If you run Home Assistant, you may have noticed that there is an addon called “Let’s Encrypt”. With this, you can get your own free certificate for TLS encryption. No catch, just a free certificate to secure your Home Assistant installation.
The certificate has to be renewed every 3 months, but that’s not a problem, as the renewal can be automated and will run on its own every time the certificate is about to expire.
Certificates in Let’s Encrypt can be generated using DNS- or HTTP-challenge.
If you choose the DNS-challenge, only a select few DNS providers are supported. So if your DNS is hosted somewhere else, you are left with the HTTP-challenge.
And if you use the HTTP-challenge, port 80 needs to be forwarded to your Home Assistant installation. This works for most people, but not everybody. Perhaps the port is blocked by your ISP, or you are behind CGNAT (shared IP-address), or the port is in use for another service (perhaps a webserver). This can be addressed by using a reverse proxy, but I found another, more versatile solution that may come in handy. Not only for certificates for Home Assistant: I also use it for my UniFi-controller and for securing my surveillance cameras.
The solution is the Windows program “Certify the web”, which is free for evaluation or personal use. You can read more about it at https://certifytheweb.com/
Are you ready to get to work?
Download and install “Certify the web” from https://certifytheweb.com/home/download
Run the application when installed.
Click the “New Certificate” button in the top left corner:
First enter a name for the certificate (default is “New Managed Certificate”), this can be anything – I suggest you use the domain name or call it “Home Assistant”.
Then enter the actual domain name in “Add domains to certificate”:
Click the “+” sign to add the domain to the certificate:
Click “Authorization” in the menu to the right (the padlock icon). Choose “dns-01” in “Challenge Type” and choose “acme-dns DNS API” in “DNS Update Method”. Leave the “API Url” as is:
Click the “Test” button. You’ll get an error telling you what to do next:
This is a crucial point, where you need to add a new DNS entry for your domain.
You must add a new CNAME record with the name and value that are shown in the error. Both are unique, so you must use the values shown in the error that you got before. In my case the new CNAME record looks like this:
When the entry is added, the change is normally visible instantly. But sometimes the change only shows up after the next refresh, which normally happens within an hour (the TTL in my case is 3600 seconds = 1 hour).
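A way to check from the same Windows machine that the CNAME is actually visible in public DNS before clicking “Test” again, as an added PowerShell example that is not part of the original post. The hostname, the CNAME target and the resolver address are placeholders; replace the first two with the name and value shown in the Certify the Web error.

```powershell
# Added example: verify the acme-dns CNAME delegation before re-running "Test".
# Placeholders (assumptions): replace with the values from the Certify the Web error.
$Domain   = 'ha.example.com'                               # your Home Assistant hostname
$Expected = 'PLACEHOLDER-FROM-ERROR.acme-dns.example'      # CNAME value shown in the error
$Resolver = '1.1.1.1'   # a public resolver, so we see what the outside world sees, not a local cache

$name = "_acme-challenge.$Domain"   # the CNAME name shown in the error has this form

try {
    # -DnsOnly skips the local hosts file and cache; Stop turns "name does not exist" into an exception
    $answer = Resolve-DnsName -Name $name -Type CNAME -Server $Resolver -DnsOnly -ErrorAction Stop
} catch {
    Write-Host "No CNAME visible for $name yet: $($_.Exception.Message)"
    Write-Host "Wait for the zone's TTL to elapse (an hour in the post's setup) and run this again."
    exit 1
}

# Resolve-DnsName may also return records for the target; keep only the CNAME itself
$cname = $answer | Where-Object QueryType -eq 'CNAME' | Select-Object -First 1
if (-not $cname) {
    Write-Host "A record exists for $name but it is not a CNAME; the delegation will not work."
    exit 1
}

$target = $cname.NameHost.TrimEnd('.')
if ($target -ieq $Expected.TrimEnd('.')) {
    Write-Host "OK: $name -> $target (TTL $($cname.TTL) s)"
    # Optional: show any TXT currently served at the target; acme-dns publishes the
    # validation token there once Certify the Web starts a challenge.
    Resolve-DnsName -Name $target -Type TXT -Server $Resolver -DnsOnly -ErrorAction SilentlyContinue |
        Where-Object QueryType -eq 'TXT' |
        ForEach-Object { Write-Host "TXT at target: $($_.Strings -join '')" }
} else {
    Write-Host "Mismatch: $name points to '$target', but the error asked for '$Expected'"
    exit 1
}
```

A mismatch usually means a typo in the record or that the DNS host appended your zone name to the target; fix the record and rerun the script until it reports OK.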
If the change is visible, you can now click the “Test” button once more. If it worked, you will see this screen: