I gave up on this as well.
So now I am stuck at the very first part: Installing HA!
I can't really see what advantage Docker gives you over running VirtualBox and a virtual machine. But I have found a bunch of things that are hard to solve, because Docker seems to be using Tiny Linux, which is a very stripped-down Linux flavor not supporting the usual Debian or CentOS commands or packages.
Maybe if you gave me a couple of hints about reproducing your environment, I could help a little more.
Indeed, the WifeAcceptanceFactor! I really do very much appreciate the time you're taking to help.
After failing multiple times to install HA natively on my “Synology”, I opted to go down the Docker route like it seems many in my situation have.
My installation looks like this.
Docker installed via Package Center
HA installed via the registry image homeassistant/home-assistant:latest
Note: The image in the registry only seems to pull an older version for me, so I do the pull of new releases via terminal using $ docker pull homeassistant/home-assistant
The HA Docker container called home-assistant is set up to run on port 8123, and I add the following to the volumes in advanced settings.
File/Folder - docker/home-assistant/.ssh + Mount path /root/.ssh
File/Folder - docker/home-assistant/scripts + Mount path /scripts
File/Folder - docker/home-assistant/config + Mount path /config
This container is then started, and my configs are within /volume1/docker/home-assistant.
I have tried placing the SSL cert and key within a directory inside this folder, and even adding it as a volume, but still to no avail.
Inside my config folder I have my YAML config files split into multiple files, with http/ssl residing in the main configuration.yaml along with some smaller entries. I also have some custom component entries in a custom_component folder.
This Docker container is running alongside one other container, “Home-Bridge”.
Running in Docker isn't really offering any advantages except maybe the ease of access to config files and easy start/stop/failed notifications from the GUI.
A downside to running in Docker, aside from this, is that it is a fairly long process to perform updates of HA.
I am also using Docker on Synology.
In my case, it was a nightmare to use the Synology Docker GUI.
So I found it easier to SSH into the NAS and run from the CLI. Also, to the best of my knowledge, running via the CLI is the ONLY way to get the Z-Wave stick to work.
What you can do after launching the container is to open a terminal session on it (go to Docker, Container, click on the HA container, click on Details, click on Terminal, click on Create). Select the bash you just created and navigate (from inside the container) to the folder where the SSL files should be and check if they are really inside.
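The check described in the post above, scripted, as an added example that is not part of the thread or of Home Assistant. With a bind mount, configuration.yaml is read by the process inside the container, so the path it needs is the container side of the volume mapping: with the mappings listed earlier, a key copied to /volume1/docker/home-assistant/config/ssl/server.key on the NAS is /config/ssl/server.key to HA, and a file placed anywhere that is not under a mounted folder does not exist for HA at all, whatever its permissions on the NAS. The script translates a host path through the mappings, then runs the same regular-readable-file test inside the container with docker exec. The container name home-assistant and the three mappings are assumptions taken from the post; the docker CLI is only needed for the in-container check, the translation itself is pure shell.

```shell
#!/bin/sh
# Added example, not from the thread: work out which path Home Assistant inside
# the container must be given for a file that lives on the Synology, and verify
# from both sides that the file is there and readable.
# Assumptions (placeholders): the container is named home-assistant, the volume
# mappings are the three listed in the post, and the docker CLI is on the PATH
# for the in-container check.
set -eu

# to_container_path HOSTPATH MAPPING...  where MAPPING is /host/dir:/container/dir
# Picks the longest host prefix that matches, so nested mounts resolve correctly.
# Prints the container-side path, or returns 1 when no mount covers the file.
to_container_path() {
  host=$1; shift
  best_host=""; best_cont=""
  for m in "$@"; do
    hp=${m%%:*}; cp=${m#*:}
    hp=${hp%/}
    case "$host" in
      "$hp"|"$hp"/*)
        if [ "${#hp}" -gt "${#best_host}" ]; then
          best_host=$hp; best_cont=$cp
        fi ;;
    esac
  done
  [ -n "$best_host" ] || return 1
  printf '%s\n' "${best_cont%/}${host#"$best_host"}"
}

# check_in_container NAME PATH: the same "regular, readable file" test that HA's
# config check makes, run inside the container's view of the filesystem.
check_in_container() {
  docker exec "$1" sh -c 'test -f "$1" && test -r "$1"' sh "$2"
}

# container_user NAME: the user processes in the container run as, i.e. the one
# whose read permission matters (not your SSH login on the NAS).
container_user() {
  docker exec "$1" id -un
}

# main NAME HOSTFILE MAPPING...: translate, then verify from both sides.
main() {
  name=$1; hostfile=$2; shift 2
  ls -l "$hostfile"
  if cpath=$(to_container_path "$hostfile" "$@"); then
    echo "inside $name this file is: $cpath"
    if check_in_container "$name" "$cpath"; then
      echo "readable inside the container as $(container_user "$name")"
      printf 'use in configuration.yaml:\n  ssl_certificate: %s\n' "$cpath"
    else
      echo "NOT visible/readable inside the container; check the mount and permissions" >&2
      return 1
    fi
  else
    echo "$hostfile is not under any mounted volume, so HA cannot see it at all" >&2
    return 1
  fi
}

# Run as:
#   sh ha_path_check.sh check home-assistant \
#     /volume1/docker/home-assistant/config/ssl/server.crt \
#     /volume1/docker/home-assistant/.ssh:/root/.ssh \
#     /volume1/docker/home-assistant/scripts:/scripts \
#     /volume1/docker/home-assistant/config:/config
if [ "${1:-}" = check ]; then
  shift
  main "$@"
fi
```

Run it once for the certificate and once for the key; if the second stage fails while ls -l on the NAS looks fine, the file is outside the mounted folder or the container's user cannot read it, which is the same "not a file for dictionary value" HA reports.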