Available for Windows, macOS, and Linux systems (including Raspberry Pi), the open-source Home Assistant software acts as a central hub for controlling all your smart devices for all your home automation needs.
If you want to access your Home Assistant server remotely, whether using DDNS or Cloudflare Tunnel, you must encrypt the connection with an SSL/TLS certificate. Fortunately, you can use the free Let's Encrypt add-on to generate the SSL/TLS certificate and configure it on your Home Assistant server.
Methods to Install SSL/TLS Certificate on Home Assistant
Let's Encrypt is a popular way of setting up free SSL/TLS on websites. We can also use Let's Encrypt to secure our Home Assistant server by following either of the following methods:
- HTTP Challenge: In this method, you use the free DDNS service and set up port forwarding (port 80) on your router.
- DNS Challenge: In this method, you register a free or paid domain and use a secure Cloudflare Tunnel. You don’t need to open any ports on your router and thus, it’s more secure.
Besides, the HTTP challenge method is much lengthier and more complex. The DNS challenge method with a secure Cloudflare Tunnel is easier to follow and deploy.
Thus, for this guide we will use Cloudflare and Let’s Encrypt to secure our Home Assistant instance and access it remotely over an HTTPS connection. However, if you still want to go with the DDNS method, follow the official Home Assistant guide.
Prerequisites to Generate SSL
To set up and deploy the SSL certificate on Home Assistant using the DNS challenge method for secured access, you will need the following:
- A Cloudflare account.
- A registered domain name. You can get a free domain from Freenom.com or register a new domain on any service provider, such as GoDaddy.
Once you register the domain, add it to your Cloudflare account and enable the HTTPS option under SSL/TLS settings in Cloudflare.
For now, choose Flexible. Once you deploy the SSL certificate on your Home Assistant server using Let’s Encrypt, you can enable the Full option for end-to-end encryption.
After enabling the HTTPS option, continue following the next steps to install Let’s Encrypt and deploy the SSL certificate on the server.
Deploy Cloudflare Tunnel
By deploying Cloudflare Tunnel, you can access the Home Assistant server remotely over HTTPS. Also, this will help complete the DNS challenge for installing the SSL certificates on our Home Assistant server. The steps are as follows:
- Visit the Cloudflared add-on link and click Open Link.
- Click Add to add the Cloudflared repository to your Home Assistant server.
- Now search and click on the Cloudflared add-on.
- Click Install. Wait for the installation to complete.
- After installing the Cloudflared add-on, click the Configuration tab.
- Click the three dots at the top-right and paste the following code.
    additional_hosts:
      - hostname: YourDomainName.com
        service: http://HomeAssistantIPAddress:8123
    external_hostname: YourDomainName.com
    tunnel_name: homeassistant
    tunnel_token: ""
    nginx_proxy_manager: false
    log_level: debug
    warp_enable: true
    warp_routes:
      - 192.168.0.2/24
- Click Save.
- Also, add the following code to the configuration.yaml file.
    http:
      use_x_forwarded_for: true
      trusted_proxies:
        - 172.30.33.0/24
- Save and restart the Home Assistant Server.
- After the restart, start the Cloudflared add-on and enable the Start on boot option for this add-on.
- Open the Log tab on the Cloudflared add-on page and copy the displayed web URL into your web browser. This will open the Cloudflare page.
- Log in to Cloudflare using your registered email account and then select the domain name.
- Click Authorize.
- Return to the Log section of your Home Assistant Cloudflared add-on and check if the authentication is successful. If so, it will create a secure tunnel to expose your Home Assistant server on the internet over HTTPS. However, it’s not end-to-end encrypted yet.
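The `use_x_forwarded_for` and `trusted_proxies` settings added to configuration.yaml above decide whose word is taken for the client's address. The following added example (not Home Assistant's own code, and not from the original guide) sketches the general trusted-proxy rule those settings express: the `X-Forwarded-For` header is honored only when the connection itself comes from the listed subnet. The function names are hypothetical and the addresses in the test are constructed.

```python
import ipaddress
from typing import Optional

# Mirrors the trusted_proxies value from the configuration.yaml snippet above.
TRUSTED_PROXIES = [ipaddress.ip_network("172.30.33.0/24")]


def is_trusted(addr: str) -> bool:
    """True if addr is inside one of the trusted proxy networks."""
    ip = ipaddress.ip_address(addr)  # raises ValueError on malformed input
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(peer_addr: str, x_forwarded_for: Optional[str]) -> str:
    """Return the address to log and rate-limit on.

    peer_addr is the TCP peer; x_forwarded_for is the raw header value.
    """
    # A header sent by a peer outside trusted_proxies is client-controlled: ignore it.
    if not x_forwarded_for or not is_trusted(peer_addr):
        return peer_addr
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    # Walk right to left: the rightmost entries were appended by our own proxies,
    # so the first untrusted hop is the client. Entries left of it are unverified.
    for hop in reversed(hops):
        try:
            if not is_trusted(hop):
                return str(ipaddress.ip_address(hop))
        except ValueError:
            return peer_addr  # malformed entry: fall back to the socket address
    # Every hop was a trusted proxy (or the list was empty).
    return hops[0] if hops else peer_addr
```

Widening `trusted_proxies` beyond the subnet the tunnel add-on actually connects from lets any host in the added range choose the address that appears in login and ban logs.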
Get the Cloudflare API Key
You need a Cloudflare API token to complete the DNS challenge required for deploying the SSL/TLS certificate on your Home Assistant server. The steps are as follows:
- Log in to your Cloudflare account and go to the https://dash.cloudflare.com/profile page.
- Click API Tokens.
- Click Create API token and then click the Use Template button beside the Edit zone DNS option.
- Choose the Specific Zone option and then select your domain name from the dropdowns under the Zone Resources section.
- Click Continue to summary and then click Create Token.
- Copy the generated API token and keep it safe. You will need this during the Let’s Encrypt configuration.
Install the Let’s Encrypt Add-On
On your Home Assistant server, follow these steps to install the Let’s Encrypt add-on.
- Go to Settings > Add-ons.
- Click the ADD-ON STORE button.
- Search for and click on letsencrypt.
- Click on the INSTALL button.
- Do not start the add-on yet.
Configure Let’s Encrypt
You need to add the details of your domain and your Cloudflare API token to the Let’s Encrypt configuration to install the certificate on the server. For this, follow the steps given below:
- On the Let’s Encrypt configuration page, click the Configuration tab.
- Click the three dots at the top-right and choose Edit in YAML.
- In the Options field, paste the following code. Make sure to replace YourDomainName.com with your domain name. Also, edit the email ID, Cloudflare email, and API token (you generated these in earlier steps, so paste them here).
    domains:
      - "*.YourDomainName.com"
    email: Your.Email@gmail.com
    keyfile: privkey.pem
    certfile: fullchain.pem
    challenge: dns
    dns:
      provider: dns-cloudflare
      cloudflare_email: Your.CloudflareEmail@gmail.com
      cloudflare_api_token: YWrT6HXwMn5hHYKor6B
- Click Save.
Generate the SSL/TLS Certificate
Once the information is saved, go to the Info tab of the Let’s Encrypt add-on on your Home Assistant server and click Start.
This will start the Let’s Encrypt add-on, which will use the information provided by you in the configuration file to complete the DNS challenge and install the required SSL/TLS certificate on your Home Assistant server.
This will take a while to complete. We strongly advise that you click on the Log tab and keep an eye on the logs (keep refreshing). If there’s any error, such as an invalid API or credentials, you can fix it and start the Let’s Encrypt add-on again to finish installing the SSL/TLS certificate on your Home Assistant server.
If everything goes well, the certificates will be generated and installed. The free certificate will be valid for three months. After three months or just before the third month ends, you can start the Let’s Encrypt add-on again to renew the certificates.
At this stage, you can log in to your Cloudflare account and turn on Full mode under SSL/TLS for end-to-end encryption.
Congratulations! You have successfully generated and installed an SSL/TLS certificate on your Home Assistant server.
Free SSL and Remote Access
With this detailed guide on setting up SSL/TLS certificates on the Home Assistant server, anyone can quickly set up and install the certificates and secure their Home Assistant server instance. With Cloudflare Tunnel, your Home Assistant instance is also end-to-end encrypted. This also enables you to access your Home Assistant server and all your devices and local servers from anywhere in the world.