Using the HomeAssistant Tesla Custom integration now requires Tesla's Fleet API proxy. Setting it up takes some work. There is a ready-made HomeAssistant Add-On, which is great but doesn't work for Home Assistant Core.
This repo is the solution: a simple Docker container with the proxy, and some set-up scripts for the required certificates. The code is mostly taken from the Add-On.
- Docker
- NGINX
- Your own domain
- Choose a subdomain. I will use `tesla.<your domain>.com` in this documentation
- clone this repo
- copy `client_secrets.py.template` to `client_secrets.py`
- in `client_secrets.py`, edit `REGION` to reflect your region, edit `DOMAIN` to reflect your domain
- run `step_1_run_keygen.py`
- Request application at `developer.tesla.com`. See here for more info. Do not choose the Open Source plan, as you will need the client secret. Choose `https://tesla.<your domain>.com` as allowed origin, and `https://tesla.<your domain>.com/callback` as redirect URI. Choose all scopes.
- You will get a Client ID and Client Secret. Copy them into `client_secrets.py`.
- add this to your nginx:
```nginx
server {
    listen [::]:443 ssl;
    listen 443 ssl;
    http2 on;
    server_name tesla.<your domain>.com;
    proxy_buffering off;
    location / {
        return 404;
    }
    location /.well-known/appspecific/com.tesla.3p.public-key.pem {
        root <path to this repo>/certs;
        try_files /com.tesla.3p.public-key.pem =404;
    }
    location = /favicon.ico {
        log_not_found off;
    }
    location = /robots.txt {
        log_not_found off;
    }
}
```
- reload nginx and check the certificate is available at `https://tesla.<your-domain>.com/.well-known/appspecific/com.tesla.3p.public-key.pem`.
- run the other `step_*_.py` scripts in order. Follow the instructions.
- Eventually you will need to start the container: `docker compose up -d`
- Finally, set up the HomeAssistant Tesla Custom integration. If you already have it configured, you will have to delete the integration and set it up again. Don't worry, HA doesn't delete your history.
Tesla's Proxy needs two sets of certificates:
- The 3p certificate, used to communicate with Tesla's Servers
- The snakeoil certificate, used to communicate with clients of the proxy (i.e. between HA and the proxy)
`step_1_run_keygen.py` generates both certs. The 3p one needs to be publicly available, so nginx is configured to serve it publicly.
The snakeoil certificate is not published.
Certificates are stored in the certs/ folder.
The 3p key unfortunately can't be, as Tesla's code needs to have it in a keyring.
We use the passkey keyring to store it, and so the key ends up in the password-store/ and gnupg/ folders.
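The "check the certificate is available" step can be made stricter than an HTTP 200: confirm that what nginx serves is the same public key as the local `certs/com.tesla.3p.public-key.pem` and that no private key block is exposed. The following is an added example, not code from this repo; the function names are hypothetical, and it assumes the 3p key is an EC key on P-256 (prime256v1), which this page does not state.

```python
import base64
import re

PEM_RE = re.compile(rb"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)
# Assumption (not from the page): the 3p key is an EC key on P-256 (prime256v1).
# This is the fixed DER header of such a SubjectPublicKeyInfo.
P256_SPKI_PREFIX = bytes.fromhex(
    "3059301306072a8648ce3d020106082a8648ce3d030107034200")


def pem_blocks(data: bytes):
    """Return (label, der_bytes) for every PEM block found in data."""
    return [(m.group(1).decode(), base64.b64decode(b"".join(m.group(2).split())))
            for m in PEM_RE.finditer(data)]


def check_published_key(served: bytes, local: bytes) -> list:
    """Compare the body nginx serves with the local public-key PEM file."""
    problems = []
    blocks = pem_blocks(served)
    if any("PRIVATE KEY" in label for label, _ in blocks):
        problems.append("private key material is being served")
    public = [der for label, der in blocks if label == "PUBLIC KEY"]
    if len(public) != 1:
        problems.append("expected exactly one PUBLIC KEY block, got %d" % len(public))
        return problems
    der = public[0]
    # 26-byte header + 0x04 (uncompressed point) + 64 coordinate bytes = 91
    if not (len(der) == 91 and der.startswith(P256_SPKI_PREFIX) and der[26] == 4):
        problems.append("not an uncompressed P-256 SubjectPublicKeyInfo")
    # Compare decoded bytes so line endings and wrapping do not matter.
    if [d for label, d in pem_blocks(local) if label == "PUBLIC KEY"] != [der]:
        problems.append("served key differs from the local public key")
    return problems


def make_pem(label: str, der: bytes) -> bytes:
    """Helper that wraps DER bytes as PEM for the constructed samples."""
    tag = label.encode()
    return b"-----BEGIN %s-----\n%s-----END %s-----\n" % (tag, base64.encodebytes(der), tag)


# Constructed sample: correct structure, but the 64 coordinate bytes are filler.
SAMPLE_DER = P256_SPKI_PREFIX + b"\x04" + bytes(range(64))

if __name__ == "__main__":
    local = make_pem("PUBLIC KEY", SAMPLE_DER)
    leaked = local + make_pem("EC PRIVATE KEY", b"\x00" * 32)
    print(check_published_key(local, local))
    print(check_published_key(leaked, local))
```

In real use, `served` is the response body fetched from the `.well-known` URL and `local` is the content of the PEM file in `certs/`.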
The following steps mostly interact with Tesla.
First, a partner account is created. That one represents our "third-party company".
Then, your personal Tesla account grants that partner account access using OAuth. This creates an access_token and refresh_token, both stored under data/.
These are used for your actual application, i.e. the HA integration.
Run tesla-update.sh