HA blocked from ( iOS ) iPhone using self-signed cert

247365 · February 17, 2019, 9:50pm

Hi

Unable to login to HA from iPhone.

Can login to HA from laptop.

Received the following messages in the log file.

Feb 17 21:01:21 hassbian hass[515]: 2019-02-17 16:01:21 INFO (MainThread) [homeassistant.components.http.view] Serving /auth/authorize to PRIVATE IP ADDRESS (auth: False)

Feb 17 21:01:21 hassbian hass[515]: 2019-02-17 16:01:21 INFO (MainThread) [homeassistant.components.http.view] Serving /auth/providers to PRIVATE IP ADDRESS (auth: False)

Feb 17 21:01:22 hassbian hass[515]: 2019-02-17 16:01:22 INFO (MainThread) [homeassistant.components.http.view] Serving /auth/login_flow to PRIVATE IP ADDRESS (auth: False)

Feb 17 21:01:38 hassbian hass[515]: 2019-02-17 16:01:38 INFO (MainThread) [homeassistant.components.http.view] Serving /auth/login_flow/ gobbledygook to PRIVATE IP ADDRESS (auth: False)

Feb 17 21:06:07 hassbian hass[515]: 2019-02-17 16:06:07 INFO (MainThread) [homeassistant.components.http.view] Serving /auth/providers to PRIVATE IP ADDRESS (auth: False)

Feb 17 21:06:07 hassbian hass[515]: 2019-02-17 16:06:07 INFO (MainThread) [homeassistant.components.http.view] Serving /auth/login_flow to PRIVATE IP ADDRESS (auth: False)

Cannot locate any IP BAN file in hassnian HA configuration.

Have read conflicting information that self-signed certs may or may not work with iOS and HA.

Suggestions?

reclusivemonkey · February 19, 2019, 1:46pm

I’ve never had a problem with self signed certs on iOS.

Are you trying to login using the HA iOS app or a browser on your iPhone?

247365 · February 19, 2019, 3:16pm

Hello Reclusive Monkey

Both/either.

As stated previously I can access https://192.xxx.xxx.xxx:8123 which displays the login window.

When I enter the user name and password I receive the error message.

reclusivemonkey · February 19, 2019, 4:10pm

Can you post the http bit from your configuration? (If you’re not using secrets, comment any passwords out)

247365 · February 19, 2019, 4:33pm

Will do but it will be later in the day.

Bytemonger · February 20, 2019, 12:29am

We need to see the http: part of your config file. Also where/how did you create the self signed certificates.

247365 · February 20, 2019, 4:20pm

Here you go.

(FYI I started from scratch this morning and ended up with the same results.)

Can access and login to https from Safari on Mac OS

Can access but NOT login to https from Safari on iOS

configuration.yaml

http:

ssl_certificate: /home/homeassistant/.homeassistant/certs/certificate.pem

ssl_key: /home/homeassistant/.homeassistant/certs/privkey.pem

Created CERT using instruction found at the following link:

$ openssl req -sha256 -newkey rsa:4096 -nodes -keyout privkey.pem -x509 -days 730 -out certificate.pem

/var/log/daemon.log

Feb 20 15:57:48 hassbian hass[508]: 2019-02-20 15:57:48 INFO (MainThread) [homeassistant.components.http.view] Serving / to 192.xxx.xxx.xxx (auth: False)

Feb 20 15:57:49 hassbian hass[508]: 2019-02-20 15:57:49 INFO (MainThread) [homeassistant.components.http.view] Serving /auth/authorize to 192.xxx.xxx.xxx (auth: False)

Feb 20 15:57:49 hassbian hass[508]: 2019-02-20 15:57:49 INFO (MainThread) [homeassistant.components.http.view] Serving /auth/providers to 192.xxx.xxx.xxx (auth: False)

Feb 20 15:57:49 hassbian hass[508]: 2019-02-20 15:57:49 INFO (MainThread) [homeassistant.components.http.view] Serving /auth/login_flow to 192.xxx.xxx.xxx (auth: False)

Feb 20 15:59:31 hassbian hass[508]: 2019-02-20 15:59:31 INFO (MainThread) [homeassistant.components.http.view] Serving /auth/login_flow/ gobbledygook to 192.xxx.xxx.xxx (auth: False)

Feb 20 15:59:32 hassbian hass[508]: 2019-02-20 15:59:32 INFO (MainThread) [homeassistant.components.http.view] Serving / to 192.xxx.xxx.xxx (auth: False)

Feb 20 15:59:32 hassbian hass[508]: 2019-02-20 15:59:32 INFO (MainThread) [homeassistant.components.http.view] Serving /auth/token to 192.xxx.xxx.xxx (auth: False)

/var/log/syslog

Feb 20 15:35:50 hassbian hass[508]: 2019-02-20 15:35:50 INFO (MainThread) [homeassistant.components.http.view] Serving / to 192.xxx.xxx.xxx (auth: False)

Feb 20 15:35:50 hassbian hass[508]: 2019-02-20 15:35:50 INFO (MainThread) [homeassistant.components.http.view] Serving /auth/authorize to 192.xxx.xxx.xxx (auth: False)

Feb 20 15:35:50 hassbian hass[508]: 2019-02-20 15:35:50 INFO (MainThread) [homeassistant.components.http.view] Serving /auth/providers to 192.xxx.xxx.xxx (auth: False)

