I’ve been using the DuckDNS add-in for HTTPS connections to Home Assistant. Configuring this add-in was relatively straightforward and I described it in my post “Accessing Home Assistant from the Internet”. However, the obvious drawback of this method is that I’m tied to using DuckDNS for distributed DNS service.
Enter ACME, the IETF standard Automated Certificate Management Environment. It allows me to use encryption with other dynamic DNS service providers. In this post, we’ll look at using an ACME client to generate a certificate and key file for use with Dynu Systems.
- Create a free account on dynu.com. Choose a base domain, e.g. dynu.net, and create a sub-domain name
- Associate the sub-domain with the Home Assistant server IP address
- In the dynu.com Control Panel -> API Credentials, click the Reset Credentials button and take note of the Client ID and Secret
- Install the ACME client and generate the certificate as follows. Replace the Dynu_ClientId and Dynu_Secret values with those from the previous step:
    curl https://get.acme.sh | sh
    export Dynu_ClientId="xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
    export Dynu_Secret="yyyyyyyyyyyyyyyyyyyyyyyyy"
    cd ~/.acme.sh
    ./acme.sh --issue --dns dns_dynu -d <sub-domain>
- Once the verification process has finished, the certificate and private key files are written to a sub-directory named after the sub-domain
- Change the permissions of these files to read/write for the owner only (mode 600), and copy them to the Home Assistant ssl folder:
    cd <sub-domain>
    sudo chmod 600 fullchain.cer <sub-domain>.key
    sudo cp fullchain.cer <sub-domain>.key /usr/share/hassio/ssl
- Add the following section in configuration.yaml and restart Home Assistant
    http:
      base_url: https://<sub-domain>:8123
      ssl_certificate: /ssl/fullchain.cer
      ssl_key: /ssl/<sub-domain>.key
- Home Assistant can now be accessed with https://sub-domain
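The copy step above has to be repeated whenever the certificate is renewed, otherwise Home Assistant keeps serving the old files from its ssl folder. The following is an added example, not part of the original post: a hypothetical helper `deploy_cert` that refreshes the copies only when the files in the acme.sh sub-directory have changed and always leaves them at mode 600. The function name and its "changed"/"unchanged" output are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post).
# deploy_cert SRC_DIR DEST_DIR DOMAIN
#   SRC_DIR   acme.sh sub-directory holding fullchain.cer and DOMAIN.key
#   DEST_DIR  Home Assistant ssl folder
# Prints "changed" when a file was replaced (restart Home Assistant then),
# "unchanged" otherwise. Returns 2 if a source file is missing or empty.
deploy_cert() {
    src=$1
    dest=$2
    domain=$3
    changed=0

    # Refuse to deploy an incomplete pair: both files must exist and be non-empty.
    for f in fullchain.cer "$domain.key"; do
        [ -s "$src/$f" ] || { echo "missing or empty: $src/$f" >&2; return 2; }
    done

    for f in fullchain.cer "$domain.key"; do
        if ! cmp -s "$src/$f" "$dest/$f" 2>/dev/null; then
            # Write under a temporary name with mode 600, then rename, so the
            # key is never readable by others and never half-written in place.
            install -m 600 "$src/$f" "$dest/.$f.new" || return 2
            mv -f "$dest/.$f.new" "$dest/$f" || return 2
            changed=1
        fi
    done

    # Tighten the modes even when the contents were already current.
    chmod 600 "$dest/fullchain.cer" "$dest/$domain.key" || return 2

    if [ "$changed" -eq 1 ]; then echo changed; else echo unchanged; fi
}

# Usage, run as a user allowed to write to the ssl folder:
#   deploy_cert "$HOME/.acme.sh/<sub-domain>" /usr/share/hassio/ssl "<sub-domain>"
```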
Update: Using Dynamic DNS (ddnss.de) as DDNS provider
- Register for a free account at https://ddnss.de/user_new.php
- Create a new host (Dyn DNS calls them vHosts) and, on the vHost definition page, check “TXT Record” and “Wildcard”
- Back on the User Dashboard, copy the Update Key to be used in the next step
- Follow the instructions above, but replace the two export commands and the ./acme.sh command with the following:
    export DDNSS_Token="Update key"
    ./acme.sh --issue --dns dns_ddnss -d <sub-domain>