iOS app can't connect from LAN using SSL

Hello,

I’m using Home Assistant Supervised and set up an SSL certificate with a custom host name according to the documentation. It’s a very simple setup from a technical point of view as I’m using a public-authority-issued certificate (Sectigo). There is a split-DNS setup. In the local network, the LAN IP is resolved by the local DNS server (which is not the router); from external networks, the internet DNS servers resolve the external IP address (the external host name has an underlying fixed IP, not even using DDNS).

I can connect to Home Assistant from the LAN using web browsers (Edge, Firefox, even Safari on Apple devices), but cannot connect using the official iOS app. The connection ends up in error NSURLErrorDomain -1005.

Server side setup:

Core: 2024.1.5
Supervisor: 2023.12.1
Operating System: 11.4

configuration.yaml

http:
  server_port: 54635
  login_attempts_threshold: 5
  ssl_certificate: /ssl/ha_services_maydomain_com_fullchain.pem
  ssl_key: /ssl/ha_services_mydomain_com_key.pem

Settings → System → Network

Running instance name on the local network: ha
IPv4 - Auto (Static reservation set up on the DHCP server by MAC)
IPv6 - Disabled (I’m not using IPv6 on my LAN)
Home Assistant URL Internet: https://ha.services.mydomain.com:54635
Home Assistant URL Local network: https://ha.services.mydomain.com:54635 (Auto switch disabled)

Client (app) side setup:
Both internal and external URLs set to https://ha.services.mydomain.com:54635
Tried removing one or the other, but it doesn’t change anything.

Some facts to save time:

  • iOS devices are able to connect even from the LAN using https in Safari. The SSL certificate is trusted, especially as it’s from a public authority.
  • iOS devices are able to connect from external networks even using the app; this also works.
  • I’m not using AdGuard or any similar blockers on the iOS devices, it’s all out of the box, no VPN, no corporate mobile device management either.
  • I’m not even hitting the router from the internal network, so there is nothing in the game like NAT reflection, loopback protection, etc. My DNS server is on the LAN and it’s not the router; the traffic goes through the LAN switch only, towards the local DNS server and to the Home Assistant server IP in the LAN.

Any idea on how to overcome this issue would be appreciated. The only thing which comes to my mind is that the app caches the resolved IP, therefore it’s trying to connect to the external IP even internally, but this is just guessing and I don’t really want to go into assumptions and would keep the discussion on a technical level.

Last comment: I know how to set this up using http/80 on the internal network, but I don’t want to see http in 2024 anywhere, as it’s very basic today to connect to service endpoints using SSL. If I were fine with http, I would not have opened this thread at all. Many thanks for understanding and again any help is highly welcomed.

Smells like a bug:

If I change to the IP address and ignore the cert warning (as the IP is of course not in the SAN of the cert), it works.

I’m having a similar problem. Home Assistant is obviously still working, as automations still function, but the companion app gives me a 1005 error code.
This happens both at home on my own network and from outside with UniFi Teleport, and on iPhone and iPad.
How do I log in to reset? I have access with an HDMI cable to a monitor and a USB keyboard. Is there a way to access my Google Drive this way and revert to an earlier working version?