SSL Not Secure

From the screenshot I can see that the certificate is reported as “valid”.

Is this page loading resources over a non-secure connection (http links)?

Good point I glanced over that :stuck_out_tongue:

Not that I know. Now the odd part is I closed the browser and opened it again, and now it shows all is good with Chrome.

Highly recommend using a reverse proxy to secure outside connections into your Home Assistant rather than doing SSL on the HA side.


I was thinking of that and have been trying a form of this, if for no other reason than Alexa Lambda functions. Here’s my problem.

  1. I have Windows Essentials Server allowing me to remotely connect to computers at home. That runs on 80 and 443. Changing 443 is impossible or almost impossible.

  2. I need to expose HA on 443 for the Alexa integration because that’s all that Amazon supports. Right now having HA on 8123 it fails but going to 443 it works.

I kind of want Essentials to be primary because it’s remoting in and the like, and who knows what changing it would break. So I tried using ARR and URL Rewrite rules to make this work, and it kind of did, but after logging in it would fail. Plus there are issues with SSL getting the browser to receive the right cert, as I have one public cert for Essentials and another for HA.

Hi all - I am noticing the same thing after setting up duckdns & letsencrypt. When I visit my homeassistant from a browser, it complains that it is not secure.

I see an error that reads:

This server could not prove that it is 192.168.1.202; its security certificate is from XXXXXX.duckdns.org. This may be caused by a misconfiguration or an attacker intercepting your connection.

I clicked on ‘certificate’ but I cannot find what may be the culprit.

I see the following in chrome:


Do you open homeassistant via the IP or via the duckdns domain?
If you call homeassistant over the IP the message of your browser is correct, because the certificate was issued for the call over duckdns.
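The mismatch described in the reply above, as an added example that is not part of the original thread: a browser compares the address in the URL bar with the names in the certificate's subjectAltName, and an IP literal never matches a DNS name. The sketch works on the dict shape returned by Python's `ssl.SSLSocket.getpeercert()`; the hostname `example-home.duckdns.org` and the sample certificate are constructed, and `check_target` is a hypothetical helper name.

```python
import ipaddress

def _dns_match(pattern: str, host: str) -> bool:
    """Match a DNS SAN against a hostname; '*' may only be the whole left-most label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # Wildcard covers exactly one label and needs at least two fixed labels after it.
        return len(p_labels) > 2 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels

def check_target(target: str, cert: dict) -> tuple[bool, str]:
    """Return (ok, reason) for the address that was typed into the browser."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal is only compared with "IP Address" SANs, never with DNS SANs.
        for kind, value in sans:
            if kind == "IP Address" and ipaddress.ip_address(value) == ip:
                return True, f"matches IP SAN {value}"
        return False, f"{target} is an IP and the certificate has no matching IP SAN"
    for kind, value in sans:
        if kind == "DNS" and _dns_match(value, target):
            return True, f"matches DNS SAN {value}"
    names = ", ".join(v for k, v in sans if k == "DNS") or "(none)"
    return False, f"{target} is not among the certificate names: {names}"

# Constructed sample: a certificate issued only for the duckdns hostname,
# as in the thread. The hostname is a placeholder, not a value from the page.
SAMPLE_CERT = {"subjectAltName": (("DNS", "example-home.duckdns.org"),)}

if __name__ == "__main__":
    for target in ("192.168.1.202", "example-home.duckdns.org"):
        ok, reason = check_target(target, SAMPLE_CERT)
        print(f"{target:28} {'OK' if ok else 'MISMATCH'}: {reason}")
```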

Is there an option to configure HA in such a way that SSL will be used only when connecting from outside (external domain), but not when connecting locally (local IP)?
I know that I can use Nabu Casa Remote, but I’m searching for an alternative.

Yes, don’t configure SSL in the Home Assistant configuration and use a reverse proxy for the outside connections.

@Flop2006 - correct, I was using the IP address on a local connection. If I connect via the duckdns address, I do not see this error. Is there any issue with connecting through duckdns.org instead of locally? It just seemed a roundabout way to get to my local box. Thanks!

Any materials for a newbie? :slight_smile:
Do I need some extra equipment for that? Right now I have dyndns set up on my router. HA is running on a Pi3.

EDIT: Found this: https://www.home-assistant.io/docs/ecosystem/nginx_subdomain/, but that is all very new to me.

You can install nginx on your Pi3 unless you’re using HassIO; that’s a different beast, and usually there’s an addon for that setup.

I’m using Hass.io (as I wrote I’m a newbie) but I found this: Home Assistant Community Add-on: Nginx Proxy Manager so it shouldn’t be that hard I guess :slight_smile:

That would be the addon you’d want. Enjoy!

Hmm… I seem to be able to connect externally to my home assistant now that SSL is installed with duckdns, but I have trouble connecting to my home assistant when in my local network… Any thoughts would be helpful. Thanks!

Does your router support NAT loopback/hairpin DNS?

Hi @DavidFW1960 I’m guessing not(?) I’m stuck with an ATT arris router. I do have pihole running on another pi … maybe I could use that to resolve correctly?

I don’t use Pihole…

I am now able to access my home assistant externally with a duckdns domain… but it only connects with http (not https). I have port forwarding set up on my router also.

I installed ‘Let’s Encrypt’ and it seems to be working based on the logs… not sure why I can’t connect with https… Any thoughts?

[22:05:44] INFO: Selected http verification
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /data/letsencrypt/renewal/****.duckdns.org.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The following certs are not due for renewal yet:
  /data/letsencrypt/live/****.duckdns.org/fullchain.pem expires on 2020-06-07 (skipped)
No renewals were attempted.
- - - - - - - - - 

You did set this in your configuration.yaml:

http:
  base_url: https://xxx.duckdns.org
  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem
  ip_ban_enabled: true
  login_attempts_threshold: 3

And

/data/letsencrypt/live/****.duckdns.org/fullchain.pem

does not seem the correct place to put the SSL certificates