Companion App does not connect with bad SSL certificates

milkywayfarer · February 2, 2022, 9:28pm

I set up my Home Assistant to be available outside of local network using Cloudflare, Cloudflare add-on and Let’s Encrypt addon. Certificates are created for my external address (domain) specifically.

Every time I try to connect to a local address of Home Assistant using a web browser, I need to click “Trust” in order to connect to the address because the certificate does not correspond to the URL. Home Assistant Companion just refuses to connect at all, and there is no option to “Trust” the certificate.

This raises two questions.

Is there any way to allow local IP addresses to use HTTP?
Is there any way to bypass the SSL error in Home Assistant Companion CEF?

anon63427907 · February 2, 2022, 9:30pm

1- Using reverse proxy as nginx, you can still use home assistant local ip address without ssl and nginx will be taken care of ssl part for external connection.

2- limitation of underlying OS, nothing can be done for this.

dshokouhi · February 2, 2022, 10:19pm

no the app will not bypass any SSL errors, you must use a valid certificate which is not valid on a local IP address

milkywayfarer · February 2, 2022, 10:45pm

First solution worked like a charm.

For anyone wondering:

Install Nginx Proxy Manager from Home Assistant Add-On Store
Configure it as in documentation
In Nginx Proxy Manager Web UI, after creating a new user, go to Hosts → Proxy Hosts → create a new host with the following configuration:

Domain Names: add your domain
Scheme: http
Forward Hostname: your Home Assistant local IP
Forward Port: 8123
Check Websockets Support

Then go to SSL Tab:

SSL Certificate → Request a new SSL Certificate
Check Force SSL
Check I Agree... at the bottom

If you want to keep your Cloudflare, click Use a DNS Challenge and configure it with your token.

Edit your configuration.yaml file. Remove SSL mentions from html category and add the following:

  use_x_forwarded_for: true
  trusted_proxies:
    - 172.30.33.0/24
  ip_ban_enabled: true
  login_attempts_threshold: 5

Reboot Home Assistant.

This steps made it possible to connect locally without SSL and externally with SSL.

Cheers!

dave-castle · July 26, 2022, 7:02pm

Hi, I’m trying to solve the same issue with your suggesion but when putting my local ip in the domain names, nginx is getting me an error “Requested name 192.168.178.11 is an IP address. The Let’s Encrypt certificate authority will not issue certificates for a bare IP address”

what am I doing wrong?

CentralCommand · July 26, 2022, 7:21pm

Not what the instructions say.

Your IP goes in forward hostname. Your domain goes in domain.

sagitab · November 13, 2022, 5:44pm

I was really excited to try that, but received an “internal error” message right from the first try.
The log showed:

too many failed authorizations recently: see Failed Validation Limit - Let's Encrypt

Which is a bit puzzling, considering I just tried it for the first time.
I’ll appreciate any insights on this!

war1000 · February 4, 2023, 4:51pm

I have a pfsense router and use HAProxy for all my certificates and forwards. Has anyone tried using HAProxy for this? I got to the point where the companion app says that I have certificate mismatch.

LiorNT · May 1, 2023, 8:50pm

Hi guys, I have the same issue ang I hope you can help me to solve it.
Im trying to use tailscale instead of duckdns + port forwarding.
I can connect my HA remotely while using the web browset, but while tryong to use the HA app I got a certification error.
I tried to follow the instructions above but Im not sure what should I add as the domain.
Thanks

MarceCastro · May 3, 2023, 7:49pm

Hi there! Did you find a solution? Same issue here. Although I also got this error message:

“Some challenges have failed.”

And when I go through the steps again, it says that domain is already registered! Looks like it god registered on Let’s Encrypt, although the whole process failed and settings were not saved.

Thanks!

sagitab · May 4, 2023, 5:39pm

Sorry, I stopped working on that so I have no new news.
I moved to cloudflare and at the moment I have no SSL for the local traffic.

MarceCastro · May 4, 2023, 5:51pm

Thanks anyway! I fixed it deleting all https related config on configuration.yaml. That was blocking the addon somehow. Looks like SSL needs to be handle either from the config itself or the Nginx Proxy Manager addon.

gr1nch · July 20, 2023, 9:10am

For my home setup[1] this is the same recurring “SSL handshake” showstopper problem, when connecting from the internet on my phone, using the Home Assistant Android app and Chrome on Android.

However, I’m able - thankfully - to connect with Midori on Android.

Does anyone have an idea why the Midori does accept the SSL cert just fine, but HA and Chrome apps do not?

[1] home setup

HA img on RPi4.
Nginx, LetsEncrypt and Cloudflare add-ons.
DynDNS updated hostname.
Internet connections use HTTPS, local uses HTTP.
Cloudflare caching and security.
On internal, local RFC1918 network the HA, Chrome, Midori apps connect successfully to HA.
From the internet, only the Midori app connects successfully to HA.

atonKin86 · November 20, 2023, 5:15pm

My options for grey/dynamic ip

register domain name from keenDNS
allow remote access in the “Access to web applications” section (http, tcp/8123)
copy your 4th-level domain name to HA->config->network->hostname(top section of the network settings, just domain without http://)
Optional - i did it at the same time with step 3, so don’t know if it’s needed.
set URL-address for internet - https://YOUR_DOMAIN_NAME and for LAN -
http://YOUR_LOCAL_IP_ADDRESS
Works fine for me with ip address in LAN and domain name(use https:// prefix) with HA companion for android.

jralph23 · March 9, 2024, 11:59am

What is this IP address you put in the configuration.yaml: 172.30.33.0/24 ???

naevtamarkus · April 24, 2024, 4:42pm

Hi, I don’t think the solution to this thread actually works. It’s all fine if you connect from outside, but if your server is behind a firewall you’re basically constrained to use http only. If you try https (with all the reverse proxy stuff enabled) there’s still a certificate mismatch because your domain name (for which the certificate is issued for) points to a different address, since you’re using a local (e.g. class C) address.

IMHO what’s missing here is a checkbox in the android app to ignore a bad certificate. The alternatives we have are: 1. unencrypted and 2. encrypted with a public IP (with or without reverse proxy tricks). I believe we’re missing option 3, which is in the middle security wise, to allow for encrypted traffic without checking the certificate. Yeah, I know it gives a false sense of security, but it’s better than no encryption at all (which is allowed). Are we allowed to ask for this feature in the app?

Thanks!

dshokouhi · April 24, 2024, 4:57pm

no we will not be adding this too many users dont know what it means. Use a reverse proxy to handle the certificate or consider creating a self signed certificate and import it to handle your local use case.

in terms of the companion app certificates MUST be valid, no exceptions.

edit: also Googles recommendation (which the app does follow) is not to proceed for any SSL errors

https://developer.android.com/reference/android/webkit/SslErrorHandler#proceed()