irwan.io

Tutorials for noobs… from a noob.

Set up Let’s Encrypt for Home-Assistant with your (sub)domain

It’s not that hard… really it isn’t!

Just follow these steps and you will get your Home-Assistant secured with an encrypted connection.

Create an A record

Assuming you already have registered a domain name and created a sub-domain, point this sub-domain to your public IP-address. You can do this in the DNS management of your webhosting provider.

Configure port forwarding on your router

Yes, you have to do this!

How to do this depends on your router…

Forward external port 80 to internal port 80 on the IP address of your Home-Assistant server. Certbot, which we will install later, needs this. Certbot has a built-in safeguard here: it only opens this port when it needs to renew certs. While you are configuring port forwarding, you can also forward external port 443 (https) to internal port 8123 (Home-Assistant).

Let’s Encrypt

Log in with SSH (PuTTY) to your Home-Assistant server (raspberrypi).

Enter these commands to create a folder for certbot:

 

Get the certbot-auto script and modify permissions:

 

 

Run the certbot script to obtain a cert using a built-in “standalone” webserver. You may need to run sudo systemctl stop home-assistant@homeassistant.service first to stop Home-Assistant. I forgot to do this but it worked fine.

 

During the installation, press A to agree to the Terms of Service. Then press Y or N to share your e-mail address or not; that is up to you.

 

When that’s done, go to

Make a copy/backup of this folder, as it contains your account credentials. Do this once in a while.

Home-Assistant needs to access these files so change the permissions

Let’s Encrypt is now ready to be used with Home Assistant.
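After the permission change above, a useful check is whether the private key has become readable by every local account rather than just by Home-Assistant. The script below is an added example, not part of the original post; it assumes certbot's default layout under /etc/letsencrypt, with the real key files named privkey*.pem (the entries in live/ are symlinks into archive/).

```shell
#!/bin/sh
# Added example (not from the original post): list certbot private keys that
# any local account can read after the permission change.
# Assumptions: default certbot layout under /etc/letsencrypt, real key files
# named privkey*.pem (the entries in live/ are symlinks into archive/).

# exposed_keys ROOT
# Prints each private key under ROOT that "other" users can reach and read.
# A key counts only when every directory between ROOT and the file is
# world-searchable (o+x) and the file itself is world-readable (o+r).
# Directories above ROOT are not checked.
exposed_keys() {
    root=${1:-/etc/letsencrypt}
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }
    # Prune directories "other" cannot enter; report readable keys elsewhere.
    find "$root" -type d ! -perm -001 -prune -o \
        -type f -name 'privkey*.pem' -perm -004 -print
}

# audit_keys ROOT
# Returns 0 when no key is exposed, 1 when at least one is,
# 2 when the tree cannot be scanned.
audit_keys() {
    found=$(exposed_keys "$1") || return 2
    if [ -n "$found" ]; then
        echo "world-readable private keys:"
        echo "$found"
        return 1
    fi
    echo "no world-readable private keys under ${1:-/etc/letsencrypt}"
    return 0
}
```

Run audit_keys /etc/letsencrypt as root after changing the permissions. If it lists a key, tighten the modes so that only root and the account Home-Assistant runs as can read it.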

Automate renewal

Since Let’s Encrypt certificates last for 90 days, we can configure certbot to renew certificates auto-magically. Let’s make a cron-job for this.

Select which editor to use if you haven’t done this before. Choose Nano!

 

Add this line to the cron file, which will run the job at noon and midnight every day

Write out to the file (save) with CTRL-O followed by enter. Then CTRL-X to exit Nano.

Configure Home-Assistant

Open up your configuration.yaml file and add the paths to your SSL certificate and SSL key under the http component. I would also advise using a strong and long password, and you might also consider adding ip_ban_enabled: True along with login_attempts_threshold: 10. How high the threshold has to be is up to you. This way, if attackers try to log in by brute force, their IP will be banned.

 

Save your configuration.yaml and then restart Home-Assistant. After it has restarted, you can finally use https://yoursub.domain.com

Have Fun


© 2019 irwan.io
