HASS, DuckDNS and Let’s Encrypt

When you want to make a local HomeAssistant (a home automation software I mentioned before) available from the Internet, you probably want to secure it with SSL. There’s an official tutorial on how to do that, but it has a few problems:

  • It uses the official certbot client, which is super heavy and does all kinds of things you don’t need
  • It requires that port 80 is not used while refreshing certificates
  • It requires forwarding port 80 from the internet to your internal HomeAssistant server

So here’s how to do it differently:

  • we use the very lightweight dehydrated script (formerly known as letsencrypt.sh)
  • we use DNS-01 challenges to avoid needing any open ports

Set up DuckDNS

As in the official tutorial, we use DuckDNS as a dynamic DNS provider. This awesome free service makes the dynamic IP your ISP assigns to you available under a fixed domain.

So first go to https://www.duckdns.org, register an account and create a domain name. For the rest of the tutorial I will use myhome as the domain name, resulting in myhome.duckdns.org pointing to my ISP-assigned IP address.

Once you’ve done that, follow their official instructions on how to make your router auto-update the IP address.

You probably want to set up port forwarding to your HomeAssistant server. E.g. in my router I set a forwarding for port 8123 to the internal IP on port 8123, because that’s where my HomeAssistant GUI is running.

Before continuing, make sure your HomeAssistant is now available via http://myhome.duckdns.org or whatever domain you set up.

Setting up Dehydrated

I’m doing the whole setup as the homeassistant user on my Hassbian-based Raspberry Pi. The whole thing should also work as user pi; you will just need to adjust a few paths below.

First get a copy of the current dehydrated script. I’ll clone the repository with git, because that makes updating easier later on, but you could also just download the zip from GitHub and unpack that:

Now change into the new dehydrated directory and create a new domains.txt file containing your duckdns domain name:

We also need a config file containing the following:

Next we need a hook that will do the DNS challenge for us and will restart HomeAssistant when the certificate has changed. Create a hook.sh file with the following content:
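An added example of such a hook (not the original post's script and not part of dehydrated): it sets and clears the challenge TXT record through DuckDNS's update URL, checks the OK/KO reply instead of trusting the request, ignores hook operations it does not handle, and restarts HomeAssistant on deploy_cert. The token value, the DNS_WAIT delay and the systemd unit name are placeholders and assumptions.

```shell
#!/bin/sh
# Added example of a dehydrated DNS-01 hook for DuckDNS (not the original hook.sh).
# The token controls your DuckDNS records: keep this file owner-only (chmod 700).
DUCKDNS_DOMAIN="myhome"                                  # subdomain only, no .duckdns.org
DUCKDNS_TOKEN="00000000-0000-0000-0000-000000000000"    # placeholder, use your own token
HASS_SERVICE="home-assistant@homeassistant.service"     # assumed systemd unit name

# Print the DuckDNS update URL that sets ($1=set, $2=value) or clears ($1=clear)
# the TXT record used for the DNS-01 challenge.
duckdns_txt_url() {
    _base="https://www.duckdns.org/update?domains=${DUCKDNS_DOMAIN}&token=${DUCKDNS_TOKEN}"
    case "$1" in
        set)   printf '%s&txt=%s\n' "$_base" "$2" ;;
        clear) printf '%s&txt=removed&clear=true\n' "$_base" ;;
        *)     return 1 ;;
    esac
}

# DuckDNS reports the result in the response body ("OK" or "KO"), so check it.
duckdns_call() {
    _reply="$(curl -fsS --max-time 30 "$1")" || return 1
    [ "$_reply" = "OK" ]
}

# dehydrated calls the hook as: hook.sh OPERATION ARGS...
hook_main() {
    case "${1:-}" in
        deploy_challenge)   # args: DOMAIN TOKEN_FILENAME TOKEN_VALUE
            duckdns_call "$(duckdns_txt_url set "$4")" || return 1
            sleep "${DNS_WAIT:-30}"     # assumed delay so the record is visible
            ;;
        clean_challenge)
            duckdns_call "$(duckdns_txt_url clear)"
            ;;
        deploy_cert)        # certificate was issued or renewed: reload it
            sudo systemctl restart "$HASS_SERVICE"
            ;;
        *)                  # ignore operations this hook does not handle
            return 0
            ;;
    esac
}

hook_main "$@"
```

A non-zero exit from the hook makes the dehydrated run fail, so a "KO" from DuckDNS stops the run instead of waiting for a validation that cannot succeed.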

Be sure to change the token and domain at the top of the script. Also make the hook script executable:

Generating the Certificate

Time to run dehydrated.

First, register a new private key with Let’s Encrypt:

Then generate the certificate:

That’s it. We now have a valid certificate!

Automate Renewing

Let’s Encrypt certificates expire after 90 days, so we need to automatically renew them. We simply call dehydrated via cron on every 1st day of the month:

Reconfigure HomeAssistant

Edit your configuration.yaml and add the new certificate to the http section:

Finally, restart HomeAssistant.

Your HomeAssistant should now be available via https://myhome.duckdns.org:8123.
