IOS App Authentication Error

IPv6 is part of every modern OS and it tries very hard to autoconfigure. If the ISP does not support IPv6 or changes addresses dynamically this can lead to a state where a machine believes it has IPv6 and thus fails to connect anywhere.

By now the default in most network applications is to try IPv6 first - the problem is that not everything falls back to IPv4. It’s outside our control as home-assistant.io needs to support both obviously.

The only IPv6 enabled on my network are link-local addresses which (auto-enabled by most linux distros). Therefore, I don’t allow AAAA resolution on my DNS servers. Just because there’s a link-local address doesn’t mean the application should be trying to use IPv6 for WAN connections, link-local addresses are L2 only.

Well if you know how to do dns filtering for your network you should not have any issues here :wink:

@switchtower,
I also am running Home Assistant on a Mac, no virtual machines, just a simple single use setup. Ive been struggling to get this to work. Ver 1.5 worked flawlessly, the two days ago 2.0 appeared on my mobile devices. I have read literally dozens of posts of folks have a similar issue albeit on slightly different instal platforms. You are one on the few who is on a Mac like me, so I was hoping you may have come across a solution.

@everyoneelse
For the sake of completeness here is the error I see in my log:

2019-11-29 10:12:23 ERROR (MainThread) [homeassistant.components.auth.indieauth] SSL error while looking up redirect_uri https://home-assistant.io/iOS
2019-11-29 10:12:23 WARNING (MainThread) [homeassistant.components.http.ban] Login attempt or request with invalid authentication from 192.168.1.xxx

I am on a Ubiquiti network with IPv6 OFF.
My config looks like this (in its entirety):

