Let's Encrypt's CA is no longer considered valid on Android versions older than 7.1.1

Posting this here as an informative thing. If you’ve got a phone or tablet running a version of Android that’s older than 7.1.1 and hosting your HA instance with a Let’s Encrypt key, you may be hitting an invalid CA error (or a generic SSL error) through either the HA companion app or Chrome. If you don’t care about why this is happening you can skip to the bottom to see possible solutions.

If I stated anything inaccurate here, feel free to provide a kind worded comment on what to correct. Thanks!

A very simplified understanding of SSL/TLS

SSL certs provide validity that a server you’re talking to is operated by the owner of the domain you entered, and TLS is the process to do that handshake and create a secure connection when all is good.

In order to serve Home Assistant securely over the internet (seeing a padlock next to the URL in a browser and no security warnings), we use SSL/TLS. From a certificate authority we acquire an SSL certificate (sometimes referred to as keys) for the (sub) domain we host off of, stick those certs into the HA config, and now when a user accesses HA the server will provide the browser/app with the cert. The browser/app will then check to make sure the cert was signed by a valid certificate authority. If it is, and the domain matches, and the cert hasn’t expired yet, the session can continue through the TLS handshake to create a secure connection between the user and the server. If any of those things don’t check out then the browser/app will throw an error.

There’s a list of certificate authorities (and their CA keys) that every OS and browser has. As time goes on these OSes and browsers have their own ways of updating those lists to check against, or they become stale due to a lack of system updates.

There is a terrible and convoluted ecosystem of certificate authorities. If you want more of an understanding of how much of a mess SSL is check out this dated but mostly still relevant talk with Jesse Burns and (the late) Peter Eckersley from the EFF about this fascinating messed up subject.

Historical context with Let’s Encrypt

SSL certs used to be expensive and a pain to get: you had to apply for them via a certificate authority and each one had a different method of verification, oftentimes requiring some manual interaction with the CA whenever you wanted to renew. Verification is important as a bad actor shouldn’t easily get an SSL cert for something like gmail.com.

Let’s Encrypt came along with a mission to make the internet more secure by providing free certs at a time when hitting websites via an HTTPS URL wasn’t as common. They also have some software you can run locally on your server that provides a means to verify you do actually own the domain you’re wanting a certificate for and simply automates the process of renewing the cert every few months. As they were a new certificate authority their CA key wasn’t distributed with most OSes/browsers, so they had to have every one of the certificates they issued be cross-signed by a more well known CA. Since 2021 Let’s Encrypt has gained lots of traction and their root CA key is everywhere, which is great.

What’s happening now

As of the beginning of February Let’s Encrypt has stopped issuing keys which are cross-signed by a third party root CA, and now issues keys signed exclusively by their own root CA certificate (which is awesome and provides more security to everyone).

Sadly what this means is that older OSes and browsers which do not have Let’s Encrypt’s root CA certificate in their trust store will start to throw errors when they hit these newer Let’s Encrypt SSL keys. This includes any version of Android prior to 7.1.1, specifically anything requiring Chrome or running as a dedicated app which uses the OS system trust store for referencing root CA keys. I was under the impression that by Android 6 there was a mechanism to auto update the trust store independently of OS upgrades, but we’re all never right about everything.

If you run HA there’s a high probability you also get your SSL cert from Let’s Encrypt, because it’s easy and awesome.

I (and I’m assuming a lot of other HA users) have a few older Android phones and tablets stuck in places to act as dedicated dashboards for HA. As of today for me they’ve all started throwing SSL errors via the companion app. Hitting my custom domain for HA with Chrome shows that it’s an error with the CA being invalid. After digging around the internet I stumbled onto the Let’s Encrypt post I linked to above.

One thing I should really emphasize here, the new certificates are still 100% good and valid and secure, it’s just that older OSes are unable to validate their CA is legit.

Possible workarounds for older Androids

Note 1, I don’t have any desires to get into technical howtos with implementing these. All of this stuff can be found by Googling around and you’re a smart beautiful human (or other living organism).

Note 2, my understanding is Nabu Casa also uses Let’s Encrypt certs for all Home Assistant Cloud remote control URLs.

Note 3, the HA Companion App has no option to ignore SSL cert errors.

I’ve listed these from what I think is the best/easiest to worst options.

  • Browser only - Install Firefox which uses its own trust store for CA certs (that contains the newer Let’s Encrypt root CA cert). Downside is going full screen is a bit of a pain, and you won’t be able to send sensor data if that’s important to you.

  • HA app and Chrome - Manually install the Let’s Encrypt Active ISRG Root X1 Self-signed PEM (not DST Root X3) into the Android Credential Storage. The downside to this is you’re required to set up a screen lock to add custom trusted CA certs.

  • HA app and Chrome - Get an SSL cert for your HA instance from an older CA. This can be an annoying and expensive process.

  • HA app and Chrome - Upgrade your device to something with a newer version of Android.

  • Browser only - Skip past/ignore the SSL error in Chrome (major warning, ignoring SSL errors makes you susceptible to man in the middle attacks, Google that up and understand the risks). Downside is going full screen is a bit of a pain, and you won’t be able to send sensor data if that’s important to you.

  • HA app and Chrome - Set up your own internal certificate authority, provide the CA cert pem to Android, and then issue certificates to yourself. Again you’ll have to deal with a screen lock, but more importantly this is a lot of work if you’re unfamiliar with pretty much everything I’ve written up in this post. You will also need to pass the new CA cert pem to every other device that you ever plan on having talk with HA (including any IoT things expecting to hit the HTTPS URL of HA). Basically this is a terrible idea.

If there are other workarounds people want to list here I’m happy to update this post.

Again if I stated anything inaccurate here, feel free to provide a kind worded comment on what to correct. Thanks!
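To make the trust store point concrete, here is an added worked example (not code from the post above, from Home Assistant, or from Let’s Encrypt) that builds a toy PKI with the `cryptography` library and walks a certificate chain the way the post describes: hostname match, validity period, and a signature path that must end at a root the client already trusts. The CA names (`Toy Root X1`, `Toy Legacy Root`, `Toy R3`), the hostname `ha.example.invalid`, and the fixed clock are all constructed stand-ins for ISRG Root X1, DST Root X3, R3 and a real HA domain. The same leaf certificate validates against an up-to-date store, fails against a store that only knows the legacy root (the Android < 7.1.1 situation once cross-signing stops), validates again if a cross-signed intermediate is still in the chain, and validates once the new root is added to the old store (the manual ISRG Root X1 install workaround).

```python
"""Toy X.509 chain validation: the same leaf cert passes or fails depending
only on which roots the client's trust store contains (constructed example)."""
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)  # constructed "current" time


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def make_cert(subject_cn, subject_key, issuer_cn, issuer_key, is_ca, days, san=None):
    """Issue a cert for subject_key signed by issuer_key (toy PKI, ECDSA P-256)."""
    builder = (
        x509.CertificateBuilder()
        .subject_name(_name(subject_cn))
        .issuer_name(_name(issuer_cn))
        .public_key(subject_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(NOW - timedelta(days=1))
        .not_valid_after(NOW + timedelta(days=days))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
    )
    if san:
        builder = builder.add_extension(
            x509.SubjectAlternativeName([x509.DNSName(san)]), critical=False)
    return builder.sign(issuer_key, hashes.SHA256())


def _validity(cert):
    if hasattr(cert, "not_valid_before_utc"):  # cryptography >= 42
        return cert.not_valid_before_utc, cert.not_valid_after_utc
    return (cert.not_valid_before.replace(tzinfo=timezone.utc),
            cert.not_valid_after.replace(tzinfo=timezone.utc))


def _signed_by(cert, issuer):
    """True if issuer's public key verifies cert's signature."""
    try:
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False


def _build_path(cert, intermediates, trust_store, now, depth=0):
    """Follow issuer links until a cert is signed directly by a root in trust_store."""
    if depth > 5:
        return False, "chain too long"
    not_before, not_after = _validity(cert)
    if not (not_before <= now <= not_after):
        return False, f"{cert.subject.rfc4514_string()} expired or not yet valid"
    # A root is only ever taken from the client's own store, never from the server.
    for root in trust_store:
        if root.subject == cert.issuer and _signed_by(cert, root):
            return True, f"chains to trusted root {root.subject.rfc4514_string()}"
    # Otherwise try every matching intermediate the server sent (there may be
    # both a modern and a cross-signed copy of the same intermediate).
    reason = f"unknown CA: no trusted issuer for {cert.issuer.rfc4514_string()}"
    for parent in intermediates:
        if parent.subject == cert.issuer and _signed_by(cert, parent):
            ok, reason = _build_path(parent, intermediates, trust_store, now, depth + 1)
            if ok:
                return ok, reason
    return False, reason


def validate_chain(leaf, intermediates, trust_store, hostname, now=NOW):
    """Return (ok, reason) for the checks the post lists: hostname, expiry, trusted signer."""
    san = leaf.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    if hostname not in san.get_values_for_type(x509.DNSName):
        return False, "hostname mismatch"
    return _build_path(leaf, intermediates, trust_store, now)


def build_demo():
    """Constructed stand-ins for ISRG Root X1, DST Root X3, R3 and an HA leaf cert."""
    root_key, legacy_key, inter_key, leaf_key = (
        ec.generate_private_key(ec.SECP256R1()) for _ in range(4))
    root = make_cert("Toy Root X1", root_key, "Toy Root X1", root_key, True, 3650)
    legacy = make_cert("Toy Legacy Root", legacy_key, "Toy Legacy Root", legacy_key, True, 3650)
    r3 = make_cert("Toy R3", inter_key, "Toy Root X1", root_key, True, 1825)
    r3_cross = make_cert("Toy R3", inter_key, "Toy Legacy Root", legacy_key, True, 1825)
    leaf = make_cert("ha.example.invalid", leaf_key, "Toy R3", inter_key, False, 90,
                     san="ha.example.invalid")
    return {"root": root, "legacy": legacy, "r3": r3, "r3_cross": r3_cross, "leaf": leaf}


def run_scenarios(pki=None):
    pki = pki or build_demo()
    host = "ha.example.invalid"
    modern_chain = [pki["r3"]]                       # what the server sends today
    cross_signed_chain = [pki["r3"], pki["r3_cross"]]  # what it sent while cross-signing
    new_store = [pki["root"]]                        # up-to-date OS
    old_store = [pki["legacy"]]                      # stale store: only the legacy root
    patched_store = old_store + [pki["root"]]        # old OS after manually adding the root
    return {
        "new_os_modern_chain": validate_chain(pki["leaf"], modern_chain, new_store, host)[0],
        "old_os_modern_chain": validate_chain(pki["leaf"], modern_chain, old_store, host)[0],
        "old_os_cross_signed_chain": validate_chain(pki["leaf"], cross_signed_chain, old_store, host)[0],
        "old_os_root_added": validate_chain(pki["leaf"], modern_chain, patched_store, host)[0],
    }


if __name__ == "__main__":
    for scenario, ok in run_scenarios().items():
        print(f"{scenario}: {'OK' if ok else 'SSL error'}")
```

The leaf cert and the server's private key never change between scenarios; only the client-side store does, which is why the post stresses that the newer certificates are still perfectly valid. Note the validator deliberately ignores any root the server might include in the chain: a trust anchor has to come from the device, which is exactly why the workaround is to add ISRG Root X1 to the Android credential storage rather than to change anything on the HA side.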


Thank you for this guide. Solved my problem.