HomeAssistant with self signed certificate

Eddy · July 1, 2025, 5:57pm

Hi, I have read in the docs that the HomeAssistant integration is known to have issues with self signed certificates. So currently when I want to make an integration with my R3, the status of that integration is ‘connecting’.

I think I have to drop my self signed certificate, or try something with NGINX maybe.

But, before I try that I wanted to ask here if someone has integration in R3 with HomeAssistant working while HA is using a self signed cert? (probably not but it’s worth a shot )

Cheers,
Ed

Eddy · July 2, 2025, 5:22pm

I did some more reading and trials. As mentioned in one of the threads here I first tried to connect with the websocket via a browser plugin, that failed.

It turned out that I had to add subjectAltName when I created the privkey and fullchain certs. After that, using the browser plugin, I could connect with the HA websocket and right away validate the token, in that browser plugin I got a nice

{“type”:“auth_ok”,“ha_version”:“2025.6.1”}

so now Im sure that the websocket is responding.

So, I tried to add the HA integration to R3, again it failed. I see in the R3 logs:

SendRequest(Connect(Io(Custom { kind: InvalidData, error: InvalidCertificate(Other(CaUsedAsEndEntity)) })))

When I want to connect to HA GUI I first have to add that fullchain.pem to the trusted roots on my laptop, restart browser and then I have an https connection with HA GUI.

Is there some way to add this fullchain.pem to the trusted root certificates in R3? Maybe that is the way to use wss with my own self signed certs., any ideas/suggestions?

Kind regards,
Ed

Eddy · July 4, 2025, 3:17pm

Well, the UC documentation is absolutely correct in stating that self signed certs do not work I tried a lot of things and failed every time.

So, I did the following:

home assistant now listens to port 8124 without ssl
nginx listens on same raspberrypi on port 8123 with ssl and sends traffic to home assistant 8124 on localhost
so no changes needed on things already using home assistant because port 8123 is still there with the already known self signed certificate
the UC integration now uses ws://[raspberrypi-ip]:8124/api/websocket (‘ws’ so no ssl)

Although I rather use ‘wss’ with my own local self signed cert, this solution is for now the best way I could get it all to work because all existing stuff is still connecting with ssl, only Remote3 is not using ssl.

If someone has found a way to get UC integration to work with self signed cert then I hope it will be posted here.

Kind regards,
Ed

sgoffman · July 4, 2025, 5:06pm

I ran into the same issue, as I was requiring all HA connections to use SSL. My solution was similar to yours: Switching to NGINX and only forcing external connections to SSL, while internal connections are allowed to be non-SSL.