New Add-On: Cloudflared

Create Tunnel API call failed: tunnel with name already exists

Slightly different problem than the one @KjellG described but I believe it’s kind of related, at least after reading @Alec reply.

First of all, I do agree, it is excellent work and add-on from @brenner-tobias - while it lasted. Unfortunately the programmer could not integrate my newbie dumbness into the code :wink:

I just installed HA a few days ago and as I was closely following several YT channel on this topic this was one of the first add-on I installed, I even figured out how to set it up with a subdomain instead of my main. (very proud)

Was working excellently, and I played around in HA for days, installed add-ons, etc. Then I received my memory and SSD upgrade for my m720q so I could finish the whole setup and go “production”. As you would expect at this point, I decided to start fresh with Proxmox and HA. When I logged in (obviously a new instance of) HA and installed the Cloudflared it did not work, and keeps complaining about an existing channel.

I deleted my domain from Cloudflare (several times), gone back to the initial snapshot I made when I installed the HA VM and tried all combinations I can think of. Obviously it would work with a different domain, but unfortunately I need to use my own (paid) one.

By the way, this does not exist any more: https://dash.teams.cloudflare.com

Any help please as this drives me crazy!!!

Add-on version: 4.0.7
You are running the latest version of this add-on.
System: Home Assistant OS 9.4 (amd64 / qemux86-64)
Home Assistant Core: 2022.12.8
Home Assistant Supervisor: 2022.11.2


[21:06:46] INFO: Checking add-on config…
[21:06:46] INFO: Checking for existing certificate…
[21:06:46] INFO: Existing certificate found
[21:06:46] INFO: Checking for existing tunnel…
[21:06:46] NOTICE: No tunnel file found
[21:06:46] INFO: Creating new tunnel…
failed to create tunnel: Create Tunnel API call failed: tunnel with name already exists
[21:06:47] FATAL: Failed to create tunnel.
Please check the Cloudflare Teams Dashboard for an existing tunnel with the name homeassistant and delete it:
https://dash.teams.cloudflare.com/ Access / Tunnels
s6-rc: warning: unable to start service init-cloudflared-config: command exited 1
/run/s6/basedir/scripts/rc.init: warning: s6-rc failed to properly bring all the services up! Check your logs (in /run/uncaught-logs/current if you have in-container logging) for more information.
prog: fatal: stopping the container.

Can I add to the tunnel only a subdomain?
I would like to keep my first level domain to point to my vps (I have hosted my website) than I would like to point only a subdomain to use it for home assitant.
so

mydomain.com → leave as it is to point to my vps
sub.mydomain.com → use it for cloudflare

How can I set a different nameserver only for the subdomain?

The way I’ve done it was first I created the tunnel for the main domain. Then I changed it in the add-on to the sub and on the Cloudflare side I created a CNAME record for the subdomain and copied the authentication key over. Worked flawlessly, until it’s not, but that’s nothing to do with the setting :wink:

There are actually two answers to that:

First of all, nameservers are defined per domain (e.g. example.com). So you have to move your complete domain to Cloudflare nameservers.
This does not mean though, that you have to use your “main” domain for anything HA or Cloudflare tunnel related. You can easily point your main domain to any server using regular A, AAA or CNAME DNS entries, which will be automatically imported from Cloudflare once you migrate your domain from your old nameservers. You can than simply add any subdomain in the HA Cloudflare Add-On (e.g. ha.example.com) as external hostname and the add-on will automatically create the subdomain and route it through the tunnel, without affecting your main domain at all.

Let me know if this is this helps.

Thanks for the effort developing this, easy to move from duckdns+letsencrypt to this for a networking novice.

I have also had success with zero trust email auth for desktops and gateway certificates for mobile devices through WARP. Seems overkill but it works!

This might be a simple question, but with the addon are there any risks with the internal page now not served over SSL just http? I have other IOT devices integrations in the same network with external internet access like google speakers etc. Does setting up another certificate to cover internal traffic through letsencrypt do anything further?

I’m facing an issue that Home Assistant app on iOS / iPhone is failing to update location and other sensors information when connecting to HA using Cloudflared addon.

Exactly to the moment of automatic or forced manual updates there is an error in the HA Companion App:

2023-01-06 14:39:37.478 [Info] [main] [ClientEventStore.swift:8] ClientEventStore > networkRequest: Webhook failed with status code 503 [:]
2023-01-06 14:39:37.482 [Error] [main] [WebhookManager.swift:633] urlSession(_:task:didCompleteWithError:) > failed request to 6BEA5895-63A8-42B1-9FFC-5801A86BB1DB for WebhookResponseLocation: unacceptableStatusCode(503)

In Cloudflare account:

  • Bot Fight Mode is disabled
  • Browser Header check is disabled
  • Security event list is empty

Besides iphone sensort pushes all works perfectly.

The problem appeared from day 1 once I switched to Cloudflared method of exposing HA to the Internet. Nabu Casa cloud subscribtion didn’t have this problem on the same hardware / HA and app configuration (as tested couple of days ago).

