I have the Cloudflare app installed in HA and the URL and application set in Cloudflare Zero Trust. All of it is working properly. My old policy used email token authentication, which was a major PITA as it needs to be renewed every 30 days.
So I’m trying to set up a client certificate for my domain and apps in Cloudflare for the HA app, but running into problems.
I followed this guide:
In the HA app on Android I enter the URL for the Cloudflare app to my HA and I choose the certificate I created and installed. But I get the error:
Unable to connect to Home Assistant.
The remote site requires a client certificate. Please install the required credential on your phone and try again.
Additional attempts to connect result in an “Error Code: 400”.
I know my certificate is valid because if I use Chrome on android, it also prompts for the client certificate, which I select, and then it connects successfully.
So I found this page on Cloudflare which says I need to install the Cloudflare CA certificate (under “Setting up mTLS with Cloudflare and Android”):
That did not help any at all.
So, I’m stuck. Anyone got this working or have ideas what to check?
Thanks!
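Before blaming the phone app, the checks below confirm the client certificate itself is usable: the private key matches the certificate, the certificate chains to the CA that was uploaded to Cloudflare, and it is not expired. This is an added example, not part of the original post or of any Cloudflare or Home Assistant tooling; the file names client.crt, client.key and ca.crt are hypothetical placeholders for your own PEM files.

```shell
#!/bin/sh
# Added example: local sanity checks on an mTLS client certificate.
# Assumes PEM files (hypothetical names): client.crt, client.key, ca.crt.
# Requires the openssl command-line tool.

# Return 0 if the private key belongs to the certificate
# (compares SHA-256 of the public key extracted from each file).
cert_key_match() {
  cert="$1"; key="$2"
  c=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null | openssl sha256 | awk '{print $NF}')
  k=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256 | awk '{print $NF}')
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# Return 0 if the certificate chains to the CA whose certificate
# was uploaded to Cloudflare for the mTLS policy.
cert_chains_to_ca() {
  cert="$1"; ca="$2"
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1
}

# Return 0 if the certificate is currently within its validity period.
cert_not_expired() {
  openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# Run all three checks and report the first failure.
check_client_cert() {
  cert="$1"; key="$2"; ca="$3"
  cert_key_match "$cert" "$key"   || { echo "private key does not match certificate"; return 1; }
  cert_chains_to_ca "$cert" "$ca" || { echo "certificate does not chain to the CA"; return 1; }
  cert_not_expired "$cert"        || { echo "certificate is expired"; return 1; }
  echo "client certificate looks usable"
}

# Usage: check_client_cert client.crt client.key ca.crt
```

If all three pass and Chrome also connects, the problem is on the app side (which credential the app is presenting), not the certificate; that matches what the thread eventually found.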
It works without trying mTLS, and I have the forwarded proxy set up in configuration.yaml.
http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 172.30.33.0/24 # You may also provide the subnet mask
There are no errors in the HA log relating to Cloudflare or proxies, and no errors in the Cloudflare add-on. And it accepts the certificate and connects properly with Chrome on the same Android phone.
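The trusted_proxies setting above is what makes use_x_forwarded_for safe: the forwarded client address is honoured only when the TCP peer is inside a listed network, so a client connecting directly cannot spoof its address by sending the header itself. The following is an added example that models that decision; it is not Home Assistant's own implementation and not code from this thread. The 172.30.33.0/24 network is the one from the post, and the peer addresses and header values are constructed samples.

```python
"""Added example (not Home Assistant's code): model of how trusted_proxies
gates use_x_forwarded_for. Sample addresses below are constructed."""
from ipaddress import ip_address, ip_network
from typing import List, Optional

# The add-on network from the post's configuration.yaml
TRUSTED_PROXIES = [ip_network("172.30.33.0/24")]


def _is_trusted(addr, trusted) -> bool:
    return any(addr in net for net in trusted)


def client_ip(peer: str, x_forwarded_for: Optional[str],
              trusted: Optional[List] = None) -> str:
    """Return the address that should be treated as the client.

    The X-Forwarded-For header is consulted only when the TCP peer is a
    trusted proxy. Hops are walked from the right (the entries appended
    last, by proxies we trust) and the first untrusted hop is the client.
    Otherwise the header is ignored and the peer address is used, because
    a direct client can put anything it likes in that header.
    """
    trusted = TRUSTED_PROXIES if trusted is None else trusted
    peer_addr = ip_address(peer)
    if x_forwarded_for and _is_trusted(peer_addr, trusted):
        hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
        for hop in reversed(hops):
            addr = ip_address(hop)
            if not _is_trusted(addr, trusted):
                return str(addr)
    return str(peer_addr)


if __name__ == "__main__":
    # Request arrives from the add-on network with a forwarded client: honoured.
    print(client_ip("172.30.33.4", "203.0.113.9"))
    # Same header from a direct, untrusted peer: ignored, peer address kept.
    print(client_ip("203.0.113.9", "10.0.0.1"))
```

The practical consequence: keep trusted_proxies as narrow as the add-on's network, as the post does. Listing a broad range (or every address) would let any host in that range forge the client address that Home Assistant records and uses for IP bans and login rate limiting.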
Ok. Just banging my head on the desk all day, so I finally gave up and:
Uninstalled/reinstalled the HA Android app
Uninstalled/reinstalled the Cloudflare add-on in Home Assistant
Deleted the previously configured applications in Cloudflare Zero Trust
And started over from scratch using the instructions from kcorg.org (listed above)
And It works!!! OMG!!!
The ONLY issue I ran into is that I have 2 Home Assistant servers running at two locations, so when I set up the Cloudflare add-on in the 2nd instance, it died with
failed to create tunnel: Create Tunnel API call failed: tunnel with name already exists
This is because the tunnel name defaults to Homeassistant, which already existed from the 1st HA server. So under “Show unused optional configuration options” you can specify a different tunnel name than the default.
So, when in doubt, wipe it out. Just bite the bullet and start over from scratch.