TL;DR: It was a bug in Rethink DNS on Android that did not apply to browsers but only to the Home Assistant Companion. It is not a Home Assistant bug.
Yes, I am sure. I could not connect to non-TLS HTTP because it does not even listen for that. I put the URL with https into the app.
The local network and the public network are the same and it only listens with https on port 443. The VM has a globally routable public IPv4.
On the VM it is running in a container that is portmapped to the host.
As said, it works in a browser just fine from the public internet and over Wi-Fi standing in the same house as the server. It works in every browser that trusts Let's Encrypt. It does not work with the app.
curl -v https://homeassistant.mycompany.de
* Host homeassistant.mycompany.de:443 was resolved.
* IPv6: (none)
* IPv4: 185.XXX.XXX.XXX
* Trying 185.XXX.XXX.XXX:443...
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: /etc/ssl/certs
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / X25519MLKEM768 / id-ecPublicKey
* ALPN: server did not agree on a protocol. Uses default.
* Server certificate:
* subject: CN=homeassistant.mycompany.de
* start date: Feb 17 15:04:08 2026 GMT
* expire date: May 18 15:04:07 2026 GMT
* subjectAltName: host "homeassistant.mycompany.de" matched cert's "homeassistant.mycompany.de"
* issuer: C=US; O=Let's Encrypt; CN=E8
* SSL certificate verify ok.
* Certificate level 0: Public key type EC/secp384r1 (384/192 Bits/secBits), signed using ecdsa-with-SHA384
* Certificate level 1: Public key type EC/secp384r1 (384/192 Bits/secBits), signed using sha256WithRSAEncryption
* Certificate level 2: Public key type RSA (4096/152 Bits/secBits), signed using sha256WithRSAEncryption
* Connected to homeassistant.mycompany.de (185.XXX.XXX.XXX) port 443
* using HTTP/1.x
> GET / HTTP/1.1
> Host: homeassistant.mycompany.de
> User-Agent: curl/8.14.1
> Accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* Request completely sent off
< HTTP/1.1 200 OK
< Content-Type: text/html; charset=utf-8
< Referrer-Policy: no-referrer
< X-Content-Type-Options: nosniff
< Server:
< X-Frame-Options: SAMEORIGIN
< Content-Length: 5946
< Date: Wed, 29 Apr 2026 12:41:02 GMT
<
<!DOCTYPE html><html><head><title>Home Assistant</title><meta charset="utf-8"> ....
I censored name and IP using an exact match search and replace. Not manually. So a slight mismatch would be obvious because not everything is replaced.
In network settings, the URL has the exact same protocol and hostname as in that curl dump, both as the Home Assistant URL and in the Local Network field below it.
Network adapters section has 2 selected. One is a macvtap network into my devices' network that supports layer 2 device-to-device communication. The other is a generic container IP range that is portmapped to the host, which has the 185.X.X.X IP. The container IP is set as “default”.
I’ve got logs from the app now.
Weird asides:
- For some reason the thing tries to use the device attestation api. Why would it do that?
- Lots of probing for APIs on the phone OS that I did not expect to be related to Home Assistant.
The app actually receives a different certificate. But why…
Because it strictly prefers IPv6, does not try v4 and does some weird DNS things due to that.
So yeah I had to give it proper IPv6 so that it does not fail.
Solved
Not quite. For some reason the app uses a wrong DNS server that does not make any sense.
It was actually the phone network setup in a weird way.
I used Rethink DNS to route some Apps via Tunnels.
For some reason the DNS requests of the app went to an in-tunnel DNS server that hijacks all hostnames and answers with its own IP, despite it not obviously being configured to do that.
The default DNS of Rethink was set to System DNS with DNS per tunnel. But the app was not assigned to a tunnel. But the fallback DNS was the DNS of that tunnel for some reason, despite the primary DNS being reachable and working in other untunneled apps.
THIS IS A RETHINK DNS BUG NOT A HOME ASSISTANT BUG
SOLVED
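The root cause above (the app's name lookups going to a resolver that answers every name with its own address, so the app sees a different certificate than the browser) is exactly the kind of thing a small cross-check script catches early. The following Python is an added example, not code from this thread, from Home Assistant or from Rethink DNS. It resolves the hostname through the system resolver, optionally takes extra addresses to test (for example an answer copied out of the app's logs), TLS-connects to each one with SNI set to the hostname, and reports whether the certificate verifies against the system trust store and names the host. The `assess()` function is pure so it can be tested offline; the script name `dnscheck.py` and the addresses in the comments are constructed.

```python
"""Cross-check DNS answers against the certificate actually served at each address.

Added example, not part of the thread. Constructed inputs are marked as such.
"""
import socket
import ssl
import sys
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Observation:
    """One (source, answer, certificate) triple for the hostname under test."""
    source: str                 # where the address came from: "system" resolver or "manual"
    address: str                # IP address the hostname resolved to
    issuer: Optional[str]       # issuer of the presented cert if it verified, else None
    san_matched: bool           # True if the hostname is in the cert's subjectAltName
    error: Optional[str] = None  # verification or connection error text, if any


def resolve_system(hostname: str) -> List[str]:
    """Addresses the OS resolver returns (A and AAAA), de-duplicated, order kept."""
    seen: List[str] = []
    for _family, _type, _proto, _canon, sockaddr in socket.getaddrinfo(
        hostname, 443, type=socket.SOCK_STREAM
    ):
        if sockaddr[0] not in seen:
            seen.append(sockaddr[0])
    return seen


def observe_tls(hostname: str, address: str, source: str,
                port: int = 443, timeout: float = 5.0) -> Observation:
    """TLS-connect to `address` with SNI=hostname and verify the chain against the
    system trust store. The hostname check is done here rather than by ssl so a
    wrong-name certificate is reported instead of raised. No application data is sent."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # verify_mode stays CERT_REQUIRED; we compare SANs ourselves
    try:
        with socket.create_connection((address, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                cert = tls.getpeercert()
    except (OSError, ssl.SSLError) as exc:
        return Observation(source, address, None, False, str(exc))
    issuer = ", ".join("=".join(rdn[0]) for rdn in cert.get("issuer", ()))
    sans = {value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"}
    return Observation(source, address, issuer, hostname in sans)


def assess(expected_address: str, observations: List[Observation]) -> List[str]:
    """Explain what is wrong in the order a troubleshooter would look:
    resolver disagreement first, then certificate problems per answer."""
    findings: List[str] = []
    if expected_address not in {o.address for o in observations}:
        findings.append(f"no resolver returned the expected address {expected_address}")
    for o in observations:
        if o.address != expected_address:
            findings.append(f"{o.source}: resolved to {o.address} instead of "
                            f"{expected_address} (possible DNS interception)")
        if o.issuer is None:
            findings.append(f"{o.source}: certificate at {o.address} did not verify ({o.error})")
        elif not o.san_matched:
            findings.append(f"{o.source}: certificate at {o.address} (issuer {o.issuer}) "
                            f"is not for this hostname")
    return findings


if __name__ == "__main__":
    # Usage (constructed): python dnscheck.py homeassistant.example.org 192.0.2.10 10.8.0.1
    if len(sys.argv) < 3:
        sys.exit("usage: dnscheck.py HOSTNAME EXPECTED_IP [EXTRA_IP ...]")
    host, expected, *extra = sys.argv[1:]
    observations = [observe_tls(host, a, "system") for a in resolve_system(host)]
    observations += [observe_tls(host, a, "manual") for a in extra]
    for obs in observations:
        print(obs)
    for line in assess(expected, observations) or [
        "OK: every answer points at the expected host and serves a valid certificate"
    ]:
        print(line)
```

Run it once on the phone's Wi-Fi network and once with the addresses the app logged: a "resolved to ... instead of ..." line together with "did not verify" on the same address is the signature of an intercepting resolver, which is what separated the app's behaviour from the browser's in this thread.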