iOS 13 SSL Certificate issue

Hello, since I updated to iOS 13, I can't connect to HA (98.5 or 99.2) anymore.

“the certificate for this server is invalid”

Creation of my SSL Certificate

openssl req -sha256 -newkey rsa:4096 -nodes -keyout privkey.pem -x509 -days 730 -out certificate.pem

Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:BW
Locality Name (eg, city) []:City Name
Organization Name (eg, company) [Internet Widgits Pty Ltd]: HA
Organizational Unit Name (eg, section) []:M1
Common Name (e.g. server FQDN or YOUR name) []:192.168.1.4
Email Address []:[email protected]

I was also taking care of:

With iOS 12.4.1 it was working fine!

Is this my problem?

TLS server certificates must present the DNS name of the server in the Subject Alternative Name extension of the certificate. DNS names in the CommonName of a certificate are no longer trusted.

How can I add the name of the server in the Subject?

I have the same issue here! I tried several openssl configurations but for one reason or another it is not working! Can somebody please assist?

thanks

Luca

+1 having the same problem and followed the same instructions… seems odd that this error is being thrown

+1 same problem

I think a number of people are waiting for this issue to be solved… any news?

I made a PR to update documentation to address this issue (https://github.com/home-assistant/home-assistant.io/pull/11157). Give it a read and let me know if you end up having success!

I also left a note on another ticket that might prove helpful (HA blocked from ( iOS ) iPhone using self-signed cert)

UPDATE:
Something like the following works for me for iOS 13 and macOS 10.15. It's basically ripped straight from the above-mentioned link.

[ req ]
default_bits        = 2048
default_keyfile     = server-selfsigned-CA.key
default_md          = sha256
default_days        = 825                   # Apple's maximum validity for iOS 13 / macOS 10.15
encrypt_key         = no
distinguished_name  = subject
req_extensions      = req_ext               # applied when making a CSR (openssl req without -x509)
x509_extensions     = x509_ext              # applied when making a self-signed cert (openssl req -x509)
string_mask         = utf8only
prompt              = no

[ subject ]
OU                   = Taco Bell
countryName          = US
stateOrProvinceName  = Taco
localityName         = Bell
organizationName     = Taco Bell
commonName           = hassio.local         # still set, but iOS 13 no longer matches the hostname against it
emailAddress         = [email protected]

[ x509_ext ]
subjectKeyIdentifier     = hash
#authorityKeyIdentifier  = keyid,issuer
authorityKeyIdentifier   = keyid:always,issuer
basicConstraints         = critical, CA:TRUE     # the self-signed cert is also the trust anchor installed on the phone
keyUsage                 = critical, digitalSignature, keyEncipherment, cRLSign, keyCertSign
# hostname matching uses this extension; an IP address belongs in an IP: entry, not DNS:
subjectAltName           = IP:172.31.1.200, DNS:hassio.local
extendedKeyUsage         = serverAuth            # required by iOS 13 for server certificates

[ req_ext ]
subjectKeyIdentifier  = hash
basicConstraints      = CA:FALSE
keyUsage              = digitalSignature, keyEncipherment
subjectAltName        = IP:172.31.1.200, DNS:hassio.local
nsComment             = "OpenSSL Generated Certificate"
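The following script is an added example, not code from the thread, from the linked PR or from Home Assistant. It generates a self-signed certificate that meets the iOS 13 / macOS 10.15 rules quoted earlier in the thread (name carried in subjectAltName, serverAuth EKU, SHA-256, RSA of at least 2048 bits, validity of at most 825 days), and then verifies each rule with openssl itself, so a bad certificate is caught on the server instead of as "the certificate for this server is invalid" on the phone. It also builds a CN-only certificate, the way the command at the top of the thread does, to show what the check rejects. It assumes openssl 1.1.1 or newer on PATH; HOST and IP are placeholder values to replace with your own.

```shell
#!/bin/sh
# Added example, not code from the thread or from Home Assistant: generate a
# self-signed certificate that meets the iOS 13 / macOS 10.15 server-cert rules
# and verify every rule with openssl itself.
# Assumptions: openssl 1.1.1+ on PATH; HOST and IP are placeholder values.
set -eu

HOST="hassio.local"          # placeholder: the name the app will connect to
IP="192.168.1.4"             # placeholder: LAN IP, which belongs in an IP: SAN
DAYS=825                     # Apple's maximum validity for server certificates
WORK="${TMPDIR:-/tmp}/ios13-cert.$$"

# Certificate the iOS 13 way: names in subjectAltName, serverAuth EKU.
# Prints the path of the certificate.
gen_san_cert() {
    mkdir -p "$WORK"
    cat > "$WORK/san.cnf" <<EOF
[ req ]
default_md         = sha256
prompt             = no
distinguished_name = dn
x509_extensions    = v3_ext
[ dn ]
CN = $HOST
[ v3_ext ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, digitalSignature, keyEncipherment, keyCertSign
extendedKeyUsage       = serverAuth
subjectAltName         = DNS:$HOST, IP:$IP
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$DAYS" \
        -config "$WORK/san.cnf" -keyout "$WORK/san.key" -out "$WORK/san.pem" \
        2>/dev/null
    echo "$WORK/san.pem"
}

# Certificate the pre-iOS 13 way (CN only, no extensions), like the command at
# the top of the thread; used to show what the check rejects.
gen_cn_only_cert() {
    mkdir -p "$WORK"
    printf '[ req ]\ndefault_md = sha256\nprompt = no\ndistinguished_name = dn\n[ dn ]\nCN = %s\n' \
        "$HOST" > "$WORK/cn.cnf"
    openssl req -x509 -newkey rsa:4096 -nodes -sha256 -days 730 \
        -config "$WORK/cn.cnf" -keyout "$WORK/cn.key" -out "$WORK/cn.pem" \
        2>/dev/null
    echo "$WORK/cn.pem"
}

# Returns 0 when the certificate meets the iOS 13 rules, 1 otherwise,
# printing one line per failed rule.
check_ios13_cert() {
    cert="$1"
    text=$(openssl x509 -in "$cert" -noout -text)
    fails=0
    # Rule 1: the names must be in subjectAltName; the CN is no longer consulted
    echo "$text" | grep -q "DNS:$HOST" || { echo "FAIL: no DNS SAN for $HOST"; fails=1; }
    echo "$text" | grep -q "IP Address:$IP" || { echo "FAIL: no IP SAN for $IP"; fails=1; }
    # Rule 2: extendedKeyUsage must include serverAuth
    echo "$text" | grep -q "TLS Web Server Authentication" || { echo "FAIL: no serverAuth EKU"; fails=1; }
    # Rule 3: SHA-2 signature
    echo "$text" | grep -q "Signature Algorithm: sha256WithRSAEncryption" || { echo "FAIL: not SHA-256"; fails=1; }
    # Rule 4: RSA key of at least 2048 bits
    bits=$(echo "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    [ "${bits:-0}" -ge 2048 ] || { echo "FAIL: key is ${bits:-?} bits"; fails=1; }
    # Rule 5: validity of at most 825 days. -checkend exits 0 when the cert is
    # still valid N seconds from now, i.e. when it lasts longer than allowed.
    if openssl x509 -in "$cert" -noout -checkend $(( (DAYS + 1) * 86400 )) >/dev/null; then
        echo "FAIL: validity longer than $DAYS days"; fails=1
    fi
    return $fails
}

# Stand-alone run: build the SAN certificate and check it.
cert=$(gen_san_cert)
check_ios13_cert "$cert" && echo "OK: $cert meets the iOS 13 rules"
```

To use it for a real install, set HOST and IP to the name and address the app connects with, point Home Assistant's ssl_certificate and ssl_key at san.pem and san.key, and install san.pem on the phone; the certificate still has to be marked as fully trusted on the device after installation. The check is deliberately run against the PEM file rather than the config, because it is the issued certificate, not the config, that iOS evaluates.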

Thanks for this! What was the openssl command you gave on the command line to generate the certificate and key? I’ve used:

$ openssl req -sha256 -newkey rsa:4096 -nodes -config server-selfsigned-CA.cnf -keyout privkey.pem -x509 -days 730 -out certificate.pem

I changed the entries for subjectAltName appropriately for my own server, ie:

subjectAltName = IP:192.168.1.100, DNS:myserver.duckdns.org

… but I’m still getting an SSL error from the iOS app after Airdropping the .pem file and installing the profile.

Thanks for any help you can provide!

Found my problem. I didn’t do this:

settings / general / about / scroll down to "certificate trust settings" and enable your new certificate

Works great now!


Glad you got it figured out! I make no promises for some/all of the settings in the above config, but I know it works :)

My PR has also been merged into the docs to hopefully help people in the future. It was definitely a doozy to figure out what was going on!


Do you have to manually install the certificate in iOS periodically? I want to set up SSL, but this seems like a pain for the time being…