Setting Up Let’s Encrypt with Node-Red & Home Assistant

ConfigHome AssistantNode-RedSmart Home

Written by:

Privacy is important in the smart home, and one of the primary reasons to use Home Assistant is because it is totally under control of the user, on your own network. Since writing these posts, setting up encryption with Hass & Node-Red has been the number one question I’ve been asked about my setup. So after being lazy and just leaving my software behind a VPN and firewall, I finally git around to setting up SSL support for both Home Assistant and Node-Red.

Read below for a guide to securing your smart home with Let’s Encrypt.

ASSUMPTIONS

I am using Home Assistant on Hass.io. I have my own domain name, and my internet connection at home has a static IP address. My LAN is behind a standard consumer router. If you are using DuckDNS this will be a little different, but not much, see the Smart Home Hobby link below for DuckDNS specific instructions. Another important thing to watch out for – Let’s Encrypt will not work if other services are running on either port 80 or port 443. If you are clicking “Start” in Let’s Encrypt and nothing is happening, this is probably the issue (for me, Pi Hole was running on port 80).

Many thanks the Smart Home Hobby blog and Reddit user Wwalltt for helping pull the pieces together to make this happen.

ROUTER CONFIG

In your home network router, you will need to forward some ports. Forward 80, 443, 8123, and 1880 from the external internet side to the IP address of your Pi on your internal network (ie. 192.168.0.xxx). This should be all that is necessary on the networking side, if not check to see if “NAT loopback” is an enabled option in your router settings.

80 and 443 are used by Let’s Encrypt, 8123 is Home Assistant, and 1880 is used by Node-Red.

SETTING UP LET’S ENCRYPT

From the Hassio menu, you will see Let’s Encrypt in the default addon store.

Hassio Let's Encrypt

Hassio Let’s Encrypt

In the options for Let’s Encrypt, enter your email and domain name

{
 "email": "brad@myemail.com",
 "domains": [
 "hass.mydomain.com"
 ],
 "certfile": "fullchain.pem",
 "keyfile": "privkey.pem"
}

Save the settings and hit “Start”. If everything went well, you will see the success message in your logs. If not, check to make sure port 80 is not already in use, and that you forwarded the ports listed above.

Let's Encrypt Success Message

Let’s Encrypt Success Message

HASS CONFIG

Now that we have the certificate set up, we need to tell Hass to use it. Because the certificate is only valid for the fully qualified domain name we entered in the Let’s Encrypt options (hass.mydomain.com), all encrypted communication must make use of this domain. In Home Assistant’s configuration.yaml file we need to change our base URL to the FQDN and tell it where the certificates live.

http:
 api_password: !secret http_password
 base_url: hass.mydomain.com:8123
 ssl_certificate: /ssl/fullchain.pem
 ssl_key: /ssl/privkey.pem

Restart Home Assistant, and you should be able to access it via https://hass.mydomain.com:8123

NODE-RED CONFIG

While we’re at it, we might as well enable encryption for Node-Red as well. In the Node-Red options:

Node-Red Config

Node-Red Config

Note that I have included passwords for both the Node-Red UI and the HTTP Node – since we are exposing this service to the internet, we definitely want to set a password, otherwise anyone will have access to Node-Red.

With that done, restart Node-Red and you should be able to access it at https://hass.yourdomain.com:1880

RELATED >>  Useful Sensor: Motion Last Seen & Meta Motion Sensor

Now Home Assistant and Node-Red are both using encrypted connections. We just need to tell the Home Assistant nodes to connect using the new encrypted connection.

In Node-Red, edit any Home Assistant node and go to the settings for your server.

Node-Red HA Node Settings

Node-Red HA Node Settings

The Base URL must match the Let’s Encrypt FQDN. Remember to use HTTPS at the beginning.

Save the settings and hit “Deploy” in Node-Red. If all was successful, you will see the HA nodes in your flows show “Connected” with a green indicator. Now our communication is encrypted.

