In my previous blog post, I got homeassistant up and running, but without a TLS connection. Let’s fix that.
In this post:
- FreeBSD 13.1, but that’s not relevant to the work being done
- homeassistant-2022.8.7
- creation of a certificate is not covered
- the sysadmin.com guide covers this – it creates a self-signed cert
- I’m using a Let’s Encrypt certificate
- I have the application running from the command line. I stopped it before doing these steps. That’s most likely overkill.
Where is the cert
I put my certs in the /usr/local/etc/ssl directory, which I created. These are my certs.
root@homeassistant:/usr/local/etc/ssl # ls -l
total 102
-rw-r--r--  1 anvil  anvil           4399 Aug 27 17:29 ca.cer
lrwxr-xr-x  1 root   wheel             33 Jul 24 04:19 cert.pem -> ../../share/certs/ca-root-nss.crt
lrwxr-xr-x  1 root   wheel             33 Jul 24 04:19 cert.pem.sample -> ../../share/certs/ca-root-nss.crt
-rw-r--r--  1 anvil  anvil           2334 Aug 27 17:29 homeassistant.int.unixathome.org.cer
-rw-r--r--  1 anvil  anvil           6733 Aug 27 17:29 homeassistant.int.unixathome.org.fullchain.cer
-r--r-----  1 root   homeassistant   1676 Aug 27 17:31 homeassistant.int.unixathome.org.key
root@homeassistant:/usr/local/etc/ssl #
NOTE the permissions on the .key file: it is owned by root, group homeassistant, mode 0440 (-r--r-----). This lets the homeassistant user read the private key through its group membership without owning the file, and keeps the key unreadable by everyone else. The user does not need to own this file; it just needs to be able to read it. If it can’t read it, you’ll get an error message like this:
2022-08-27 18:02:15.511 ERROR (MainThread) [homeassistant.config] Invalid config for [http]: file not readable for dictionary value @ data['http']['ssl_key']. Got '/usr/local/etc/ssl/homeassistant.int.unixathome.org.key'. (See /home/homeassistant/.homeassistant/configuration.yaml, line 13). Please check the docs at https://www.home-assistant.io/integrations/http
An aside: I use anvil to distribute certificates. I wrote the software and it’s in the FreeBSD ports tree at sysutils/anvil. I have a few blog posts about it. That’s why you see files which are owned by anvil:anvil.
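As an added check (not from the original post), this Python snippet applies the same owner/group/other rule the kernel uses to the key file, so you can confirm before restarting that the service user can read the key and that nobody else can. The uid/gid numbers in the sample are assumptions; only the mode and ownership pattern come from the listing above.

```python
"""Pre-flight check for the Home Assistant TLS key: readable by the service
user (via owner or group), but not world-readable."""
import grp
import os
import pwd
import stat


def readable_by(mode, file_uid, file_gid, uid, gids):
    """True if a user (uid, member of gids) can read a file with these mode
    bits and ownership. Same order as the kernel: owner bits if the uid
    matches, else group bits if the gid matches, else 'other' bits."""
    if uid == file_uid:
        return bool(mode & stat.S_IRUSR)
    if file_gid in gids:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)


def check_key(mode, file_uid, file_gid, uid, gids):
    """Classify a key file: 'ok', 'unreadable' (Home Assistant logs the
    'file not readable' error shown above) or 'world-readable' (any local
    account could copy the private key)."""
    if mode & stat.S_IROTH:
        return "world-readable"
    if not readable_by(mode, file_uid, file_gid, uid, gids):
        return "unreadable"
    return "ok"


def check_key_path(path, user="homeassistant"):
    """Run check_key against a real file, resolving the service user's uid
    and all of its groups (primary plus supplementary)."""
    pw = pwd.getpwnam(user)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if user in g.gr_mem}
    st = os.stat(path)
    return check_key(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid, pw.pw_uid, gids)


# Constructed sample values (uid/gid numbers are assumptions, not from the post).
ROOT_UID, WHEEL_GID, HA_UID, HA_GID = 0, 0, 1001, 1001

if __name__ == "__main__":
    # -r--r----- root:homeassistant, as in the listing above -> ok
    print(check_key(0o440, ROOT_UID, HA_GID, HA_UID, {HA_GID}))
    # -r-------- root:wheel -> unreadable, triggers the [http] config error
    print(check_key(0o400, ROOT_UID, WHEEL_GID, HA_UID, {HA_GID}))
    # -rw-r--r-- root:homeassistant -> world-readable, key is exposed
    print(check_key(0o644, ROOT_UID, HA_GID, HA_UID, {HA_GID}))
```

On the jail itself, `check_key_path("/usr/local/etc/ssl/homeassistant.int.unixathome.org.key")` run as root performs the same classification against the real file.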
The configuration for homeassistant
Based on the sysadmin.com guide and a post within the Home Assistant community, this is what I did.
In the jail, become the homeassistant user.
root@homeassistant:/ # su -l homeassistant
homeassistant@homeassistant:~ $ cd ~/.homeassistant
homeassistant@homeassistant:~/.homeassistant $ ls -l configuration.yaml
-rw-r--r--  1 homeassistant  homeassistant  220 Aug 27 16:38 configuration.yaml
homeassistant@homeassistant:~/.homeassistant $ cp -p configuration.yaml configuration.yaml.before.certs
homeassistant@homeassistant:~/.homeassistant $ ls -l
total 126
-rw-r--r--  1 homeassistant  homeassistant       2 Aug 27 16:38 automations.yaml
drwxr-xr-x  4 homeassistant  homeassistant       4 Aug 27 16:45 blueprints
-rw-r--r--  1 homeassistant  homeassistant     220 Aug 27 16:38 configuration.yaml
-rw-r--r--  1 homeassistant  homeassistant     220 Aug 27 16:38 configuration.yaml.before.certs
drwxr-xr-x  2 homeassistant  homeassistant       2 Aug 27 16:38 deps
-rw-r--r--  1 homeassistant  homeassistant   23805 Aug 27 17:49 home-assistant.log
-rw-r--r--  1 homeassistant  homeassistant   23805 Aug 27 17:36 home-assistant.log.1
-rw-r--r--  1 homeassistant  homeassistant  221184 Aug 27 17:49 home-assistant_v2.db
-rw-r--r--  1 homeassistant  homeassistant       0 Aug 27 16:38 scenes.yaml
-rw-r--r--  1 homeassistant  homeassistant       0 Aug 27 16:38 scripts.yaml
-rw-r--r--  1 homeassistant  homeassistant     161 Aug 27 16:38 secrets.yaml
drwxr-xr-x  2 homeassistant  homeassistant       2 Aug 27 16:47 tts
homeassistant@homeassistant:~/.homeassistant $
This is what the file contained before I modified it:
# Loads default set of integrations. Do not remove.
default_config:

# Text to speech
tts:
  - platform: google_translate

automation: !include automations.yaml
script: !include scripts.yaml
scene: !include scenes.yaml
These are the lines I added to the end of the file:
http:
  ssl_certificate: /usr/local/etc/ssl/homeassistant.int.unixathome.org.fullchain.cer
  ssl_key: /usr/local/etc/ssl/homeassistant.int.unixathome.org.key
Invoking the changes
You can restart the application via the web interface. But if you’ve done that, you’ve already transmitted your credentials in the clear, because the web interface was still plain HTTP when you logged in. If that’s the case, I suggest at least changing your homeassistant password.
I have the application running from the command line. I stopped it first. Upon starting it again, I was able to browse to this URL:
https://homeassistant.int.unixathome.org:8123/
where I was using this one before:
http://10.55.0.38:8123
With TLS firmly in place, I will continue with my homeassistant configuration.
Hope that helps.