Setting up Tesla Integration with Home Assistant and CloudFlare

In the wake of Tesla discontinuing their REST-API, managing your vehicle via Home Assistant (HA) has become a tad more intricate but not impossible. You’re faced with a choice: opt for a Tessie subscription or, for the DIY enthusiasts, directly link your Tesla Integration with Home Assistant. Both paths have merits, but let’s dive into the latter for those who love a good project.

Preparation: To use the API you have to register a developer account with Tesla and (at least formally) register an app. When setting up the app, Tesla requires a web server that can be accessed from the Internet and one which certain certificates are stored. 

Therefore, the software components are first installed and configured on the HA server. The server will later be made accessible on the Internet and the Tesla developer account will then be created including app registration. 

Here are the steps, with the assumption that you have Home Assistant already operational and is running in Home Assistant Operating System mode.

If you are running Home Assistant on Docker follow this guide.

1. Ensure your Home Assistant is accessible over the internet.
2. Install Apache 2 Minimal Web Server
3. Enable a Secondary Cloudflare Zero Trust tunnel
4. Create a Tesla developer account
5. Install Tesla HTTP Proxy configuration
6. Install the Tesla Custom integration

1. Ensure Home Assistant is accessible of the internet

It is critical that the Tesla Service can access your HA instance, I’ve previously written a blog showing how to do this with Cloudflare Zero Trust. You can use other methods providing Tesla recognise the SSL certificate.

Note: If you have tightened up your security and implemented geo-blocking or equivalent you will need to remove this to ensure your website is accessible from anywhere on the internet until configured.

Alternative: If you’re looking to redirect your router’s traffic and use port forwarding to channel it to port 443 on your web server, alongside implementing DuckDNS, I recommend following the guidance provided in the Tesla Integration wiki.

2. Install Apache2 Minimal Web Server

Tesla requires access to a couple of private keys to validate your configuration. This is best hosted via a plain old Apache2 web server which is accessed through a Cloudflare Zero Trust tunnel.

2.1 Kickstarting web server installation

Start by adding the HA-Addons repository. You can do this manually with the provided GitHub repository link or simply click the ‘Add Repository’ button below for a quick setup and add the repository.

2.2 Navigating to the Add-On Store

After adding the repository, head over to your Home Assistant and go to Settings > Add-Ons, then tap on the Add-On Store and install the Apache2 Minimal Add-On.

2.3 Start the Apache2 installation.

Click on the install button to download and install the Apache2 Minimal web server.

2.4 Start up options.

Enable the startup options to ensure it stays up-to-date and doesn’t crash.

2.5 Configuration Tab

Connect to the configuration tab and fill out the details as per example below with your appropriate domain name.

2.6 Create your apache.conf file.

Login via ssh to your Home Assistant host and create the 000-default.conf file in the /share/apache2/ directory as per below.

<VirtualHost *:80>
  ServerName tesla.smartmotion.life
  DocumentRoot /share/tesla/
  <Directory "/share/tesla">
    Require all granted
  </Directory>
  Alias "/.well-known/appspecific/" "/share/tesla/"
  <Location "/">
    Require all denied
  </Location>
  <Location "/.well-known/appspecific">
    Require all granted
  </Location>
</VirtualHost>

2.7 Start your web server

3. Enable a Secondary Zero Trust tunnel.

Step 1 showed you how you can connect to your HA instance via a Cloudflare Zero trust tunnel. This negates the need to modify your router and port forward and manages the SSL certificate for you. With this configuration you will setup a second website so you will have two URL’s pointing at the HA host. One is your HA instance, the other is the Apache server setup in step 2. This will be used to share the *pem files with Tesla to validate and authenticate the Tesla API.

3.1 Get started

Visit CloudFlare website, sign in with your account.

3.2 Navigate to Zero Trust tunnel

Create a zero trust tunnel, and chose Configure.

3.3 Add a public hostname

You should already have one which was defined in step 1, choose to add one for Tesla API to authenticate against.

3.4 Configuring your Tesla API public host name

When setting up your Apache2 web server, it’s essential to designate a subdomain specifically for Tesla’s API authentication. This step is crucial as it establishes a direct line of communication between Tesla’s services and your setup. Given that the Cloudflare Zero Trust tunnel provides robust encryption, you can confidently operate this connection over port 80. This choice ensures a seamless flow of traffic straight from Cloudflare’s secure endpoints to your Home Assistant (HA) host, all the while maintaining the integrity and confidentiality of your data.