ROUTING TRAFFIC LOCALLY

Now, you are probably thinking, “If I have to use the fully qualified domain name to connect – the external one – does this mean my connection is dependant on the internet being up?” and you would be right. As set up like this, if your internet goes down you lose the connection to Hass & Node-Red even if the local network is up. This is because Let’s Encrypt must use the publicly facing domain to verify your certificate – hass.mydomain.com – which resolves to your public internet IP.

We can solve this by setting up our LAN clients to resolve the domain name to the local, private LAN address instead. If we were on a traditional Home Assistant install on Linux, this could be accomplished by editing the /etc/hosts file on the client. Another option that might work is to check your router settings, and see if it has DNS features for adding custom entries.

Neither of those options were available to me, but I am running Pi Hole. Since Pi Hole is acting as the DNS server for my local network, I can add a custom host entry for my domain name. Now, all the clients on my LAN will resolve hass.mydomain.com to the private IP instead of the public one:

 "hosts": [
 {
 "name": "hass.mydomain.com",
 "ip": "192.168.0.6"
 }
 ]

Inside the network – I get the 192.168.0.6 IP. Outside on the public internet, the domain name resolves to my public IP. Either way, the connection is encrypted.

If you’re not using Pi Hole, another easy way to accomplish this in Hass.io is to use the DNSmasq addon. More advanced users may want to take a look at handling SSL through an nginx proxy.

To verify it’s working, run a traceroute from the command line:

brad-laptop:~ brad$ traceroute hass.mydomain.com
traceroute to hass.mydomain (192.168.0.6), 64 hops max, 52 byte packets
 1 hass.mydomain.com (192.168.0.6) 1.112 ms 0.982 ms 0.884 ms

This confirms that the traffic is going straight to my server on the local network, and not being routed through the internet. If you don’t get a trace like that, verify that your DNS server (Pi Hole, dnsmasq) is listed as a nameserver in your router settings and that your DHCP clients have refreshed their leases to get the new configuration.

Client DNS Settings for my LAN

Client DNS Settings for my LAN

192.168.0.6 is my Home Assistant Pi running Pi Hole as a DNS server. 8.8.8.8 is the public Google DNS server. My server needs to come first, so it will look there before asking Google’s server.

FINISHING UP

If you want to add Node-Red to your Home Assistant sidebar, add this to your configuration.yaml

panel_iframe:
 nodered:
   title: 'Node-Red'
   icon: 'mdi:shuffle-variant'
   url: 'https://hass.yourdomain.com:1880/'

 


11 Replies to “Setting Up Let’s Encrypt with Node-Red & Home Assistant”

  1. Derek McFarland says:

    The duckdns addon includes the letsencrypt feature now.

  2. Drogfild says:

    You don’t need NAT Loopback from your router. Mine doesn’t have it. And you can make it more robust with setup below.

    Use address http://hassio/homeassistant as Home Assistant server address inside Node-RED. That’s Hass.io API proxy address. Then your Hass.io and Node-RED communication isn’t dependent on IP stack, your router or your internet connection.

  3. MastroPino says:

    Thanks mate, this help me 🙂

  4. poldim says:

    How are you running your various components? Are they on bare metal? VM? All on one system or virtualized?

    Did you say all this and I just miss it? Would love to see the overall architecture. I’m running into problems at my rental because I’m using HASSio on a Pi2 and it seems to be creating additional challenges for me due to it’s somewhat limited configurations.

  5. Chris says:

    How would you do this without Hassio but just regular Home Assistant in a Docker? I assume the steps are a bit different? Would be helpful for those of us not running Hassio.

  6. JesseWeb says:

    Thanks for the article. How can I get the root site (www.my-domain.com) to point to a local server that is not HA hosted? Most of my sites (HA, node-red, etc) run on Hassio but my personal website runs on a different box.

Leave a Reply

Your email address will not be published. Required fields are marked *