Thanks for the guide. It collects the same steps I followed, but there are two problems with it:
Freenom domains seem to be blocked by Cloudflare. I get this error when trying it:
Requesting a certificate for *.myfreenomdomain.ml
Encountered CloudFlareAPIError adding TXT record: 1038 You cannot use this API for domains with a .cf, .ga, .gq, .ml, or .tk TLD (top-level domain). To configure the DNS settings for this domain, use the Cloudflare Dashboard.
Are wildcard domains supported (like your example snippet for the add-on)? If so, how do you set up the wildcard CNAME at Cloudflare?
Good day @diamant-x ! I apologize for the delay in responding.
After a quick search, it looks like Cloudflare made a change back in May of 2020 that prevents users from using those TLD domains. I wonder if the reason I was able to is because I have a long-standing account with them.
I’ll update my post accordingly. – DONE
Please read my update at the very top of the post. If you’re tech savvy, you can stand up your own DNS server. But it might be outside of what a novice home user can accomplish.
BTW, I saw this in the documentation. Do I have to provide both?
What is the difference? Where do I find each one of them?
cloudflare_api_key: ' '
cloudflare_api_token: ' '
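An added example (not code from the original post or from the add-on) that ties the two questions above together: it builds the Cloudflare request the add-on would need for a DNS-01 wildcard certificate, selects the headers for whichever credential is configured (a scoped API token goes in an `Authorization: Bearer` header; the account-wide Global API Key must be sent together with the account e-mail in `X-Auth-Email`/`X-Auth-Key`), and refuses the `.cf`/`.ga`/`.gq`/`.ml`/`.tk` TLDs before making a request, since the API rejects them with error 1038 as quoted earlier in the thread. The validation record for a wildcard such as `*.home.mydomain.xyz` is a TXT record at `_acme-challenge.home.mydomain.xyz`, not a CNAME. The zone ID, token, key and TTL values are placeholders/assumptions, and the `send` step is not executed in the demo.

```python
"""Added example (not from the original post or the Let's Encrypt add-on's code):
build a Cloudflare DNS-01 TXT record request for a wildcard certificate,
choose between API token and Global API Key auth, and refuse the Freenom TLDs
that Cloudflare's API rejects with error 1038 before any request goes out.
Zone ID, credential values and the TTL below are placeholders/assumptions."""

import json
from urllib import request

CF_API = "https://api.cloudflare.com/client/v4"

# TLDs named in Cloudflare error 1038 (quoted in the thread).
API_BLOCKED_TLDS = ("cf", "ga", "gq", "ml", "tk")


def auth_headers(api_token=None, api_key=None, email=None):
    """Return the headers for one of Cloudflare's two auth schemes.

    A scoped API token goes in an Authorization: Bearer header; the
    account-wide Global API Key needs the account e-mail alongside it.
    Exactly one scheme must be supplied, never both.
    """
    if api_token and not api_key:
        return {"Authorization": f"Bearer {api_token}"}
    if api_key and email and not api_token:
        return {"X-Auth-Email": email, "X-Auth-Key": api_key}
    raise ValueError("provide api_token, or api_key together with email, not both")


def acme_challenge_name(domain):
    """Name of the DNS-01 validation record for `domain`.

    A wildcard request (*.example.ml) is validated at the base name, so the
    leading '*.' is dropped: _acme-challenge.example.ml
    """
    base = domain[2:] if domain.startswith("*.") else domain
    return f"_acme-challenge.{base}"


def is_api_blocked(domain):
    """True if the domain's TLD is one Cloudflare's API refuses (error 1038)."""
    tld = domain.rstrip(".").rsplit(".", 1)[-1].lower()
    return tld in API_BLOCKED_TLDS


def build_txt_request(zone_id, domain, token_value, headers):
    """Assemble (url, headers, body) for creating the challenge TXT record."""
    if is_api_blocked(domain):
        raise PermissionError(
            f"{domain}: Cloudflare's API refuses DNS changes for this TLD "
            "(error 1038); add the record through the Cloudflare Dashboard"
        )
    body = {
        "type": "TXT",
        "name": acme_challenge_name(domain),
        "content": token_value,
        "ttl": 120,  # assumed value; short so the challenge record expires quickly
    }
    hdrs = {**headers, "Content-Type": "application/json"}
    return f"{CF_API}/zones/{zone_id}/dns_records", hdrs, body


def send(url, headers, body):
    """Perform the POST; only reached for domains that passed the TLD check."""
    req = request.Request(url, data=json.dumps(body).encode(),
                          headers=headers, method="POST")
    with request.urlopen(req, timeout=10) as resp:  # real network call, not run in the demo
        return json.load(resp)


if __name__ == "__main__":
    hdrs = auth_headers(api_token="cf-token-placeholder")
    for dom in ("*.home.mydomain.xyz", "*.myfreenomdomain.ml"):
        try:
            url, h, body = build_txt_request("zone-id-placeholder", dom,
                                             "acme-token-placeholder", hdrs)
            print(dom, "->", body["name"], "via", url)
        except PermissionError as err:
            print("refused:", err)
```

Only one of the two add-on settings needs a value: either a scoped token (the least-privilege choice, since it can be limited to DNS edits on one zone) or the Global API Key plus your account e-mail. Supplying both is treated as a configuration error here rather than silently picking one.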
I can now access my UI at home.mydomain.xyz:8123 over an SSL connection. I kind of missed how you configured the homeassistant.home.mydomain.xyz subdomain and how you no longer have to use port 8123. Did I miss this, or is it a router setting (German Fritzbox)?
Thank you so much for this step-by-step guide!
I too have gone through the whole guide and everything mostly works but like jakethedog above I would like to see how I can create a subdomain for my home network too!
Setting up a sub-zone is kind of outside the scope of this document and is a bit more complex. It requires you to manage your internal network using a DNS resolver (dnsmasq in my case). Most home routers are not set up for this and the configuration can be wildly different.
Generally speaking, you need to find a setting that sets your local DNS domain. Your router might call this your local domain and some routers will default this to the router’s name.localdomain or something similar.
From there, you assign hostnames to your DHCP clients, either through your router’s DHCP settings or directly on each of your devices.
Now to your second point: I do not recommend using native port 443 or HomeAssistant port 8123 for your external access. Since 443 is the default port number for SSL connections, your IP address is going to get pounded by automated bots that are searching for vulnerable web servers. And using 8123 puts you in the same area where bots will be looking for Home Assistant servers that they can penetrate.
I’d recommend using a random port number, somewhere in the upper range, and then use your router’s port forwarding feature to send traffic from that port number to your Home Assistant’s IP on its standard port 8123.
“# Create a Cloudflare account”
I’ve had trouble because my email address ends with “.net.”
After filling out the required information to create an account on Cloudflare, I get an error message that says, “Email is REQUIRED!” In other words, it acts as if I’d left the field blank. Just a note for anyone else who has that problem, and maybe doesn’t understand what the problem is…
I’ll just have to use a gmail account for that…
( Honestly, I haven’t run into that problem in more than 30 years! When the Internet first went “mainstream” there were a few services that had that limitation–because whomever wrote the script for a form (to provide input validation) didn’t imagine that anyone’s email address could possibly end in anything other than “.com” but that hasn’t happened to me since the early days!)
And, BTW, thanks for taking the time & trouble of writing this tutorial!
and did a port forwarding 8123 → 443, so I can access it by using home.mydomain.xyz[:443] remotely.
How does homeassistant.home.mydomain work?
Just a heads up for security: I would NEVER expose HA externally. If you are using Cloudflare, use an app tunnel (free for like 10 services on each domain). That way your network is not exposed, but you can still access your system. Services like Shodan (and thousands like Shodan) scan the entire internet, every single IP, and look for all open ports, and you have invited hackers and really anyone into your main network with no security. Port Forwarding is a HORRIBLE idea and leaves you extremely vulnerable. If you must expose the actual site externally, set up a DMZ subnet and properly firewall off and segment your hosts on another subnet/VLAN. This is a HIGHLY advanced configuration though, and your home router will not be able to do this…
Using the Nabu Casa URL service is best. It’s cheap and worth it, you are not exposing your network, and you can still access it. OR, if you use Cloudflare, they have a feature called App Tunnels, which allows you to have public-facing apps (like HA/UptimeKuma/personal websites/etc…) hosted from your own servers in your home without exposing them through your firewall. It uses an agent that communicates with itself over its own 443 tunnel and caches your site/app if you want, plus other features, all for free! I do this with a handful of external-facing apps I have, and I do not have any open ports externally on my network. And then you get DDoS and other basic protection with Cloudflare.
I am a Lead Sr. Cyber Security Architect for a Fortune 500 financial firm, and I see a ton of things daily on attackers using new ways no one ever thought of to get in. You may say “it’s just my home network, who will care?” Well, sites like Shodan index your IP and open ports and what is running on those open ports, and bored hackers can have scripts that just go out and say “give me all Home Assistant instances available externally” and start attacking people’s homes, literally.
I, too, “do” cyber security for a Fortune 500 company. Security/convenience is going to be in the eye of the beholder. I’ve stated elsewhere in this forum why I am not a fan of Cloudflare’s app tunnel solution. (tl;dr: they are a man-in-the-middle and don’t provide end-to-end encryption)
I agree port-forwarding external 443 to 8123 is not ideal. It’s slightly better to do a non-standard random port, say 49731 to 8123. This will get around most script kiddies. Since I’ve set it up, I haven’t detected any intrusions or even scans of HA. Of course, your mileage will vary and it’s up to you to decide if it’s worth it to you.
If you are going to expose HA externally, set up multi-factor authentication.
Just wondering about this. It’s not mentioned anywhere that the add-on has this functionality and I stumbled on this thread while searching for this info
I’ve been running LE for almost 6 months now. I’ve had to trigger the rotation manually twice now by restarting the app. I’m not sure why I had to do that but I waited until 10 days before expiration. LE recommends rotating within 30 days of expiration.