Home Assistant App through Cloudflare Tunnel with Auth (Android)

pillolola · October 6, 2024, 5:36pm

Hi, i’ve follow the guide, but with browser I can access to my instance of home assistant, but when I try to open the app, I receive an error that say " the certificate is not yet or is no longer valid, install a new credential on the phone and try again" without any possibility of choice which certificate it must use. What can I verify? I’m sure the certificate create on cloudflare is the only installed on phone.
can anyone help me?

jaegerschnitzel · October 22, 2024, 9:01pm

One question. Should we setup local tunnel or remote tunnel? Or do both work?

splintter · October 22, 2024, 9:06pm

Good tutorial, but unfortunately due to conflict of interests, iOS users are not able to use this way to protect their setups while allowing external access without paying for it.

There was a discussion on the PR:

github.com/home-assistant/iOS

Allow supplying client certificates

home-assistant:master ← home-assistant:client-cert

opened 06:12AM - 29 May 22 UTC

zacwest

+375 -82

TODO: - [ ] Update HAKit to support providing arbitrary URLCredentials -- this …requires forking Starscream which doesn't offer the ability to provide it, which means HAKit will begin requiring a fork version, which is messy - [ ] Passphrase prompting (rather than crashing) - [ ] Client certificates [do not work with URLSession background sessions](https://developer.apple.com/forums/thread/704839?answerId=711419022#711419022 ) -- this may be a dealbreaker, especially on Watch or eventually in Widgets - [ ] Requires iOS 15, because that's when URLSession-based WebSocket connections become available, which is when client certificates begin working ## Summary - Only PKCS12 files containing a key & certificate are supported. - Fails with Caddy, which doesn't appear to prompt. - Does work with nginx. Continues the credential threading of #2131 by prompting for client certificates when the server requests. There are 2 kind of client certificate requests: 1. Required, where failing to provide one will error 2. Optional, where failing to provide one continues to work ASWebAuthenticationSession doesn't support customizing networking, so this also implements a (pretty simple) wrapper around the login flow in an in-app web view. This has the upside of not doing a second certificate trusting screen for self-signed certs too. ## Screenshots ## Link to pull request in Documentation repository Documentation: home-assistant/companion.home-assistant# ## Any other notes

And it moved to this topic, but it will probably be ignored:

Unfortunately, seems that community pressure will not work with this conflict as it involves Nabu Casa

yafengwy · October 22, 2024, 11:32pm

Hi! Does that mean I won’t be able to access HA in my ios app with this method?

eki78 · November 1, 2024, 10:27am

Hi, thanks a lot for your guide. It helped a lot.
But why do you need a WAF rule ?
I created 2 applications on cloudflare, one for web access with cloudflare PIN authentication and one for home assistant android app with certificate authentication and it’s work great. Doesn’t need a WAF rule. The only thing I had to do is to configure the access policy for web access to authorize only my mail.

floppinab · November 3, 2024, 9:33am

Hopefully a question with a simple answer.

I have an iOS phone with a cloudflare tunnel through the Cloudflared addon that all works well.

My wife however has an Android phone!!!

Is there anyway to run the above setup in parallel with what I have existing there for iOS?

Thanks,

skykingjwc · November 10, 2024, 5:29am

Are you sure you are running the IOS App through Cloudflare. As far as I know that’s not currently possible, at least not with Cloudflare Auth enabled.