HA behind pfSense with Cloudflare

I’ve deleted the app, reinstalled, did not change.
also note have same problem on other iOS devices, even one that was not previously used.


What does it say in the phone app logs, under app settings?

tried a different reset,
again got URLSessionTask failed with error. The certificate for this server is invalid…


Try forcing a refresh of your certificate, to be sure it’s no more cross signed with the one that expired on Sep 30th.

certificate was issue by me on Friday.

Aren’t you making things more difficult then they are?


and use your domain name in pfsense

then in IOS

local: https://my.domain.url:8123
external: https://my.domain.url

I never really understood why i would need a reverse proxy (except for blocking improper pages for my younger kids :thinking:)

What i did here with my router, would also work on your pfsense

the certificate enabling etc is all done in haproxy.
ha proxy is also doing the mapping of front end to back end.

at the moment I’ve disabled reverse proxy by CloudFlare.

so it is pretty much ISP → Modem → pfSense (with haProxy doing lets_encrypt)

the reverse proxy actually does allot more than that, it hides your ip. go and do a nslookup of your domain with and without reverse proxy enabled, with it enabled it will resolve to your ip, with it it does not.

will have a look at the above, what you did.
(I really don’t want to use DuckDNS or DynuDNS)


I don’t use duckdns, i use my own domain on ha.

when I started I did have a small challenge generating my certificate which I solved it by running a daily check with certbot and copy it to ha using samba when a new certificate was generated :wink:

You might want to check my earlier posts regarding this topic… i already tried to explain many times

I use to use duckdns until they went to unreliable and then moved over to duckdns a couple of weeks ago, as I did not have a static domain,

but when all this started I bought myself a static domain, so want to implement using that.

really keen on the entire idea of reverse proxy… if I can.

Happy to leave dns with cloudflare,

I created via the ACME process a lets_encrypt cert with only ha.“my domain”.com and then a 2nd cert that contain three sub domains.

other bits of IT is my strong point, cert issues/uses is not strong, but I do live in a world where well aware of the risk.
thinking I need to relook how I do this… as mentioned, I got it all working, except for the iOS mobile app that comes up with a invalid cert, there is something about this that the iOS app does not like, the error message under “app configuration/Site name/WebSocket” says Disconnected

I’d go as far as offering a Zoom/Team session if you willing.

My steps:

Point 2 and 3 already in place. will figure 1 out quickly


1 Like

Good…then you only need to figure out step 1… shouldn’t be too hard :wink:


General settings.


Then this should be working now in IOS:

local: https://my.domain.url:8123
external: https://my.domain.url

And I am not sure if PFSense support HairPin NAT, but if that is the case, then there would be no need to differentiate between internal and external URL’s on IOS :wink:

PS: in order for IOS to differentiate between internal and external you will need to define your wifi SSID’s

so just noticed at the url, even though there seems to be something wrong with everything (my side)… even in the browser, it’s showing site is not trusted (and a accept risk is registered)… so that aligns up with iOS complaining about the cert.

and yes I’ve re-issued by lets_encrypt cert.

will have to redo the cert setup completely.


strange though as in ACME configuration my key and the certs have tick boxes as valid.


  1. Are you sure it’s the letsencrypt that is used (in a browser, click on the padlock and find your way to “view certificate”). Check if you can see why the certificate is not trusted
  2. Are you using a Full Qualified Domain Name for your certificate of a “wildcard” (“*.mydomian.com”) one
  3. Are you calling HA with the exact same FQDN

P.S. That’s your problem, btw. You cannot create an “accept risk exception” in the app.

  1. Yes
  2. FQDN
  3. Yes

and agree on the iOS risk accept which we can’t so I need to get it first in the browser working without a risk acceptance, if I get that working then the app should just work… we hope


Yeah, so check in a browser why exactly the certificate is not trusted.
If it’s something about a X1 certificate being expired, we’re in the case I exposed above.

Mine (using chrome browser: