I absolutely love Home Assistant and if you follow me on Twitter then you will have probably seen me talking about various awesome things that I do with HA. This blog post is going to look at how I setup HTTPS on the HA web interface and just how easy it is!
HA is the absolute best home automation solution I've come across, and I've tried a few. You set it up on a little Raspberry Pi and it can integrate with basically any smart device in your home to give you centralised control of everything. There's literally nothing I have that it hasn't integrated with. I have Philips Hue lights, ColoLights, NanoLeaf lights, Govee LED lights, Shelly relays and switches, Xiaomi Aqara sensors and switches, my smart electricity meter, TP-Link switches and countless other things.
One thing that does bother me though, and it's not HA that's at fault here, is accessing the web interface in an insecure fashion.
Securing the web interface
There are actually two options, and I do both of these, which sounds odd so let me explain. HA has its own cloud access feature via Nabu Casa, and for a small $5/mo subscription they will take care of absolutely everything for you, including a secure way to access the web interface of your own HA instance, even remotely when away from home.
Of course, I'm going to look at setting up your own HTTPS certificate and then remote access is just a case of some port-forwarding and possibly DDNS, but for many people that $5/mo will be great value compared to the effort of setting this up yourself. I do use my own certificate internally but when away from home I do use the remote access via Nabu Casa because I mostly wanted to support the project with the $5/mo subscription because I think they deserve it for all the value I get out of HA. If you do want to setup your own certificate internally, or even for external use, then read on!
Setting up your own certificate
The first thing to do is install the NginX Add-on. Go to Supervisor -> Add-on Store -> Search "NginX" and install it.
You will need to update the domain you plan on using for your HA instance, but other than that the rest of the config can remain similar to mine.
Getting your certificate
As I've mentioned in other blog posts when getting a certificate for many other devices on my network, what certificate you get and how you get it are up to you! I'm using the acme.sh ACME client to get free certificates from Let's Encrypt, if you'd like some inspiration. For me, getting the certificate is as easy as running this command.
acme.sh --issue --dns dns_cf -d homeassistant.scotthelme.co.uk
This will have a certificate issued for my chosen domain of
homeassistant.scotthelme.co.uk and as you see here, I've been getting them for quite a while! The next step is to place that certificate on the HA server so it can be used to secure the web interface. You can edit files via the web interface with a file editor, use FTP to copy them over or like me you can use SCP to copy them over. Use whichever method comes easiest to you, but here is where the files need to go.
fullchain.pem needs to contain the leaf certificate and all intermediates while the
privkey.pem file needs to contain the associated private key. I use SCP to copy them over like this.
scp -i id_ed25519 chain.crt firstname.lastname@example.org:/ssl/fullchain.pem scp -i id_ed25519 private.key email@example.com:/ssl/privkey.pem
Once the files are in place, all you need to do is restart NginX to pick up the new files and start using them! You can do this through the web interface but I'm using a script to copy the files over and it automatically restart NginX for me.
ssh -i id_ed25519 firstname.lastname@example.org 'ha addons restart core_nginx_proxy'
Finally, you need to make sure your chosen hostname is resolving to HA. I have my own DNS server locally so I make sure that
homeassistant.scotthelme.co.uk is resolved to the correct IP address for all devices on my network, but you could just setup a local hosts entry for yourself to do the same thing. However you do it, once it's done, you can open up your web browser and navigate to your secure web interface!
I've loved tinkering with HA and automating countless things around my house, but I have a particularly big post coming about another security feature on HA very soon, so stay tuned for that!