This is more for my own knowledge than anything else, but it fits the theme that if you can secure it, you should secure it when it comes to online safety. In this case, we’re going to set up an SSL-enabled Hubitat web interface with our own certificate, so you can access your Hubitat web interface securely with no more browser warnings.

Requirements

To set this up, you’ll need the following:

A Hubitat home automation hub (obviously…)
Your hub must be accessible using a local hostname or registered domain name. You cannot assign a certificate to an IP address.
Either a self-signed certificate or a certificate issued by a trusted certificate authority (e.g. Let’s Encrypt)

Setup

Legwork

First up, you need to make sure you can access your hub via a friendly name (myhub.example.com) rather than an IP address. Certificates are not assigned to IP addresses, and without this step none of this works. Of note, Hubitat does not recommend exposing your hub to the web; instead, they prefer that you use their remote access subscription service. That being said, there is a way to remotely access your hub without a subscription fee and without exposing it directly to the web at large.

Set up a DNS rewrite

The easiest way to do this is with a DNS rewrite. A detailed explanation using AdGuard can be found here, but essentially, we’re going to tell the device you use to access the hub that typing myhub.example.com in the browser bar ends up in the same place as typing the IP 192.168.x.x. Remember to point your router to your DNS server instead of the default DNS server.

If you are not using an ad blocker like Pi-hole or AdGuard, you can do this by changing the hosts file on a Windows PC. To do this, locate your hosts file (usually under C:\Windows\System32\drivers\etc). Right-click and open the file with Notepad (or a similar editor like Notepad++). At the bottom of the file, add the following entry:

192.168.x.x myhub.example.com

Make sure to replace the IP address with the correct IP for your hub, and the friendly domain name with the name you want to use to access your hub. This must be the same name the certificate is generated for. Once complete, open the command prompt and flush the DNS cache:

ipconfig /flushdns

Note that this method only works on the machine with the hosts file. If you use multiple PCs to access your hub you will need to set this up on each PC. Likewise, this will not work if you want to access the hub from outside your network.

Obtain a certificate

There are several ways to obtain a certificate. I use Cloudflare; you can obtain certificates from their web interface for use on your origin servers. Alternatively, if you have a Raspberry Pi and a domain name, you can use Certbot to grab a certificate. You’ll have to copy the certificate and key to your hub, but it works. Lastly, another option is to grab a certificate from a DDNS provider (e.g. DyDNS, NoIP). If you’ve made it this far and you’re remotely interested in figuring out SSL encryption for your hub, you’re smart enough to figure out how to get a certificate without me spelling it out.
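
Whichever route you take, it is worth confirming before the upload that the certificate is issued for the hostname you set up above, that the private key belongs to it, and that it is not about to expire. The script below is an added example, not part of the original post; it assumes OpenSSL 1.1.1 or later, and the file names, hostnames and 30-day expiry margin are placeholders.

```shell
#!/bin/sh
# Added example: checks to run on a certificate/key pair before pasting it
# into the hub. Assumes OpenSSL 1.1.1+; hostnames and file names are placeholders.

# Create a self-signed certificate whose subjectAltName is the hub's hostname.
make_self_signed() {  # usage: make_self_signed HOST CERT_OUT KEY_OUT
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=$1" -addext "subjectAltName=DNS:$1" \
        -keyout "$3" -out "$2" 2>/dev/null
}

# Succeeds only if the certificate is issued for HOST.
cert_matches_host() {  # usage: cert_matches_host CERT HOST
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q "does match"
}

# Succeeds only if the private key belongs to the certificate (same public key).
key_matches_cert() {  # usage: key_matches_cert CERT KEY
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Run all checks; the 30-day expiry margin is an arbitrary choice for this example.
preflight() {  # usage: preflight HOST CERT KEY
    cert_matches_host "$2" "$1" || { echo "FAIL: certificate is not issued for $1"; return 1; }
    key_matches_cert "$2" "$3" || { echo "FAIL: key does not belong to this certificate"; return 1; }
    openssl x509 -in "$2" -noout -checkend $((30 * 86400)) >/dev/null 2>&1 ||
        { echo "FAIL: certificate expires within 30 days"; return 1; }
    echo "OK: $2 and $3 are consistent for $1"
}

# Constructed demo: a throwaway self-signed pair, checked against the right
# hostname and then against a wrong one.
demo_dir=$(mktemp -d)
make_self_signed myhub.example.com "$demo_dir/hub.crt" "$demo_dir/hub.key"
preflight myhub.example.com "$demo_dir/hub.crt" "$demo_dir/hub.key"
preflight otherhub.example.com "$demo_dir/hub.crt" "$demo_dir/hub.key" || true
rm -rf "$demo_dir"
```

For a certificate from Cloudflare, Certbot or a DDNS provider, skip `make_self_signed` and call `preflight` with your hostname and the two files you downloaded.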

Upload the certificate to your hub

Access your hub’s advanced settings page by visiting your.hub.ip/hub/advanced/certificate. Once logged in you will see the default hub certificate and key. You want to copy and paste your certificate and key and replace the default certificate. Once done, hit “Save Certificate and Key”.

If you want to force HTTPS, you can enable it on this screen. Of note, though, if you are using dashboards this will break your dashboards as they are not meant to be served over HTTPS.

Once done, log out. Assuming you followed all the steps, you’ll be able to access the hub by typing https://yourhub.example.com into the browser bar. Note that unless you forced HTTPS, you must include https in the address to access it securely.

Extras

Set up remote access

If you want to remotely access your hub without the subscription and without exposing it to the internet at large, set up a VPN. For an example of setting up a VPN using Ubiquiti OS, see this post. If you’ve got a VPN set up and host your own DNS server, you will be able to securely access your hub from anywhere.

Author: Zack