Free SSL Certificates through Cloudflare (15y Expiry)

Note: This info is really only useful if you have your own domain. It would not work directly with a dynamic DNS service such as duckdns, although your domain can point to a duckdns address using a CNAME, which is what I do.

I recently found out that Cloudflare offer a free package for personal use and so I’ve been playing around with what it can offer my Home Assistant setup.

Even if you’ve never heard of Cloudflare you probably access content using it every day; for example, this forum is served through Cloudflare. This is by no means my area of expertise (if I even have one) but from what I understand Cloudflare is a service that sits between a web server and its clients, with its main aims being to protect against DDoS attacks and improve performance (by caching content using a CDN network).

What really interested me was that they also offer free SSL certification. Given they sit in the middle of communications there actually needs to be 2 SSL certificates to cover each leg of the communication, in the Home Assistant context this would be something like Web Browser (Serving Front End) >> Cloudflare and Cloudflare >> Home Assistant.

For their personal-use offering the Web Browser >> Cloudflare part is covered by a certificate that is shared by a number of Cloudflare users. This certificate is automatically renewed by Cloudflare and so you don’t need to worry about keeping it renewed.

For the Cloudflare >> Home Assistant part Cloudflare can provide what they call an origin certificate. From what I understand, this is a certificate that is signed by Cloudflare, it wouldn’t be validated by your browser but it doesn’t need to be as it is only Cloudflare themselves that see it. Your browser would only see the shared certificate above which is accepted by most browsers. The really good bit here is that this origin certificate can be valid for 15 years!

Between Cloudflare automatically renewing the shared certificate and the 15 year expiry of the origin certificate you pretty much don’t need to worry about renewing SSL certificates :slight_smile: .

The process of issuing an origin certificate is also very easy. You don’t even need to create a Certificate Signing Request (CSR), they can do this for you. You just ask for a certificate and then download the .pem and .key files which can be used in Home Assistant:

http:
  ssl_certificate: /home/your_user/.homeassistant/certificate.pem
  ssl_key: /home/your_user/.homeassistant/privkey.pem

The process of setting up Cloudflare as well is very simple and only takes a few minutes.

It’s worth noting that Cloudflare have a number of ways in which SSL can be configured, the setup I am describing here can be used with the Full SSL (Strict) model.

I’m still playing around with Cloudflare and I’m interested to see if the caching adversely affects Home Assistant in any way (particularly when I’m making changes).

One good part I have found is that it makes it very easy to auto forward HTTP to HTTPS. This means that I can type www.<mydomain>.com in my browser and it automatically uses HTTPS (I don’t need to specify it).

One caveat I will mention is that Cloudflare only proxies HTTP and HTTPS using a limited set of ports. This means that you will need to have your Home Assistant exposed on one of these ports and you won’t be able to use other services (such as SSH) using the address you protect with Cloudflare. There are however a number of ways around this e.g.

  • Skip out Cloudflare by directly using the external IP address or duckdns address of your Home Assistant instance.
  • Create another sub-domain that is not routed through Cloudflare e.g. ssh.<yourdomain>.com.

Hopefully this is useful to someone.

9 Likes

Very interesting read, I’m planning on setting up a new system shortly myself. I’ve tried before, but I failed and I intend to correct that now. However, I want several services and several subdomains. So could Cloudflare access multiple services, say:

Home Assistant at ha.mydomain.com
Plex at plex.mydomain.com
Personal website at www.mydomain.com ?

I intend to use docker, and have many containers, but only a few are interesting to access externally. I need to set up Traefik or NGINX also I believe (the horror). Could your setup cover all of these features, or would it only cover Home Assistant? Looking at the HA Cloudflare component, I got the feeling it will only update for my HA instance, and not for the services.

Hi @hulkhaugen. What you’re describing is very close to my setup (which has evolved since the initial post) and so it’s all very possible.

Have a look at Caddy as an alternative to Nginx, I love it for its one-line setup and simple config. Here’s my Caddy config for HA:

# Redirect http traffic to https
http://www.mydomain.com:80 {
        redir https://www.mydomain.com{uri}
}
# Proxy https traffic to the HA docker container
https://www.mydomain.com:443 {
        proxy / https://localhost:8448 {
                transparent
                websocket
                # Ignore any SSL issues as it's only local traffic
                insecure_skip_verify
        }
        tls /home/caddy/mydomain.com.pem /home/caddy/mydomain.com.key
}

You can certainly use the Cloudflare component to update multiple DNS records (providing they all should go to the IP HA is running on). I do this myself.

Thanks for the tip, very interesting, will defo look into this :slight_smile:

Friends

I’m new here, I’m trying to protect my hassio with Cloudflare and I always get the response ERROR 525 SSL handshake failed

Can anyone help me, I would be very grateful

I followed this tutorial, but it didn’t work

1 Like

Hi

I too followed these instructions and all seemed to work OK. It kind of glossed over which key goes in which file but I have tried both ways round and still same issue.

I get error 525 or 521

I have tried putting the .pem and .key in 3 different places to see if that was the issue. I have tried as it said on the homeassistant profile, in the ssl section within the hassio folder where config is etc and also within the config folder too.

Is there a fix for this ?

Regards

Martyn

Hi Martyn, did you get anywhere with this or are you still struggling? Do you use a proxy like Caddy or nginx? Can you share your http config?

Hi

I have it working. Only issue is the Cloudflare addon that I’m using stops. I am going to try the HA config this weekend and see how that goes.

I was advised to just type http: in the config and then point to the 2 files downloaded from Cloudflare.

Don’t put a base url in

I used the addon NGinx Home Assistant SSL Proxy

Hope that helps. If you want any more info. Give me a shout

Hey, could you share your config? I’m also struggling with this. I get 525 from Cloudflare.

Nice! Thanks for reading!

Although I don’t publish on medium anymore, I reposted on my blog at https://jeffreystone.net/2020/04/17/swapping-out-duckdns-for-cloudflare/ and updated it since I am now using hassio…er Home Assistant. The update only really changes where the certs go, but I have been using Cloudflare for a while. It works great!

Do you have your hassio at 8123 locally and do port forwarding 443->8123?

My setup is exactly as yours but I still get error 525 and this in the log:

Traceback (most recent call last):
  File "/usr/local/lib/python3.7/site-packages/aiohttp/web_protocol.py", line 275, in data_received
    messages, upgraded, tail = self._request_parser.feed_data(data)
  File "aiohttp\_http_parser.pyx", line 523, in aiohttp._http_parser.HttpParser.feed_data
aiohttp.http_exceptions.BadStatusLine: invalid HTTP method

I solved by using NGINX Home Assistant SSL proxy Add-on

I’m port forwarding 443 to 8123. I can access it locally using https://internal_ip:8123 and still get to it if I ignore the cert complaints from the browser.

Thanks netizen24601, I got it working without proxy using:

http:
  base_url: https://ha.domain.com:8123
  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem

And port forwarding from one of the allowed ports to 8123.

Now my question is how to get ip_ban option working again?
It’s probably possible with a combination of the http options defining the Cloudflare IPs but I’m worried to do more damage than good.

This is my best guess:

  use_x_forwarded_for: true
  trusted_proxies: !secret cf_trusted
  ip_ban_enabled: true
  login_attempts_threshold: 3

If you are trying to do the same, only get your cf_trusted from the official source(!)

But I don’t know how to test that yet :upside_down_face:

1 Like
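A worked illustration of why trusted_proxies matters once ip_ban is turned back on behind Cloudflare, added here as an example and not taken from any post above. It uses constructed placeholder ranges in place of Cloudflare’s real IP list and models the X-Forwarded-For handling in simplified form rather than reproducing Home Assistant’s own code.

```python
import ipaddress
from collections import Counter

# Constructed placeholder ranges standing in for Cloudflare's proxy IPs.
# Replace with the list Cloudflare publishes (the "official source" above).
CF_TRUSTED = ["198.51.100.0/24", "2001:db8:cf::/48"]
LOGIN_ATTEMPTS_THRESHOLD = 3  # matches login_attempts_threshold: 3 above


def parse_trusted(cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]


def is_trusted(ip, trusted):
    return any(ip in net for net in trusted)


def client_ip(peer_ip, x_forwarded_for, trusted):
    """Simplified model of use_x_forwarded_for + trusted_proxies:
    X-Forwarded-For is honoured only when the TCP peer is a trusted proxy,
    and the client is the right-most hop that is not itself a trusted proxy.
    A header sent directly by an untrusted peer is ignored (spoof resistant)."""
    peer = ipaddress.ip_address(peer_ip)
    if not is_trusted(peer, trusted) or not x_forwarded_for:
        return str(peer)
    for hop in reversed([h.strip() for h in x_forwarded_for.split(",")]):
        ip = ipaddress.ip_address(hop)
        if not is_trusted(ip, trusted):
            return str(ip)
    return str(peer)


def simulate_bans(failed_logins, trusted):
    """Count failed logins per resolved client and return the set that
    would be banned once the threshold is reached."""
    counts = Counter(client_ip(peer, xff, trusted) for peer, xff in failed_logins)
    return {ip for ip, n in counts.items() if n >= LOGIN_ATTEMPTS_THRESHOLD}


# Constructed failed logins as (TCP peer, X-Forwarded-For): every request
# arrives from a Cloudflare edge; one client fails three times, two fail once.
FAILED = [
    ("198.51.100.7", "203.0.113.9"),
    ("198.51.100.7", "203.0.113.9"),
    ("198.51.100.8", "203.0.113.9, 198.51.100.8"),
    ("198.51.100.7", "192.0.2.10"),
    ("198.51.100.8", "192.0.2.11"),
]

if __name__ == "__main__":
    print(simulate_bans(FAILED, parse_trusted(CF_TRUSTED)))  # the real offender only
    print(simulate_bans(FAILED, []))  # without trusted proxies the edge IP is banned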

Excellent! I had not turned back on the ip ban, but you just gave me the info to be able to do that.

I’m going back and updating my cloudflare doc to make sure that I include the http for base url and the router setup.

Does anyone have more than one site serving rather than just Home Assistant only?

I’m using NGINX but I got same from Cloudflare, Error 525 or 522. Cert is from Cloudflare located in /SSL.
When I add “http:” to my config the HA will not start.

if you use the addon for nginx then http wouldn’t work… it’s either or… I believe

1 Like

Any chance you got this sorted out? My setup with Cloudflare makes the server really slow and usually responds with 522 after a 15s timeout.

Yes, it’s working now.
Make sure you read the documentation and have correct config. (nginx)
domain: URL without HTTPS

In the configuration for Home Assistant go to General settings and add your URL with HTTPS.
Hope this helps.

no HTTP in the configuration.yaml, but if you have this it will not start at all. So I guess you do not have this.