Strange. I only use mTLS cert with mTLS rules and it works well for both android app and web access from PC. On PC web gui, you’ll get a prompt to select the mTLS certificate every session. On the android app, you’ll get the prompt once on set up.
Does it require that you install a cert on the PC, as well as the app?
Yes I have the cert on both the PC and the android phone
I guess the difference is I would rather rely on Cloudflare auth for the PC without the need for a specific private cert. Meaning I can log in from anywhere on a PC as long as I have authenticated with Cloudflare. If I’m at my mom’s house, for example, I don’t want to have to install a certificate on her PC first to access my HA instance. I just want to hit the URL and have Cloudflare do its thing.
The HA app is not compatible with Cloudflare auth (yet), so a cert is needed if you wish to also use Cloudflare with the app.
So yes, you are correct in that you don’t have to do anything after step 5 if you want to use a private cert for everything; however, this article is about getting the app to work with a cert while still allowing the web GUI to use Cloudflare without the need for a manually installed private cert on a PC.
Really appreciate the well written guide.
Perhaps it’s just me missing something, but I could not select the necessary option from the Selector field when adding a group.
Are you sure you uploaded a certificate to Cloudflare? It may not come up until you do.
If you mean ‘upload a certificate to Cloudflare’ by following steps 1 to 4 (Generate public and private keys), then yes I’ve done that and rechecked that the certificate is active.
@skykingjwc Thank you very much for writing this guide! Got my HA up and running on Cloudflare Tunnel in 1 evening’s work.
The only thing which tripped me up was in Step 5 for the Web GUI Application, Cloudflare enforces “Create additional rules” (can’t leave it blank). I had to include emails to only my email address to be able to save the application policy.
Hi, I’ve followed the guide. With a browser I can access my instance of Home Assistant, but when I try to open the app I receive an error that says “the certificate is not yet or is no longer valid, install a new credential on the phone and try again”, without any possibility of choosing which certificate it must use. What can I verify? I’m sure the certificate created on Cloudflare is the only one installed on the phone.
Can anyone help me?
One question. Should we setup local tunnel or remote tunnel? Or do both work?
Good tutorial, but unfortunately due to conflict of interests, iOS users are not able to use this way to protect their setups while allowing external access without paying for it.
There was a discussion on the PR:
And it moved to this topic, but it will probably be ignored:
Unfortunately, seems that community pressure will not work with this conflict as it involves Nabu Casa
Hi! Does that mean I won’t be able to access HA in my ios app with this method?
Hi, thanks a lot for your guide. It helped a lot.
But why do you need a WAF rule?
I created 2 applications on Cloudflare, one for web access with Cloudflare PIN authentication and one for the Home Assistant Android app with certificate authentication, and it works great. It doesn’t need a WAF rule. The only thing I had to do was configure the access policy for web access to authorize only my mail.
Hopefully a question with a simple answer.
I have an iOS phone with a cloudflare tunnel through the Cloudflared addon that all works well.
My wife however has an Android phone!!!
Is there any way to run the above setup in parallel with what I have existing there for iOS?
Thanks,
Are you sure you are running the iOS app through Cloudflare? As far as I know that’s not currently possible, at least not with Cloudflare Auth enabled.
Many thanks for this detailed guide. It helped me a lot. Maybe as a hint for others: I converted the mTLS certificate with an old OpenSSL library (from around 2017). A certificate was created successfully and the phone imported it successfully, but I was never asked to use it. After doing this with an up-to-date OpenSSL it worked immediately. I have a Samsung Galaxy something.
@skykingjwc (or anyone else).
Sorry for the seemingly daft question. But I keep seeing people saying that if you use cloudflare tunnels with “auth enabled”, then it can prevent the companion app working.
How exactly is “auth” enabled in the Cloudflare dashboard? Basically, I’m not sure whether I’ve enabled “auth” or not, and would like to check. How would I know if “auth” is enabled?
I was following this tutorial but I got to a point I didn’t understand. To validate a certificate at login you have to set up a root CA to check the client certificate against. Without the root CA set up properly, Cloudflare basically lets everybody or nobody in (based on the allow or block mTLS rule). If you can access your HA instance, everybody can do it by following this tutorial. To set up certificate verification as a Zero Trust app policy you need to go to Access > Service Auth > Mutual TLS, add a cert in the options and submit your root CA. As this last option is under the Enterprise paid plan, and I think almost nobody here is paying for that just to access HA, and because it is not explained in the tutorial, it looks to me like everybody has set up free access to their HA login.
Moreover, WAF rules should act like a Layer 1 protection you have to cross to get to Layer 2 (Zero Trust). To be honest, if I follow the tutorial but set up the Zero Trust policy about a valid certificate as “include”, it just skips to the next rule for login (Google and OTP in my case). Cloudflare’s documentation says that “bypass” and “service auth” policies are executed before every other rule, so the proof is to set email address verification as the second policy and see if you still get to the HA login page. In my case it never worked!
Please, if I’m wrong, give me some explanation.
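The two posts above (the one about an old OpenSSL producing a bundle the phone never offered, and the one about Cloudflare needing the root CA to validate client certificates) both come down to the same chain of trust. The following is an added example written for this thread, not code from the guide or from Cloudflare: it builds a private root CA, issues a client certificate signed by it, bundles key and certificate as a PKCS#12 file for import on the phone, and then shows that `openssl verify` only succeeds against the CA that actually issued the certificate. The CA names (`ha-root`, `other-root`), the client name (`phone`), and the password are hypothetical; it assumes an OpenSSL 1.1.1 or 3.x binary on the PATH. Whichever CA you use as `ha-root` is the one whose certificate has to be uploaded to Cloudflare as the mTLS trust anchor; a certificate from any other CA, or a self-signed one, cannot be validated, which is the failure mode the poster above describes.

```shell
#!/bin/sh
# Added example for this thread (not from the guide or Cloudflare).
# Assumes: openssl 1.1.1 or newer on PATH. All names/passwords are hypothetical.
set -e

# Working directory for generated material; override with WORK=/some/dir.
WORK="${WORK:-$(mktemp -d)}"

# make_ca NAME: create a self-signed root CA key and certificate.
# The resulting NAME.crt is what you upload to Cloudflare so it can
# validate client certificates issued by this CA.
make_ca() {
  name="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=${name}" \
    -keyout "$WORK/${name}.key" -out "$WORK/${name}.crt" >/dev/null 2>&1
}

# make_client CA CLIENT: create a client key and CSR, then sign the CSR
# with CA. Only certificates signed by the uploaded CA will pass mTLS.
make_client() {
  ca="$1"; client="$2"
  openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=${client}" \
    -keyout "$WORK/${client}.key" -out "$WORK/${client}.csr" >/dev/null 2>&1
  openssl x509 -req -days 365 -in "$WORK/${client}.csr" \
    -CA "$WORK/${ca}.crt" -CAkey "$WORK/${ca}.key" -CAcreateserial \
    -out "$WORK/${client}.crt" >/dev/null 2>&1
}

# make_p12 CLIENT PASSWORD: bundle key + certificate as PKCS#12, the
# format Android's credential importer expects. This is the step the
# old-OpenSSL poster had trouble with.
make_p12() {
  client="$1"; pass="$2"
  openssl pkcs12 -export -inkey "$WORK/${client}.key" -in "$WORK/${client}.crt" \
    -out "$WORK/${client}.p12" -passout "pass:${pass}" >/dev/null 2>&1
}

# verify_against CA CLIENT: exit 0 if CLIENT.crt chains to CA.crt, 1 if not.
# This mirrors what the mTLS check at the edge has to do.
verify_against() {
  ca="$1"; client="$2"
  openssl verify -CAfile "$WORK/${ca}.crt" "$WORK/${client}.crt" >/dev/null 2>&1
}

# demo: issue a phone cert from ha-root and show that a different CA
# (other-root) cannot validate it.
demo() {
  make_ca ha-root
  make_ca other-root
  make_client ha-root phone
  make_p12 phone changeme
  echo "PKCS#12 bundle for the phone: $WORK/phone.p12"
  echo "CA certificate to upload to Cloudflare: $WORK/ha-root.crt"
  if verify_against ha-root phone; then
    echo "phone.crt chains to ha-root: OK"
  fi
  if ! verify_against other-root phone; then
    echo "phone.crt does NOT chain to other-root (expected)"
  fi
}

demo
```

If an older phone refuses the `.p12`, OpenSSL 3.x can write the older PKCS#12 encryption with `openssl pkcs12 -export -legacy ...`; the thread's own fix of simply using a current OpenSSL is usually enough.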
I tried following the tutorial but I cannot get the Zero Trust application for the certificate to work. The website also just shows access forbidden. This error occurs on Windows and Android. Thoughts?
When making the group I get the following error:
If instead of the group being required it’s included, I don’t get the error but it is still not working.
DNS is set up as follows
The non app URL works without an issue.
Hi, Yes I am with a straight tunnel with no CF Auth currently. I may look at getting something in there at some point but still trying to get a bunch of things up and running first.