(iOS 14) Unable to connect to fresh HA setup ObjectMapper failed to serialize

Hi

Been using Hassio via Raspberry Pi and decided to do a fresh install on a more powerful host with containers and behind Traefik reverse proxy

Everything is working well except setting up the iOS app connection. I am running iOS 14 (18A5319i)

Two issues:

  1. Autodiscovery finds the instance, but when I choose it I get this error when it seems to try authenticating:
ObjectMapper failed to serialize response.


Edit: The picture shows 4G but tried wifi with 4G disabled with same results

  1. When I go the manual way the app crashes when I click the typebox

The app was working fine on iOS14 before I made the switch to docker.
I have re installed the app, have all permissions (location, local devices), restarted the phone
The wifi is on the same network as the host (No VLAN (yet))
I have network_mode: host enabled on docker-compose and traefik2 routes to homeassistant manually to IP:8123.
Went over the docs troubleshooting and even tried to set up Nabu Casa Cloud connection for outside connection (manually entering IP fails per problem .2)

Get the same problem with ipadOS14

Anyone know what could be the issue?

Found the problem!

Thanks to the inspiration from WhatPlantsCrave here I found the problem not in TLS version but Google Oauth.

here is my working setup for the future. Ofcourse still a work in progress and open for suggestions
(A massive shoutout to smarthomebeginner for their guides. My config is heavily based on their Traefik Oauth guide and I wouldn’t have gotten this far without them)

Running Traefik v2 in docker-compose, on a NUC machine Ubuntu Server 20.04

docker-compose.yml

version: '3.8'
services:
#? NETWORK CONTAINERS # # # # # # # # # # # # # # #
  #? Traefik Reverse Proxy
  traefik:
    container_name: traefik
    hostname: traefik
    image: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
      - t2_proxy
    ports:
      - target: 80
        published: 80
        protocol: tcp
        mode: host
      - target: 443
        published: 443
        protocol: tcp
        mode: host
      - target: 8080
        published: 8080
        protocol: tcp
        mode: host
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /etc/localtime:/etc/localtime:ro
      - $DOCKERDIR/traefik/acme/acme.json:/acme.json
      - $DOCKERDIR/traefik/shared:/shared
      - $DOCKERDIR/traefik/rules:/rules
      - $DOCKERDIR/traefik/traefik.log:/traefik.log
      - $DOCKERDIR/traefik:/etc/traefik
    environment: 
      - CF_API_EMAIL=$CLOUDFLARE_EMAIL
      - CF_API_KEY=$CLOUDFLARE_API_KEY
    labels:
      - "traefik.enable=true"
      #? HTTP-to-HTTPS Redirect
      - "traefik.http.routers.http-catchall.entrypoints=http"
      - "traefik.http.routers.http-catchall.rule=HostRegexp(`{host:.+}`)"
      - "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
      #? HTTP Routers
      - "traefik.http.routers.traefik-rtr.entrypoints=https"
      - "traefik.http.routers.traefik-rtr.rule=Host(`traefik.$DOMAINNAME`)"
      - "traefik.http.routers.traefik-rtr.tls=true"
      - "traefik.http.routers.traefik-rtr.tls.domains[0].main=$DOMAINNAME"
      - "traefik.http.routers.traefik-rtr.tls.domains[0].sans=*.$DOMAINNAME"
      #? Services - API
      - "traefik.http.routers.traefik-rtr.service=api@internal"
      #? Middlewares
      - "traefik.http.routers.traefik-rtr.middlewares=chain-oauth@file"

  #? Google OAuth - Proxy layer using Oauth 2.0
  oauth:
    container_name: oauth
    image: thomseddon/traefik-forward-auth:latest
    restart: unless-stopped
    networks:
      - t2_proxy
    security_opt:
      - no-new-privileges
    environment:
      - CLIENT_ID=$GOOGLE_CLIENT_ID
      - CLIENT_SECRET=$GOOGLE_CLIENT_SECRET
      - SECRET=$OAUTH_SECRET
      - COOKIE_DOMAIN=$DOMAINNAME
      - INSECURE_COOKIE=false
      - AUTH_HOST=oauth.$DOMAINNAME
      - URL_PATH=/_oauth
      - WHITELIST=$MY_EMAIL
      - LOG_LEVEL=info
      - LOG_FORMAT=text
      - LIFETIME=2592000 # 30 days
    labels:
      - "traefik.enable=true"
      #? HTTP Routers
      - "traefik.http.routers.oauth-rtr.entrypoints.https"
      - "traefik.http.routers.oauth-rtr.rule=Host(`oauth.$DOMAINNAME`)"
      - "traefik.http.routers.oauth-rtr.tls=true"
      #? HTTP Services
      - "traefik.http.routers.oauth-rtr.service=oauth-svc"
      - "traefik.http.services.oauth-svc.loadbalancer.server.port=$OAUTH_PORT"
      #? Middlewares
      - "traefik.http.routers.oauth-rtr.middlewares=chain-oauth@file"

