Certificate for SSL/TLS via domain ownership

If your Home Assistant instance is only accessible from your local network you can still protect the communication between your browsers and the frontend with SSL/TLS. You can use a self-signed certificate, but your browser will present a warning and some https-only features might not work. With a certificate issued for a domain you control, you get a certificate that browsers trust without exposing the instance to the internet.

:warning: This guide is aimed at users of Home Assistant Core.

Requirements for this guide

  • Your Home Assistant instance is not exposed to the internet.
  • You control a public domain name. The domain doesn’t have to point to a site. A domain controlled by a trusted friend will do, as long as you trust them not to MITM you: whoever controls the DNS for the domain can also obtain certificates for it.
  • Your home router supports custom DNS entries.

Run certbot

mkdir certbot
cd certbot
wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto
sudo ./certbot-auto --manual certonly --preferred-challenges dns -d "mydomain.com" --email [email protected]

:warning: For Raspbian systems, or if certbot-auto does not work (the EFF no longer distributes it), use your distribution's certbot package instead:

sudo apt-get install certbot
sudo certbot --manual certonly --preferred-challenges dns -d "mydomain.com" --email [email protected]
  • Agree to Terms of Service
  • Choose whether to share your email with Electronic Frontier Foundation.
  • Agree to your IP being logged

You will get the following text:

Please deploy a DNS TXT record under the name
_acme-challenge.mydomain.com with the following value:
deadbeefdeadbeefdeadbeefdeadbeefdeadbeef
Once this is deployed,
-------------------------------------------------------------------------------
Press Enter to Continue
  • Create a TXT record named _acme-challenge.mydomain.com with that value at your domain registrar (or whoever hosts your DNS).
  • Before continuing, query the record from outside your network (a public DNS lookup site will do) and confirm it returns your new value. Enter the full name, _acme-challenge.mydomain.com, and allow a few minutes for propagation.
  • Press Enter at the certbot prompt.

Make mydomain.com point to your Home Assistant instance

If your router runs dnsmasq (for example DD-WRT), add the following line to its custom options so that clients on your network resolve the name to your Home Assistant instance:

address=/mydomain.com/<hass IP>

Edit your Home Assistant configuration to use your certificates

The http section must contain the full path to the needed files.

http:
  ssl_certificate: /etc/letsencrypt/live/mydomain.com/fullchain.pem
  ssl_key: /etc/letsencrypt/live/mydomain.com/privkey.pem

Make sure the files are accessible by the user that runs Home Assistant.
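The following helper script is an added example, not part of the original guide or of certbot. It does two things the steps above leave to hand: it checks that the ACME TXT record is visible from a public resolver before you press Enter at the certbot prompt, and it copies fullchain.pem and privkey.pem (which certbot stores root-only under /etc/letsencrypt) into a directory the Home Assistant user can read, after verifying that the key really belongs to the certificate and that the certificate has not expired. The live directory, destination directory, user name and resolver address are assumptions; adjust them to your system.

```shell
#!/bin/sh
# Added example (not from the original guide): helpers for the manual DNS-challenge
# flow and for handing the issued certificate to Home Assistant.
# LIVE_DIR, DEST_DIR, HASS_USER and RESOLVER are assumptions; adjust them.
set -eu

LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live/mydomain.com}"      # certbot output, root-only
DEST_DIR="${DEST_DIR:-/home/homeassistant/.homeassistant/ssl}"   # readable by Home Assistant
HASS_USER="${HASS_USER:-homeassistant}"                           # user running Home Assistant
RESOLVER="${RESOLVER:-1.1.1.1}"                                   # public resolver to query

# Is the ACME TXT record visible yet? Returns 0 when the expected token is among the
# TXT values of _acme-challenge.<domain> as seen by a public resolver. Run this before
# pressing Enter at the certbot prompt. Needs dig (dnsutils / bind-tools).
acme_txt_visible() {
  domain="$1"; expected="$2"
  dig +short TXT "_acme-challenge.${domain}" "@${RESOLVER}" \
    | tr -d '"' | grep -qxF -- "$expected"
}

# Does the private key belong to the certificate? Compares the two public keys.
key_matches_cert() {
  cert="$1"; key="$2"
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey) || return 1
  key_pub=$(openssl pkey -in "$key" -pubout) || return 1
  [ "$cert_pub" = "$key_pub" ]
}

# Is the certificate still valid for at least $2 more days? Let's Encrypt certificates
# live 90 days, so this is worth running from cron to catch a forgotten renewal.
cert_valid_for_days() {
  cert="$1"; days="$2"
  openssl x509 -in "$cert" -noout -checkend "$((days * 86400))" >/dev/null
}

# Copy fullchain/privkey to a directory owned by the Home Assistant user with tight
# permissions, after verifying they match and are not expired. Must run as root.
deploy_certs() {
  cert="$LIVE_DIR/fullchain.pem"; key="$LIVE_DIR/privkey.pem"
  key_matches_cert "$cert" "$key" || { echo "key/cert mismatch in $LIVE_DIR" >&2; return 1; }
  cert_valid_for_days "$cert" 1   || { echo "certificate in $LIVE_DIR is expired" >&2; return 1; }
  install -d -m 750 -o "$HASS_USER" -g "$HASS_USER" "$DEST_DIR"
  install -m 640 -o "$HASS_USER" -g "$HASS_USER" "$cert" "$DEST_DIR/fullchain.pem"
  install -m 600 -o "$HASS_USER" -g "$HASS_USER" "$key"  "$DEST_DIR/privkey.pem"
  echo "deployed to $DEST_DIR; point ssl_certificate/ssl_key there and restart Home Assistant"
}

# Usage:  ./hass-cert.sh txt mydomain.com <token-from-certbot>   (check the challenge record)
#         sudo ./hass-cert.sh deploy                             (after certbot has issued the files)
case "${1:-}" in
  txt)    acme_txt_visible "${2:?domain}" "${3:?expected token}" && echo "TXT record visible" ;;
  deploy) deploy_certs ;;
esac
```

If you deploy the files this way, set ssl_certificate and ssl_key in the http section to the copies in DEST_DIR rather than to /etc/letsencrypt. Note that certificates obtained with --manual are not renewed automatically: you have to repeat the DNS challenge (or script it with certbot's --manual-auth-hook) before the 90 days are up, which is what the expiry check is for.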

The wget install option does not work anymore. You can install it on an HA OS install with
apk add certbot

This can be much simplified in 2023 with the Nginx Proxy Manager add-on. It supports generating an SSL certificate via domain ownership for a lot of DNS providers, so you can skip all the manual certbot and DNS stuff; the important step is just to redirect the local DNS as mentioned in the post:

You can use an AdGuard DNS rewrite to point your domain to your local IP address. As mentioned above, use nginx and Let's Encrypt for the cert.