Using a private CA to generate ssl certificates

I am having issues getting my freeipa server signed certs to work on home assistant. When I more or less followed the lets encrypt or Certificate Authority and self-signed certificate for SSL/TLS as much as i can and have had no success.

when i put the key and cert in the ssl dir and tell home assistant about it the core wont load. errors on cant read key. any suggestions would be appricaited. I have added ips to the cert as well .

openssl req -sha256 -addext "subjectAltName = IP.1:10.1.x.x, IP.2:10.1.y.y, DNS.1=homeassistant.local, DNS.2=homeassistant.<domain>.com" -newkey rsa:4096 -nodes -keyout hassiokey.pem -x509 -days 730 -out hassio.csr

that is the censored version of my request genration.

I have also tried more generic

penssl req -newkey rsa:4096 -nodes -keyout hassiokey.pem -x509 -days 730 -out hassio.csr -config requ.conf

im able to sign them on my fipa server and when i put them on home assistant it pukes.

What are the actual errors?
Not sure why you are showing your CSR. It’s the signed certificate and private key that you provide to HA.

1 Like

when i add the following to the /homeassistant/configuration.yaml home assistant fails to properly load up.

  ssl_certificate: /ssl/hassio.pem
  ssl_key: /ssl/hassiokey.pem

When I have the wrong file names as directly copied from the lets encrypt doc the check config errors. when I have this which is correct I get the green light for restarting.

Recovery Mode Activated.

is what I get when I restart the server.

Per the logs

Traceback (most recent call last):
File "/usr/src/homeassistant/homeassistant/components/http/", line 425, in _create_ssl_context
context.load_cert_chain(self.ssl_certificate, self.ssl_key)
ssl.SSLError: [SSL] PEM lib (_ssl.c:3896)
The above exception was the direct cause of the following exception:
Traceback (most recent call last):
File "/usr/src/homeassistant/homeassistant/", line 333, in _async_setup_component
result = await task
File "/usr/src/homeassistant/homeassistant/components/http/", line 202, in async_setup
await server.async_initialize(
File "/usr/src/homeassistant/homeassistant/components/http/", line 342, in async_initialize
self.context = await self.hass.async_add_executor_job(
File "/usr/local/lib/python3.12/concurrent/futures/", line 58, in run
result = self.fn(*self.args, **self.kwargs)
File "/usr/src/homeassistant/homeassistant/components/http/", line 428, in _create_ssl_context
raise HomeAssistantError(
homeassistant.exceptions.HomeAssistantError: Could not use SSL certificate from /ssl/hassio.pem: [SSL] PEM lib (_ssl.c:3896)

Does /ssl/hassio.pem contain the full chain of trust?
You have to put in here your signed certificate + the certificates of the CA and intermediate CA’s in reverse order (ie certificate / intermediate / CA)

probably not as I took that pem straight from the signing. in my case the root ca for freeipa was the one that signed so I would need to append that to the end of the pem file if I understand you corretly?

To combine these into a single file that EFT Server supports, use the following commands in OpenSSL:

c:\> openssl x509 -inform PEM -in "hassio.crt" -text > hassio.pem

c:\> openssl x509 -inform PEM -in "Domain.crt" -text >> hassio.pem


It’s quite rare that a “leaf” certificate is directly signed by the CA, though (usually, there are intermediate CAs as well), but it’s technically valid.
The CA surely documents that extremely common process somewhere.

ipa cert-request --principal=host/homeassistant.>domain<.com hassio.csr --chain --certificate-out=hassio.crt

is FreeIPA’s method. one of my browsers is being stupid but thats a whole other story. I had to remove all extra bits for openssl but thats a freeipa thing no HA

1 Like