jeans/home-assistant.io
jeans/home-assistant.io
1
0
Fork 0
mirror of https://github.com/home-assistant/home-assistant.io.git synced 2025-05-09 04:29:03 +00:00
Code Issues Packages Projects Releases Wiki Activity
home-assistant.io/source/_cookbook/tls_domain_certificate.markdown
Andrey 6116ee55c3 Add cookbook entry for generating TLS by owning a domain. (#2077) 
* Initial file for getting TLS certificate

* Write instruction

* Fixes
2017-02-19 18:19:34 +01:00

66 lines
2.6 KiB
Markdown
Raw Blame History

---
layout: page
title: "Certificate for SSL/TLS via domain ownership"
description: "Configure a certificate to use with Home Assistant"
date: 2017-02-17 08:00
sidebar: true
comments: false
sharing: true
footer: true
ha_category: Infrastructure
---
If your Home Assistant instance is only accessible from your local network you can still protect the communication between your browsers and the frontend with SSL/TLS. You can use [Self-sign certificate](/cookbook/tls_self_signed_certificate/) but your browser will present a warning and some https-only features might not work.
### {% linkable_title Prerequirement for this guide %}
* Your Home Assistant instance is not exposed to the internet. If it is - use [this guide]({{site_root}}/blog/2015/12/13/setup-encryption-using-lets-encrypt/)
* You control a public domain name. The domain doesn't have to point to a site. A domain controlled by a *trusted* friend will do. (A friend you trust not to MITM you)
* Your home router supports custom DNS entries.
### {% linkable_title Run certbot %}
```bash
$ mkdir certbot
$ cd certbot
$ wget https://dl.eff.org/certbot-auto
$ chmod a+x certbot-auto
$ sudo ./certbot-auto --manual certonly --preferred-challenges dns -d "mydomain.com" --email your@email.address
```
* Agree to Terms of Service
* Choose whether to share your email with Electronic Frontier Foundation.
* Agree to your IP being logged
You will get the following text:
```text
Please deploy a DNS TXT record under the name
_acme-challenge.mydomain.com with the following value:
deadbeefdeadbeefdeadbeefdeadbeefdeadbeef
Once this is deployed,
-------------------------------------------------------------------------------
Press Enter to Continue
```
* Deploy the value to TXT field using your domain registar.
* Go to a site that queries domain record. For example [this one](https://mxtoolbox.com/TXTLookup.aspx) and look if it sees your brand new TXT field (Don't forget to enter the full domain: `_acme-challenge.mydomain.com`)
* Press Enter at certbot prompt.
### {% linkable_title Make mydomain.com point to your Home Assistant instance %}
If your router uses DNSMasq (for example DDWRT) add the following line to DNSMasq options:
```
address=/mydomain.com/<hass ip>
```
### {% linkable_title Edit your Home Assistant configuration to use your certificates %}
```yaml
http:
api_password: YOUR_SECRET_PASSWORD
base_url: https://mydomain.com:8123
ssl_certificate: /etc/letsencrypt/live/mydomain.com/fullchain.pem
ssl_key: /etc/letsencrypt/live/mydomain.com/privkey.pem
```
Make sure the files are accessible by the user that runs Home Assistant, eg. `homeassistant` for a HASSbian setup.
Reference in New Issue View Git Blame Copy Permalink