Home Assistant App through Cloudflare Tunnel with Auth (Android)

Are you sure you uploaded a certificate to Cloudflare? It may not come up until you do.

If you mean ‘upload a certificate to Cloudflare’ by following steps 1 to 4 (Generate public and private keys), then yes I’ve done that and rechecked that the certificate is active.

@skykingjwc Thank you very much for writing this guide! Got my HA up and running on Cloudflare Tunnel in 1 evening’s work.

The only thing which tripped me up was in Step 5 for the Web GUI Application, Cloudflare enforces “Create additional rules” (can’t leave it blank). I had to include emails to only my email address to be able to save the application policy.

Hi, I’ve followed the guide, and with the browser I can access my instance of Home Assistant, but when I try to open the app I receive an error that says "the certificate is not yet or is no longer valid, install a new credential on the phone and try again", without any possibility of choosing which certificate it must use. What can I verify? I’m sure the certificate created on Cloudflare is the only one installed on the phone.
Can anyone help me?

One question. Should we set up a local tunnel or a remote tunnel? Or do both work?

Good tutorial, but unfortunately due to conflict of interests, iOS users are not able to use this way to protect their setups while allowing external access without paying for it.

There was a discussion on the PR:

And it moved to this topic, but it will probably be ignored:

Unfortunately, seems that community pressure will not work with this conflict as it involves Nabu Casa

Hi! Does that mean I won’t be able to access HA in my iOS app with this method?

Hi, thanks a lot for your guide. It helped a lot.
But why do you need a WAF rule?
I created 2 applications on Cloudflare, one for web access with Cloudflare PIN authentication and one for the Home Assistant Android app with certificate authentication, and it works great. It doesn’t need a WAF rule. The only thing I had to do was configure the access policy for web access to authorize only my email.

Hopefully a question with a simple answer.

I have an iOS phone with a cloudflare tunnel through the Cloudflared addon that all works well.

My wife however has an Android phone!!!

Is there any way to run the above setup in parallel with what I have existing there for iOS?

Thanks,

Are you sure you are running the iOS app through Cloudflare? As far as I know that’s not currently possible, at least not with Cloudflare Auth enabled.

Many thanks for this detailed guide. It helped me a lot. Maybe as a hint for others: I converted the mTLS certificate with an old OpenSSL library (from around 2017). A certificate was created successfully, the phone imported it successfully, but I was never asked to use it. After doing this with an up-to-date OpenSSL it worked immediately. I have a Samsung Galaxy something.

@skykingjwc (or anyone else).

Sorry for the seemingly daft question. But I keep seeing people saying that if you use cloudflare tunnels with “auth enabled”, then it can prevent the companion app working.

How exactly is “auth” enabled in the Cloudflare dashboard? Basically, I’m not sure whether I’ve enabled “auth” or not, and would like to check. How would I know if “auth” is enabled?

I was following this tutorial but I got to a point I didn’t understand. To validate a certificate for login you have to set up a root CA to check the client certificate against. Without the root CA set up properly, Cloudflare basically lets everybody or nobody in (based on the allow or block mTLS rule). If you can access your HA instance, everybody can do it by following this tutorial. To set up certificate verification as a Zero Trust app policy you need to go to Access > Service Auth > Mutual TLS, add a cert in the options and submit your root CA. As this last option is under the enterprise paid plan, and I think almost nobody here is paying for that just to access HA, and because it is not explained in the tutorial, it looks to me that everybody has set free access to their HA login.
Moreover, WAF rules should act like a Layer 1 protection you have to cross to get to Layer 2 (Zero Trust). To be honest, if I follow the tutorial but set up policies in Zero Trust with the valid-certificate rule as “include”, it just skips to the next rule for login (Google and OTP in my case). Cloudflare’s documentation says that “bypass” and “service auth” policies are executed before every other rule, so the proof is to set email address verification as the second policy and see if you still get to the HA login page. In my case it never worked!
Please, if I’m wrong, give me some explanation.
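The two points raised above (a current OpenSSL to produce the phone's client certificate bundle, and a root CA as the trust anchor without which a client certificate cannot actually be validated) as an added shell example, not code from this thread, from Cloudflare, or from Home Assistant. It assumes only the `openssl` command line; the directory, file names and certificate subjects are made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): build a small mTLS chain with openssl
# and show that a client certificate only verifies against *its* root CA.
# Assumes: openssl CLI on PATH. All file names below are hypothetical.
set -e

WORK="${WORK:-$(mktemp -d)}"

# 1. Private root CA. This is the certificate that has to be configured as the
#    trust anchor (e.g. Access > Service Auth > Mutual TLS) before any client
#    certificate can be checked against it.
make_root_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Example HA Root CA" \
    -keyout "$WORK/rootCA.key" -out "$WORK/rootCA.crt" 2>/dev/null
}

# 2. One client certificate per phone, signed by that CA.
make_client_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=android-phone" \
    -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/client.csr" \
    -CA "$WORK/rootCA.crt" -CAkey "$WORK/rootCA.key" -CAcreateserial \
    -days 365 -out "$WORK/client.crt" 2>/dev/null
}

# 3. Bundle key + certificate as PKCS#12 for import on the phone.
#    $1 is the export password; modern OpenSSL writes an AES-encrypted bundle.
make_p12() {
  openssl pkcs12 -export -inkey "$WORK/client.key" -in "$WORK/client.crt" \
    -name "ha-app" -passout "pass:$1" -out "$WORK/client.p12"
}

# Chain check with the correct trust anchor: prints "ok".
verify_with_ca() {
  if openssl verify -CAfile "$WORK/rootCA.crt" "$WORK/client.crt" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# Chain check against an unrelated CA: prints "fail". This is the situation
# when the root CA uploaded (or missing) does not match the phone's certificate.
verify_with_wrong_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Unrelated CA" \
    -keyout "$WORK/other.key" -out "$WORK/other.crt" 2>/dev/null
  if openssl verify -CAfile "$WORK/other.crt" "$WORK/client.crt" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# Usage (interactive):
#   . ./mtls_demo.sh; make_root_ca; make_client_cert; make_p12 changeit
#   verify_with_ca        # ok
#   verify_with_wrong_ca  # fail
```

The `openssl verify` calls are the local stand-in for what the server side does during the TLS handshake: with the matching root CA the client certificate is accepted, with any other CA it is rejected, and a policy that merely asks "was a client certificate presented" without a configured trust anchor cannot tell the two apart.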

I tried following the tutorial but I cannot get the Zero Trust application for the certificate to work. The website also just shows access forbidden. This error occurs on Windows and Android. Thoughts?

When making the group I get the following error:

If instead of the group being required it’s included, I don’t get the error, but it is still not working.

DNS is set up as follows:
[Screenshot 2024-12-15 150541]

The non app URL works without an issue.

Hi, yes, I am with a straight tunnel with no CF Auth currently. I may look at getting something in there at some point, but I'm still trying to get a bunch of things up and running first.

Same issue for me…

This seems like a big process. Any advantage over just using zerotier?

Glorious! I was struggling for quite some time until I started poking around. I reset the entire cloudflared configuration in HA, uninstalled, deleted all related CF tunnels and applications and went from scratch.

I went with local instead of remote for the cloudflared setup, since I was thinking it might have caused some issues before. Got the web application working fine, but I was still getting 403 errors trying to connect with the app.

Tried @jakcyl's suggestion of disabling HTTP/3 optimization, still the same result: no cert request from the app.

So I started digging around the SSL/TLS configuration in Cloudflare, and saw the option to add a host on the client certificate page.

Added my ha-app url, and immediately worked! So glad to have this working finally. Just letting folks know this is there in case maybe it’s the same issue for others.


This has broken the SmartThings integration for me. Sensors were not getting updated, so I deleted it from HA and generated a new personal token, and I get the following error when adding SmartThings back again.

SmartThings could not validate the webhook URL. Please ensure the webhook URL is reachable from the internet and try again.

Do I need to add this webhook to Cloudflare?

LOVE U BRO !!! I lost many hours and this little edit saved my day. Thanks.