Home Assistant in HTTPS with own domain


If you have Home Assistant running at your house and you access it by IP or domain without HTTPS, you’ve probably already seen the insecure connection warning.

In this post, I explain how I solved this without depending on DuckDNS, without running Certbot manually and without esoteric hacks.


My setup (so you can tell whether this post applies to you)

  • brodt.com.br as domain
  • Residential fixed IP
  • Home Assistant OS running on a dedicated mini-PC
  • UDM-SE as router and firewall
  • Port 8123 kept for Home Assistant
  • Let’s Encrypt as certificate issuer
  • External access via HTTPS, with port 443 forwarded to 8123
  • Automatic certificate renewal via automation

1. Install Let’s Encrypt via Add-on Store

Go to:

Settings > Add-ons > Add-on Store, search for “Let’s Encrypt” and install.

Don’t start it yet, calm down. Let’s configure it first.

2. Configure the add-on to use port 8080

I needed to configure Let’s Encrypt HTTP for port 8080:

email: [email protected]
domains:
  - yourdomain.com.br
certfile: fullchain.pem
keyfile: privkey.pem
challenge: http
http:
  port: 8080

3. Redirect the ports

Access your router panel, create two port forwarding rules:

Rule 1, for certificate issuance:

  • External port: 8080 to internal port: 8080
  • Protocol: TCP
  • IP: the IP of your HA (e.g. 10.0.0.200)

Rule 2, for final access to HA:

  • External port: 443 to internal port: 8123
  • Protocol: TCP
  • IP: same as above, the HA IP

Now you access https://yourdomain.com.br and the requests are served by Home Assistant on port 8123.

4. Configure the configuration.yaml

In my case, the block looked like this:

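http:
  server_port: 8123
  # Certificate and key files issued by the Let’s Encrypt add-on
  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem
  cors_allowed_origins:
    - https://google.com
    - https://www.home-assistant.io
  # X-Forwarded-For is honoured only for requests coming from trusted_proxies
  use_x_forwarded_for: true
  trusted_proxies:
    - 10.0.0.200
    - 172.30.33.0/24
  # Ban an IP after 5 failed login attempts
  ip_ban_enabled: true
  login_attempts_threshold: 5

5. Restart and issue the certificate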

Save everything, restart HA and then start the Let’s Encrypt add-on. If everything is right, you’ll see the /ssl/fullchain.pem and /ssl/privkey.pem files created.

Test now: https://yourdomain.com.br

Automation to renew the certificate

  1. Go to Settings > Automations & Scenes > Create Automation
  2. Select Start with an empty automation

Trigger (When)

  • Trigger type: Time
  • Time: 03:00:00

Action (Then do)

  • Action type: Call service
  • Service: hassio.addon_restart
  • Data:
      addon: core_letsencrypt

This restarts the add-on every day at 3 AM. If the certificate is close to expiring, the add-on renews it on that run. And you sleep peacefully.
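
To confirm that the 03:00 restart really keeps the certificate fresh, you can check the certificate that is actually served on port 443. The script below is an added example, not part of the original post; the 14-day threshold, the function names and the sample certificate are assumptions made for illustration.

```python
import socket
import ssl
import sys
import time

# Assumption: warn when fewer than this many days remain.
MIN_DAYS_LEFT = 14

# Constructed sample in the format returned by SSLSocket.getpeercert().
SAMPLE_CERT = {
    "notAfter": "Jun 10 12:00:00 2025 GMT",
    "subjectAltName": (("DNS", "yourdomain.com.br"),),
}


def evaluate_cert(cert, now=None, min_days=MIN_DAYS_LEFT):
    """Classify a getpeercert() dict by the time left before it expires."""
    now = time.time() if now is None else now
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    days_left = int((expires - now) // 86400)  # floor: -1 once expired
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if days_left < 0:
        status = "expired"
    elif days_left < min_days:
        status = "renewal-overdue"
    else:
        status = "ok"
    return {"status": status, "days_left": days_left, "names": names}


def fetch_cert(host, port=443, timeout=10):
    """Fetch the served certificate; the default context rejects invalid ones."""
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    if len(sys.argv) > 1:  # e.g. python check_cert.py yourdomain.com.br
        try:
            print(evaluate_cert(fetch_cert(sys.argv[1])))
        except ssl.SSLCertVerificationError as exc:
            print({"status": "invalid", "reason": exc.verify_message})
    else:  # offline demo on the constructed sample
        demo_now = ssl.cert_time_to_seconds("Jun  1 12:00:00 2025 GMT")
        print(evaluate_cert(SAMPLE_CERT, now=demo_now))
```

Run it from a machine outside your network so the check also exercises the 443 to 8123 forwarding rule.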

  • HTTPS with own domain and fixed IP
  • No DuckDNS, no external scripts
  • Valid certificates renewing by themselves
  • Home Assistant still on 8123