During this process, your server will host *.pem files in a public directory. These files are critical for the authentication process, serving as digital certificates that verify your server’s identity to Tesla’s API. It’s important to note that while these files are accessible, they are securely managed and play a pivotal role in the authentication sequence, ensuring that only authorised requests are processed by your Tesla API application.

By carefully following these guidelines, you’ll establish a secure and efficient communication channel between your Home Assistant setup and Tesla, enabling advanced control and integration of your vehicle with your smart home ecosystem.

4. Create a Tesla developer account

4.1 Get going with your Tesla Developer account.

Go to developer.tesla.com and register as a developer with your standard Tesla account. Two-factor authentication must be set up for the account; I used Microsoft Authenticator as the app.

Tesla required an Australian Business Number (ABN). Smart Motion has a valid one, so the example used that. However, if you do not, it may be possible to create a dummy ABN. I have read that Tesla has promised to remove the ABN requirement. If this has been done, please post a message below.

Once you set up the account, create a pro forma app authorised to access the vehicle.

4.2 Request Application Access

Once logged into the developer dashboard choose ‘Request Application Access’.

4.3 Choose the account which you have just created.

4.4 Write a short description of the purpose of this application

4.5 Enter the client details for your configuration

4.6 Specify the API & Scopes for what you will use it for, I am only accessing vehicle information hence my choices.

4.7 App Request Submitted

After a few seconds, Tesla will send you an automatic approval email. Important: Tesla now checks whether the domain can be reached via the Internet and whether the certificate is correct.

If it worked, you will see the app you created in your account.

4.8 You should now see an active application within your dashboard, choose to ‘View Details’

4.9 Copy and store securely the details, you will need them in step 5.4 below.

5. Install Tesla HTTP Proxy configuration

5.1 Kickstarting Cloudflared Integration

Start by adding the HA-Addons repository. You can do this manually with the provided GitHub repository link or simply click the ‘Add Repository’ button below for a quick setup and add the repository.

5.2 Navigating to the Add-On Store

After adding the repository, head over to your Home Assistant and go to Settings > Add-Ons, then tap on the Add-On Store and install the Tesla HTTP Proxy.

5.3 Install the Tesla HTTP Proxy

Click on the install button to download and install the Tesla HTTP Proxy server.

5.4 Configure the Tesla HTTP Proxy

Head over to the Configuration tab and populate the service, you will need the details from step 4.9.

5.5 Navigate to the info tab and start the Add-On.

Note: If this did not start have you followed the DNS entry setup in 1.2?

5.6 Choose Open Web UI

5.7 We will now follow the four steps in order to authenticate with your Tesla account, choose ‘Login to Tesla account’

Note: You will see a call out warning you that the ‘Page not found’ is to be expected.

5.8 After you have logged into your Tesla account copy the URL from the address bar.

5.9 Navigate back to Home Assistant and paste this callback into the dialogue box provided and choose ‘Generate token from URL’

5.10 Click ‘OK’ at the Authorization complete screen which will copy the refresh token to your clipboard

5.11 Navigate back to the Tesla HTTP Proxy add on screen and choose ‘Enrol public key in your vehicle’ and follow the instructions.

1. Sign in to the Tesla App
2. Scan the QR Code
3. Click ‘Finish setup’ on your phone and it will install the ‘Virtual Key’ in your vehicle

6. Install the Tesla Custom Integration

6.1 Home Assistant Tesla Custom Integration installation

You now have a ‘Refresh Token’ that will enable the Tesla Custom Integration to authenticate. Install it from  GitHub repository link or simply click the ‘Add Repository’ button below for a quick setup and add the repository.

6.2 Agree that you need the Tesla HTTP Proxy, which you have already done.

6.3 Enter your email address and the ‘Refresh Token’ from step 5.10.

6.4 Within your integrations you will now see commands to control your Tesla.

Congratulations! You’ve now got your own Tesla Integration working without the need for ongoing subscription to Tessie! Have questions or feedback for Home Assistant with Cloudflare Zero Trust? Feel free to share your thoughts or ask for help in the comments below.

Did this guide help you secure your Home Assistant remotely? If you found it valuable and are feeling generous, consider Buying Me A Coffee. Your support encourages me to create more helpful content like this. Cheers!