This is more for my own knowledge than anything else, but it goes with the theme that if you can secure it, you should secure it when it comes to online safety. In this case, we’re going to set up an SSL-enabled Hubitat web interface with our own certificate. This way you can access your Hubitat web interface securely with no more browser warnings.
Requirements
To set this up, you’ll need the following:
Setup
Legwork
First up, you need to make sure you can access your hub via a friendly name (myhub.example.com) rather than an IP address. Certificates are not assigned to IP addresses, and without this step none of this works. Of note, Hubitat does not recommend exposing your hub to the web; instead, they prefer that you use their remote access subscription service. That being said, there is a way to remotely access your hub without a subscription fee and without exposing it directly to the web at large.
Set up a DNS rewrite
The easiest way to do this is with a DNS rewrite. A detailed explanation can be found here using AdGuard, but essentially, we’re going to tell the device you are using to access the hub that typing myhub.example.com in the browser bar ends up in the same place as typing the IP 192.168.x.x. Remember to point your router to your DNS server instead of the default DNS server.
If you are not using an ad blocker like PiHole or AdGuard, you can do this by changing the hosts file on a Windows PC. To do this, locate your hosts file (usually under C:\Windows\System32\drivers\etc). Right-click and open the file with Notepad (or a similar editor like Notepad++). At the bottom of the file, add the following entry:
192.168.x.x myhub.example.com
Make sure to replace the IP address with the correct IP for your hub, and the friendly domain name with the name you want to access your hub with, which must also be the name the certificate is generated for. Once complete, open the command prompt and flush the DNS cache:
ipconfig /flushdns
Note that this method only works on the machine with the hosts file. If you use multiple PCs to access your hub you will need to set this up on each PC. Likewise, this will not work if you want to access the hub from outside your network.
Obtain a certificate
There are several ways to obtain a certificate. I use Cloudflare; you can obtain certificates from their web interface for use on your origin servers. Alternatively, if you have a Raspberry Pi and a domain name, you can use Certbot to grab a certificate. You’ll have to copy the certificate and key to your hub, but it works. Lastly, another option is to grab a certificate from a DDNS provider (e.g. DynDNS, NoIP). If you’ve made it this far and you’re remotely interested in figuring out SSL encryption for your hub, you’re smart enough to figure out how to get a certificate without me spelling it out.
Upload the certificate to your hub
Access your hub’s advanced settings page by visiting your.hub.ip/hub/advanced/certificate. Once logged in you will see the default hub certificate and key. You want to copy and paste your certificate and key and replace the default certificate. Once done, hit “Save Certificate and Key”.
If you want to force HTTPS, you can enable it on this screen. Of note, though, if you are using dashboards this will break your dashboards as they are not meant to be served over HTTPS.
Once done, log out. Assuming you followed all the steps, you’ll be able to access the hub by typing https://myhub.example.com into the browser bar. Note that unless you forced HTTPS, you must include https in the address to access it securely.
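A key that does not belong to the certificate, or a certificate that does not list the hub's friendly name, is a common reason for browser warnings to persist after the upload. As an added example (not part of the original post), these shell functions use openssl to check a certificate/key pair before it is pasted into the hub and to confirm afterwards that the hub serves it; the file names hub.crt and hub.key, the 30-day threshold and port 443 are assumptions.

```shell
#!/usr/bin/env bash
# Added example: sanity checks for the certificate and key used on the hub.
# hub.crt / hub.key, the 30-day window and port 443 are assumptions.

# check_cert_pair CERT KEY HOSTNAME
# Returns 0 and prints "ok" when the pair is safe to upload, otherwise:
#   1 = key does not belong to certificate (or a file is unreadable)
#   2 = certificate does not cover HOSTNAME
#   3 = certificate expires within 30 days
check_cert_pair() {
    ccp_cert=$1; ccp_key=$2; ccp_host=$3

    # Public key embedded in the certificate vs. the one derived from the key.
    ccp_cert_pub=$(openssl x509 -in "$ccp_cert" -noout -pubkey 2>/dev/null) || return 1
    ccp_key_pub=$(openssl pkey -in "$ccp_key" -pubout 2>/dev/null) || return 1
    if [ "$ccp_cert_pub" != "$ccp_key_pub" ]; then
        echo "private key does not match certificate" >&2
        return 1
    fi

    # The name typed into the browser must be covered by the certificate.
    if ! openssl x509 -in "$ccp_cert" -noout -checkhost "$ccp_host" \
            | grep -q "does match"; then
        echo "certificate is not valid for $ccp_host" >&2
        return 2
    fi

    # -checkend exits non-zero if the certificate expires within N seconds.
    if ! openssl x509 -in "$ccp_cert" -noout -checkend $((30 * 24 * 3600)) \
            >/dev/null; then
        echo "certificate expires within 30 days" >&2
        return 3
    fi
    echo "ok"
}

# served_matches_local HOSTNAME CERT
# After the upload: succeeds only if the hub presents the same certificate
# as the local file (compares SHA-256 fingerprints).
served_matches_local() {
    sml_served=$(openssl s_client -connect "$1:443" -servername "$1" \
        </dev/null 2>/dev/null | openssl x509 -noout -fingerprint -sha256)
    sml_local=$(openssl x509 -in "$2" -noout -fingerprint -sha256)
    [ -n "$sml_served" ] && [ "$sml_served" = "$sml_local" ]
}
```

Run `check_cert_pair hub.crt hub.key myhub.example.com` before the upload, and `served_matches_local myhub.example.com hub.crt` once the hub has been saved with the new certificate.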
Extras
Set up remote access
If you want to remotely access your hub without the subscription and without exposing it to the internet at large, set up a VPN. For an example of setting up a VPN using Ubiquiti OS, see this post. If you’ve got a VPN set up and host your own DNS server, you will be able to securely access your hub from anywhere.