SSL on local home network

Hi, I’ve searched the forums and do not get answers that work for me. I have set up Cloudflared tunnel for access to my homeassistant from a remote location. This connection is secure as can be seen here.

When I access home assistant from within my home on the local network at homeassistant:8123 or localIP:8123 the connection is not secure as seen here. To work on homeassistant there are some add-ons warning you that the full use is limited due to the insecure connection.

Question is, how do I secure this local connection?

I am also using Cloudflared and in the cases that I get warnings about insecure connections (ESPHome does I believe, I assume this is what you’re referring to as well) then I simply access Home Assistant via my external Cloudflared URL.

Yes it means you leave the LAN and come back in but functionally it should be the same and it satisfies the secure requirement. This seems the easiest way to do this rather than messing around with Let’s Encrypt when you already have SSL for external access, IMO it’s not worth the risk of breaking Cloudflared.

By doing that, if your internet goes down, anything that is using the cloudflared URL ceases to function.

That does not sound AT ALL to be “functionally the same” to me.

I have ssl on local network. This solution might not be for everyone and has some drawbacks to it.
I bought a domain because, as I know, you can have up to 4 subdomains when using free domain.
I created nginx proxy host for a domain, that is ha, and every subdomain that I want to have ssl cert on it. My subdomains are containers for i.e. adguard. I got my ssl certs for domain and all subdomains I created.
Domain and subdomains are not accessible over net. I use adguard dns rewrite to redirect all traffic going to my domain or my subdomain back to my ha ip. On router I used custom dns to set up my ha ip as dns 1 and dns2 resolver.
Domain and all subdomains are using ssl cert and they are automatically renewed.
The thing I didn’t solve is how to access my container from outside my network if I need to, i.e. using nabu casa.

Thanks but I’m in Africa, internet comes and goes. I’d prefer local SSL also.

This sounds too complicated for my simple brain… :slight_smile:

I agree with this, I would prefer local SSL also.

Perhaps my post wasn’t as clear as I had anticipated, but I only use the external URL WHEN required by ESP Home. Under normal circumstances I use the LAN URL which is unsecured. So yes for the most part, unless I happen to need to flash a device with ESP Home right as my internet is down, it is functionally the same.

This is just my suggestion based on the way I use my HA. It doesn’t seem worth the complication to secure LAN connections.

See my post above, I mean only use the external URL when required. In my case, it was ESP Home flashing, which lasts all of 5 minutes. Any other time, use your LAN URL.

Ermm, no…

Home Assistant lacks the ability to respond to both HTTP and HTTPS at the same time - so either Home Assistant is secure, or it is not - OR you are using something else in the middle. EDIT: I see you are using nginx. That’s not the ask here.

Regardless, what you have just described is completely irrelevant for this discussion, since the topic is “SSL on local home network”, and that’s not what you are doing at all.

Also, I’m pretty sure you have zero “subdomains”.

1 Like

What are you on about? I can either access Home Assistant from homeassistant.domain.com or 172.20.0.60 on my LAN. No idea where you interpreted that I’m trying to use HTTP and HTTPS simultaneously.

OP says their add-ons are warning about an insecure connection. The only add-on I know that does this is ESP home. In the case of ESP Home, you can access HA via the Cloudflare tunnel to secure the connection and prevent ESP Home from warning you. ANY OTHER TIME you can use the insecure HTTP connection when you’re accessing HA from the LAN.

Yes the topic is “SSL on Home Network” but for the purpose of bypassing addon warnings, using your external URL via Cloudflare is perfectly fine if you only need to do it for short periods.

Your comment about subdomains isn’t relevant to me, you’re referring to another poster. I have my own domain with Cloudflare that DOES host multiple subdomains. I think you’re getting us mixed up, as I also don’t use nginx.

He is probably referring to me but he was so angry that he replied to you. :rofl:
Don’t take it personally. People have opinions and so what.

1 Like

The improper use of technical terms is not an opinion.

You said you were! LOL

Cloudflare? I give up. Reading comprehension is not something I can teach.

Not once did I say I was trying to access them “at the same time”. You are familiar with how LAN and WAN routing works yes? Loading an addon page over a Cloudflare tunnel satisfies the secure requirement, removing the warning. The OP already uses a Cloudflare tunnel for secure access over the internet which would be a perfectly acceptable workaround for the purpose of bypassing addon warnings without making things more complex by trying to use local SSL and the Cloudflared addon at the same time.

I believe it is your reading comprehension that needs improving, given that you thought me and Daniel were the same commenter. I doubt you’ve actually read this thread thoroughly.

Perhaps you could provide an alternate solution to OP’s issue? Why not put those systems consultant skills to use?

I agree with you, if you are a professional working on a paid project.
Not here, because most of the people here are not IT professionals, nor are they working in the IT industry.

This is a common issue. The certificate matches the domain name when you are accessing your HA via Internet. When accessing it from your local network the certificate is not valid as the DNS name is not the same. To avoid this make sure that the domain name for your HA is the same in both cases (access from your local network and internet). How to do that? On your router set a static entry on your DNS that points the domain name to the local IP, i.e.

yourhomeassistant.com points to 192.168.x.x

If you need more help let me know.

Nick.

1 Like
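The name-matching problem described in the post above, as an added example that is not part of the original thread: it classifies each way of reaching Home Assistant by whether the typed name is in the certificate and whether the resolved address is on the LAN. The hostname `ha.example.com`, the addresses and the certificate name list are constructed placeholders, and it assumes something at the LAN address actually serves that certificate.

```python
import ipaddress

# RFC 1918 ranges, listed explicitly so documentation ranges count as "not LAN".
LAN_NETS = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def on_lan(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAN_NETS)

def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def san_matches(host: str, san: str) -> bool:
    """Exact match, or a wildcard standing in for exactly one leftmost label."""
    host, san = host.lower().rstrip("."), san.lower().rstrip(".")
    if not san.startswith("*."):
        return host == san
    head, _, rest = host.partition(".")
    return bool(head) and rest == san[2:]

def diagnose(host: str, resolved_ip: str, dns_sans: list[str]) -> str:
    """host: name typed in the browser; resolved_ip: what this client resolved
    it to; dns_sans: DNS names listed in the certificate being served."""
    if is_ip_literal(host):
        return "mismatch: IP literal, certificate only lists DNS names"
    if not any(san_matches(host, s) for s in dns_sans):
        return "mismatch: name not in certificate"
    if on_lan(resolved_ip):
        return "ok: name matches and traffic stays on the LAN"
    return "ok: name matches but traffic leaves the LAN"

# Constructed sample data (placeholders, not values from the thread).
CERT_SANS = ["ha.example.com"]
CASES = [
    ("homeassistant", "192.168.1.10"),   # short LAN name
    ("192.168.1.10", "192.168.1.10"),    # raw LAN IP
    ("ha.example.com", "203.0.113.7"),   # public DNS answer
    ("ha.example.com", "192.168.1.10"),  # after the router's static DNS entry
]

if __name__ == "__main__":
    for host, ip in CASES:
        print(f"{host:16} -> {ip:14} {diagnose(host, ip, CERT_SANS)}")
```

Only the last case is both trusted by the browser and independent of the internet link, which is the outage concern raised earlier in the thread.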

As I said here there is a way to do it. Probably this is not the best or right way but I was able to do it.

And yes I have a domain that I bought and created subdomains for it.
This setup is working over cloudflare tunnel but I don’t use it as I’m not sure that I did everything by the book.
I got certs in nginx for everything, just domain and subdomains are resolved back to my ha ip using adguard and certs are renewed automatically on expiration.
And that is it.
And yes ha is also accessible over http.
Domain and subdomains are not accessible over the net as there is no ip to which they can resolve to.

The way OP has their instance configured is via a Cloudflare tunnel with the Cloudflared addon. SSL is only applied if you’re proxied through their service, hence they are secured over the Internet but not on the LAN. To be clear, the HA server is not providing SSL per se, but traffic that goes through Cloudflare’s proxy IS encrypted.

Despite the disagreement between exx and I about workarounds, I think what OP actually wants is the step prior to your solution, where they can configure SSL for LAN clients. I don’t know how to do this, hence suggesting a workaround, but I also doubt there are any solutions for SSL on LAN that are as simple as installing the Cloudflared Addon.

Thanks for all the replies, and banter… :sweat_smile:
Solution found.