#? APP CONTAINERS # # # # # # # # # # # # # # #
  homeassistant:
    container_name: homeassistant
    image: homeassistant/home-assistant:latest
    restart: always
    security_opt: 
      - no-new-privileges
    privileged: true
    network_mode: host
    ports:
      - target: 8123
        published: $HOMEASSISTANT_PORT
        protocol: tcp
        mode: host
    #devices:
    #  - /dev/ttyUSB0:/dev/ttyUSB0
    #  - /dev/ttyACM0:/dev/ttyACM0
    volumes:
      - $DOCKERDIR/homeassistant:/config
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock # For Docker Monitor https://github.com/Sanderhuisman/docker_monitor
    environment:
      - TZ=$TZ

traefik.yml (dynamic conf under $DOCKERDIR/traefik/traefik.yml)

entryPoints:
  traefik:
    address: ":8080"
  http:
    address: ":80"
  https:
    address: ":443"
    forwardedHeaders:
      trustedIPs:
        #* Allow these IPs to set the X-Forwarded-* headers - Cloudflare IPs: https://www.cloudflare.com/ips/
        - 173.245.48.0/20
        - 103.21.244.0/22
        - 103.22.200.0/22
        - 103.31.4.0/22
        - 141.101.64.0/18
        - 108.162.192.0/18
        - 190.93.240.0/20
        - 188.114.96.0/20
        - 197.234.240.0/22
        - 198.41.128.0/17
        - 162.158.0.0/15
        - 104.16.0.0/12
        - 172.64.0.0/13
        - 131.0.72.0/22


#tls:
  #options:
    #default:
      #minVersion: VersionTLS12

    #mintls13:
      #minVersion: VersionTLS13

certificatesResolvers:
  dns-cloudflare:
    acme:
      email: $CLOUDFLARE_EMAIL
      storage: /acme.json
      dnsChallenge:
        provider: cloudflare
        resolvers:
          - "1.1.1.1:53"
          - "1.0.0.1:53"

log:
  level: ERROR # (Default: error) DEBUG, INFO, WARN, ERROR, FATAL, PANIC

accessLog:
  filePath: /traefik.log
  bufferingSize: 100 # A buffer of 100 lines
  filters:
    statusCodes:
      - "400-499"
api:
  dashboard: true

ping: {}

finally the middlewares.yml and middleware-chain.yml under $DOCKERDIR/traefik/rules

http:
  middlewares:
    #? Basic Auth which uses a static login from .htpasswd file 
    middlewares-basic-auth:
      basicAuth:
        realm: "Traefik2 Basic Auth"
        usersFile: "/shared/.htpasswd"
    #? Denies request floods (DDoS and CredScan)
    middlewares-rate-limit:
      rateLimit:
        average: 100
        burst: 50
    #? Security headers for. Headers are the "shipping box" around the website that tells the browser how to handle each component
    middlewares-secure-headers:
      headers:
        accessControlAllowMethods:
          - GET
          - OPTIONS
          - PUT
        accessControlMaxAge: 100
        hostsProxyHeaders:
          - X-Forwarded-Host
        sslRedirect: true
        stsSeconds: 63072000
        stsIncludeSubdomains: true
        stsPreload: true
        forceSTSHeader: true
        customFrameOptionsValue: "allow-from https:$DOMAINNAME"
        contentTypeNosniff: true
        browserXssFilter: true
#        sslForceHost: true
#        sslHost: "$DOMAINNAME"
        referrerPolicy: "same-origin"
#      Setting contentSecurityPolicy is more secure but it can break things. Proper auth will reduce the risk.
#      the below line also breaks some apps due to 'none' - sonarr, radarr, etc.
#      contentSecurityPolicy = "frame-ancestors '*.example.com:*';object-src 'none';script-src 'none';"
        featurePolicy: "camera 'none'; geolocation 'none'; microphone 'none'; payment 'none'; usb 'none'; vr 'none';"
        customResponseHeaders:
          X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex,"
          server: ""
    #? Google Oauth authentication. 
    middlewares-oauth:
      forwardAuth:
        address: "http://oauth:4181"
        trustForwardHeader: true
        authResponseHeaders:
          - "X-Forwarded-User"
http:
  middlewares:
    chain-no-auth:
      chain:
        middlewares:
          - "middlewares-rate-limit"
          - "middlewares-secure-headers"
    chain-basic-auth:
      chain:
        middlewares:
          - "middlewares-basic-auth"
          - "middlewares-rate-limit"
          - "middlewares-secure-headers"
    chain-oauth:
      chain:
        middlewares:
          - "middlewares-rate-limit"
          - "middlewares-secure-headers"
          - "middlewares-oauth"

Anyone else receiving this error should check that their router or gateway IP is not listed in the IP ban file of the configuration. I had the exact same scenario as @gislis2, but the cause somewhat different and resolution very simple: comment out or remove the IP ban address in file mentioned previously. Worked immediately after making this observation and change. Hope this helps someone else out there. Cheers!