i can now access my ui with home.mydomain.xyz:8123 with an ssl connection. I kinda missed how you configured the homeassitant.home.mydomain.xyz subdomain and how you do not have to use the 8123 port anymore. Did i miss this or is it a router setting (german fritzbox)
Thank you so much for this step-by-step guide!
I too have gone through the whole guide and everything mostly works but like jakethedog above I would like to see how I can create a subdomain for my home network too!
Setting up a sub-zone is kind of outside the scope of this document and is a bit more complex. It requires you to manage your internal network using a DNS resolver (dnsmasq in my case). Most home routers are not set up for this and the configuration can be wildly different.
Generally speaking, you need to find a setting that sets your local DNS domain. Your router might call this your local domain and some routers will default this to the router’s name.localdomain or something similar.
From there, you assign hostnames to your DHCP clients, either through your router’s DHCP settings or directly on each of your devices.
Now to your second point: I do not recommend using native port 443 or HomeAssistant port 8123 for your external access. Since 443 is the default port number for SSL connections, your IP address is going to get pounded by automated bots that are searching for vulnerable web servers. And using 8123 puts you in the same area where bots will be looking for Home Assistant servers that they can penetrate.
I’d recommend using a random port number, somewhere in the upper range and then use your router’s port forwarding feature to send traffic from that port number to your Home Assistant’s IP on it’s standard port 8123.
“# Create a Cloudflare account”
I’ve had trouble because my email address ends with “.net.”
After filling out the required information to create an account on Cloudflare, I get an error message that says, “Email is REQUIRED!” In other words, it acts as if I’d left the field blank. Just a note for anyone else who has that problem, and maybe doesn’t understand what the problem is…
I’ll just have to use a gmail account for that…
( Honestly, I haven’t run into that problem in more than 30 years! When the Internet first went “mainstream” there were a few services that had that limitation–because whomever wrote the script for a form (to provide input validation) didn’t imagine that anyone’s email address could possibly end in anything other than “.com” but that hasn’t happened to me since the early days!)
And, BTW, thanks for taking the time & trouble of writing this tutorial!
and did a port forwarding 8123 → 443. so i can access by using home.mydomain.xyz[:443] remotely.
how does homeasstant.home.mydomain work?
Just a heads up for security, I would NEVER expose HA externally. If you are using Cloudflare, use an app tunnel (free for like 10 services on each domain). That way your network is not exposed, but you can still access your system. Services like Shodan (and thousands like Shodan), scan the entire internet and every single IP and look for all ports open, and you invited hackers and really anyone into your main network with no security. Port Forwarding is a HORRIBLE idea and leaves you extremely vulnerable. If you must expose the actual site external, setup a DMZ subnet and properly firewall off and segment your hosts on another subnet/vlan. This is a HIGHLY advanced configuration though and your home router will not be able to do this…
Using the Naba.casa URL service is best. Its cheap and worth it and you are not exposing your network, and still makes it where you can access it. OR if you use Cloudflare, they have a feature called App Tunnels, and that allows you to have public facing apps (like HA/UptimeKuma/personal websites/etc…) hosted from your own servers in your home and not expose through your firewall. It uses an agent that communicates with itself over its own 443 tunnel and caches your site/app if you want, and other features, all for free! I do this with a handful of external facing apps I have and I do not have any open ports external on my network. And then you get DDoS and other basics protection with Cloudflare.
I am a Lead Sr. Cyber Security Architect for a fortune 500 financial firm, and see a ton of things daily on attackers using new ways no one ever thought of to get in. You may say “its just my home network, who will care” Well, Sites like Shodan index your IP and open ports and what is running in those open ports and bored hackers can have scripts that just go out and saw give me all home assistant available external and start attacking peoples homes, literally.
I, too, “do” cyber security for a fortune 500 company. Security/convenience is going to be in the eye of the beholder. I’ve stated elsewhere in this forum why I am not a fan of Cloudflare’s app tunnel solution. (tl;dr: they are a man-in-the-middle and doesn’t provide end-to-end encryption)
I agree port-forwarding external 443 to 8123 is not ideal. It’s slightly better to do a non-standard random port, say 49731 to 8123. This will get around most script kiddies. Since I’ve set it up, I haven’t detected any intrusions or even scans of HA. Of course, your mileage will vary and it’s up to you to decide if it’s worth it to you.
If you are going to expose HA externally, set up multi-factor authentication.
