Move infrastructure cookbooks to docs (#2331)

* Move apache configuration to docs

* Add redirect

* Move certificate cookbooks to docs

* Add redirect

* Move tor configuration to docs

* Fix extension

* Update headings and add redirect

* Move file to docs

* Add redirect and remove whitespaces

* Add new sections
Fabian Affolter 2017-03-25 19:19:33 +01:00 committed by GitHub
parent 82c9798f10
commit 8f1095fda0
6 changed files with 43 additions and 25 deletions

@ -0,0 +1,72 @@
---
layout: page
title: "Certificate for SSL/TLS via domain ownership"
description: "Configure a certificate to use with Home Assistant"
date: 2017-02-17 08:00
sidebar: true
comments: false
sharing: true
footer: true
redirect_from: /cookbook/tls_domain_certificate/
---
If your Home Assistant instance is only accessible from your local network you can still protect the communication between your browsers and the frontend with SSL/TLS. You can use [Self-sign certificate](/cookbook/tls_self_signed_certificate/) but your browser will present a warning and some https-only features might not work.
### {% linkable_title Prerequirement for this guide %}
* Your Home Assistant instance is not exposed to the internet. If it is - use [this guide]({{site_root}}/blog/2015/12/13/setup-encryption-using-lets-encrypt/)
* You control a public domain name. The domain doesn't have to point to a site. A domain controlled by a *trusted* friend will do. (A friend you trust not to MITM you)
* Your home router supports custom DNS entries.
### {% linkable_title Run certbot %}
```bash
$ mkdir certbot
$ cd certbot
$ wget https://dl.eff.org/certbot-auto
$ chmod a+x certbot-auto
$ sudo ./certbot-auto --manual certonly --preferred-challenges dns -d "mydomain.com" --email your@email.address
```
* Agree to Terms of Service
* Choose whether to share your email with Electronic Frontier Foundation.
* Agree to your IP being logged
You will get the following text:
```text
Please deploy a DNS TXT record under the name
_acme-challenge.mydomain.com with the following value:
deadbeefdeadbeefdeadbeefdeadbeefdeadbeef
Once this is deployed,
-------------------------------------------------------------------------------
Press Enter to Continue
```
* Deploy the value to TXT field using your domain registar.
* Go to a site that queries domain record. For example [this one](https://mxtoolbox.com/TXTLookup.aspx) and look if it sees your brand new TXT field (Don't forget to enter the full domain: `_acme-challenge.mydomain.com`)
* Press Enter at certbot prompt.
### {% linkable_title Make mydomain.com point to your Home Assistant instance %}
If your router uses DNSMasq (for example DDWRT) add the following line to DNSMasq options:
```text
address=/mydomain.com/<hass ip>
```
### {% linkable_title Edit your Home Assistant configuration to use your certificates %}
The [`http`](/components/http/) section must contain the full path to the needed files.
```yaml
http:
api_password: YOUR_SECRET_PASSWORD
base_url: https://mydomain.com:8123
ssl_certificate: /etc/letsencrypt/live/mydomain.com/fullchain.pem
ssl_key: /etc/letsencrypt/live/mydomain.com/privkey.pem
```
Make sure the files are accessible by the user that runs Home Assistant, eg. `homeassistant` for a HASSbian setup.
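Review bot: The closing line of this page ("Make sure the files are accessible by the user that runs Home Assistant") gives no method, and because `ssl_key` points at `/etc/letsencrypt/live/mydomain.com/privkey.pem`, readers are likely to loosen permissions on the private key further than needed. Please state the intended approach, for example group read access for the `homeassistant` user, and say explicitly that the key should not be made world-readable. In the "Run certbot" block, `certbot-auto` is fetched with `wget` and then run under `sudo` with no integrity check; either add a verification step or point to the distribution's packaged client. The page also says nothing about renewal, which matters here because a certificate issued with `--manual` and a DNS challenge means repeating the TXT record step by hand. The intro links to `/cookbook/tls_self_signed_certificate/`, which this same commit turns into a `redirect_from` source on the other new page; link to that page's new location directly. Minor wording: "Prerequirement", "Self-sign certificate", "registar".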

@ -0,0 +1,34 @@
---
layout: page
title: "Self-signed certificate for SSL/TLS"
description: "Configure a self-signed certificate to use with Home Assistant"
date: 2016-10-06 08:00
sidebar: true
comments: false
sharing: true
footer: true
redirect_from: /cookbook/tls_self_signed_certificate/
---
If your Home Assistant instance is only accessible from your local network you can still protect the communication between your browsers and the frontend with SSL/TLS. [Let's encrypt]({{site_root}}/blog/2015/12/13/setup-encryption-using-lets-encrypt/) will only work if you have a DNS entry and remote access is allowed. The solution is to use a self-signed certificate. As you most likely don't have a certification authority (CA) your browser will conplain about the security. If you have a CA then this will not be an issue.
To create locally a certificate you need the [OpenSSL](https://www.openssl.org/) command-line tool.
Change to your Home Assistant [configuration directory](/getting-started/configuration/) like `~/.homeassistant`. This will make it easier to backup your certificate and the key. Run the command shown below.
```bash
$ openssl req -new -x509 -sha256 -newkey rsa:4096 -nodes -keyout privkey.pem -days 730 -out fullchain.pem
```
For details about the parameters, please check the OpenSSL documentation. Provide the requested information during the generation process. At the end you will have two files called `privkey.pem` and `fullchain.pem`. The key and the certificate.
Update the `http:` entry in your `configuration.yaml` file and let it point to your created files.
```yaml
http:
api_password: YOUR_SECRET_PASSWORD
ssl_certificate: /home/fab/.homeassistant/fullchain.pem
ssl_key: /home/fab/.homeassistant/privkey.pem
```
A tutorial "[Working with SSL Certificates, Private Keys and CSRs](https://www.digitalocean.com/community/tutorials/openssl-essentials-working-with-ssl-certificates-private-keys-and-csrs)" could give you some insight about special cases.
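Review bot: The `openssl req` command uses `-nodes`, so `privkey.pem` is written unencrypted into the configuration directory, and the preceding paragraph recommends that directory because it is easy to back up; nothing on the page tells the reader to restrict the key file or to treat those backups as containing a secret. Suggest adding a step that limits `privkey.pem` to the user running Home Assistant, plus a sentence noting that any backup of the configuration directory now includes the private key. The intro also states that Let's Encrypt "will only work if you have a DNS entry and remote access is allowed", which contradicts the domain-ownership page added in this same commit, where the DNS challenge is used for an instance that is not exposed to the internet; reword it or cross-link that page. The YAML example hardcodes `/home/fab/.homeassistant/`; a neutral path matching the `~/.homeassistant` mentioned earlier would be clearer. Minor wording: "conplain", "To create locally a certificate", and the fragment "The key and the certificate."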