homeassistant:
  # Name of the location where Home Assistant is running
  name: HA-iMac
  # Location required to calculate the time the sun rises and sets
  latitude: !secret latitude
  longitude: !secret longitude
  # Impacts weather/sunrise data (altitude above sea level in meters)
  elevation: 4.3
  # metric for Metric, imperial for Imperial
  unit_system: imperial
  # Pick yours from here:
  # http://en.wikipedia.org/wiki/List_of_tz_database_time_zones
  customize: !include customize.yaml
  time_zone: !secret timezone
#
#  ---------------
    - type: homeassistant
    - type: legacy_api_password
      api_password: !secret api_password
    - type: trusted_networks
      trusted_networks:
      - !secret trusted_network1
      - !secret trusted_network2
      - !secret external_ip
#  ---------------
# Enables Breaking Changes Sensor (>0.96)
breaking_changes:
#  ---------------
# Enables configuration UI
config:
#  ---------------
# configures a default set of integrations for Home Assistant to load
default_config:
# https://www.home-assistant.io/integrations/default_config/
#  ---------------
# Discover and automatically configure zeroconf/mDNS and uPnP devices
discovery:
  ignore:
    - apple_tv
    - roku
    - sonos
#  ---------------
# Enables the frontend
frontend:
  javascript_version: latest
  themes: !include_dir_merge_named themes
#  ---------------
# Enables support for IOS
#ios:
# see Include section below!
#  ---------------
# Enables support for tracking state changes over time
logbook:
#  ---------------
# https://www.home-assistant.io/components/logger/
logger:
  default: info
#  ---------------
# Lovelace configuration via YAML
lovelace:
  mode: yaml
#  ---------------
# Enables a map showing the location of tracked devices
map:
#  ---------------
# Allows Home Assistant mobile apps to easily integrate with Home Assistant.
mobile_app:
#  ---------------
# Enables lovelace momentary switches
momentary:
#  ---------------
# Enable Person component
person:
#  ---------------
# Enable Python scripts
#python_script:
#  ---------------
# Track the sun
sun:
#  ---------------
# System Health component
system_health:
#  ---------------
# Text to speech
tts:
  - platform: google_translate
    service_name: google_say
# Text to speech
#  ---------------
# Checks for available updates
updater:
  # Optional, allows Home Assistant developers to focus on popular components.
  include_used_components: true
#  ---------------
#
# Included files
alarm_control_panel: !include includes/alarm_cp.yaml
automation: !include_dir_merge_list automations
binary_sensor: !include includes/binary_sensors.yaml
camera: !include_dir_merge_list cameras
device_tracker: !include includes/device_trackers.yaml
group: !include_dir_merge_named groups
history: !include includes/history_cfgs.yaml
ios: !include includes/ios_cfg.yaml
##http: !include includes/http_cfgs.yaml
input_boolean: !include includes/input_booleans.yaml
input_datetime: !include includes/input_datetimes.yaml
input_number: !include includes/input_numbers.yaml
input_select: !include includes/input_selects.yaml
input_text: !include includes/input_texts.yaml
light: !include includes/lights.yaml
media_player: !include includes/media_players.yaml
mqtt: !include includes/mqtt_cfgs.yaml
notify: !include_dir_merge_list notify
proximity: !include includes/proximity.yaml
recorder: !include includes/recorders.yaml
scene: !include_dir_list scenes
script: !include_dir_merge_named scripts
sensor: !include_dir_merge_list sensors
switch: !include includes/switches.yaml
weblink: !include includes/weblinks.yaml
zone: !include includes/zones.yaml
#
# ******************************************************************************
#    Additional Components - alphabetically listed
#*******************************************************************************
#  ---------------
# Alexa Media Player
# https://github.com/keatontaylor/custom_components/wiki/Configuration
# https://github.com/keatontaylor/custom_components/tree/master/alexa_media
alexa_media:
  accounts:
    - email: !secret alexa_email
      password: !secret alexa_pw
      url: amazon.com
#
#  ---------------
# Enable Home Assistant Community Store
hacs:
  token: !secret githubtoken1
  appdaemon: True
  # Enable tracking of AppDaemon apps.
  python_script: True
  # Enable tracking of python scripts.
  theme: True
  # Enable tracking of themes.
#
#  ---------------
# Own Tracks
owntracks:
  max_gps_accuracy: 50
  events_only: false
#  waypoints: true
#
#  ---------------
# Rachio Irrigation Control
rachio:
  api_key: !secret rachio_api_key
#
#  ---------------
# Roku TV
roku:
  host: !secret roku_url
#
#  ---------------
# Sleep IQ Bed
sleepiq:
  username: !secret sleepiq_un
  password: !secret sleepiq_pw
#
#  ---------------
# Vera Setup
vera:
  vera_controller_url: !secret vera_url
  # Optional to exclude devices - this is a list of vera device ids
  exclude: [ 7, 13, 14, 47, 57, 86, 87, 109, 110, 133, 134, 135, 136, 140, 147, 155, 172, 174, 176, 178, 180, 182, 189, 205]
  # Optional to import switches as lights - this is a list of vera device ids
  lights: [25, 26, 27, 29, 40, 44, 46, 48, 49, 52, 53, 62, 92, 93, 94, 95, 105, 106, 115, 123, 124, 126, 201, 202, 203, 204, 213, 222, 224, 225, 242]
#
#  ---------------
# Weather - Dark Sky Weather
weather:
  - platform: darksky
    mode: daily
    api_key: !secret darksky_api_key

I believe I have all the necessary parts and pieces in my Config file. I have restarted HA several times.

I’ve seen the thread about previous beta testers. I was not one, so no beta versions ever installed. 1.5 to 2.0 directly.

I’ve also seen the thread about installs on Mac with the certifi issue. I checked my python directories and see the certifi is there.

At this point I’m at a total loss. There are lots of install variations and some answers seem specific to a RPi3/4 install and therefore not relevant while others are for docker/VM installs.

Anyone with success in getting 2.0 the run with HA installed on a Mac, I’d love to know what you did to make it work. If you spot either an omission or an improper setup in my Config, please let me know.

I too am at a total loss as for what to do next. I love HA and what it can do but this is a very frustrating setback.