Feb 20 15:35:51 hassbian hass[508]: 2019-02-20 15:35:51 INFO (MainThread) [homeassistant.components.http.view] Serving /auth/login_flow to 192.xxx.xxx.xxx (auth: False)

Feb 20 15:37:08 hassbian hass[508]: 2019-02-20 15:37:08 INFO (MainThread) [homeassistant.components.http.view] Serving /auth/login_flow/ gobbledygook to 192.xxx.xxx.xxx (auth: False)

Feb 20 15:37:09 hassbian hass[508]: 2019-02-20 15:37:09 INFO (MainThread) [homeassistant.components.http.view] Serving / to 192.xxx.xxx.xxx (auth: False)

Feb 20 15:37:09 hassbian hass[508]: 2019-02-20 15:37:09 INFO (MainThread) [homeassistant.components.http.view] Serving /auth/token to 192.xxx.xxx.xxx (auth: False)

Feb 20 15:37:09 hassbian hass[508]: 2019-02-20 15:37:09 INFO (MainThread) [homeassistant.components.http.view] Serving /api/websocket to 192.xxx.xxx.xxx (auth: False)

Feb 20 15:37:41 hassbian hass[508]: 2019-02-20 15:37:41 INFO (MainThread) [homeassistant.components.http.view] Serving /api/history/period/2019-02-19T15:37:41.260Z to 192.xxx.xxx.xxx (auth: True)

Feb 20 15:37:43 hassbian hass[508]: 2019-02-20 15:37:43 INFO (MainThread) [homeassistant.components.http.view] Serving /api/history/period/2019-02-19T15:37:43.843Z to 192.xxx.xxx.xxx (auth: True)

Feb 20 15:37:57 hassbian hass[508]: 2019-02-20 15:37:57 INFO (MainThread) [homeassistant.components.http.view] Serving /api/history/period/2019-02-19T15:37:57.270Z to 192.xxx.xxx.xxx (auth: True)

Feb 20 15:38:46 hassbian hass[508]: 2019-02-20 15:38:46 INFO (MainThread) [homeassistant.components.http.view] Serving /api/history/period/2019-02-20T15:37:57.270Z to 192.xxx.xxx.xxx (auth: True)

Bytemonger · February 20, 2019, 10:48pm

I think I remember. I emailed the public certificate and then installed it on my iPhone from within the mail app. Then you have to go into general then profiles and trust the certificate. Then I went into the HA app and connect to https://hassio.local

I think getting the trust button to show can be an issue.

Bytemonger · February 20, 2019, 10:53pm

By the way I used this repository and add on to do ssl certificates. Very easy to do. It runs and creates the cert. It does not need to run unless you need an cert created.

I also use port 443 not 8123 as setup in the config file.

247365 · February 20, 2019, 11:34pm

I’m beyond confused.

As you can see from the earlier screen-grab Safari on ( iOS ) the phone has accepted the self-signed certificate.

I’m able to enter the user name and password on a secured page.

It is when I click the NEXT button that I receive the “Unable to connect…” message.

As far as mailing the certificate to myself I have but I am unable to add it. When I click on the attachment the only button that appears is OK.

There are other options below like Message, EMail and other things but nothing to add to my trusted certs.

Any suggestions on getting the cert mailed in an acceptable format?

247365 · February 22, 2019, 8:29pm

Hello

Here is the information. Hope this will assist in diagnosing the problem.

http:
ssl_certificate: /home/homeassistant/.homeassistant/certs/certificate.pem
ssl_key: /home/homeassistant/.homeassistant/certs/privkey.pem

reclusivemonkey · February 22, 2019, 8:57pm

Sorry my setup is very different to yours; I’ve got an external domain setup as I like to trigger things on me arriving and leaving work. Has it ever worked on iOS?

247365 · February 22, 2019, 9:05pm

From ( iOS ) iPhone it only allows me to login when access HTTP and NOT HTTPS.

When using HTTPS on iOS : I get to the login. I enter password. I click NEXT. It then sits there and gives the error posted previously.

reclusivemonkey · February 23, 2019, 9:33am

If you’ve configured your router to use 8123 try

http:
  port: 8123
  ssl_certificate: /home/homeassistant/.homeassistant/certs/certificate.pem
  ssl_key: /home/homeassistant/.homeassistant/certs/privkey.pem

Then try logging in without the port after your IP address in HA. Also try hassio.local port number as well.

Failing that I would try removing the certificates you’ve imported and try again. If you can’t manually remove them you may have to reset network settings, but of course that will reset all the network stuff on your phone.

Failing that I’m afraid I’m fresh out of ideas as my setup uses LetsEncrypt and an external domain so it’s a very different setup.

jamgood96 · November 10, 2019, 11:12pm

I thought I’d jump into this thread and say I’m experiencing the same issue.

I set Home Assistant up to use a self signed certificate. All works fine from my Mac when I hit either https://hassio.local:8123 or the IP address of the instance, but when I try to do it from the iOS app (or any iOS browser for that matter) I get the same result as reported in the above posts.

I set the logger to debug mode, but there was literally nothing in it related to logging in. Is there a different way to output some logs for this?

I’m running Hass.io 3.5 and HA 0.101.3.

jamgood96 · November 11, 2019, 12:32am

I got things sorted. The issue—at least in my case—was that iOS 13 has new, stricter certificate requirements. I was able to generate a self-signed certificate based on this post that, when installed, has allowed me to use a self signed cert with HA.