Let's Encrypt

Setting Up Let’s Encrypt with Node-Red & Home Assistant

Privacy is important in the smart home, and one of the primary reasons to use Home Assistant is because it is totally under control of the user, on your own network. Since writing these posts, setting up encryption with Hass & Node-Red has been the number one question I’ve been asked about my setup. So after being lazy and just leaving my software behind a VPN and firewall, I finally git around to setting up SSL support for both Home Assistant and Node-Red.

Read below for a guide to securing your smart home with Let’s Encrypt.


I am using Home Assistant on Hass.io. I have my own domain name, and my internet connection at home has a static IP address. My LAN is behind a standard consumer router. If you are using DuckDNS this will be a little different, but not much, see the Smart Home Hobby link below for DuckDNS specific instructions. Another important thing to watch out for – Let’s Encrypt will not work if other services are running on either port 80 or port 443. If you are clicking “Start” in Let’s Encrypt and nothing is happening, this is probably the issue (for me, Pi Hole was running on port 80).

Many thanks the Smart Home Hobby blog and Reddit user Wwalltt for helping pull the pieces together to make this happen.


In your home network router, you will need to forward some ports. Forward 80, 443, 8123, and 1880 from the external internet side to the IP address of your Pi on your internal network (ie. 192.168.0.xxx). This should be all that is necessary on the networking side, if not check to see if “NAT loopback” is an enabled option in your router settings.

80 and 443 are used by Let’s Encrypt, 8123 is Home Assistant, and 1880 is used by Node-Red.


From the Hassio menu, you will see Let’s Encrypt in the default addon store.

Hassio Let's Encrypt

Hassio Let’s Encrypt

In the options for Let’s Encrypt, enter your email and domain name

 "email": "brad@myemail.com",
 "domains": [
 "certfile": "fullchain.pem",
 "keyfile": "privkey.pem"

Save the settings and hit “Start”. If everything went well, you will see the success message in your logs. If not, check to make sure port 80 is not already in use, and that you forwarded the ports listed above.

Let's Encrypt Success Message

Let’s Encrypt Success Message


Now that we have the certificate set up, we need to tell Hass to use it. Because the certificate is only valid for the fully qualified domain name we entered in the Let’s Encrypt options (hass.mydomain.com), all encrypted communication must make use of this domain. In Home Assistant’s configuration.yaml file we need to change our base URL to the FQDN and tell it where the certificates live.

 api_password: !secret http_password
 base_url: hass.mydomain.com:8123
 ssl_certificate: /ssl/fullchain.pem
 ssl_key: /ssl/privkey.pem

Restart Home Assistant, and you should be able to access it via https://hass.mydomain.com:8123


While we’re at it, we might as well enable encryption for Node-Red as well. In the Node-Red options:

Node-Red Config

Node-Red Config

Note that I have included passwords for both the Node-Red UI and the HTTP Node – since we are exposing this service to the internet, we definitely want to set a password, otherwise anyone will have access to Node-Red.

With that done, restart Node-Red and you should be able to access it at https://hass.yourdomain.com:1880

Now Home Assistant and Node-Red are both using encrypted connections. We just need to tell the Home Assistant nodes to connect using the new encrypted connection.

RELATED >>  Location Aware Notification Lights with Node-Red and IFTTT

In Node-Red, edit any Home Assistant node and go to the settings for your server.

Node-Red HA Node Settings

Node-Red HA Node Settings

The Base URL must match the Let’s Encrypt FQDN. Remember to use HTTPS at the beginning.

Save the settings and hit “Deploy” in Node-Red. If all was successful, you will see the HA nodes in your flows show “Connected” with a green indicator. Now our communication is encrypted.


Now, you are probably thinking, “If I have to use the fully qualified domain name to connect – the external one – does this mean my connection is dependant on the internet being up?” and you would be right. As set up like this, if your internet goes down you lose the connection to Hass & Node-Red even if the local network is up. This is because Let’s Encrypt must use the publicly facing domain to verify your certificate – hass.mydomain.com – which resolves to your public internet IP.

We can solve this by setting up our LAN clients to resolve the domain name to the local, private LAN address instead. If we were on a traditional Home Assistant install on Linux, this could be accomplished by editing the /etc/hosts file on the client. Another option that might work is to check your router settings, and see if it has DNS features for adding custom entries.

Neither of those options were available to me, but I am running Pi Hole. Since Pi Hole is acting as the DNS server for my local network, I can add a custom host entry for my domain name. Now, all the clients on my LAN will resolve hass.mydomain.com to the private IP instead of the public one:

 "hosts": [
 "name": "hass.mydomain.com",
 "ip": ""

Inside the network – I get the IP. Outside on the public internet, the domain name resolves to my public IP. Either way, the connection is encrypted.

If you’re not using Pi Hole, another easy way to accomplish this in Hass.io is to use the DNSmasq addon. More advanced users may want to take a look at handling SSL through an nginx proxy.

To verify it’s working, run a traceroute from the command line:

brad-laptop:~ brad$ traceroute hass.mydomain.com
traceroute to hass.mydomain (, 64 hops max, 52 byte packets
 1 hass.mydomain.com ( 1.112 ms 0.982 ms 0.884 ms

This confirms that the traffic is going straight to my server on the local network, and not being routed through the internet. If you don’t get a trace like that, verify that your DNS server (Pi Hole, dnsmasq) is listed as a nameserver in your router settings and that your DHCP clients have refreshed their leases to get the new configuration.

Client DNS Settings for my LAN

Client DNS Settings for my LAN is my Home Assistant Pi running Pi Hole as a DNS server. is the public Google DNS server. My server needs to come first, so it will look there before asking Google’s server.


If you want to add Node-Red to your Home Assistant sidebar, add this to your configuration.yaml

   title: 'Node-Red'
   icon: 'mdi:shuffle-variant'
   url: 'https://hass.yourdomain.com:1880/'



  1. You don’t need NAT Loopback from your router. Mine doesn’t have it. And you can make it more robust with setup below.

    Use address http://hassio/homeassistant as Home Assistant server address inside Node-RED. That’s Hass.io API proxy address. Then your Hass.io and Node-RED communication isn’t dependent on IP stack, your router or your internet connection.


Leave a Reply

Your email address will not be published. Required fields are marked *