Insecure HTTPS for only one host/cert

[arne182]

Thank you for all your work. I have found that using my homeassistant server with a self signed certificate authority causes the tts playback to not work unless I choose Insecure HTTPS.

I thought that a better solution would be to allow one domain to be excluded of a certificate to be uploaded that is allowed. Is there anyway to do this?

[michaelherger]

As HA and LMS most likely are in the same network, do you even have to use https? Using https internally IMHO doesn't make sense in most cases. Dealing with self-signed certs is a mess...

[arne182]

It would be nice if home assistant could use both http for internal and HTTPS for external. The home assistant instance is port forwarded to the internet and that is the reason for the https

[michaelherger]

If you go to the public internet I'd strongly recommend you get a valid certificate. I believe the HA community has instructions how to do this. Having "invalid" certs only trains people to ignore warnings.

I don't know how you expose your host. But I'm eg. using a Cloudflare tunnel to do expose some service from my local network. This handles certs and everything automatically. And I believe I've seen instructions to use it with HA, too.

[terual]

If you are using DuckDNS as your DNS provider: https://www.home-assistant.io/blog/2017/09/27/effortless-encryption-with-lets-encrypt-and-duckdns/

[arne182]

Paying for something that I can generate for free with a few lines of code and have no other middle man being able to decrypt my traffic is better in my mind. I would rather like to just include my cert into the source code and just recompile it if you could show me where

[terual]

The point is that Let's Encrypt certificates are free, see the link above.

[arne182]

Who has the key for root certificate? If I am not the one owning that then I can only trust that they don't loose theirs or worse sell access to it without me knowing.

[arne182]

Where is the list of certs that are accepted in the code as valid?

[terual]

Are you serious? If that’s your viewpoint you can stop using internet altogether… You do not own any of the root certificates of the sites you use.

[terual]

Normally in Perl Mozilla::CA is used but I am not sure in case of LMS.

[arne182]

I was looking here and there seems to be procedures available to add certs
https://github.com/LMS-Community/slimserver/blob/public/9.0/CPAN/arch/5.34/darwin-thread-multi-2level/IO/Socket/SSL/Utils.pm#L504