IoT Subnet Not Accessing HA

I have created a subnet for IoT devices that only need to talk to HA. The firewall rules seem to be correct: IoT subnet devices can access HA on the LAN, HA can access IoT subnet devices, IoT subnet devices can access the local DNS on port 53, and IoT devices cannot access any other zones (not even the Internet). I connected my laptop to the IoT network, and when I enter the HA URL, I get a message with the HA logo saying “Unable to Connect to Home Assistant”. One of my thoughts was that the browser can’t access the CA server on the Internet, but the certificate is noted as valid, so I don’t think that is it. Any thoughts on what my issue could be?

Do the devices need to connect to HA?

Usually it is HA that connects to the device.
Cameras
Light switch
Relays

Only media players are 2-way, and they don’t talk to HA; they connect to media servers for content.

I block out from IOT and allow in from HA server

My guess is your firewall rules are faulty.
And regarding certificates, you need to make sure your devices do not try to retrieve revocation lists and make other checks against the certificate chain.
You might also need to make sure that the devices have the correct date and time and maybe can request updates from time services.
Encryption will typically fail if the difference is too big, because the parties in the encrypted connection will take it as a replay attack attempt.

I think you are correct for most devices, but I am working on setting up a tablet as a control panel. I don’t want it to have access to the Internet, just dashboards I create on HA.

What are you using for your firewall? (Seems like a firewall issue)

SonicWall TZ270. I am not sure the firewall is the issue. The device is touching the HA server on port 8123. I am just getting the HA logo and a message that it cannot connect and a countdown to try again.

Possibly, but the device IS touching the HA server, so I am not sure that is the case.

I am not following you on that, but these are new certificates, so I don’t think revocation is an issue at this point.

The time on the devices was populated from the Internet and matches.

Using reverse proxy?

Using app, browser or both?

Try connecting from that VLAN with a laptop and check with a PC browser.

No

Currently, I am using a laptop browser to test configurations.

Your observation of a HA screen that says it cannot load the data and you have to retry does not necessarily mean you have contact with the server.
This will also happen if you open the companion app and try to access the server already listed, or if you use the browser and have cached info from a previous session.

Even new certificates get revoked, and if it is configured, then all certificates will be looked up at the CAs.
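An added diagnostic (not from this thread or from Home Assistant) that runs, from a laptop on the IoT VLAN, the checks raised in the replies above: DNS, TCP to port 8123, the TLS handshake, the local clock against the certificate's validity window, and the CRL/OCSP hosts the certificate references (hosts a strict client would try to reach and the IoT rules would block). The hostname `homeassistant.local` is a placeholder; the certificate dicts are in the shape `ssl.SSLSocket.getpeercert()` returns.

```python
"""Layer-by-layer check for HA's "Unable to connect" page from a
locked-down IoT VLAN. Stops at the first failing layer so the result
says whether DNS, TCP, TLS or the clock is the problem."""
import socket
import ssl
from urllib.parse import urlsplit


def revocation_hosts(cert: dict) -> set[str]:
    """Hosts a client may contact for CRL/OCSP revocation checks.
    `cert` is the dict shape returned by ssl.SSLSocket.getpeercert()."""
    urls = list(cert.get("OCSP", ())) + list(cert.get("crlDistributionPoints", ()))
    return {urlsplit(u).hostname for u in urls if urlsplit(u).hostname}


def clock_within_validity(cert: dict, now_ts: float) -> bool:
    """True if the epoch time `now_ts` lies inside notBefore..notAfter.
    A device whose clock is outside this window fails the handshake."""
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return not_before <= now_ts <= not_after


def diagnose(host: str, port: int = 8123, timeout: float = 5.0) -> dict:
    """Resolve, connect, handshake; record where the chain breaks."""
    import time
    result = {"dns": None, "tcp": False, "tls": None,
              "clock_ok": None, "revocation_hosts": set(), "error": None}
    try:
        result["dns"] = socket.gethostbyname(host)  # local DNS on 53 must answer
    except OSError as e:
        result["error"] = f"DNS: {e}"
        return result
    try:
        with socket.create_connection((result["dns"], port), timeout=timeout) as raw:
            result["tcp"] = True  # firewall allows IoT -> HA on this port
            ctx = ssl.create_default_context()
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                result["tls"] = tls.version()
                result["clock_ok"] = clock_within_validity(cert, time.time())
                result["revocation_hosts"] = revocation_hosts(cert)
    except (OSError, ssl.SSLError) as e:
        result["error"] = f"{'TLS' if result['tcp'] else 'TCP'}: {e}"
    return result


if __name__ == "__main__":
    import sys
    print(diagnose(sys.argv[1] if len(sys.argv) > 1 else "homeassistant.local"))
```

Any host listed under `revocation_hosts` that the IoT zone cannot reach is a candidate for the browser hanging on the certificate even though port 8123 itself is open.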