
Added SSL guide to cookbook #2269


Merged
merged 3 commits into from
Mar 31, 2017
Conversation

point-4ward
Contributor

Added SSL guide to cookbook. Contains an image, which I have put in the images folder.

Hope this is ok?

Marc Forth added 2 commits March 16, 2017 10:29
2 files - SSL guide and a screenshot

The SSL guide is a comprehensive guide for the novice to get an external connection with an SSL certificate and auto-renewal where possible, with various notes for other eventualities.
Contributor

@bdurrer bdurrer left a comment

Thanks for making the effort to write this guide. Please don't be offended by my comments. These are just suggestions of an interested reader and fellow coder 😄

```
http://12.12.12.12:8123
```

Can you see your HA instance? Awesome! If not, your router may not support ' loopback' - try the next step anyway and if that works, and this one still doesn't, just remember that you cannot use loopback, so will have to use internal addresses when you're on your home network. More on this later on if it's relevant to you.
Contributor

The fact that you put loopback in quotes suggests that it has a meaning which a lot of users don't understand.
I guess it should either be explained or left out.

Contributor Author

Fair point, I was kinda hoping in the context that it would just 'make sense', any suggestions for an explanatory sentence?

Contributor

errm no, I don't have a better explanation. I guess that problem won't happen often anyway.


Can you see your HA instance? Awesome! If not, your router may not support ' loopback' - try the next step anyway and if that works, and this one still doesn't, just remember that you cannot use loopback, so will have to use internal addresses when you're on your home network. More on this later on if it's relevant to you.

Just to verify this isn't some kind of witchcraft that is actualy using your internal network, pick up your phone, disconnect it from your wifi so that you are on your mobile data and not connected to the home network, put the same url in the browser on your phone.
Contributor

It's actually, two L 😄
Maybe transform to a checklist instead of one big sentence

Contributor Author

Ha, I didn't use spell check for the entire guide, so if you only found one spelling mistake I'm well happy!

I'll correct when I get a sec.

Contributor Author

Spelling corrected.


* You can access your HA instance across your local network, and access the device that it is on via SSH from your local network.
* You know the internal IP address of your router and can access your router's configuration pages.
* You have already set up a password for your HA instance, following the advice on this page: [http](https://home-assistant.io/docs/configuration/basic/)
Contributor

The fact that a password should be set up BEFORE opening the router's firewall cannot be stressed enough.
I think there should be a fat warning note on the beginning of the page.

Contributor Author

I agree, I'll add a warning when I get a sec.

Contributor Author

Warning added.

Remember to save the new rule.

<p class='note'>
In cases where your ISP blocks port 80 you will need to change the port forward options to forward port 443 from outside to port 443 on your HA device. Please note that this will limit your options for automatically renewing the certificate, but this is a limitation because of your ISP setup and there is not a lot we can do about it!
Contributor

I know what we are talking about here, but I still had a hard time reading that note (but then, I don't have a suggestion to change it besides writing shorter sentences in general 😏 ).

Also I do wonder how a "noob" could detect or know that port 80 is blocked? But I guess when it gets longer it would require an extra troubleshooting section

Contributor Author

Yeah, this is kinda what I meant in the opening section about not covering every eventuality, and why I said 'novice' rather than noob. If you can think of a better way to word this bit I'm all ears :-)



<p class='note'>
If you're running the 'standard' setup on a raspberry pi the chances are you just logged in as the 'pi' user. If not, you may have logged in as the HA user. There are commands below that require the HA user to be on the sudoers list. If you are not using the 'standard' pi setup it is presumed you will know how to get your HA user on the sudoers list before continuing. If you are running the 'standard' pi setup, from your 'pi' user issue the following command (where <hass> is the HA user):
Contributor

Technical Question: Why does the user need to be on the sudoers list? I think it's not a good idea to give homeassistant that privilege, since it's running the web services.
EDIT: Ah certbot needs root in --standalone mode. Bummer.

Contributor

I guess that could be avoided by adding an extra user and create wrapper scripts which do su to that extra user... well yeah, that's probably too complicated, the guide is already very extensive 👍

Contributor Author

Yeah, there are ways around this, but as a catch-all for a guide it seems like the easiest and isn't that insecure in the grand scheme of things.
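A least-privilege alternative to the blanket sudo grant discussed above, added here as an example for this thread (it is not code from the guide or from the Home Assistant project): a sudoers drop-in that lets the HA user run only `certbot renew` as root, validated with `visudo -c` before it is written, plus a check that flags an unrestricted `ALL` grant for that user. The user name `homeassistant`, the certbot path `/usr/bin/certbot` and the drop-in path `/etc/sudoers.d/certbot-renew` are assumptions.

```shell
#!/bin/sh
# Restrict the HA user's sudo rights to "certbot renew" instead of a blanket grant.
# Added example, not from the guide. Assumed names: user, certbot path, drop-in path.
set -eu

HA_USER="${HA_USER:-homeassistant}"
CERTBOT="${CERTBOT:-/usr/bin/certbot}"
DROPIN="${DROPIN:-/etc/sudoers.d/certbot-renew}"

# The rule text. Two command specs are needed: "certbot renew" with no arguments and with any
# arguments, because a sudoers wildcard only matches when there is at least a space after "renew".
certbot_sudo_rule() {
  printf '%s ALL=(root) NOPASSWD: %s renew, %s renew *\n' "$1" "$2" "$2"
}

# True (exit 0) when the file gives the user an unrestricted command list, e.g. "hass ALL=(ALL:ALL) ALL".
sudo_grant_is_blanket() {
  re='^[[:space:]]*'"$1"'[[:space:]]+ALL[[:space:]]*=[[:space:]]*\([^)]*\)[[:space:]]*(NOPASSWD:[[:space:]]*)?ALL[[:space:]]*$'
  grep -Eq "$re" "$2"
}

# Write the drop-in only if visudo accepts it: a malformed sudoers file can lock you out of sudo entirely.
install_rule() {
  tmp="$(mktemp)"
  certbot_sudo_rule "$HA_USER" "$CERTBOT" > "$tmp"
  visudo -cf "$tmp"
  install -o root -g root -m 0440 "$tmp" "$DROPIN"
  rm -f "$tmp"
  echo "installed ${DROPIN}:"
  cat "$DROPIN"
}

if [ "${1:-}" = "--install" ]; then
  install_rule
else
  echo "proposed rule (run as root with --install to write ${DROPIN}):"
  certbot_sudo_rule "$HA_USER" "$CERTBOT"
  if [ -r /etc/sudoers ] && sudo_grant_is_blanket "$HA_USER" /etc/sudoers; then
    echo "warning: /etc/sudoers already gives ${HA_USER} an unrestricted grant"
  fi
fi
```

Run without arguments to see the proposed rule (and, as root, whether `/etc/sudoers` already carries a blanket grant for the HA user), then `sudo ./certbot-sudo.sh --install` to write it. The HA user can then run `sudo certbot renew` from cron but nothing else as root, which is all the standalone authenticator needs.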

```
Protocol - Both
```

If during step 4 you had to use port 443 instead of port 80 to generate your certificate, you should delete that rule now.
Contributor

Maybe rewrite or reorder to line 301 to make clear which rule you mean with "delete that rule"

Contributor Author

Noted, I'll reorder when I get a sec.

```
base_url: examplehome.duckdns.org
```

You may wish to set up other options for the http component at this point, these extra options are beyond the scope of this guide but can be found on the http component page here: [http](https://home-assistant.io/components/http/)
Contributor

Style hint: More full stops would improve the text 😉


...and accepting the browsers warning that you are connecting to an insecure site. This warning occurs because your certificate expects your incoming connection to come via your DuckDNS URL. It does not mean that your device has suddenly become insecure.

Some cases such as this are where your router does not allow 'loopback' or where there is a problem with incoming connections due to technical failure. In these cases you can still use your internal connection and ignore the warnings.
Contributor

That's way too technical, without explaining the technical terms. I suggest to just remove it.

Contributor Author

Which bit?

Contributor

It's again about the loopback. Which I don't know how to explain in two or less sentences 😄

```
ha_ssl and ha_letsencrypt
```

If you have any more for HA you should delete them now. If you only have ha_ssl this is probably because during step 4 you had to use port 443 instead of port 80, so we deleted the rule during step 5.
Contributor

"any more" of what?

Contributor Author

Rules, is it really that unclear? I think when it is 'presented' and formatted it will look right, but if it doesn't I'll reword it. Not sure what to though?

Contributor

Yeah it might be the formatting. Speaking of, I suggest you put the rule names as code.
PS: Line 366 has a typo: "You chould now"

Contributor Author

Typo corrected - will have to see how clear it is when it is rendered and if there are any issues with clarity I will fix with a further PR.


Please remember whether you are a ONE-RULE person or a BOTH-RULE person for step 8!

LetsEncrypt certificates only last for 90 days. When they have less than 30 days left they can be renewed. Renewal is a simple process.
Contributor

That might be helpful further up to explain what the guide wants to tell us with "renewal"

Contributor Author

Sorry, I don't get this one, can you clarify please?

Thanks for all the feedback so far :-D

Contributor

On 229 the talk is about automatic renewal, but I guess some readers wonder why that is necessary.
But I don't know where a better place is than down here :)
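The 90-day/30-day rule discussed above as a runnable pre-flight and renewal script, added here as an example (it is not from the guide or from the Home Assistant project). It reports how long the current certificate has left, checks that the forwarded challenge port answers on the public name, and only then calls `certbot renew` with a post-hook that restarts Home Assistant so the new key and certificate are loaded. Assumptions: the guide's placeholder domain `examplehome.duckdns.org`, certbot's default `/etc/letsencrypt/live/<domain>/fullchain.pem` layout, a systemd unit named `home-assistant@homeassistant`, GNU `date` and `nc` on the Pi, and that the script is run as root (or via sudo).

```shell
#!/bin/sh
# Pre-flight and renewal for the Let's Encrypt certificate used by Home Assistant.
# Added example, not from the guide. Assumed names: domain, cert path, systemd unit, port.
set -eu

DOMAIN="${DOMAIN:-examplehome.duckdns.org}"
CERT="${CERT:-/etc/letsencrypt/live/${DOMAIN}/fullchain.pem}"
HA_UNIT="${HA_UNIT:-home-assistant@homeassistant}"
CHALLENGE_PORT="${CHALLENGE_PORT:-80}"   # 443 if your ISP blocks 80 and you forwarded 443 instead
RENEW_WINDOW_DAYS=30                     # Let's Encrypt certs last 90 days; renewable with < 30 left

# Seconds between the certificate's notAfter and "now", both as Unix epochs. Negative means expired.
seconds_left() {
  echo $(( $1 - $2 ))
}

# True (exit 0) when fewer than RENEW_WINDOW_DAYS remain, including an already expired certificate.
renewal_due() {
  [ "$(seconds_left "$1" "$2")" -lt $(( RENEW_WINDOW_DAYS * 86400 )) ]
}

# notAfter of a PEM certificate as a Unix epoch. openssl prints "notAfter=Jun 30 12:00:00 2017 GMT";
# the conversion relies on GNU date's -d.
cert_not_after_epoch() {
  end="$(openssl x509 -in "$1" -noout -enddate)"
  date -d "${end#notAfter=}" +%s
}

# Can the challenge port be reached on the public name? Needs nc. Remember the guide's loopback caveat:
# from inside your own LAN this can fail on routers without hairpin NAT even though outside access works,
# so a failure here means "re-test from mobile data", not "the port forward is broken".
port_open() {
  nc -z -w 5 "$1" "$2" >/dev/null 2>&1
}

main() {
  now="$(date +%s)"
  not_after="$(cert_not_after_epoch "$CERT")"
  days=$(( $(seconds_left "$not_after" "$now") / 86400 ))
  echo "certificate for ${DOMAIN} has ${days} day(s) left"

  if port_open "$DOMAIN" "$CHALLENGE_PORT"; then
    echo "port ${CHALLENGE_PORT} on ${DOMAIN} answers"
  else
    echo "warning: port ${CHALLENGE_PORT} on ${DOMAIN} did not answer (ISP block, wrong forward, or no loopback)"
  fi

  if ! renewal_due "$not_after" "$now"; then
    echo "outside the renewal window; nothing to do"
    return 0
  fi
  # certbot reuses the standalone authenticator saved at issue time, so nothing else may hold the port.
  # Home Assistant reads the key and certificate at start-up, hence the restart in the post-hook.
  certbot renew --quiet --post-hook "systemctl restart ${HA_UNIT}"
}

# Only act when invoked with --run, so the functions above can be sourced and tested on their own.
if [ "${1:-}" = "--run" ]; then
  main
fi
```

`certbot renew` applies the same 30-day window itself and is a no-op otherwise, so the script is safe to run daily from root's crontab as `renew-ha-cert.sh --run`; the `renewal_due` check only exists so the script can report status without touching certbot. If the port check keeps failing from outside the LAN, the ISP is probably blocking the port and the guide's note about forwarding 443 instead applies.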

Additions and corrections.
@point-4ward
Contributor Author

Added a few bits and corrected a few bits, should be good to go...

Member

@fabaff fabaff left a comment

I will merge it, move it to the Docs section, and fix the remaining issues.

New examples/documentation can go to current if there is no dependency to the main repo.

@fabaff fabaff merged commit 8da09ab into home-assistant:next Mar 31, 2017