RBR850_owner
Dec 20, 2023 · Follower
RBR850 How to support https on local network (NOT remote) with nat loopback
Hi, As we all know communication should be encrypted at all times to avoid sniffing and hackers getting into your systems. So I want to secure the communication to my home assistant (webserver) on ...
CrimpOn
Dec 20, 2023 · Guru - Experienced User
An interesting project. How is the Home Assistant server connected to the network?
If it is 'wired', then the only way to sniff on that particular link is to have physical access to the network. (and even then placing a sniffer is not trivial. I use a managed switch and enable port mirroring.)
If the communication goes across WiFi, then (a) even a managed switch probably will not see the traffic, and (b) the actual data packets are encrypted. This is one reason sniffing on WiFi is so damn complicated. I can see that a packet goes from device A to device B, but cannot expose what is inside the packet for inspection. (and it's my own network!)
Have you considered a self-signed SSL certificate? This is what Netgear uses on the Orbi https version of the web administration interface. Web browsers throw a fit, "Unsafe! Go Back! Go Back!", but there is always a tiny link somewhere on the page offering "additional information" that has an option to go there anyway. Once done, the web browser no longer complains.
Of course the user can provide a DNS server. That is one of the options on the web setup. As an experiment for how to define local DNS name resolution, I set my Orbi to use a local Pi-hole DNS server. (Pi-hole has a feature for local network name resolution.) Works fine. If Pi-hole cannot resolve the name, I set it to use CloudFlare and GoogleDNS.
I abandoned that because I don't mind just using the LAN IP addresses for things, but it did work.
Is this Home Automation actually a web server? I had thought that most of this was done through smartphone apps and is probably encrypted already.
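The self-signed certificate option raised in the reply above, as an added example that is not part of the original posts: browsers match the name typed in the address bar against the certificate's subjectAltName entries, so the certificate has to list both the local DNS name and the LAN IP if either may be used. The hostname `homeassistant.lan`, the address `192.168.1.50` and the file names are constructed placeholders, and OpenSSL 1.1.1 or later is assumed for `-addext`.

```shell
#!/bin/sh
# Added example. Name and address are constructed placeholders (assumptions).
HA_NAME="homeassistant.lan"   # local DNS name, e.g. a Pi-hole local DNS record
HA_IP="192.168.1.50"          # LAN IP address of the web server

# Create a self-signed certificate and key in directory $1.
make_cert() {
    (
        umask 077   # keep the private key readable by its owner only
        openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
            -keyout "$1/ha.key" -out "$1/ha.crt" \
            -subj "/CN=$HA_NAME" \
            -addext "subjectAltName=DNS:$HA_NAME,IP:$HA_IP" 2>/dev/null
    )
}

# Succeeds if the certificate $1 covers value $3, where $2 is "host" or "ip".
# This is the same name check a browser performs before trusting the cert.
cert_matches() {
    openssl x509 -in "$1" -noout "-check$2" "$3" 2>&1 | grep -q "does match"
}

# Print whether a given name or address would pass the browser's name check.
report() {
    if cert_matches "$1" "$2" "$3"; then
        echo "$3: covered by certificate"
    else
        echo "$3: NOT covered (name-mismatch error even after trusting the cert)"
    fi
}

demo_dir=$(mktemp -d)
make_cert "$demo_dir"
report "$demo_dir/ha.crt" host "$HA_NAME"
report "$demo_dir/ha.crt" ip   "$HA_IP"
report "$demo_dir/ha.crt" host "other.lan"      # constructed name not in the SAN
# Fingerprint to compare against what the browser shows before accepting it.
openssl x509 -in "$demo_dir/ha.crt" -noout -fingerprint -sha256
rm -rf "$demo_dir"
```

Comparing the printed SHA-256 fingerprint with the one in the browser's certificate details is what makes "go there anyway" a verified decision rather than a blind one.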