I am new to this community - hope I am in the right area. Been watching dozens of videos on how to do this correctly and only getting part-way there. I think I have narrowed it down to the CERT that I am getting in the Origin SSL area.
I was using DuckDNS (I have since removed all of that from my HomeAssistant server and pfSense). I did purchase my own domain, and I have adjusted the NameServers there with the ones from CF. I also have set pfSense to use 1.1.1.1 and 1.0.0.1 instead of my ISP's DNS servers (COMCAST BTW). The WAN port on my pfSense has had the same Public IP for 5 months now - and I was advised by Comcast that this rarely changes unless I remove my modem for 24+ hours.
I can get as far as accessing my HomeAssistant server from the Internet (from a browser) using the FQDN and I hit a wall. I get an unknown DNS name error. I tried using the A record that I set up in CF - and I get timeout errors.
I have also tried using the @ in the A record - but that does not work either.
If I am local to my HA server and I have installed the CERT into my HomeAssistant - I get a Cert Error (and it does connect but is not encrypted). The main difference that I see in the .PEM file I created from DuckDNS and the one from CF is the DuckDNS .PEM had 3 sections of (—begin / end—) within it - the one I get at CF has only 1.
Are you using a Cloudflare Origin certificate? Those aren’t recognized by web browsers. They are for use between the origin and Cloudflare only and are issued from a Cloudflare private CA. You won’t want to use one of those if you allow traffic from sources other than Cloudflare.
Are you port-forwarding from your pfSense to your HomeAssistant? Does your HomeAssistant instance know to use the host name you are trying to access it with? Does your HomeAssistant instance have a certificate issued by a recognized authority that covers that host name?
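A quick way to see the difference the reply describes (one PEM block issued by Cloudflare's private Origin CA versus a leaf plus its public chain, the three blocks the DuckDNS/Let's Encrypt bundle had) is to split the bundle and read each certificate's subject and issuer. The script below is an added example, not code from this thread, Cloudflare or Home Assistant. It parses the DER structure directly with the standard library, so it runs offline; the sample bundles are constructed (no real keys or signatures) and the "Origin" substring match on the issuer CN is an assumption based on the issuer name Cloudflare's Origin CA uses.

```python
"""Inspect a PEM bundle: count certificate blocks and read subject/issuer CN
from each, to tell a lone Origin-CA leaf from a leaf shipped with its chain."""
import base64
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)
OID_CN = bytes.fromhex("550403")  # id-at-commonName, 2.5.4.3


def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits say how many length bytes follow
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Split the body of a constructed DER value into (tag, value) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        out.append((tag, val))
    return out


def _common_name(name_der):
    """Name ::= SEQUENCE OF SET OF SEQUENCE { OID, value }; return the CN."""
    for _, rdn_set in _children(name_der):
        for _, attr in _children(rdn_set):
            oid, val = _children(attr)
            if oid[1] == OID_CN:
                return val[1].decode("utf-8", "replace")
    return ""


def cert_names(der):
    """Return (subject_cn, issuer_cn) of one DER-encoded X.509 certificate."""
    _, cert, _ = _tlv(der, 0)          # Certificate SEQUENCE
    fields = _children(_children(cert)[0][1])  # tbsCertificate fields
    if fields[0][0] == 0xA0:           # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, ...
    return _common_name(fields[4][1]), _common_name(fields[2][1])


def analyze_bundle(pem_text):
    """Describe what a browser would be handed if this bundle were served."""
    blocks = [base64.b64decode(b) for b in PEM_BLOCK.findall(pem_text)]
    chain = [cert_names(der) for der in blocks]
    subject, issuer = chain[0]
    # Assumption: Cloudflare Origin CA issuer names contain "Origin".
    origin_ca = "Origin" in issuer
    if origin_ca:
        verdict = "Origin CA leaf: trusted by Cloudflare's edge only, browsers warn"
    elif len(blocks) == 1 and subject == issuer:
        verdict = "self-signed certificate: browsers warn"
    elif len(blocks) == 1:
        verdict = "leaf without its chain: serve the full chain, not cert only"
    else:
        verdict = f"leaf plus {len(blocks) - 1} chain certificate(s)"
    return {"blocks": len(blocks), "chain": chain,
            "issued_by_origin_ca": origin_ca, "verdict": verdict}


# --- constructed sample data (certificate-shaped DER, unsigned, no key) ---
def _der(tag, content):
    n = len(content)
    hdr = bytes([tag, n]) if n < 0x80 else bytes([tag, 0x82, n >> 8, n & 0xFF])
    return hdr + content


def _name(cn):
    attr = _der(0x30, _der(0x06, OID_CN) + _der(0x0C, cn.encode()))
    return _der(0x30, _der(0x31, attr))


def sample_cert(subject_cn, issuer_cn):
    """Constructed placeholder certificate; real ones carry a key and signature."""
    tbs = _der(0x30, b"".join([
        _der(0xA0, _der(0x02, b"\x02")),                    # version v3
        _der(0x02, b"\x01"),                                # serialNumber
        _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b"))),
        _name(issuer_cn),
        _der(0x30, _der(0x18, b"20240101000000Z") + _der(0x18, b"20250101000000Z")),
        _name(subject_cn),
        _der(0x30, b""),                                    # SPKI placeholder
    ]))
    return _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))


def to_pem(der):
    return "-----BEGIN CERTIFICATE-----\n%s-----END CERTIFICATE-----\n" % (
        base64.encodebytes(der).decode())


# Shape of a Let's Encrypt style bundle (leaf + intermediate + root, 3 blocks)
LETSENCRYPT_STYLE = "".join(to_pem(sample_cert(s, i)) for s, i in [
    ("ha.example.com", "R3"), ("R3", "ISRG Root X1"),
    ("ISRG Root X1", "ISRG Root X1")])
# Shape of a lone Cloudflare Origin certificate (1 block)
ORIGIN_STYLE = to_pem(sample_cert(
    "ha.example.com", "CloudFlare Origin SSL Certificate Authority"))

if __name__ == "__main__":
    for label, pem in (("fullchain", LETSENCRYPT_STYLE), ("origin", ORIGIN_STYLE)):
        print(label, analyze_bundle(pem))
```

Run it against your real files by reading them into `analyze_bundle`; a one-block bundle whose issuer is the Cloudflare Origin CA is exactly the case the reply warns about, and the fix is a certificate from a publicly trusted CA (served with its chain) if anything other than Cloudflare's proxy will connect to the origin.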
Thank you for the explanation – I fought with it for 4 days. Someone in another post advised that my browser was “Always” going to give the error.
I just did not understand - as when I was using DuckDNS…I never had that problem, but it appears that the setup for that also pulled in a "Let's Encrypt" set of certs as well. When applied they took the Root and Int CA roles.
From outside my network, I am able to connect with a browser and do not get the SSL errors - now that I have a CERT for the DNS specific name on Cloudflare and not a ROOT domain Cert.
Now I get to figure out why choosing port 2053 (or one of the others for Cloudflare) does not work. I cannot connect to anything unless I leave the port off. In pfSense I have a NAT setup to pass 2053 traffic to the specific IP Address of my HomeAssistant server at port 8123 - but it does not work.