Using a private CA to generate ssl certificates

I am having issues getting my FreeIPA server-signed certs to work on Home Assistant. I more or less followed the Let's Encrypt or Certificate Authority and self-signed certificate for SSL/TLS guides as much as I can, and have had no success.

When I put the key and cert in the ssl dir and tell Home Assistant about it, the core won't load; it errors on "can't read key". Any suggestions would be appreciated. I have added IPs to the cert as well.

openssl req -sha256 -addext "subjectAltName = IP:10.1.x.x, IP:10.1.y.y, DNS:homeassistant.local, DNS:homeassistant.<domain>.com" -newkey rsa:4096 -nodes -keyout hassiokey.pem -out hassio.csr

That is the censored version of my request generation.

I have also tried the more generic:

openssl req -newkey rsa:4096 -nodes -keyout hassiokey.pem -out hassio.csr -config requ.conf

I'm able to sign them on my FreeIPA server, and when I put them on Home Assistant it pukes.

What are the actual errors?
Not sure why you are showing your CSR. It’s the signed certificate and private key that you provide to HA.


When I add the following to /homeassistant/configuration.yaml, Home Assistant fails to properly load up.

http:
  ssl_certificate: /ssl/hassio.pem
  ssl_key: /ssl/hassiokey.pem

When I have the wrong file names, as directly copied from the Let's Encrypt doc, the check config errors. When I have this, which is correct, I get the green light for restarting.

Recovery Mode Activated.

is what I get when I restart the server.

Per the logs:

Traceback (most recent call last):
  File "/usr/src/homeassistant/homeassistant/components/http/__init__.py", line 425, in _create_ssl_context
    context.load_cert_chain(self.ssl_certificate, self.ssl_key)
ssl.SSLError: [SSL] PEM lib (_ssl.c:3896)

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "/usr/src/homeassistant/homeassistant/setup.py", line 333, in _async_setup_component
    result = await task
             ^^^^^^^^^^
  File "/usr/src/homeassistant/homeassistant/components/http/__init__.py", line 202, in async_setup
    await server.async_initialize(
  File "/usr/src/homeassistant/homeassistant/components/http/__init__.py", line 342, in async_initialize
    self.context = await self.hass.async_add_executor_job(
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/concurrent/futures/thread.py", line 58, in run
    result = self.fn(*self.args, **self.kwargs)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/src/homeassistant/homeassistant/components/http/__init__.py", line 428, in _create_ssl_context
    raise HomeAssistantError(
homeassistant.exceptions.HomeAssistantError: Could not use SSL certificate from /ssl/hassio.pem: [SSL] PEM lib (_ssl.c:3896)

Does /ssl/hassio.pem contain the full chain of trust?
You have to put in here your signed certificate + the certificates of the CA and intermediate CAs in reverse order (i.e. certificate / intermediate / CA).
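An added diagnostic for the two files this reply is about (example code written for this thread, not Home Assistant's or FreeIPA's own). It lists the PEM blocks in the ssl_certificate and ssl_key files, flags the cases the thread raises (a CSR where the signed cert should be, a lone leaf with no chain appended, a passphrase-protected key) and then makes the same load_cert_chain call that failed in the traceback above; the PEM samples inside it are constructed placeholders, not real certificates.

```python
# Added check for this thread (not HA or FreeIPA code): inspect the two
# files the way HA's http component does via ssl.SSLContext.load_cert_chain.
import os, re, ssl, tempfile

# One PEM block; the label is captured so the END line must match BEGIN.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n.*?-----END \1-----", re.S)

def pem_block_types(text: str) -> list[str]:
    """Labels of the PEM blocks in file order, e.g. ['CERTIFICATE', 'CERTIFICATE']."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]

def diagnose(cert_text: str, key_text: str) -> list[str]:
    """Findings about the pair; an empty list means both files are shaped as expected."""
    findings = []
    certs, keys = pem_block_types(cert_text), pem_block_types(key_text)
    if "CERTIFICATE REQUEST" in certs:
        findings.append("ssl_certificate holds a CSR; HA needs the signed cert "
                        "the CA returned, not the request")
    n_cert = certs.count("CERTIFICATE")
    if n_cert == 0:
        findings.append("ssl_certificate has no CERTIFICATE block, which is what "
                        "the '[SSL] PEM lib' error reports")
    elif n_cert == 1:
        findings.append("ssl_certificate holds one certificate; if a CA issued it, "
                        "append the intermediate and CA certificates after it")
    if not any(k.endswith("PRIVATE KEY") for k in keys):
        findings.append("ssl_key has no PRIVATE KEY block")
    elif any(k.startswith("ENCRYPTED") for k in keys):
        findings.append("ssl_key is passphrase-protected; HA cannot prompt, "
                        "regenerate it with -nodes")
    return findings

def load_error(cert_text: str, key_text: str):
    """Run the exact call HA makes on temp copies; None on success, else the message."""
    with tempfile.TemporaryDirectory() as tmp:
        cert, key = os.path.join(tmp, "hassio.pem"), os.path.join(tmp, "hassiokey.pem")
        for path, text in ((cert, cert_text), (key, key_text)):
            with open(path, "w") as fh:
                fh.write(text)
        try:
            ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER).load_cert_chain(cert, key)
        except ssl.SSLError as exc:
            return str(exc)
    return None
# Constructed samples: valid PEM framing around placeholder bodies.
CSR = "-----BEGIN CERTIFICATE REQUEST-----\nAAAA\n-----END CERTIFICATE REQUEST-----\n"
LEAF = "-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n"
KEY = "-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n"
if __name__ == "__main__":           # the "showing your CSR" case from the thread
    print(*diagnose(CSR, KEY), load_error(CSR, KEY), sep="\n")
```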

Probably not, as I took that pem straight from the signing. In my case the root CA for FreeIPA was the one that signed, so I would need to append that to the end of the pem file, if I understand you correctly?

To combine these into a single file that EFT Server supports, use the following commands in OpenSSL:

c:\> openssl x509 -inform PEM -in "hassio.crt" -text > hassio.pem

c:\> openssl x509 -inform PEM -in "Domain.crt" -text >> hassio.pem

Yes.

It’s quite rare that a “leaf” certificate is directly signed by the CA, though (usually, there are intermediate CAs as well), but it’s technically valid.
The CA surely documents that extremely common process somewhere.

ipa cert-request --principal=host/homeassistant.>domain<.com hassio.csr --chain --certificate-out=hassio.crt

is FreeIPA's method. One of my browsers is being stupid, but that's a whole other story. I had to remove all extra bits for OpenSSL, but that's a FreeIPA thing, not HA.
