2024/06/28/using-cloudflare-zerotrust-and-mtls-with-home-assistant-via-the-internet/

[giscus[bot]]

2024/06/28/using-cloudflare-zerotrust-and-mtls-with-home-assistant-via-the-internet/

I’m a big fan of Home Assistant, and until now I only had it accessible from inside my own network. Outside access was only possible through a WireGuard VPN. This works, but isn’t very practical - definitely when I quickly want to check something, or need to diagnose something while on the road, having to toggle the VPN & hope that the DNS resolution works (which sometimes it doesn’t) - the extra hoops make it annoying. Add to that that the location features of Home Assistant aren’t useful until the location of the device is updated in Home Assistant…

https://kcore.org/2024/06/28/using-cloudflare-zerotrust-and-mtls-with-home-assistant-via-the-internet/

[latez]

Hey there, just found this post - great work and thanks for putting this out there. Looking to secure my HA deployment in a similar manner. Question, are you using anything like Google Assistant or Alexa with this setup? If so, did it require any additional configuration? Thanks in advance!

[jdeluyck]

Hi,

No, I do not use either so I have no experience integrating those with Home Assistant.

[delaineS]

Hello! first of all thanks for the guide. i managed to do everything except for my iphone because i can't access it. do you have any suggestions? thanks

[jdeluyck]

Hi,

I don't own any Apple devices, so I have no experience with it.
As far as I can find, it seems that due to limitations on the Apple side it's not supported.

https://community.home-assistant.io/t/client-side-certificate-support/24361
home-assistant/iOS#27 (comment)

[merceroz]

For iPhone users ... you can install the certificate on your iPhone. Get the file to your phone - email, air drop or iCloud files etc - then open it and follow the prompts to install. This page shows the basic process - NOTE the screen shots are for a vendor other than Cloudflare but the process is the same.

Once the certificate is installed access via Safari works. The first time you open the home assistant page it will ask you to confirm you want to use the certificate. You won't be asked subsequently.

The Home Assistant App does NOT work.

[aventustudio]

Another thing you need to do (which I missed and caused me to waste a lot of time) is to add the hostname for which you want cloudflare to issue a “client certificate request” to the browser or app.

(╯°□°）╯︵ ┻━┻

Wow, I had the same problem. Thank you for your blog post.

[smarcus3]

I've tried to follow these directions and able to access without the certification security enabled. Once enabled I am never able to access the account and is always blocked. I've double checked the directions but no luck. Any thoughts?

[smarcus3]

No popup appeared in Android on either the app or going directly to the link

[smarcus3]

Its back to blocking all connections in Windows and Android chrome without giving any popups. :( I have no idea whats happening.

[smarcus3]

I believe the WAF rule was causing the issue. This appears more robust for me at least (not cf.tls_client_auth.cert_verified and http.host in {"SUBDOMAIN.DOMAIN.org"})

[jdeluyck]

Odd, that reads wrong - not cert_verified and the domain means that everything without the cert should be able to get in, which is the reverse of what you'd want.

[smarcus3]

My current blocking rule: (not cf.tls_client_auth.cert_verified and http.host ne "ha.marcusengineering.org")

[heidricha]

good description, but needs some mnore.

The certificate and the WAF looks ok now, but I cannot disable other authentication (like mail, or github) for the application (on the CF dashboard) so the android app still cannot use the URL
I can access from browser, always could, now also need the client certificate, but gained no other advantage

[jdeluyck]

I'm guessing you have configured some other parts of the Zero trust configuration, where you can actually set that it needs to allow certain email domains for authentication. These do not work together with the mTLS configuration - I found out that the hard way when playing around with it.

[brake16]

Thanks for this write-up. I've gotten almost everything to work except using openssl to create the .pfx file. I know I have the certificate (mtls.cert.pem) and private key (mtls.key.pem) files, and they appear to be in the proper format (appropriate headers). They are on my desktop, and I've navigated to my desktop from within the cmd prompt. The error I get is "Could not find certificates from -in file from C:\Users\me\Desktop\mtls.cert.pem". When I look at the file in Notepad, it starts with the appropriate header (-----BEGIN CERTIFICATE-----), ends correctly (-----END CERTIFICATE-----; followed by a carriage return), and each gibberish line has 64 characters, except the last which is less. Any ideas what's going wrong?

[brake16]

Figured it out. The pem files weren't UTF8 encoded.

[brake16]

For future users: in Notepad, choose Save As to switch encoding to UTF8.
Also, in the companion app, make sure your website starts with https. The app won't let http work.
Lastly, to get your watch setup with the certificate, log out of HA on the watch, then log back in. The companion app on the phone will let you select the certificate during the subsequent watch setup.

[YanisKyr]

Followed these steps and it works fine up to a certain point. I guess the last bit is the most important, as I can't access Home Assistant from outside yet :)

Cloudflare notified me that a certificate expires soon. It the cert that was set-up when I started using Cloudflared and Zero Trust tunnel.

Is there a way to make the new mTLS cert I created based on your guide work with with that? When I try to upload the ones I created following your steps, I get this error (CA certificate chain contains a leaf certificate):
https://i.imgur.com/Y11VLjh.png

[brake16]

The cert that was created by following the guide is for your phone, not Cloudflare.

[YanisKyr]

took me a while, but I got it in the end :D

[vrtareg]

I was trying to follow the whole process number of times but I only got Grocy app working as it has asked if I want to use it stalled certificate and connected properly.

Firefox, Firefox Beta, Firefox with secret features enabled and CA store option enabled, Chrome and Home Assistant app are completely ignoring the certificate for Cloudflare...

Last resort rebooting the phone and then will check certificate encoding also.

I also tried to add my main Cloudflare certificate to the client certificate to make a chain.

Has anything changed in latest Android which is breaking this functionality?

[jdeluyck]

Not that I'm aware - I'm still using the same setup with an Android 15 based device.

[vrtareg]

That is quite interesting.

I was fighting with it on my Xiaomi with Android 14 and Lenovo Tab Android 10 for a while and discovered following

• Certificate files need to be created in editor which supports UTF-8 and after last certificate line there needs to be a new line
• It is better to create p12 file rather than pfx one, no idea why pfx was completely ignored
• On earlier Android versions it is necessary to use -legacy option for openssl
• In Chrome it is necessary to disable "Experimental QUIC protocol" option in "chrome://flags"
• Firefox was able to ask for certificate selection once after enabling developer secret settings and turning on " Use third party CA certificates" option

Currently I have all my Cloudflared hosts secured by mTLS, username and password and 2FA if available which is working from Grocy, HomeAssistant apps and in Chrome. Firefox is not working yet....

So my plan is to use Chrome when I am not in my network and Firefox at home or over Wireguard.

[Guirigall]

Thanks a lot for this guide, worked a treat!

[ntzb]

thanks for the detailed guide!
I kept getting blocked no matter what I did.
my DNS is also managed by cloudflare, and it only started working once I turned on DNSSEC in the cloudflare DNS settings.
hopefully this helps someone.

[vrtareg]

@ntzb - it looks like quite a challenge to enable DNSSEC on a Cloudflare when domain is managed on Ionos ...