Companion App refusing to connect with self-created CA certificate

I’ve recently set up a new HAOS install and I’m struggling to get my phone to connect. I’m using a self-created CA certificate, which is installed in my Android certificate store and capable of verifying other TLS connections, including accessing HA through the web interface in Chrome; however, the Companion app just throws out “The Home Assistant certificate authority is not trusted.” The only troubleshooting info available for this issue says this should just work, since the cert is installed correctly and otherwise working. There’s no other meaningful error information I can see in the app.

Is there any way to fix this without using LetsEncrypt? I don’t want to use LE for multiple reasons (using an internal domain, not wanting to connect to the external internet to get a cert, etc).

This may happen if the self-signed certificate was not generated to be valid; we had a user try to submit these changes. They may help you. This is a bit out of scope for the apps, which is why there is no real troubleshooting step here.

https://github.com/home-assistant/companion.home-assistant/pull/1011

I’m confident that the cert is valid. I did see that issue while searching around before posting, but I’ve installed the cert successfully without the errors that are supposed to pop up on Android with invalid certs, and checking on another system shows that the cert is correctly labelled as a CA cert. It also works flawlessly for most other apps on the phone, including accessing HA through Chrome rather than the app.

You need to check your entire certificate chain, from root to intermediary to server.

Like I said, the certificate chain is valid and successfully validates the same HA instance if I access it through the web interface in Chrome on the same phone.

Maybe Chrome and Android do not use the same certificate store.
I know Firefox has its own certificate store on Android.

Chrome uses the system-wide certificate store, which is why I specified Chrome. Android uses its own (I know because I installed the cert into both the system and Android to get everything else working). The same CA successfully validates other services in their respective apps too, for what it’s worth; Nextcloud works seamlessly, for instance.

Android is the system, so that should be the system-wide one.
Chrome might use that too or have its own, but this might just be a confusion in the typing moment.

I do not know how to go further here then, since I use a Let’s Encrypt certificate everywhere today.

This is 100% the case; both use a different trust store.

The main takeaway is this: if Android reports there is an issue with the SSL cert, then it is up to the user to solve it; the app does not bypass any errors. We accept any and all imported user CAs.

Another consideration is that the browser does not make use of all the different communication methods the app does. The app uses all different APIs which you don’t see the browser consuming.

> The main takeaway is this: if Android reports there is an issue with the SSL cert, then it is up to the user to solve it; the app does not bypass any errors. We accept any and all imported user CAs.

Sure, but Android is not reporting any issues with the certificate; like I already said, it imported without error and is working in other apps on the device. Chrome was just one example. Firefox is a bit unique in that it uses its own trust store, but this is not the case with Chrome (which uses the OS store) or most other apps.

> Another consideration is that the browser does not make use of all the different communication methods the app does. The app uses all different APIs which you don’t see the browser consuming.

Not really relevant; all TLS communication should be using the same certs, and any non-TLS communication shouldn’t care about TLS certs, since it wouldn’t be using them anyway.

The only explanation I can think of is that at some point the app has been changed to use the unmodifiable System store instead of the modifiable User store (both are OS-wide, but specifying the former blocks user installation of certs per relatively recent Android security policy). IMHO this should be considered a bug if it’s the case, because user-installed certs are explicitly supported, but I didn’t want to assume this was the case, since I couldn’t find any other examples of this happening that wound up with either a solution or an actual determination of the cause of the error.

If the certificate is not working and the app is complaining, then it is reporting an error, which it is. We have also had users report that, when properly created, the self-signed certificate has no issue, as you can see in the PR.

We accept both; not sure how you came to that conclusion.

Thanks for the info. I need to put my foot in my mouth, but at least the issue is fixed. The tl;dr is that making a new cert using a different application did indeed fix it.

I had seen the linked PR and associated error before posting this thread. I had assumed it was a different issue because I’m using a proper certificate chain instead of a self-contained, self-signing cert as in the discussion, and there was also mention of Android throwing errors on certificate import, iirc. In particular, the conclusion was that the cert needs to have the CA role specified, which is true for mine already, as reported by Android and directly in the cert. Unfortunately, the error HA shows is hopelessly vague (which I now get is Android’s fault, but it still complicates troubleshooting), and none of the 3 options listed on the Android troubleshooting page applied.

I thought it must be a system vs. user issue because the only other app I’ve had this issue with is Obsidian, in that case because it explicitly rejects any user certs. I’m still a bit confused why the cert works for other stuff if it doesn’t work for HA (is there some optional aspect to cert handling/verification that HA is doing?).

Anyway, as it turns out, the presumably OpenSSL certs generated by TrueNAS’s integrated tool are a bit wonky; switching to SSCG produced a valid cert. Is there any way to update the troubleshooting guide to indicate that the tool used to generate the certs matters? (Troubleshooting | Home Assistant Companion Docs) This was the first place I checked when it wasn’t working before, and it could save users a lot of headaches in the future.

Thanks again
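The checks this thread circles around (the CA role on the root, the hostname in the subjectAltName, and a chain that actually verifies), as an added example that is not part of the original thread and is not the Home Assistant project's or SSCG's code. It builds a private root CA and a server certificate with OpenSSL, then runs the path validation and hostname match a TLS client performs, and it also generates a deliberately broken "CA" without the CA role to show what `openssl verify` reports for it. The hostname `homeassistant.lan`, the CA subject, the directory and all file names are assumptions; the only tool assumed is an OpenSSL 1.1.1 or newer command line.

```shell
#!/bin/sh
# Added example (not from the thread or the Home Assistant project): build a
# private CA with OpenSSL and check the properties Android's trust store and
# TLS stack require. Hostname, subject and file names are assumptions.
set -u

WORK="${WORK:-$(mktemp -d)}"

# OpenSSL config for a self-signed root. basicConstraints CA:TRUE is the
# "CA role"; $2 lets the demo also produce a root that lacks it.
write_ca_config() {
    cat > "$1" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = ext
[dn]
CN = Home Lab Root CA
[ext]
basicConstraints = critical, $2
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Extensions for the server (leaf) certificate. Android and Chrome match the
# hostname against subjectAltName only, never against the CN.
write_server_ext() {
    cat > "$1" <<EOF
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$2
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# make_ca NAME CA-FLAG: self-signed root at $WORK/NAME.crt and $WORK/NAME.key
make_ca() {
    write_ca_config "$WORK/$1.cnf" "$2"
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$WORK/$1.cnf" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# make_server NAME CA-NAME HOST: leaf for HOST, signed by the named root
make_server() {
    write_server_ext "$WORK/$1.ext" "$3"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$3" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null &&
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" \
        -CAcreateserial -days 825 -sha256 -extfile "$WORK/$1.ext" \
        -out "$WORK/$1.crt" 2>/dev/null
}

# is_ca_cert FILE: true when the certificate carries basicConstraints CA:TRUE,
# which is what Android looks at when deciding whether an import is a CA.
is_ca_cert() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# chain_ok CA-NAME LEAF-NAME HOST: path validation up to the root plus the
# hostname match, the same two checks a TLS client performs on connect.
chain_ok() {
    openssl verify -CAfile "$WORK/$1.crt" -verify_hostname "$3" \
        "$WORK/$2.crt" >/dev/null 2>&1
}

# demo: the good chain, then a root generated without the CA role.
demo() {
    host=homeassistant.lan
    make_ca rootca CA:TRUE && make_server server rootca "$host"
    is_ca_cert "$WORK/rootca.crt"   && echo "rootca: CA:TRUE present"
    chain_ok rootca server "$host"  && echo "server: chain and SAN verify for $host"
    chain_ok rootca server wrong.lan || echo "server: rejected for wrong.lan (expected)"
    # A "CA" without CA:TRUE imports fine but nothing it signs will validate;
    # openssl verify reports "invalid CA certificate" for it.
    make_ca notca CA:FALSE && make_server leaf2 notca "$host"
    is_ca_cert "$WORK/notca.crt"    || echo "notca: no CA:TRUE (expected)"
    chain_ok notca leaf2 "$host"    || echo "leaf2: chain rejected (expected)"
    echo "certificates written to $WORK"
}

if [ "${1-}" = demo ]; then demo; fi
```

Run it as `sh make-ca.sh demo` and inspect `$WORK`. Two caveats from the same checks: if you put an intermediate between the root and the server cert, the server has to send it, so the file HA's `http: ssl_certificate` points at must contain the leaf followed by the intermediate, or Android cannot build the path to the user-installed root; and the hostname the app is given must appear in the SAN, because no Android client falls back to the CN.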

To be completely honest, we struggle with this part because creating a valid certificate is out of scope for HA, and users are expected to have their servers configured properly. There are too many variables to consider here, and adding one note will lead to others, as there are multiple ways to create a certificate and none of them directly involve HA.

I see where you’re coming from, but surely something to the effect of “some tools don’t create fully valid CA certificates for Android” would be sufficient without going out of scope? I’m clearly not the first person to have this issue, and it does seem to in some way be specific to HA rather than Android at large (in that whatever condition triggers the error is not occurring in other self-hosted applications, for whatever reason). I’m not a professional sysadmin by any stretch, but I’ve been dabbling in this space for years, and this is the only application I’ve ever had trouble making valid CA certs for that supports them.