HOWTO - Configure Home Assistant app using "valid" self-signed certificates

Started by pankaj, January 08, 2022, 06:21:19 PM

One of the main reasons I started using OPNSense is to isolate the ever-increasing number of IoTs on a VLAN and also to be able to access the home LAN from outside using OpenVPN, as opposed to forwarding a port on the firewall, which is not as secure - https://forum.opnsense.org/index.php?topic=26204.0

I prefer to VPN into my home LAN and then use the Home Assistant app like a native LAN client, but the problem is that the Home Assistant app needs a valid certificate, which needs an FQDN. This HOWTO is about making the Home Assistant Android application work with a self-signed certificate. The same steps can be extended to iOS, tablets and other applications (FreeNAS, Bitwarden etc.). This HOWTO only covers Ubuntu, Android and Home Assistant (Android app).

Pre-requisites:
openssl (Ubuntu: apt-get install openssl)
mkcert - download binary from https://github.com/FiloSottile/mkcert

Step-1
Make a directory "certificates" under your home directory or a preferred location. Move the mkcert binary to this location and make it executable as follows:
cd ~/certificates
chmod u+x mkcert

It is a good idea to generally familiarize yourself with the options of mkcert:
./mkcert -help

Step-2
Generate your certificates with the following command:

./mkcert homeassistant 192.168.1.2

In the above, homeassistant is the host name of the machine running Home Assistant and the second argument is its internal IP address. Now you should see two files, homeassistant-key+1.pem and homeassistant+1.pem. The file name is based on the first name specified on the command line, followed by a plus sign and then a number representing how many other names are associated with this certificate. So you could have specified more names if you wanted to use this certificate for other services like NAS, Bitwarden etc.

To keep things easy, let us rename the files to:
homeassistant-key.pem and homeassistant.pem

Step-3
./mkcert -CAROOT

It will show the location of the root CA certificate and its key; the default location is:
~/local/usr/share/mkcert

In this directory you will see two very important files:
rootCA.pem
rootCA-key.pem

Note: rootCA-key.pem is super important, so don't ever lose it, and once installation is completed, move it to a safe place, preferably outside this system.

Step-4
./mkcert -install
This command will install the root CA certificate in the Ubuntu system folder from where all other applications like browsers will pick it up. You may get a specific prompt about a browser (usually Firefox) if any extra steps are needed.

Step-5
Open a browser, say Chrome, go to Settings ==> Privacy & security ==> Security ==> Manage certificates. Under Authorities, scroll down and you should see a certificate for "org-mkcert development CA" that you just installed in step-4.

Step-6
Go to the Servers tab and import the homeassistant.pem certificate from step-2.

Step-7
Restart your browser and when you point to homeassistant or 192.168.1.2, the browser will show the certificate as valid!
Do not proceed any further if the certificate does not show up as valid; retrace your steps and fix the problem (if any).

Step-8
Install the Home Assistant app on your phone (tablet is quite similar). There are many ways you can upload the certificate to the phone (as an attachment on WhatsApp, Google Drive), but I find connecting my Android phone via USB and copying it to the Download folder to be the most reliable one. We need to upload the following files:

rootCA-key.pem
rootCA.pem
homeassistant.pem

Step-9
On Android, go to Settings ==> Biometrics & security ==> Other security settings ==> Install from phone storage

You should see the files uploaded in step-8; click them in the following order:

rootCA-key.pem
homeassistant.pem

And you should now be done with the certificates and be able to configure the Home Assistant app using the LAN address!

It is a good idea to delete the uploaded files as these are not needed on the storage anymore.

If you have other machines on the LAN then you need to copy rootCA-key.pem, rootCA.pem, homeassistant.pem to respective locations on those machines and follow from step-5 onward.

The set-up for using this certificate for OPNSense is slightly different; I will post that next time.
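Added example, not the poster's or mkcert's own code: a POSIX shell script that reproduces with plain openssl (a prerequisite above) what Step 2's mkcert command produces, a local root plus a server certificate whose SAN carries both names (it also accepts any number of names, as mkcert does), and then runs the Step 7 check the way a browser or the app does, using only rootCA.pem, the public half of the root. The scratch directory, subject names and file names are constructed for the example.

```shell
#!/bin/sh
# Constructed example: a scratch directory stands in for ~/certificates.
WORK=${WORK:-$(mktemp -d)}

# kind NAME: "IP" for an IPv4 literal, "DNS" for anything else (IPv6 not handled).
kind() { case $1 in *[!0-9.]*) echo DNS ;; *) echo IP ;; esac; }

# make_ca: self-signed local root. rootCA.pem is what clients get; rootCA-key.pem
# is the signing key and is only ever read here, by make_leaf.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/O=example development CA/CN=example root CA" \
    -keyout "$WORK/rootCA-key.pem" -out "$WORK/rootCA.pem" 2>/dev/null
}

# make_leaf NAME...: server certificate whose SAN lists every name given, DNS
# names and IPs alike, as "mkcert homeassistant 192.168.1.2" does. The first
# name chooses the file names (NAME.pem, NAME-key.pem).
make_leaf() {
  first=$1; san=""
  for n in "$@"; do san="$san,$(kind "$n"):$n"; done
  printf 'subjectAltName=%s\nextendedKeyUsage=serverAuth\n' "${san#,}" >"$WORK/ext.cnf"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$first" \
    -keyout "$WORK/$first-key.pem" -out "$WORK/$first.csr" 2>/dev/null &&
  openssl x509 -req -sha256 -days 825 -in "$WORK/$first.csr" \
    -CA "$WORK/rootCA.pem" -CAkey "$WORK/rootCA-key.pem" -CAcreateserial \
    -extfile "$WORK/ext.cnf" -out "$WORK/$first.pem" 2>/dev/null
}

# verify_leaf CERT NAME: the check a browser or the HA app performs, using only
# rootCA.pem: CERT must chain to it and its SAN must contain NAME.
verify_leaf() {
  if [ "$(kind "$2")" = IP ]; then opt=-verify_ip; else opt=-verify_hostname; fi
  openssl verify -CAfile "$WORK/rootCA.pem" "$opt" "$2" "$1" >/dev/null 2>&1
}

# Demo: mint the Step 2 pair, then run the Step 7 check for names in and out of the SAN.
make_ca && make_leaf homeassistant 192.168.1.2 || exit 1
for name in homeassistant 192.168.1.2 nas 192.168.1.3; do
  if verify_leaf "$WORK/homeassistant.pem" "$name"; then
    echo "$name: valid"
  else
    echo "$name: rejected (not in the certificate's SAN)"
  fi
done
```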

OPNsense offers that functionality in the Trust section. So there is no need to install that binary. Just create a CA and a server certificate on OPNsense and download the required files.

Yes, setting up a self-signed certificate in OPNSense is super easy, but that certificate shows up as invalid in the browser. This tutorial is about installing a valid self-signed certificate:

https://imgur.com/a/w8bJyzI

And the invalid certificate is not a huge deal for OPNSense, except for the annoying warning screen, but for apps like Home Assistant it is a deal breaker.

But I'm glad you asked; I have updated the subject and would not advise anyone to follow this HOWTO if all they need is a self-signed certificate for OPNSense and nothing else.

You need to download the root certificate and then you have to add it to the system trust.

There is a trust command on some distributions; some others have an update-ca-trust command.

I'm happy to say this works!
BUT how to make it work for Tailscale as well?
My local HA IP is 192.168.1.229
My Tailscale HA IP is 100.60.2.9
What is the proper syntax at this line of your code? mkcert homeassistant 192.168.1.229 tailscale 100.60.2.9
Please confirm when you have time. Thanks!

I've no experience with Tailscale, so I cannot comment. For my home I use OpenVPN for accessing the home LAN (including HA) from outside, which I installed using this tutorial:

https://www.youtube.com/watch?v=ocGAcZD8qYo

HTH