
Support for custom CA certificates

Open · danierukun opened this issue 1 year ago • 1 comment

Describe the problem you have/What new integration you would like

It would be nice to have a configuration option to include custom Certificate Authority certificates in the ESPHome container.

Please describe your use case for this integration and alternatives you've tried:

I need to be able to add a custom CA certificate to the ESPHome container so that it may connect to my local Git server. I currently do this by running docker cp to copy the cert into the container and then update-ca-certificates in the container shell.

Additional context

I have a homelab that does not have a public domain name. I have ESPHome as an add-on in my Home Assistant instance. I also have an internal Git server secured by a TLS cert from my own CA. If I want to use ESPHome's package feature I need to be able to trust my own CA so that the container may check out my code from my Git server and complete firmware builds.

danierukun · Sep 18 '24 19:09

If this is added, there should be an API for automatic installation of new keys and certificates without user intervention. Certbot-like tools are usually running on systems that insist on exporting certificates but should not permit incoming access.

noseshimself · Oct 13 '24 01:10

I would like to +1 this. I have an external component living on a private Git server. ESPHome requires manual intervention, as above, to play nice.

For the sake of anyone who may be in the neighborhood and having issues, from the Home Assistant CLI:

~ # openssl s_client -connect git.example.net:443 | openssl x509 -outform PEM > git.example.net.crt
Connecting to 2604::1
depth=1 O=EXAMPLE.NET, CN=example.net
verify error:num=19:self-signed certificate in certificate chain
verify return:1
depth=1 O=EXAMPLE.NET, CN=example.net
verify return:1
depth=0 
verify return:1
~ # docker cp ./git.example.net.crt addon_5c53de3b_esphome:/usr/local/share/ca-certificates       
Successfully copied 3.07kB to addon_5c53de3b_esphome:/usr/local/share/ca-certificates
~ # docker exec addon_5c53de3b_esphome update-ca-certificates
Updating certificates in /etc/ssl/certs...
1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.

MadnessASAP · Dec 02 '24 01:12
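As an added example (not ESPHome project code and not from any commenter in this thread), the script below performs the same docker cp plus update-ca-certificates steps, but only after checking that the file really is a CA certificate (basicConstraints CA:TRUE, self-issued, not expired) and that its SHA-256 fingerprint matches a value obtained out of band from whoever runs the CA. A certificate pulled over the network with openssl s_client has not been verified by anything at that point, so pinning the fingerprint is what turns "trust whatever answered on port 443" into "trust the CA I meant to trust". Assumptions: openssl and docker are on PATH, the container name defaults to the addon_5c53de3b_esphome shown in the comment above, and the function names and the fingerprint argument are this example's own.

```shell
#!/usr/bin/env bash
# Added example, not ESPHome's code. Validate a CA certificate before
# trusting it container-wide in the ESPHome add-on.
# Assumptions: openssl and docker on PATH; container name as in the thread.
set -eu

# check_ca_cert PEM EXPECTED_SHA256_FINGERPRINT
# Returns 0 only if PEM parses as X.509, has not expired, carries
# basicConstraints CA:TRUE, is self-issued (issuer == subject, i.e. a root
# rather than the server's leaf certificate), and its SHA-256 fingerprint
# (colon-separated hex as printed by `openssl x509 -fingerprint -sha256`)
# equals the value supplied out of band.
check_ca_cert() {
  local pem="$1" expected_fp="$2"
  local text subject issuer actual_fp

  text=$(openssl x509 -in "$pem" -noout -text 2>/dev/null) \
    || { echo "reject: $pem is not a valid X.509 certificate" >&2; return 1; }

  openssl x509 -in "$pem" -noout -checkend 0 >/dev/null \
    || { echo "reject: $pem has expired" >&2; return 1; }

  # Extension text contains "CA:TRUE" only for CA certificates.
  case "$text" in
    *CA:TRUE*) ;;
    *) echo "reject: $pem lacks basicConstraints CA:TRUE (leaf cert?)" >&2; return 1 ;;
  esac

  subject=$(openssl x509 -in "$pem" -noout -subject); subject=${subject#subject=}
  issuer=$(openssl x509 -in "$pem" -noout -issuer);   issuer=${issuer#issuer=}
  [ "$subject" = "$issuer" ] \
    || { echo "reject: $pem is not self-issued (issuer: $issuer)" >&2; return 1; }

  # Normalise both fingerprints to upper-case hex before comparing.
  actual_fp=$(openssl x509 -in "$pem" -noout -fingerprint -sha256)
  actual_fp=$(printf '%s' "${actual_fp#*=}" | tr 'a-z' 'A-Z')
  expected_fp=$(printf '%s' "$expected_fp" | tr 'a-z' 'A-Z')
  [ "$actual_fp" = "$expected_fp" ] \
    || { echo "reject: fingerprint mismatch ($actual_fp != $expected_fp)" >&2; return 1; }
  return 0
}

# install_ca_cert PEM EXPECTED_SHA256_FINGERPRINT [CONTAINER]
# The thread's docker cp + update-ca-certificates steps, gated on the checks
# above. update-ca-certificates only picks up *.crt files from
# /usr/local/share/ca-certificates, so the file name must end in .crt.
install_ca_cert() {
  local pem="$1" expected_fp="$2" container="${3:-addon_5c53de3b_esphome}"
  local name
  name=$(basename "$pem")
  case "$name" in
    *.crt) ;;
    *) echo "reject: $name must end in .crt for update-ca-certificates" >&2; return 1 ;;
  esac
  check_ca_cert "$pem" "$expected_fp" || return 1
  docker cp "$pem" "$container:/usr/local/share/ca-certificates/$name"
  docker exec "$container" update-ca-certificates
}

# Usage: ./install_ca.sh my-root-ca.crt 'AB:CD:...' [container-name]
if [ "$#" -ge 2 ]; then
  install_ca_cert "$@"
fi
```

Note that `openssl x509` reads only the first PEM block it is given, which in the `openssl s_client | openssl x509` pipeline above is the server's leaf certificate at depth=0; check_ca_cert rejects that by design, because trusting a leaf is not the same as trusting the CA. Pass the CA's own certificate file instead (`openssl s_client -showcerts` prints the whole chain if you need to see what the server sends), and take the expected fingerprint from the CA operator, not from the same connection.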

For the sake of keeping it simple, this could be easily solved by mounting ca-certificates from the Docker host. At least having an option to enable this via add-on configuration would be awesome.

People who decided to be cloud-free would love to use their own CA instead of depending on the Let's Encrypt online service. That way one can fully build everything in their homelab / home LAN. I, for example, use step-CA as an ACME service, which runs on an rpi2. I take the extra effort to distribute my CA certs to local devices, but it is a hassle in HA and almost every HA add-on to add my own CA certs.

oldboys92 · Jan 28 '25 21:01

Why not take it all the way and support integrated ACME clients for ESP devices that want to host something? I know of https://sourceforge.net/projects/esp32-acme-client/ and https://www.oryx-embedded.com/products/CycloneACME.html, which already implement ACME targeting the ESP32 and microcontrollers.

Cronvs · Aug 03 '25 17:08

At least I don't want a hundred devices to have access to authentication material, to be reachable from the Internet for HTTP-01, or to have the keys for DNS-01. That's an accident waiting to happen. Better to provide an interface to swap out the certificate, chain and key. If someone messes that up, the worst thing that can happen is the attacker cutting himself off from the device.

noseshimself · Aug 04 '25 13:08

I don't see why both couldn't be supported. Still, if you are already hosting your own CA, I think it's still mostly internal rather than over a publicly facing interface. Moreover, DNS keys can be restricted to specific domains, meaning you could easily restrict a subdomain for your ESP devices. Finally, I believe ACME already supports device attestation, which I also believe all new ESP32 devices ship with the ability to do.

Personally, I run my own local DNS and CA; I separate my DNS keys for the isolation I want, and I manually give devices their own EAB ID. Still, I would probably prefer device attestation when that becomes widely available. All of this is only on my internal net. I don't see why providing an ACME endpoint to ESP32/IoT devices, or dynamic updates to individual domains, is an accident in the making. Of course I wouldn't run Let's Encrypt, but that's another story.

Cronvs · Aug 04 '25 13:08