Apologies for such a long post but wanted to be as complete as possible for anyone who may read it through.

1 Like

Have you actually run certifi or did you just check if the file exists? I am 100% sure you missed a step there. If possible reinstall python from python.org. I literally spent two days during the beta trying to reproduce your error including getting a mac to test.

@olbjan,
Yes, I did run certifi and it responded with the path to the .pem file. I don’t think I need to paste that path anywhere but I may be wrong. I will try to reinstall python tonight. Can you give me an idea of what you think I missed? I really don’t remember anything out of the ordinary when I installed it months ago, but if you have any suggestions I would certainly appreciate them. I would not want to miss something two times in a row. :wink:
Thank you. I appreciate your quick response.

The error is clear: the root certificates must be missing.

I don’t remember my exact steps (reproducing this was months ago) but it was fixed for the person that ran into it by a reinstall of python.

I remember the hint about adding certs in the macos installer was easy to overlook, which is how I reproduced it at first…

I’m not sure what you mean. Disabling link-local IPv6 is a silly solution to a problem that probably shouldn’t exist. Let’s see if enabling AAAA resolution helps, I can live with that.

@ olbjan,
I did a full re-install of the latest version of Python (now 3.8) and was very careful to document each step. I did see the notification about downloading the certificate from certifi. Yes, I probably did miss it last time, but even after making sure each step was completed I still get the same error in the mobile app. Screenshots below show the completion of Python install and the selected “install certificates.command” just after double-clicking it.

The response I got back was:

Last login: Sat Nov 30 20:59:50 on ttys000

HA-iMac:~ artdavis$ /Applications/Python\ 3.8/Install\ Certificates.command ; exit;
 -- pip install --upgrade certifi

Requirement already up-to-date: certifi in /Library/Frameworks/Python.framework/Versions/3.8/lib/python3.8/site-packages (2019.11.28)

WARNING: You are using pip version 19.2.3, however version 19.3.1 is available.

You should consider upgrading via the 'pip install --upgrade pip' command.
 -- removing any existing file or link
 -- creating symlink to certifi certificate bundle
 -- setting permissions
 -- update complete
logout
Saving session...
...copying shared history...
...saving history...truncating history files...
...completed.

[Process completed]
  • Note on above response. I had this copied to my clipboard but lost it during the full restart after Python install. Ran it again and got the “requirement up to date” line followed by the same response from the first time, showing the completed task.
    So currently I have reinstalled Python and verified that I did the install certificate step, reboot the Mac, restarted Home Assistant 3 times and tried to log in with the mobile app after each restart of HA. Still the same error.


    Hit continue. Get this error:

Any additional thoughts or ideas? I’d really hate to have to abandon the mobile app but Im at a loss.
Thank you for you help so far and I hope we can get this solved.
Art

I’ll take a shot at reproducing on Monday when I have access to a Mac again.

Hope you can hang onthat long :wink:

@olbjan,
Any luck trying to reproduce the error I described several days ago? Despite all my efforts, I still can not get 2.0 to allow me to log in. Thanks again for al your help so far.
Art

Hi all. I’m new here and first off all i desire thank all for the grat job that can bring me at this point, i can know better HA with all the great post on this community.
I’m affected to this problem too.
My installtion is a CentOs 7 Virtual Machine and Home Assistant 0.103.3 up and running. All works good.
I use IOS App in my previous Hassio installation. Now, i change to Home Assistant, update the Home Assistant version ad UPDATE THE IOS APP.
From my first try in connect IOS App with Home Assistant i exprinced the first error:

OS error while looking up redirect_uri https://home-assistant.io/iOS: **Network is unreachable**

Read in all tread, i completely disable IPV6 on my CentOs virtual machine.
Now my machine not have IPV6 available.
But i still not able to connect with IOS App … but the error change:

OS error while looking up redirect_uri https://home-assistant.io/iOS: **Address family not supported by protocol**

