Computing/Running my own CA

1. Use step-ca in docker on Synology NAS, mapping through port 9000:9000
2. Add the acme provider per the docs
   1. SSH to the host
   2. docker -it smallstep-step-ca-1 /bin/bash
   3. step ca provisioner add acme --type ACME --x509-default-dur 730h # 1 monthish
3. Export out the root CRT file, will need it for trust everywhere
   1. certs/root_ca.crt

HomeAssistant

1. Update the http config to allow trusted reverse proxies
2. Install the Caddy2 add-on from https://github.com/einschmidt/hassio-addons
3. Add a Caddyfile that specifies the local CA
4. Ensure the Caddyfile points to the exported CA certificate in somewhere like /config
5. Start Caddy2 and it should successfully retrieve a certificate

Working Caddyfile

homeassistant.home.arpa {
	reverse_proxy homeassistant:8123
	tls ca@home.arpa {
		ca https://vault.home.arpa:9000/acme/acme/directory
		ca_root /ssl/ca.pem
	}
}

Working configuration.yaml

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 192.168.0.194  # whatever the homeassistant box resolves to

Synology

To add TLS/SSL to the NAS itself,

1. Copy the cert to /var/db/ca-certificates, named .crt, 0644
2. Run update-ca-certificates.sh
3. Grab acme.sh from Github - wget https://github.com/acmesh-official/acme.sh/archive/master.tar.gz
4. Install to /usr/local/share/acme.sh/
5. Piggyback on the DSM Let's Encrypt setup in nginx, and run /usr/local/share/acme.sh/acme.sh --issue --home /usr/local/share/acme.sh -d vault.home.arpa  --server https://vault.home.arpa:9000/acme/acme/directory --webroot /var/lib/letsencrypt
6. Set SYNO_Username, SYNO_Password
7. /usr/local/share/acme.sh/acme.sh --deploy --home /usr/local/share/acme.sh -d vault.home.arpa --deploy-hook synology_dsm
8. Add a Task Scheduler entry to run /usr/local/share/acme.sh/acme.sh --cron --home /usr/local/share/acme.sh/ frequently. step-ca defaults to 24 hours, so every 4 hours should ensure the certificate stays updated.