
I run Home Assistant with remote HTTPS access, but reaching it on the local network fails with a “Your connection is not private” error. This happens because the local IP address or URL is not listed in the SSL certificate. The Home Assistant app for Android can’t be used either, because of the same SSL error. I didn’t find good solutions on the internet, but I found a simple solution myself, which is described in this post. Of course, you can use this solution for applications other than Home Assistant.
What you need is:
The SSL certificates are generated on the Raspberry Pi. Log in as user pi via SSH and install certbot:
$ sudo apt install certbot
Check if certbot is working well with:
$ certbot --version
Because I don’t have port 80 available on the network for ACME verification, I’m using DNS-01 verification with acme-dns-certbot-joohoi. This is how to install it:
$ wget https://github.com/joohoi/acme-dns-certbot-joohoi/raw/master/acme-dns-auth.py
$ chmod +x acme-dns-auth.py
$ vi acme-dns-auth.py
#!/usr/bin/env python3
$ sudo mv acme-dns-auth.py /etc/letsencrypt/
Next, generate a wildcard certificate for the subdomain home of your domain. I’m using the subdomain home, so the resulting certificate is for *.home.example.com.
Now execute the generation of the wildcard certificate:
$ sudo certbot certonly --manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth.py --preferred-challenges dns --debug-challenges -d '*.home.example.com' -d home.example.com
The script prints the CNAME record needed for DNS validation, which looks like this:
Output from acme-dns-auth.py:
Please add the following CNAME record to your main DNS zone:
_acme-challenge.home.example.com CNAME a14de1b9-e910-4d91-18bf-07a3763b88e6.auth.acme-dns.io.
Waiting for verification...
Log in to your domain provider and add the following records to your domain:
| Hostname | Type | Value |
|---|---|---|
| _acme-challenge.home.example.com | CNAME | a14de1b9-e910-4d91-18bf-07a3763b88e6.auth.acme-dns.io. |
| home.example.com | A | <YOUR_PUBLIC_HOME_IP_ADDRESS> |
| rpi.home.example.com | A | |
| extern.home.example.com | CNAME | home.example.com |
Explanation:
After you’ve added the DNS records, you may need to wait a while until the new DNS settings have propagated across the internet.
Now run certbot again and you will get the certificates successfully! If it isn’t successful yet, wait and retry, or check your DNS records. Maybe you made a mistake with the _acme-challenge.home.example.com record.
$ sudo certbot certonly --manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth.py --preferred-challenges dns --debug-challenges -d '*.home.example.com' -d home.example.com
If you haven’t done so yet, forward the ports from your router to the Raspberry Pi. For Home Assistant this is 8123/tcp.
Local network
You can now access Home Assistant at, in this example, https://rpi.home.example.com:8123 and the certificate is valid for the domain you’re using! Hurray!
External access via the internet
You can now access Home Assistant at, in this example, https://extern.home.example.com:8123 and the certificate is again valid for the domain you’re using. Nice!
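To see which of the names used in this post a wildcard certificate covers, and why a bare local IP address still produces the certificate error, here is an added example (not part of the original post) that applies the standard wildcard matching rule. It assumes the certificate lists *.home.example.com and home.example.com; the SAN list, the 192.168.1.10 address and homeassistant.local are constructed sample values.

```python
import ipaddress

def san_matches(hostname: str, san: str) -> bool:
    """Return True if one dNSName SAN entry covers hostname.

    Wildcard rule (RFC 6125): "*" replaces exactly one leftmost label.
    """
    host = hostname.rstrip(".").lower()
    san = san.rstrip(".").lower()
    try:
        ipaddress.ip_address(host)
        return False  # an IP address never matches a DNS-name entry
    except ValueError:
        pass  # not an IP address, treat it as a DNS name
    if not san.startswith("*."):
        return host == san
    # Strip the leftmost label and compare the remainder with the SAN suffix.
    first_label, _, rest = host.partition(".")
    return bool(first_label) and rest == san[2:]

def coverage(hostnames, sans):
    """Map each hostname to whether any SAN entry covers it."""
    return {h: any(san_matches(h, s) for s in sans) for h in hostnames}

# Constructed sample: the names a certificate for this setup is assumed to carry.
SANS = ["*.home.example.com", "home.example.com"]

# Constructed sample: names a browser or the Android app might be pointed at.
HOSTS = [
    "rpi.home.example.com",     # local access via the A record
    "extern.home.example.com",  # external access via the CNAME
    "home.example.com",         # covered only by the second SAN entry
    "a.rpi.home.example.com",   # two labels deep: the wildcard does not apply
    "192.168.1.10",             # bare local IP: certificate error
    "homeassistant.local",      # mDNS name: not in the certificate
]

if __name__ == "__main__":
    for host, ok in coverage(HOSTS, SANS).items():
        print(f"{host:28} {'valid' if ok else 'certificate error'}")
```
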