SSL cert with ASUS router

Hi all,
I use an ASUS router which has its own ddns client and encryption certs from LetsEncrypt.

I would like to open up Home Assistant to the outside world and was looking over the various steps.

Since the router is just going to port forward 443 to the HA server, do I copy the router cert to HA, or does the HA server need its own certificate?

Thanks.

Old thread, but with duckdns going down a couple times last week, I was curious about this as well. I did try just copying the cert files but unfortunately it did not work. Anyone ever use the certs from asuscomm in HA? Or a better question might be, how can I create a cert for HA that is not a duckdns.org URL?

I run Asuswrt-Merlin on an RT-AC88u and use a custom ddns script for cloudflare, but run a separate docker container for letsencrypt on my server, and use an Nginx reverse proxy for HA.


Replying to my own comment for others in the future. So my ASUS router has the ability to get certs automatically from Let's Encrypt. It allows you to export those files:
key.pem
cert.pem

I just copied them into my Home Assistant home directory and changed the appropriate entries in the
http:
section of my config.yaml to point to those files, and it's all working as expected now.


Just curious, does the cert from the router allow for subdomains/wildcards? Or does everything have to be a subdirectory?

It's very easy, NO DuckDNS install needed.

Copy the ASUS cert files into the Home Assistant SSL folder.

Only install the NGINX add-on.

Configure NGINX:

domain: yourinfo.asuscomm.com
certfile: cert.pem
keyfile: key.pem
hsts: max-age=31536000; includeSubDomains
cloudflare: false
customize:
  active: false
  default: nginx_proxy_default*.conf
  servers: nginx_proxy/*.conf

NETWORK: 443 and 80

Start the add-on, and it works in 1 minute.

Remember to change the URL in the mobile app to https://yourname.asuscomm.com
and open the ports in your router.

Enjoy!

Source: Configuration for HA https access (Asus AC68U built in DDNS service)


I just did this the other day and could not be happier.

Basically nginx running natively on my router. I have my own domain on Google Domains. I'm using Cloudflare for DNS. Cloudflare has an API that works with certbot.

Required a little bit of understanding of nginx and DNS.

wahOO!

Thank you for sharing!

Just to follow up. I'll try to write a more definitive guide on this later. It would mostly plagiarize from the article I posted, but here are the basic things I did.

  1. Bought my own domain. I used Google Domains. $12 a year. No hosting, which is fine.
  2. I pointed my Google domain to Cloudflare. The main reason is that Google Domains does not have an API for the DNS challenge required to get a cert. Cloudflare does. In the instructions above, the writer uses his provider for the DNS challenge; you can skip that.
  3. For the DDNS on ASUS I used a script from here. (There are other similar ones out there.)
    https://github.com/alphabt/asuswrt-merlin-ddns-cloudflare/blob/a288696bdd8b55b7938abbcc15783e0cfb09885c/ddns-start
  4. For nginx this was my config file:
server {
        listen 443 ssl;

        root /config/www;
        index index.html index.htm index.php;

        server_name HASS.YOURDOMAIN.COM;   # or whatever you name it

        # ssl_certificate / ssl_certificate_key must be defined here or in the
        # http {} block of nginx.conf, otherwise "listen 443 ssl" will not start
#       include /config/nginx/ssl.conf;

        client_max_body_size 0;

        location / {
#               auth_basic "Restricted";
#               auth_basic_user_file /config/nginx/.htpasswd;
                proxy_set_header Host $host;
                proxy_redirect http:// https://;
                proxy_http_version 1.1;
                # passes the real client address to HA; HA only honours it from trusted_proxies
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                # Upgrade/Connection headers are needed for the HA websocket
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection "upgrade";
                proxy_buffering               off;
                proxy_ssl_verify              off;
#               include /config/nginx/proxy.conf;
                proxy_pass http://YOURIPHERE:8123;
        }
}

The config file ends up in
/tmp/mnt/entware/entware/etc/nginx/sites-enabled
as homeassistant.conf or whatever you name it.

I will say that these steps are a bit confusing, and I know I did not write everything out in order. It was a couple of days of back and forth, but it's working perfectly now. I have a few sites behind NGINX.

Oh, I forgot: you need a CNAME in Cloudflare for your HA instance. So for example if your domain is
stuff.com you need a CNAME for HASS; then hass.stuff.com will be your instance.

Here is what the ASUS DDNS setting would look like too.

OK, hope this stream of consciousness helps at least a little bit.
Having my own domain, not needing DuckDNS, and being able to have internal and external URLs for HA have been nice. The fact it runs fully on my ASUS router is also pretty cool.

Thanks for sharing. Currently, I’m using DuckDNS and forwarding port 8123 to 8123 and I’m accessing my HA through https://duckdns.com:8123.

I have a few questions:

  1. How do you download the certificate files from Asus router?
  2. Do I have to forward port 443 and 80 in router?
  3. Will the certificate files expire?

Thanks in advance.

I don't know if this thread is still alive, but I have the same question!
What is the easiest way to retrieve certificates once they have expired?

Thanks

Many topics on the forum about built-in DDNS. And no one can answer…

Hi Clydde,

I am in exactly the same boat you were some months ago. But now the NGINX add-on doesn't allow tweaking the config file as before.
I guess that I should enter your parameters in the "Custom Nginx Configuration" box, but I can't figure out how to do it without raising errors.

As you did then, I want to use my own CERTs (downloaded from the UI of the ASUS router) instead of requesting new ones, but I can't achieve that through the UI of the add-on. Can you help me?

A lot of time passed, but as I just went through the setup, let me bring this up and give the solution that worked for me, with some symptoms.

  1. router.asus.com (or your router IP address) → WAN → DDNS → Server Certificate - Export. It'll download a *.tar file with key.pem and cert.pem. You need to put them in the /ssl folder in Home Assistant. Important: in the File Editor add-on configuration, disable the Enforce Basepath option to be able to access this folder. Upload both pem files there.
  2. You can forward 443 only. I did both during the setup, but once I confirmed everything works, I removed the port 80 forwarding and it didn't break anything.
  3. Yes, they expire every 90 days, so you have to update them manually.

One more thing: after you install the Nginx add-on, restart the Home Assistant. For some reason, I wasn’t able to use the Nginx add-on configuration page until I did that.

Also, don’t forget to add this to your configuration.yaml:

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 172.30.33.0/24

Important: do not change the IP address. This is really odd, but even though my whole home network is in the 192.168.x.x range, the Nginx server chose to use the 172.30.33.x address.

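The nginx `proxy_set_header X-Forwarded-For` line earlier in the thread and the `trusted_proxies` block above are two halves of one mechanism: HA should only believe a forwarded client address when the peer that sent it is a proxy it trusts, which is why the 172.30.33.0/24 range (the add-on's network) is the one to list. The following is an added illustration, not code from the thread or from Home Assistant; it models the standard check (walk the chain from the right, skip trusted hops, reject the header from untrusted peers) and returns None where a server would answer 400. The request values are constructed.

```python
# Added example (not code from the thread or from Home Assistant itself).
# It models how a service behind a reverse proxy should consume
# X-Forwarded-For: only peers listed in trusted_proxies may set it.
# The nginx add-on in the thread reaches HA from 172.30.33.x, so that is
# the range to trust, not the LAN's 192.168.x.x.
import ipaddress
from typing import Optional

# Same values as the configuration.yaml snippet in the thread.
HTTP_CONFIG = {
    "use_x_forwarded_for": True,
    "trusted_proxies": ["172.30.33.0/24"],
}


def effective_client_ip(peer_ip: str, headers: dict, config: dict = HTTP_CONFIG) -> Optional[str]:
    """Return the address to treat as the real client, or None to reject (HTTP 400).

    peer_ip: the TCP peer (the proxy, or the client itself on a direct hit).
    headers: request headers, e.g. {"X-Forwarded-For": "203.0.113.7, 172.30.33.9"}.
    """
    peer = ipaddress.ip_address(peer_ip)
    xff = headers.get("X-Forwarded-For")
    if not config.get("use_x_forwarded_for") or xff is None:
        return str(peer)  # nothing forwarded: the peer is the client
    trusted = [ipaddress.ip_network(n) for n in config["trusted_proxies"]]
    if not any(peer in net for net in trusted):
        # An untrusted peer sending the header is trying to choose its own
        # client address (e.g. to dodge IP bans or rate limits): reject.
        return None
    try:
        chain = [ipaddress.ip_address(a.strip()) for a in xff.split(",")]
    except ValueError:
        return None  # malformed header: reject rather than guess
    # Walk from the right, skipping hops we trust; the first untrusted hop
    # is the client as seen by the outermost proxy we control.
    for hop in reversed(chain):
        if not any(hop in net for net in trusted):
            return str(hop)
    return str(chain[0])  # every hop is our own proxy: use the leftmost


if __name__ == "__main__":
    # Constructed requests: one via the add-on, one spoofed from the LAN.
    print(effective_client_ip("172.30.33.5", {"X-Forwarded-For": "203.0.113.7"}))
    print(effective_client_ip("192.168.1.50", {"X-Forwarded-For": "203.0.113.7"}))
```

If you ever widen `trusted_proxies` to the whole LAN, any host on it can forge the client address HA logs and bans on, so keep it to the add-on's network.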