Once and for all I want to set up my HA instance correctly and get rid of issues related to SSL. I have done lots of research but there are so many obsolete, incomplete or conflicting guides I am having trouble making sense of it all.
My setup:
No ports exposed to outside world on my UDMP router
Nabu Casa subscriber
I own a domain I can use (a subdomain already points back to my IP)
HA runs in a Proxmox VM on an i7 TinyPC
What I have already configured / tried / botched:
I have a DuckDNS domain pointing back to my IP updated by the DuckDNS HA add-on. The Let’s Encrypt portion is also configured. I may have multiple certificates as I went through several iterations of SSL config and it is unclear to me where the master one should be and how to configure everything to use those files.
NGINX Proxy Manager installed but it is not configured to do anything right now. On a side note, if I click on open web UI it takes me to the NC URL on port 81 which fails to open as I do not have port forwards on my router. The only way I can access it is using http://ip:81 but don’t know how to make that “Open Web UI” point to the right place (or simply work without exposing my systems to the internet).
I can access HA via https://homeassistant.local:8123/ but the https is crossed out as the SSL certificate doesn’t work on the internal URL… but that is normal. In many cases this URL does not work and I have to key in the IP instead. Honestly, I really DO NOT care to access HA using SSL on my internal network. I prefer to simply NOT have it to simplify access. If someone is on my network trying to break into stuff, HA is the last of my worries.
I did configure SSL in configuration.yaml and would love to just get rid of it as long as I can do it without breaking other things. I tried and set it back up as I ran into issues and did not have the time to try to fix them. Some add-ons seem to want to talk to HA via SSL… all mine run in the same VM as HA so I really don’t care or want SSL. I run into weird stuff like not being able to see “Smart Start” (Provisioning Entities) in Z-Wave JS UI when accessing via Nabu Casa URL but I can when using the local one… why??
On my mobile (Android) I can only access HA via the Nabu Casa URL. If I try to configure my internal SSIDs and give it the local IP to access HA directly it doesn’t work anymore.
Goal:
Outside of home network - access HA via SSL
Inside of home network - access HA without SSL (http)
Add-ons - All without SSL to simplify comms with HA. They are all in the same VM. I use HA OS, and the add-ons are added via HA so no special setup.
Mobile app - access HA via SSL on anything other than internal wifi
I do not want to set things up in such a way that if say NGINX stops working I lose access to everything. I prefer the certainty of access to the SSL “security” layer for stuff that only operates on my internal network.
Hopefully this thread can become a resource for all those confused on the appropriate way to configure HA without getting to tin foil hat extremes.
If you want to use a proxy for SSL, NGINX Proxy Manager will do what you want.
You don’t want to configure SSL directly in HA.
Because HA has an SSL certificate, and you’re not using the hostname in the cert to connect (“but the https is crossed out as the SSL certificate doesn’t work on the internal URL”).
@Tinkerer I believe I broke my system by removing SSL from configuration.yaml - any suggestions on the proper process to get rid of it without losing access to stuff or breaking integrations etc.?
@Tinkerer Ok, removed from configuration.yaml and before rebooting I ran the command which after a bit said all ok. I found that the internal links that included https no longer worked unless I removed the s.
I now get 401: Unauthorized if I try to access Z-Wave JS UI when on http. When using the Nabu Casa link I can access it but I can no longer see the entries in the Smart Start tab.
Same thing goes for InfluxDB, Node-RED and likely many more… I can only access them via the Nabu Casa link. How do I restore access to all the add-ons (I did not test them all yet) when on my internal network?
I don’t know… I don’t recall doing anything special. I see the cert file names but auth / ssl is off, yet I still get the 401 error. Strangely everything works on my mobile - and I have already told the app what the local SSID is and configured the local URL.
There’s a bunch of conflicting information in your post but if all you want is https access outside your network and http inside then remove DuckDNS and NGINX and just use your Nabu Casa subscription.
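To make the “remove SSL from configuration.yaml” step concrete, here is an added example (not from this thread or from any poster) of the `http:` section before and after. The option names `ssl_certificate` and `ssl_key` are Home Assistant’s documented `http` options; the `/ssl/fullchain.pem` and `/ssl/privkey.pem` paths are the file names the DuckDNS add-on typically writes and are assumed here, not taken from the thread.

```yaml
# BEFORE: Home Assistant terminates TLS itself. Every client, including
# add-on web UIs and the mobile app on the LAN, must then use https, and the
# certificate only matches the DuckDNS hostname, never an IP or a .local name.
http:
  ssl_certificate: /ssl/fullchain.pem   # assumed path (DuckDNS add-on default)
  ssl_key: /ssl/privkey.pem             # assumed path (DuckDNS add-on default)

# AFTER: plain http on the LAN. Remote access goes through Nabu Casa, which
# provides its own TLS, so no certificate is referenced here at all.
http:
```

After the change, run the configuration check before restarting, and switch the internal URL under Settings > System > Network from https:// to http://, otherwise the internal links keep pointing at the old scheme. Browsers that still hold session cookies set under the https origin may return 401 on the add-on ingress pages until those cookies are cleared.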
@tom_l That is the issue… while I understand the basics of SSL for stuff traversing the Internet, I don’t get how to configure all the local stuff to be able to talk without SSL. As mentioned above, now that I pulled the SSL config from configuration.yaml I can no longer access the add-ons unless I use the NC link. How do I fully eliminate the SSL requirement for everything internal? Should I delete the cert file names from the configs even though the SSL toggle is already off?
This is what I get when trying to access Node-RED and other add-ons on my PC:
Edit: I turned off the DuckDNS and NGINX add-ons without removing them or any SSL files that may be somewhere. I still can’t access any of the add-ons when on my local network IP.
@tom_l I tested another browser and I don’t get the 401. I tested Chrome in Incognito and I no longer get the 401… I tried Chrome in normal mode and I do… something must be cached. I am dreading clearing the cache due to a lot of work-in-progress tabs but I am guessing that will resolve the issue.
EDIT: I followed your instructions on the other thread. I also nuked the contents of the ssl folder, which still had over 4k files (certs and NGINX stuff) from HA.
But only after clearing cookies did it restore access to the add-ons without giving me the 401 Not Authorized error.
Hopefully I did not break anything else in the process…
Thanks for this thread and for pointing to @tom_l’s solution. I was stuck in the halfway-between situation also and didn’t want to break anything. Now local access is back to simple http & the .local address, and Nabu Casa is giving me remote access on mobile. Nothing broke (so far).