Available for Windows, macOS and Linux systems (including Raspberry Pi), the open source Home Assistant software acts as a central hub to control all your smart devices for all your home automation needs.
If you want to access your Home Assistant server remotely, either via DDNS or Cloudflare Tunnel, you must encrypt the source with an SSL/TLS certificate. Fortunately, you can use the free Lets Encrypt add-on to generate and configure the SSL/TLS certificate on Home Assistant and add it to your server.
Methods of Installing SSL/TLS Certificate on Home Assistant
Let’s Encrypt is a popular way to set up free SSL/TLS on websites. We can also use Let’s Encrypt to secure our Home Assistant server by following one of the following methods:
- HTTP Challenge: In this method, you use the free DDNS service and set up port forwarding (port 80) on your router.
- DNS Challenge: In this method, you register a free or paid domain and use a secure Cloudflare tunnel. You don’t need to open any ports on your router, so it’s more secure.
Also, the HTTP challenge method is much longer and more complex. The DNS challenge method with a secure Cloudflare tunnel is easier to follow and deploy.
So, for this guide, we’ll be using Cloudflare and Let’s Encrypt to secure our Home Assistant instance and access it remotely over an HTTPS connection. However, if you still want to use the DDNS method, follow the official home assistant guide.
Prerequisites for generating SSL
To configure and deploy the SSL certificate on Home Assistant using the DNS challenge method for secure access, you will need the following:
- A Cloudflare account.
- A registered domain name. You can get a free domain from Freenom.com or register a new domain on any service provider, such as GoDaddy.
Once you have registered the domain, add it to your Cloudflare account and activate it. HTTPS option under SSL/TLS settings in Cloudflare.
For now, choose Flexible. Once you have deployed the SSL certificate to our Home Assistant server using Let’s Encrypt, you can activate the Full optional for end-to-end encryption.
After enabling the HTTPS option, continue with the following steps to install Let’s Encrypt and deploy the SSL certificate to the server.
Deploy the Cloudflare Tunnel
By deploying Cloudflare Tunnel, you can remotely access the Home Assistant server via HTTPS. This will also help with the DNS challenge for installing SSL certificates on our Home Assistant server. The steps are as follows:
- Visit the Cloudflared add-on link and click Open link.
- Click on To add to add the Cloudflared repository to your Home Assistant server.
- Now find and click on the Cloudy To add.
- Click on Install. Wait for the installation to complete.
- After installing the Cloudflared add-on, click on the Configuration tongue.
- Click on the three dots at the top right and paste the following code.
- hostname: YourDomainName.com
- Click on to safeguard.
- Also add the following code to the configuration.yaml case.
trusted_proxies: - 172.30.33.0/24
- to safeguard and restart the Home Assistant server.
- After the reboot, start the Cloudflared add-on and enable it Start at startup option for this add-on.
- Open the To register on the Cloudflared add-on page and copy the web URL displayed in your web browser. This will open the Cloudflare page.
- Log in to Cloudflare using your registered email account, then select the domain name.
- Click on To allow.
- back to Save from your Cloudflared Home Assistant add-on and check if the authentication was successful. If so, it will create a secure tunnel to expose your Home Assistant server to the internet via HTTPS. However, it is not yet end-to-end encrypted.
Get the Cloudflare API Key
You need the Cloudflare API to complete the DNS challenge required to deploy the SSL/TLS certificate to your Home Assistant server. The steps are as follows:
- Log in to your Cloudflare account and navigate to https://dash.cloudflare.com/profile page.
- Click on API tokens.
- Click on Create an API token then click on the Use the model button next to Modify the DNS of the zone option.
- Choose the Specific area option, then select your domain name in the drop-down menus under the Zone resources section.
- Click on Continue to summary then click Create a token.
- Copy the generated API token and keep it in a safe place. You will need it when setting up Let’s Encrypt.
Install the Let’s Encrypt add-on
On your Home Assistant server, follow these steps to install the Let’s Encrypt add-on.
- Go to Settings > Additional modules.
- Click it SHOP ADD-ON button.
- Find and click allows you to encrypt.
- Click on the INSTALL button.
- Do not start the add-on yet.
Configure Let’s Encrypt
You need to add our domain and Cloudflare API details in the Let’s Encrypt configuration file to install the certificate on the server. To do this, follow the steps below:
- On the Let’s Encrypt configuration page, click the Configuration tongue.
- Click it three points at the top right and choose Edit in YAML.
- In the Choice field, paste the following code. Be sure to replace YourDomainName.com with your domain name. Also edit the Mail ID, Cloudflare Email, and API Token (you generated them in the previous steps, so paste them here).
- Click on to safeguard.
Generate the SSL/TLS certificate
Once the information has been saved, access the Information the Let’s Encrypt add-on tab on your Home Assistant server and click Begin.
This will launch the Let’s Encrypt add-on, which will use the information you provided in the configuration file to complete the DNS challenge and install the required SSL/TLS certificate on your Home Assistant server.
It will take some time. We strongly advise you to click on the To register tab and keep an eye on the logs (keep refreshing). If there is an error, such as an invalid API or credentials, you can correct it and restart the Let’s Encrypt add-on to complete the SSL/TLS certificate installation on your Home Assistant server.
If all goes well, the certificates will be generated and installed. The free certificate will be valid for three months. After three months or just before the end of the third month, you can restart the Let’s Encrypt add-on to renew the certificates.
At this point, you can log in to your Cloudflare account and activate Full mode below SSL/TLS for end-to-end encryption.
Congratulations! You have successfully generated and installed the SSL/TLS certificate on your Home Assistant server.
Free SSL and remote access
With this step-by-step guide on setting up SSL/TLS certificates on Home Assistant Server, anyone can quickly set up and install the certificates and secure their Home Assistant Server instance. With Cloudflare Tunnel, your Home Assistant instance is also end-to-end encrypted. It also allows you to access your Home Assistant server and all your local devices and servers from anywhere in the world.