Privacy is important in the smart home, and one of the primary reasons to use Home Assistant is because it is totally under control of the user, on your own network. Since writing these posts, setting up encryption with Hass & Node-Red has been the number one question I’ve been asked about my setup. So after being lazy and just leaving my software behind a VPN and firewall, I finally git around to setting up SSL support for both Home Assistant and Node-Red.

Read below for a guide to securing your smart home with Let’s Encrypt.

ASSUMPTIONS

I am using Home Assistant on Hass.io. I have my own domain name, and my internet connection at home has a static IP address. My LAN is behind a standard consumer router . If you are using DuckDNS this will be a little different, but not much, see the Smart Home Hobby link below for DuckDNS specific instructions. Another important thing to watch out for – Let’s Encrypt will not work if other services are running on either port 80 or port 443. If you are clicking “Start” in Let’s Encrypt and nothing is happening, this is probably the issue (for me, Pi Hole was running on port 80).

Many thanks the Smart Home Hobby blog and Reddit user Wwalltt for helping pull the pieces together to make this happen.

ROUTER CONFIG

In your home network router, you will need to forward some ports. Forward 80, 443, 8123, and 1880 from the external internet side to the IP address of your Pi on your internal network (ie. 192.168.0.xxx). This should be all that is necessary on the networking side, if not check to see if “NAT loopback” is an enabled option in your router settings.

80 and 443 are used by Let’s Encrypt, 8123 is Home Assistant, and 1880 is used by Node-Red.

SETTING UP LET’S ENCRYPT

From the Hassio menu, you will see Let’s Encrypt in the default addon store.

In the options for Let’s Encrypt, enter your email and domain name

{ "email": "brad@myemail.com", "domains": [ "hass.mydomain.com" ], "certfile": "fullchain.pem", "keyfile": "privkey.pem" }

Save the settings and hit “Start”. If everything went well, you will see the success message in your logs. If not, check to make sure port 80 is not already in use, and that you forwarded the ports listed above.

HASS CONFIG

Now that we have the certificate set up, we need to tell Hass to use it. Because the certificate is only valid for the fully qualified domain name we entered in the Let’s Encrypt options (hass.mydomain.com), all encrypted communication must make use of this domain. In Home Assistant’s configuration.yaml file we need to change our base URL to the FQDN and tell it where the certificates live.

http: api_password: !secret http_password base_url: hass.mydomain.com:8123 ssl_certificate: /ssl/fullchain.pem ssl_key: /ssl/privkey.pem

Restart Home Assistant, and you should be able to access it via https://hass.mydomain.com:8123

NODE-RED CONFIG

While we’re at it, we might as well enable encryption for Node-Red as well. In the Node-Red options:

Note that I have included passwords for both the Node-Red UI and the HTTP Node – since we are exposing this service to the internet, we definitely want to set a password, otherwise anyone will have access to Node-Red.

With that done, restart Node-Red and you should be able to access it at https://hass.yourdomain.com:1880

Now Home Assistant and Node-Red are both using encrypted connections. We just need to tell the Home Assistant nodes to connect using the new encrypted connection.

In Node-Red, edit any Home Assistant node and go to the settings for your server.

The Base URL must match the Let’s Encrypt FQDN. Remember to use HTTPS at the beginning.

Save the settings and hit “Deploy” in Node-Red. If all was successful, you will see the HA nodes in your flows show “Connected” with a green indicator. Now our communication is encrypted.

ROUTING TRAFFIC LOCALLY

Now, you are probably thinking, “If I have to use the fully qualified domain name to connect – the external one – does this mean my connection is dependant on the internet being up?” and you would be right. As set up like this, if your internet goes down you lose the connection to Hass & Node-Red even if the local network is up. This is because Let’s Encrypt must use the publicly facing domain to verify your certificate – hass.mydomain.com – which resolves to your public internet IP.

We can solve this by setting up our LAN clients to resolve the domain name to the local, private LAN address instead. If we were on a traditional Home Assistant install on Linux, this could be accomplished by editing the /etc/hosts file on the client. Another option that might work is to check your router settings, and see if it has DNS features for adding custom entries.

Neither of those options were available to me, but I am running Pi Hole. Since Pi Hole is acting as the DNS server for my local network, I can add a custom host entry for my domain name. Now, all the clients on my LAN will resolve hass.mydomain.com to the private IP instead of the public one:

"hosts": [ { "name": "hass.mydomain.com", "ip": "192.168.0.6" } ]

Inside the network – I get the 192.168.0.6 IP. Outside on the public internet, the domain name resolves to my public IP. Either way, the connection is encrypted.

If you’re not using Pi Hole, another easy way to accomplish this in Hass.io is to use the DNSmasq addon. More advanced users may want to take a look at handling SSL through an nginx proxy.

To verify it’s working, run a traceroute from the command line:

brad-laptop:~ brad$ traceroute hass.mydomain.com traceroute to hass.mydomain (192.168.0.6), 64 hops max, 52 byte packets 1 hass.mydomain.com (192.168.0.6) 1.112 ms 0.982 ms 0.884 ms

This confirms that the traffic is going straight to my server on the local network, and not being routed through the internet. If you don’t get a trace like that, verify that your DNS server (Pi Hole, dnsmasq) is listed as a nameserver in your router settings and that your DHCP clients have refreshed their leases to get the new configuration.

192.168.0.6 is my Home Assistant Pi running Pi Hole as a DNS server. 8.8.8.8 is the public Google DNS server. My server needs to come first, so it will look there before asking Google’s server.

FINISHING UP

If you want to add Node-Red to your Home Assistant sidebar, add this to your configuration.yaml

panel_iframe: nodered: title: 'Node-Red' icon: 'mdi:shuffle-variant' url: 'https://hass.yourdomain.com:1880/'



