Android mobile app cannot access webui with self-signed certificate

I tried setting up a self-signed SSL certificate. All works fine: accessing the web UI asks to accept the risk of the self-signed cert and then shows the interface. But when trying to access it using the Android app, it seems the screen asking to accept the risk is not visible, so I just get a white screen.

Anyone figured out a way around this?

1 Like

Because the self-signed certificate is related to one address (DNS) and not for the local IP… Young Canon use nginx addon to solve this issue.

I have a self-signed certificate related to a DNS address, but it still does not work. The problem is that the certificate is not valid. So I am stuck with Ariela…

Could you elaborate on this or point me to some documentation?

Thanks

See if these steps will help if you use a self-signed certificate https://companion.home-assistant.io/docs/troubleshooting/faqs#using-a-self-signed-certificate-leads-to-a-blank-page-in-android

Not sure if this is the same problem as described above, but I have a similar problem.

Current Status

I have set up NGINX with Letsencrypt and it seemed to be working OK with my ***.duckdns.org domain.

  • Outside of my network - ***.duckdns.org works with android app and browser on phone and pc.
  • Inside of my network - ***.duckdns.org works with browser on PC, but on Android neither app nor browser works consistently. The app gives a white screen.

I have tried to export and install my certificate on the android device. This leads to the browser on the phone working sporadically, but eventually it fails. When it does work I can check the SSL certificate and it does seem to be present and correct.

Do you have any idea why I am experiencing this behaviour?

1 Like

In the web of the Android application, it shows the same problem.

They ask you to install the certificate you have on your Android device. In my case I use the Duckdns plugin and it creates the cert directly as a .pem file.

My error is that when I try to install it, my Android tells me I need a password to install it, but I don't have one :confused:

Some help?

Anyone get this working?

I’ve tried to use the internal address feature in the Companion client and I can’t get past the white screen and a failed to connect message. The phone can open the page fine in a web browser, and I’ve even gone to the extent of importing the self-signed cert into the phone’s trusted root store (via root access), and it still won’t work.

If you have to accept a SSL cert on the internal address then this won’t work. Consider using NAT loopback on your router and just don’t use an internal address. Don’t forget the SSL cert is for your domain and not your internal IP.

It’s a self-signed cert that I’ve generated for the box internally and attached to the reverse proxy for my internal domain.

Outside works fine. And yes, I could use that inside, but with NAT loopback the source address comes from the router’s inside interface, not the phone. So in logging I can’t tell who is who. In Ariela previously this worked fine.

I suppose I could turn off TLS for the internal address if the app simply cannot accept self-signed.

1 Like

Try to install the nginx plugin, so that locally you can access with http and from outside with https.

Hey, I’m sorry if I bring up a dead thread, but it’s still the most relevant one on the subject of having local-only https access for your Home Assistant.

I’ve read through the thread and I can now share the easiest way that I tested personally:

Pros: no duckdns addon, no nginx addon, no lets-encrypt addon
Cons: the certificate will expire eventually (in a couple of years) and you will have to generate a new one and push it to HA

I’m also running on hassio and it’s ok.

  1. Install the “SSH & Web Terminal” add-on (the community one, not the official one!) on the Supervisor page of HA
    This is needed to be able to write the certificates to the HA filesystem

  2. Install mkcert (GitHub - FiloSottile/mkcert: a simple zero-config tool to make locally trusted development certificates with any names you'd like)
    The instructions are in the repo: install the root CA, generate the certificate for your HA (note: not only DNS names are valid, but also IP addresses; one certificate can have multiple DNS names / IP addresses)

  3. Log in to your HA via ssh and copy the certificates to the /ssl directory (or some other directory)

  4. Adapt the configuration.yaml accordingly:

http:
  ssl_certificate: /ssl/homeassistant-local.pem
  ssl_key: /ssl/homeassistant-local-key.pem

Restart the server

  5. If you installed the root CA on your device via mkcert, the https connection from that device should work already. Not the mobile app though.

  6. For the mobile app use the instructions at Troubleshooting | Home Assistant Companion Docs

You can see the location of your root CA files via mkcert -CAROOT

I also needed to clear cache / storage for the mobile app or else it wouldn’t let me in.

  7. It works for me on MacOS + Android - both connected with https + IP address
5 Likes
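An added example (not code from this thread, from mkcert or from Home Assistant) showing the two checks a TLS client applies to the setup described above: the server certificate must chain to a root CA the device trusts, and the address you connect to must be listed in the certificate's SAN. It uses Go's crypto/x509 as a stand-in for the phone's validator, and the name ha.home.example and the 192.168.1.x addresses are constructed sample values.

```go
package main
import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue signs tmpl with the issuer's key and returns the parsed certificate.
func issue(tmpl, issuer *x509.Certificate, pub *rsa.PublicKey, key *rsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, issuer, pub, key))))
}

// newLocalPKI builds a throwaway root CA and a server certificate whose SAN lists dns and ips.
func newLocalPKI(dns []string, ips []net.IP) (root, leaf *x509.Certificate) {
	caKey, srvKey := must(rsa.GenerateKey(rand.Reader, 2048)), must(rsa.GenerateKey(rand.Reader, 2048))
	from, to := time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example local CA"},
		NotBefore: from, NotAfter: to, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	root = issue(caTmpl, caTmpl, &caKey.PublicKey, caKey) // self-signed root
	srvTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "example HA server"},
		NotBefore: from, NotAfter: to, DNSNames: dns, IPAddresses: ips, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	return root, issue(srvTmpl, root, &srvKey.PublicKey, caKey)
}

// clientAccepts mimics a TLS client: the chain must end in a trusted root AND host must be in the SAN.
func clientAccepts(leaf, root *x509.Certificate, host string) bool {
	pool := x509.NewCertPool() // stays empty when the root CA is not installed on the device
	if root != nil {
		pool.AddCert(root)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err == nil
}

func main() {
	root, leaf := newLocalPKI([]string{"ha.home.example"}, []net.IP{net.ParseIP("192.168.1.10")})
	fmt.Println(clientAccepts(leaf, nil, "192.168.1.10"), clientAccepts(leaf, root, "192.168.1.10"), clientAccepts(leaf, root, "192.168.1.99"))
}
```

A certificate issued only for a DNS name fails the same check when the client connects by IP address, even with the root CA installed.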

Pavel, excellent summary and worked like a charm on the very first attempt which does not happen very often with me :sunglasses:

It can be very simple if HA mobile app simply has a prompt or a setting to trust a particular self-signed certificate. I see no reason why the app does not have this basic feature. I may be wrong, but the only reason I can think of to design the mobile app like this is to subtly push people towards HA cloud.

That’s not true at all. It’s Google’s direct recommendation not to proceed with SSL errors. You can still use a self-signed certificate, you just need to add it to the device.

Thank you for your response. Adding certificate to device does not work reliably across devices. Using own CA is likely the solution but not very convenient.
I can understand why Google might have issued such a recommendation. They likely meant not to “automatically” proceed. There’s no downside to allowing self-signed certs if the user knows what they are doing. HA users are smart. Even Google Chrome allows users to proceed with a self-signed certificate. Plenty of apps do it, HA should too IMHO.

Different devices have different steps; personally I stick to Pixel devices as those steps are always properly documented.

We do, but you still need to import it in the device.

I fully agree with technotiger’s comment. It is absurd to not trust your own certificate. Transferred to real life, do you need a third party to confirm your wife is really your wife?
The only reason I can imagine, why all user requests to simply trust own certificates are being closed, is to push people towards paid HA cloud services.

While you and others in this forum may be smart enough to know when to actually trust a certificate, the simple truth of the matter is that the majority of the world has no clue. They will be susceptible to any type of attack and it is our responsibility to make sure that is minimized. It is also Google’s own recommendation not to proceed on SSL errors.

That is simply not true and how rumors start, none of the developers working on the android app are a paid employee. Everyone is a volunteer working on what it is they want to work on and we all agree that we should not allow bypassing a SSL certificate. If you do not agree with this there is nothing stopping you from forking the app and bypassing the SSL check. You are not forced to pay for nabu casa or anything, you can get a SSL certificate for free and have it valid so it works without needing to bypass a security check. I do not use NC and have a free and valid certificate that does not give any errors.

The app still accepts self-signed certificates as well, so not sure why my comment was skipped there; we do indeed support self-signed certificates as long as it’s properly added to the OS.

Google does not recommend to carelessly ignore SSL errors, right. But, they allow you to proceed. Find the difference…