Just wondering about this. It’s not mentioned anywhere that the add-on has this functionality and I stumbled on this thread while searching for this info
I’ve been running LE for almost 6 months now. I’ve had to trigger the rotation manually twice now by restarting the app. I’m not sure why I had to do that but I waited until 10 days before expiration. LE recommends rotating within 30 days of expiration.
hello,
i followed the instruction, i am able to access my HA remotely using cloudflare tunnel, When I start lets encrypt, it generated SSL certificate but then stops. Is it normal? I s Lets encrypt required to rum all times? i have set it to run at boot.
s6-rc: info: service s6rc-oneshot-runner: starting
s6-rc: info: service s6rc-oneshot-runner successfully started
s6-rc: info: service fix-attrs: starting
s6-rc: info: service fix-attrs successfully started
s6-rc: info: service legacy-cont-init: starting
cont-init: info: running /etc/cont-init.d/file-structure.sh
cont-init: info: /etc/cont-init.d/file-structure.sh exited 0
s6-rc: info: service legacy-cont-init successfully started
s6-rc: info: service legacy-services: starting
services-up: info: copying legacy longrun lets-encrypt (no readiness notification)
s6-rc: info: service legacy-services successfully started
[00:34:29] INFO: Selected DNS Provider: dns-cloudflare
[00:34:29] INFO: Use propagation seconds: 60
[00:34:30] INFO: Use CloudFlare token
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Certificate not yet due for renewal
Certificate not yet due for renewal; no action taken.
s6-rc: info: service legacy-services: stopping
s6-rc: info: service legacy-services successfully stopped
s6-rc: info: service legacy-cont-init: stopping
s6-rc: info: service legacy-cont-init successfully stopped
s6-rc: info: service fix-attrs: stopping
s6-rc: info: service fix-attrs successfully stopped
s6-rc: info: service s6rc-oneshot-runner: stopping
s6-rc: info: service s6rc-oneshot-runner successfully stopped
If you’re using Cloudflare tunnel, you shouldn’t need Let’s Encrypt since Cloudflare is encrypting the connection from your device, to CF, then to your Home Assistant.
The recommendation from LE is to run certbot daily.
21 days later I see this, LOL. Sorry, I’m not in the forums very much, and i dont get emails or if my spam is catching, i gotta check my settings.
anyways, love the i “do” cyber security too, LOL! but true, never thought of using another random port. Yeah, Cloudflare is a man in the middle solution. I like that they dont hae a shady history or anything and their tunnel solution is basically sending the site over their own connection via the agent and not a true port fwd, atleast thats how I understand it. This type of proxying or reverse proxying, and not in the true type of proxying is a bit confusing and doing more research on it. But I host my DNS items through Cloudflare for my Domains. I dont like using any port fwd unless I need to because a port scanner would find any open port. But if you secure it propper ;). And yes, USE MFA is a massive true statement.
For my services that I MUST port fwd, i.e. plex, I setup a type of DMZ VLAN / Subnet that those hosts live in and are in a very strict walled garden. So my personal devices (computers, laptops, tablets, phones, etc…) are secured and my “default” vlan on any port in my house/ switch is my “guest” VLAN and my personal secure VLAN/Subnet is on its own so a port/SSID has to be configured to let a device talk to my personal devices. and then my IoT subnet/VLAN where I have some port to port open from my other network for DNS Multicast and things like that for ChromeCast and other features to work with my TV’s and equipment. And I run an active directory domain and rack of servers with ESXi/vCenter running to host all my virtual servers (about 25 and VM desktops for throw away systems) and my home automation, HA, is on the ESXi cluster using USB passthru to connect to ZWave/Zigbee/Matter/etc… Then I have a VLAN/Subnet that does nothing but direct internet access out, no talk to eachother, no ports, no nothing just OUT. this is for my Cell phone repeaters (3800 Sqft house build in 2019 and has stucco/chicken wire in the walls grounded and the roof is lined with a foil radiant berrior and other thermal optimizations, make the second you go in my house, all cell signal is GONE! LOL… and my work Access Point that gives my work laptop my work SSID and secure tunnel back.
I just hit my first LetsEncrypt cert renewal and I dont restart my HA server often, and the Lets Encrypt service starts at startup and if cert not needed, it doesnt pull it new and stops.
So if your cert expires before next restart, it will not. But you can go in and start the LE add on and it WILL go out and renew it if within time. Setup a script or CRON to turn on that add on every day might get around that.
