A reverse proxy most likely.
If you added the SSL certificate you made with Let’s Encrypt to HA directly and put it in the config for `http`, then you have probably disabled LAN-only access. HA either requires all traffic be encrypted or none; it cannot do both.
Your options are:
- Use cloud. Then you get an external only https url and an internal only http url
- Set up a reverse proxy. Remove all SSL stuff from `http` in HA and move the certificate to your proxy. Map whatever port you expose on your router to the proxy, not HA. Then you get an external only https url that goes through the proxy and an internal only http url that goes directly to HA. This addon works well for this.
- Set up an alternate tunneling system like cloudflared. Works the same as #1 in the end (since cloud is also a tunneling system)
- Use a VPN or tailscale/zerotier/etc. setup. Then HA isn’t exposed externally at all but you can only get to it from specific devices outside your LAN
- Set up a DNS server and have everything on your LAN use it. And a DNS rewrite entry for your duckdns domain to resolve to the LAN IP. Don’t change HA’s SSL config, the same url works in all cases but it resolves to different IPs inside and outside your LAN
- Leave everything as is. Go to `https://<internal url>:8123` when inside your url and your duckdns url outside. Tell all your stuff to ignore the scary SSL warning when on your LAN and hope all your stuff has a “don’t verify the certificate” option
IMO these are in order of least difficult to most difficult both in terms of initial setup and ongoing maintenance (like 3 might be more difficult to set up than 4 but once it’s set up you’re done). #6 is at the bottom mainly because it is by far the worst option IMO since it’s just as difficult to set up as #2 but also requires manually undermining security at each device after that. But pick whichever you prefer.
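
For reference, the `http` change described in the reverse proxy option above, as an added example that is not part of the original post. The certificate paths and the proxy address are constructed placeholders; the keys are Home Assistant's standard `http` integration options.

```yaml
# configuration.yaml

# BEFORE: certificate loaded by HA itself.
# With these two keys set, HA answers HTTPS only on its port,
# which is why plain-http access from the LAN stops working.
# http:
#   ssl_certificate: /ssl/fullchain.pem   # constructed path
#   ssl_key: /ssl/privkey.pem             # constructed path

# AFTER: TLS terminates at the reverse proxy, HA serves plain HTTP.
http:
  server_port: 8123
  # Accept the X-Forwarded-For header so login attempts and IP bans
  # are recorded against the real client address, not the proxy's.
  use_x_forwarded_for: true
  # Only requests arriving from these addresses may set that header.
  # Keep the list as narrow as possible: any host listed here can
  # claim to be any client IP.
  trusted_proxies:
    - 192.168.1.10   # assumed LAN address of the proxy host
```

The router's port forward then points at the proxy host rather than at port 8123 on HA, and the proxy must pass WebSocket upgrade requests through for the frontend to load.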