Why is the ssl / https topic so difficult with HA?

New to HA, trying to figure out https on HA. I looked around at docs and posts. I’m sure someone has already explained this but I’m still not understanding it.

  • I want to do https on my local LAN to ensure even internal traffic is encrypted
  • I have to use https to make the esphome addon work for programming ESP’s through USB connection.
  • My HA box uses internal private IP address and internal domain name that I do not expose to Internet (I run internal DNS server with personal zone). This domain is named like ha.subdomain.domain.com
  • On the Internet side, I have DNS domain and defined Arecord->WANip for the ha.domain.com and could port-forward it inside. I’ve not done that part yet – just defined the Arecord to get LE SSL cert.
  • I got Letsencrypt SSL cert for the ha.domain.com address by using the LE HA addon and changing the configuration.yaml file.
  • This works, but of course I get the invalid cert when I web browse to the HA device at ha.subdomain.domain.com . So what, fine with me.
  • But I am unable to use the HA mobile app because of the “certificate mismatch” error on the app when connecting to the local URL.

What am I supposed to do?


  • Access the HA box from “the outside in” through the ha.subdomain.domain.com name and routing. This creates a cloud dependency that is antithetical for use inside my physical home.
  • Create split-brain DNS off my internal DNS server so I can use ha.domain.com internally. But I have many other hosted services I use that are external and fall off the *.domain.com domain
  • Add the subdomain.domain.com to the external DNS database. This is yucky idea.

Guess I’ll just use the “Add the subdomain.domain.com to the external DNS database” idea for now. Works without error as ha.subdomain.domain.com inside and out.

In order for HTTPS to work you need 3 things. You need a SSL certificate and the private key which are stored on the home assistant server. Then you need a Certificate Authority Certificate which is stored on every device that will access the server.

I found that the only benefit to using a Public CA is that their certificates come pre installed on every browser capable device. Because of this I setup my own local CA.

Reverse proxy takes care of SSL

Internal dns on your lan can route your domain to your reverse proxy.

Add DNS over HTTPS for added flare.


Skip all this and use tailscale

1 Like

You need to add a “subject alternative name” to the certificate. The you can use both URLs

1 Like