Use IP as internal when using https?

Not sure if this is a bug or intentional.
I’m having a problem with TTS ever since I went to https, and found many other people had the same issue.
I have a cert that covers my IP address and hostname but I can’t add the IP in the internal address with https enabled. (settings/system/network)
Is that intentional? What would be the reason for not allowing IP there?
(Screenshots: "internal ip", "secure ip")


Yes. What that dialog is now saying is: "Look, when you ping my https endpoint I don’t care what IP address you’re trying to hit, I’m only going to ANSWER for https://foo.com (the URL in your certificate), and I’m gonna say anything else is an invalid SSL request, because that’s how SSL works." It’s not set up to differentiate between normal http internal and SSL external.

You would then usually use ‘stupid DNS tricks’ (read: split DNS or something similar) on the internal DNS resolver to ensure that when you resolve https://foo.com it uses the internal IP address instead of the external one.

You could also just use the external IP address everywhere and ensure your perimeter router supports hairpinning (most do).
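The two checks the reply above implies, as an added example that is not part of the thread or of Home Assistant itself: does the URL you put in the internal/external URL field actually fall under the certificate's subjectAltName (an IP literal in the URL is only covered by an IP SAN, never by a DNS SAN), and does the LAN resolver hand back an internal address for the hostname, i.e. is split DNS in effect or will the request leave the LAN and need hairpin NAT? The hostname `ha.example.home`, the addresses and the resolver answers are constructed for illustration; the SAN entries use OpenSSL's `DNS:` / `IP:` notation.

```python
"""Added example (not from the thread): check an HA internal/external URL
against a certificate's SAN list, and check whether the LAN resolver answer
for the hostname is an internal address (i.e. split DNS is in effect)."""
import ipaddress
from urllib.parse import urlsplit

# Ranges that count as "internal" here: RFC 1918 plus IPv6 ULA.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("fc00::/7"),
]


def _dns_match(pattern, host):
    """Match a DNS SAN entry against a hostname. A leading '*' covers exactly
    one leftmost label, as browsers do, so '*.example.home' covers
    'ha.example.home' but not 'example.home' or 'a.b.example.home'."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]  # e.g. ".example.home"
        return (host.endswith(suffix)
                and len(host) > len(suffix)
                and "." not in host[:-len(suffix)])
    return False


def san_matches(san_entries, url):
    """True if one SAN entry (e.g. 'DNS:ha.example.home', 'IP:192.168.1.10',
    or openssl's printed form 'IP Address:192.168.1.10') covers the host part
    of url. An IP literal in the URL is only covered by an IP SAN."""
    host = urlsplit(url).hostname
    if not host:
        return False
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # host is a DNS name, not an IP literal
    for entry in san_entries:
        kind, _, value = entry.partition(":")
        kind, value = kind.strip().upper(), value.strip()
        if ip is not None and kind in ("IP", "IP ADDRESS"):
            try:
                if ipaddress.ip_address(value) == ip:
                    return True
            except ValueError:
                continue  # malformed IP SAN entry; skip it
        elif ip is None and kind == "DNS":
            if _dns_match(value, host):
                return True
    return False


def resolves_internally(answers):
    """True when every address the LAN resolver returned for the hostname is
    internal. `answers` is a constructed list of A/AAAA answers; a public
    answer means split DNS is not in effect, so the client will leave the LAN
    and only get back in if the router hairpins."""
    addrs = [ipaddress.ip_address(a) for a in answers]
    return bool(addrs) and all(
        any(a in net for net in INTERNAL_NETS) for a in addrs)


if __name__ == "__main__":
    # Constructed inputs mirroring the thread: cert covers hostname and LAN IP.
    san = ["DNS:ha.example.home", "IP:192.168.1.10"]
    for url in ("https://ha.example.home:8123", "https://192.168.1.10:8123"):
        print(url, "covered by cert:", san_matches(san, url))
    # Split-DNS check: what the LAN resolver answers for the hostname.
    for answers in (["192.168.1.10"], ["203.0.113.5"]):
        print(answers, "internal:", resolves_internally(answers))
```

If `san_matches` is true for the hostname URL but `resolves_internally` is false for what your LAN resolver returns, the fix is on the resolver (split DNS) or the router (hairpin), not on the certificate.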

Yeah, tried both of those suggestions and no good.
I’m guessing the Home Mini is using either DoH or DoT and getting around my firewall rules but that’s just a guess right now.
Can’t use the external address since I don’t have any ports open and don’t plan to.
No other way to “trick” TTS into using http?

Is the certificate publicly trusted? TTS may not like it otherwise.

Also, regarding the error on the screenshot, make sure that your certificate covers that IP. But if it does, then most likely it’s not a public cert and you may still have problems with TTS.


It’s not. Just a self-signed one for local use.
It does cover my IP; that’s the smaller pic that kinda got bundled with the first one. It shows my browser as secure to that IP address. Should’ve captured a bigger image to show that better, but I just grabbed the address bar.

That link says to use the external URL in the cert; does that still require open ports?

It also says "Ultimately, your option may be to serve files to local devices as http:// rather than https://." How can I use http just for the TTS?

Simply issue the certificate again, but covering the HA hostname. You may have to install the CA of the certificate on the devices where you want to do TTS. But even so, it still may not work.

A couple of options:

  • Ditch https.
  • Get a publicly trusted certificate from Let’s Encrypt.
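The re-issue step from the reply above, as an added example that is not part of the thread or of Home Assistant: a self-signed certificate whose subjectAltName covers both the HA hostname and the LAN IP, plus a check of what the SAN actually contains, since the thread's screenshot error came down to exactly that. The hostname `ha.example.home`, the address `192.168.1.10` and the output paths are assumed; the commands need OpenSSL 1.1.1 or newer (`-addext` on `req`, `-ext` on `x509`).

```shell
#!/bin/sh
# Added example, not from the thread: re-issue a self-signed certificate whose
# subjectAltName covers both the Home Assistant hostname and the LAN IP, then
# verify what the SAN extension really contains. Names and paths are assumed.
set -eu

# make_ha_cert HOSTNAME IP OUTDIR
# Writes OUTDIR/ha.key and OUTDIR/ha.crt (self-signed, valid one year, with the
# hostname as CN and both the hostname and the IP in the SAN).
make_ha_cert() {
    host="$1"; ip="$2"; out="$3"
    mkdir -p "$out"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=$host" \
        -addext "subjectAltName=DNS:$host,IP:$ip" \
        -keyout "$out/ha.key" -out "$out/ha.crt" 2>/dev/null
}

# cert_has_san CERTFILE NEEDLE
# Succeeds if the SAN extension of CERTFILE contains NEEDLE, in openssl's
# printed form: "DNS:ha.example.home" or "IP Address:192.168.1.10".
cert_has_san() {
    openssl x509 -in "$1" -noout -ext subjectAltName | grep -q -- "$2"
}

# Demo with the constructed values; the key/cert land in a temp directory.
demo_dir="$(mktemp -d)"
make_ha_cert ha.example.home 192.168.1.10 "$demo_dir"
openssl x509 -in "$demo_dir/ha.crt" -noout -subject -ext subjectAltName
```

With that cert installed, the internal URL in HA stays `https://ha.example.home:8123` (the hostname, not the IP, which is what the network dialog insists on), the LAN resolver has to answer that name with 192.168.1.10, and `ha.crt` has to be imported as trusted on every device that fetches TTS audio; as the reply above notes, that last step may not be possible on the speaker, in which case the remaining options are the two listed.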