Griesi
September 20, 2019, 8:09pm
1
Hello, since I updated to iOS13, I can connect HA (98.5 or 99.2) anymore.
“the certificate for this server is invalid”
Creation of my SLL Certificate
openssl req -sha256 -newkey rsa:4096 -nodes -keyout privkey.pem -x509 -days 730 -out certificate.pem
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:BW
Locality Name (eg, city) []:City Name
Organization Name (eg, company) [Internet Widgits Pty Ltd]: HA
Organizational Unit Name (eg, section) []:M1
Common Name (e.g. server FQDN or YOUR name) []:192.168.1.4
Email Address []:[email protected]
I was also taking care off:
With iOS 12.4.1 is was working fine!
Is this my problem?
TLS server certificates must present the DNS name of the server in the Subject Alternative Name extension of the certificate. DNS names in the CommonName of a certificate are no longer trusted.
How can I add the name of the server in the Subject?
I have the same issue here! I tried several opnssl configurations but for one reason or another it is not working! Can somebody please assist?
thanks
Luca
n.e.m
November 4, 2019, 12:14pm
3
+1 having the same problem and followed the same instructions… seems odd that this error is being thrown
parabag
November 11, 2019, 9:45am
5
I think a number of people are waiting for this issue to be solved… any news?
jamgood96
November 11, 2019, 10:28pm
6
I made a PR to update documentation to address this issue (https://github.com/home-assistant/home-assistant.io/pull/11157 ). Give it a read and let me know if you end up having success!
I also left a note on another ticket that might prove helpful (HA blocked from ( iOS ) iPhone using self-signed cert )
UPDATE:
[ req ]
default_bits = 2048
default_keyfile = server-selfsigned-CA.key
default_md = sha256
default_days = 825
encrypt_key = no
distinguished_name = subject
req_extensions = req_ext
x509_extensions = x509_ext
string_mask = utf8only
prompt = no
[ subject ]
OU = Taco Bell
countryName = US
stateOrProvinceName = Taco
localityName = Bell
organizationName = Taco Bell
commonName = hassio.local
emailAddress = [email protected]
[ x509_ext ]
subjectKeyIdentifier = hash
#authorityKeyIdentifier = keyid,issuer
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:TRUE
keyUsage = critical, digitalSignature, keyEncipherment, cRLSign, keyCertSign
subjectAltName = DNS:172.31.1.200, DNS:hassio.local
extendedKeyUsage = serverAuth
[ req_ext ]
subjectKeyIdentifier = hash
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectAltName = DNS:172.31.1.200, DNS:hassio.local
nsComment = "OpenSSL Generated Certificate"
1 Like
hawkeye217
November 13, 2019, 6:04pm
7
Thanks for this! What was the openssl command you gave on the command line to generate the certificate and key? I’ve used:
$ openssl req -sha256 -newkey rsa:4096 -nodes -config server-selfsigned-CA.cnf -keyout privkey.pem -x509 -days 730 -out certificate.pem
I changed the entries for subjectAltName appropriately for my own server, ie:
subjectAltName = DNS:192.168.1.100, DNS:myserver.duckdns.org
… but I’m still getting an SSL error from the iOS app after Airdropping the .pem file and installing the profile.
Thanks for any help you can provide!
hawkeye217
November 13, 2019, 8:54pm
8
Found my problem. I didn’t do this:
settings / general / about / scroll down to "certificate trust settings" and enable your new certificate
Works great now!
1 Like
jamgood96
November 13, 2019, 10:42pm
9
Glad you got it figured out! I make no promises for some/all of the settings in the above config, but I know it works
My PR has also been merged into the docs to hopefully help people in the future. It was definitely a doozy to figure out what was going on!
1 Like
krock
March 24, 2020, 2:20am
10
Do you have to manually install the certificate in iOS periodically? I want to setup ssl but this seems like a pain in the time being…
