In the root of the domain (/home/domain/) there are 5 files related to SSL:
ssl.ca
ssl.cert
ssl.key
ssl.combined
ssl.everything
None of these files are available to the Home Assistant VM at 192.168.2.100.
In the past, I have simply created a cron job that copies ssl.cert and ssl.key to the Home Assistant ssl folder which was located at /usr/share/hassio/ssl, then ran a rename script to change them to fullchain.pem and privkey.pem.
Now that I’m using a supported version of Home Assistant Core, it doesn’t appear that I’m able to access this location like I could when I had control over the host.
Since ports 80 and 443 are already handled by the other host running Apache, how would I go about securing my installation of Home Assistant without having to temporarily redirect port 80/443 to the HA host?
Can't you use Apache as the reverse proxy? If so, HA does not need SSL cert access. SSL access is only needed by Apache, and you may use HTTP to the backend server. But a lot of this depends on what “out network” means.
I don’t quite understand reverse proxy, although I have made it work before, but never without using a subdomain and never without still needing to tack the port number onto the end of the URL, i.e. https://subdomain.domain.com:8123, which seems counterintuitive.
Also, in that case, I’ve never been able to operate HA in an SSL environment without having the SSL keys duplicated to the actual HA SSL folder.
My basic understanding is that if I have Apache handling the SSL, then I don’t need to run SSL on Home Assistant at all…but I’m just guessing, and I don’t really know how it works at this point.
The proxy is configured correctly as far as I can see. But, when I look at the Core log in HA by accessing it via http instead of https (yes that works) I see a login attempt that’s failing using the main domain as the proxy address instead of the internal IP address of the HA host.
Have you checked the Nginx Proxy Manager addon? I would move it to the front and have it proxy to HA and your Apache. The proxy needs WebSocket enabled for HA to work.
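
The Apache-as-reverse-proxy arrangement discussed in this thread, as an added example that is not from any of the posters: TLS terminates on the Apache host, so the private key never has to be copied to the HA VM, and WebSocket traffic is forwarded as well. The module list, the contents of ssl.ca, and the Apache host's LAN address (shown as a placeholder) are assumptions; the hostname, file paths, IP and port are the ones quoted above.

```apache
# Added example, not the posters' configuration.
# Assumes mod_ssl, mod_proxy, mod_proxy_http, mod_proxy_wstunnel,
# mod_rewrite and mod_headers are enabled on the Apache host.
<VirtualHost *:443>
    ServerName subdomain.domain.com

    # TLS ends here; ssl.key stays on this host and is never copied to HA.
    SSLEngine on
    SSLCertificateFile      /home/domain/ssl.cert
    SSLCertificateKeyFile   /home/domain/ssl.key
    # Assumption: ssl.ca holds the issuing CA chain.
    SSLCertificateChainFile /home/domain/ssl.ca

    # Act only as a reverse proxy, never as an open forward proxy.
    ProxyRequests Off
    # Pass the public Host header through to Home Assistant.
    ProxyPreserveHost On
    # Tell the backend the client connection was HTTPS.
    RequestHeader set X-Forwarded-Proto "https"

    # WebSocket upgrade requests go to the backend over ws://.
    RewriteEngine On
    RewriteCond %{HTTP:Upgrade} websocket [NC]
    RewriteRule ^/(.*)$ ws://192.168.2.100:8123/$1 [P,L]

    # Everything else goes over plain HTTP on the LAN.
    # No port number is needed in the public URL.
    ProxyPass        / http://192.168.2.100:8123/
    ProxyPassReverse / http://192.168.2.100:8123/
</VirtualHost>

# Home Assistant side (configuration.yaml), shown as comments because it is YAML.
# Without it HA rejects requests that carry X-Forwarded-For from an untrusted
# proxy. Leave ssl_certificate and ssl_key unset so HA keeps serving plain HTTP.
#
# http:
#   use_x_forwarded_for: true
#   trusted_proxies:
#     - <apache-host-LAN-IP>   # placeholder: the Apache host's internal address
```

List only the proxy's own address under trusted_proxies; trusting a whole subnet lets any host in it spoof client IPs through X-Forwarded-For.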