I’m a bit lost on how to troubleshoot this, because:

  • HA Companion app does not say which exactly API / URL it tries to reach.
  • HA Companion app does not log headers, body reponse for 503 error
  • Cloudflare does not offer access logs for Free plan, nor security event logging
  • HA backend does not log requests
  • Cloudflared Addon does not log requests

Any ideas what I can try?

I’ve started the separate thread [1], because it may be easy to exchange ideas specifically about this issue

Refs

  1. Webhook failed with status code 503 updating geo-location over Cloudflared

Cloudflare should log blocked requests under Security/WAF.

Security / Events list is empty. Is Cloudflare is just forwarding the response from the backend? Is it possible to see the log of requests, which HomeAssistant is responding? Which URL/API is actually used to send location sensor update from the iPhone/IOS/Companion app?
(Many questions, but I’m a bit lost)

Have you got any Firewall rules set up at all? You should set up a default of Deny and selectively Allow connections on specific criteria. Then you will also see all requests in the Security/Event log.

The Companion app uses various URLs under /api/ (you can use a more fine-grained setup than just allow everything under /api in your zero-trust “applications”). You will have to add ByPass rules for these in Zero-Trust in addition to the WAF.

1 Like

Thanks for the tip @mundschenk-at! It works!

As soon as I’ve created an explicit allow rule in Cloudflare Security/WAF to target host, two things has happened:

  1. I’ve started seeing in Security/Events both accepts and rejections.
  2. Location update webhook calls from iOS Companion app were allowed to pass (HTTP 200).

I’ve created the WAF rule with the action Allow:

(http.host eq "xx.yyy.de")

Now the location update from iPhone works even when HA is not logged into Nabu Casa Subscription.

I’ve created a pull request with the addition to the Troubleshooting section of the addon documentation.

Hope @brenner-tobias can incorporate it into main repo to help future users with the fix.

I think this rule is an important configuration, otherwise location updates just don’t get through.

(I feel a bit sorry to cancel my Nabu Casa subscription, because appreciate a lot the work guys at Nabu Casa do to run Home Assistant project. I sponsor the project now directly over GitHub project sponsorship. The current addon is also an excellent piece of software - very smooth first-time-user experience, especially autoconfiguration of tunnels, exceptional level of documentation - maybe @brenner-tobias would also like add a sponsorship option to his GitHub project so users like me can cheer his and other contributors work)

Does the cloudflared add-on interfere with nginx proxy manager certificate renewal?
Initially I only had NPM running for multiple services with duckdns, which I then switched to cloudflared with my own domain.
I just noticed that meanwhile NPM is not automatically renewing certificates anymore, not sure if this is since I started to use cloudflared, but at the moment I have no other idea about what could be the root cause.
I can still manually renew certificates in NPM (for domains coming from cloudflare as well as from duckdns, which is not coming via cloudflare), but automatic renewal is not happening and “test server reachability” in NPM shows “Communication with the API failed, is NPM running correctly?”.

One question, i have configured cloudflared for my HA system and its working fine. My brother want use the same main domain but with another subsomain. Is it possible to create two different tunnels for one main domain?

Yes. I even have two different tunnels for 2 separate Home assistant installations in two different homes.
In configuration in cloudflare you can configure many subdomains so you can access different local URLs.
take a look at the add-on doc

1 Like

:laughing:

Yes, ihe have read it allready

addon-cloudflared/remote-tunnel.md at main · brenner-tobias/addon-cloudflared (github.com)

Rule 1, read the documentation :stuck_out_tongue_winking_eye:

You can also use local tunnel for it:

Firstly, anything that is not coming over the tunnel (e.g. duckdns domain) should not be affected.
Secondly, yes it seems like the automatic renewal process is not working anymore, but the manual one should not either. Your Domains do not expose your hosts anymore directly to the web but instead expose a reverse proxy server, that is getting the needed responses via the tunnel from your systems.
So the certificates for the Websites need to be valid for this reverse proxy. Luckily, all of these certificates are automatically created by Cloudflare, so you do not have to take care of that.
One drawback is that you cannot download these universal certificates (which are used in the free plan) to use for local connections. So for your local connections, you have to find another way e.g. using self-signed certificates.

I’m not sure if this helps; How to configure Let’s Encrypt SSL Certificates for Home Assistant completely 100% free (Updated for 2022/2023) - Configuration - Home Assistant Community (home-assistant.io) - you could get certbot to register with cloudflare DNS to get the letsencrypt certificates - well the ones on the cloudflare DNS anyway

The Let’s Encrypt add-on works very well to configure a valid “local” certificate for HA.

1 Like

This is a great addon, thank you very much! Great for those stuck behind CGNAT :stuck_out_tongue:

One issue I am having is, I created a tunnel and everything was working fine, however I decided I wanted to change the tunnel name so I can easily identify what tunnel is for what.

I deleted the tunnel in cloudflare and confirmed that all assigned configuration was removed, including the CNAME record.

I then uninstalled the addon and reinstalled and setup again from scratch, and entered the new tunnel name, however it somehow found an existing tunnel with the same ID, and I assume just gave it the same name as the tunnel was created again with the same name even after specifying in the addon setting to give it a specific tunnel name.

Any ideas?

Thanks

Let’s Encrypt supports many popular DNS providers:

You can also set up DNS authentication manually by using a TXT record provided during setup.

2 Likes