If i try ping i can reach it:

# ping home-assistant.io
PING home-assistant.io (104.25.25.31) 56(84) bytes of data.
64 bytes from 104.25.25.31 (104.25.25.31): icmp_seq=1 ttl=55 time=12.5 ms
64 bytes from 104.25.25.31 (104.25.25.31): icmp_seq=2 ttl=55 time=12.5 ms
64 bytes from 104.25.25.31 (104.25.25.31): icmp_seq=3 ttl=55 time=12.5 ms
64 bytes from 104.25.25.31 (104.25.25.31): icmp_seq=4 ttl=55 time=12.2 ms

So … in your opinion why Home Assistant try to reach with “an address not supported by the protocol”?
At this point i not think that is a “Machine IP Layer problem” … in my machine Only IPV4 now is enabled and IPV4 address is reacheable.
Have any suggest?
Thanks all and have a Good New Year!!!
Mauro.

It’s quite likely you either missed something about turning IPv6 off - which unfortunately is rather hard to do - or you may have other broken dependencies on your install.

Unfortunately it’s rather hard to help with this because of the multitude of different ways one can install linux…

But as you’re already running a vm - why not use hassos inside a vm? Saves a lot of headache as all dependencies are managed for you.

On the other hand network is unreachable sure is a new error and you may want to take a look at possible firewall rules keeping your ha from communicating with the outside world.

I installed the 2.0 version on my iPhone this morning. It has this same connection problem. Fortunately, I still have the 1.5.x app, and it is connected and working.

Hardware: Intel NUC7i3BNK - Core i3 8GB RAM, 512GB NVME m.2 SSD
Operating system: Debian Buster 10.x w/AppArmor and Docker-CE
Home Assistant flavor: hass.io
Home Assistant version: 0.103.6

I suspect I’ll need to setup the new app while at home on my LAN, instead of trying to hit it from the wild and woolly internet/WAN.

EDIT: Yup, initializing/setting up the app on my LAN worked like a champ. :slight_smile:

Hi,
Were you able to solve this problem ? I am having the exact same issue.

I solved this. It was ipv6 issue. If you have not played around wiht ipv6 defaults (like me) I just had to reboot the modem, router and haas in that order and it worked.

1 Like

Glad you got it fixed and apologies for a delayed response.

Hi there,

I have had the very same problem with logging into my Hass from both iPhone and Android. It worked fine using Safari or Firefox on my iPhone, but using the App was a no-go.

My situation:
Running Hass (NOT Hassio) on a MacBook Pro osX Catalina in a Python virtualenv, I followed the instructions from the link below just for clarity:

(Have to me nation, I’ve runed Hass previously on Linux (which physically died) and then in Docker on Mac, but 2 million issues later I’m here where I am)

The issue I had was the annoying error message on the phone ”Error invalid client id or redirect uri”. I just could not get it to login.

I’ve struggled for a couple of days now, but found a solution that worked for me. I checked what Hass said in the log, and I spotted something strange about SSL… and recalled something I’ve read about Python and certificates. So I fiddled around a little, and found it.

In the last step after using the binary installation package with its Wizard for Python, it says something about installing certificates. And in that box with text, there is links… and one of them takes you to the Finder window - and I checked under ”Python 3.7” and found a ”mysterious” script called ”Install Certificates.command”. And guess what it does? It installs some certificates… and I restarted Hass - and it all worked just fine! I can now login from both my iPhone and Android phones.

Maybe this can help someone else.

Marcus

1 Like

Thanks! I’ve been struggling with certificates for days! This resolved my issue.

I have strange issue when I trying to log from IOS (safari or HA app) :frowning:
I installed SSL cert and i change password no i have this:
a) I cannot login to HA - bad password
b) I reinstall HA to new VM , I give new IP, uninstall APP on the phone, install again - bad password
c) I try to use IPAD to log in - bad password
d) I don’t have any ip v6 in my network …
In log file i have this: