# Home Assistant Voice Preview works only if your HA is on HTTP


peak tundra
#

Well, this is a bummer.

I ordered HA Voice Preview, it just arrived and I tried to link it to my HA instance. But it seems that it can never work if you have a proper and correct TLS certificate; the only way to use the voice assistant is to keep everything flowing unencrypted on your network.

And the issue regarding that is depressing to read, seems like no encryption is the recommendation from devs: https://github.com/esphome/home-assistant-voice-pe/issues/315

Now I need to return the device. I feel this should be pinned somewhere, so folks who care about security and want a fully local and secure option know to avoid it...

GitHub

Firmware: 25.1.0 (ESPHome 2024.12.2) My symptoms seem very similar to #238 but I noticed that was diagnosed as a lack of TLS1.3 support on the device and closed. I also don't get TTS responses ...

#

And just read this from an HA dev and try not to facepalm too hard:

The whole idea is that the internal URL should point to the default, unencrypted webserver. While it does have authentication (so it's not completely insecure) it's not served over HTTPS, so it is not encrypted. Our argumentation is that this should be fine as this webserver is invented to be only exposed/used within your own (trusted!) local network and never exposed to the internet.

Source: https://github.com/esphome/home-assistant-voice-pe/issues/315#issuecomment-2839884355


floral stirrup
# peak tundra Well, this is a bummer. I ordered HA Voice Preview, it just arrived and I tried...

some people have managed to get it working with SSL but it's not super easy and some certificate setups just don't seem to work.
perhaps down the line ESPHome will support secure connections better but currently you are correct that it is not really supported.

it's a pain but to be fair, if your internal network has been compromised then it's game over anyway and you probably have bigger problems than your voice assistant outputs being leaked.

peak tundra
#

That's true, and I understand historical decisions are hard to change, but still, it would be better if I knew this before I purchased the device.

willow fjord
#

It's fairly easy. Take over the VPE, add some lines, recompile (and unfortunately do so with each release instead of pulling a readily built firmware file). But that's it. I wish it would not require this but if you're security aware then you know that it's worth it and it doesn't take that much work.

peak tundra
#

Okay, then I'll try and do that!

stable brook
#

Oh geez. Been hitting my head on the wall wondering why this thing wasn't working. I wish they would put this information on the purchasing page.

mystic bear
#

It's an ESPHome limitation...

scenic radish
#

@peak tundra as far as I understand, the thing is that ESPHome comes with standard CAs only (as expected indeed), therefore if you use your own certificates it has no way to validate them.

Solutions:

  1. use a certificate issued by a known CA, for example Let's Encrypt
  2. rebuild ESPHome for the VPE after having manually added your own local CA

I'll be going with solution 2 as soon as I decide to make the effort 😉

scenic radish
#

@peak tundra I was planning to add custom CA support to ESPHome itself, so that uploading one would become as easy as a click. Contributors are welcome 🙂

stable brook