Mobile App can't connect after enabling SSL

I am trying to check out Grocy add on and I had to enable SSL in order to get the camera to work on my Android. Wanted to see how it all works before I drop a few bucks on a bar code scanner. So I created a cert via OpenSSL per the instructions and added this into my conf. I can use https now via the website but the mobile app won’t connect. Wants me to check config. I am not running any DNS or anything. I just have my RPi on local network. So my connection is the 192.168.x.x:8123. I have tried https as well and still no go. I suspect I have to do something on my phone since the cert was unsigned but what? Am I supposed to manually load one of the pem files?

http:
  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem

if you are running hass.io install the DuckDNS add-on from https://www.home-assistant.io/addons/ and follow these instructions https://github.com/home-assistant/hassio-addons/tree/master/duckdns
then add on your configuration.yaml the following:

http:
  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem
  base_url: https://your-configured-domain.duckdns.org:8123

hope that helps

I have no configured domain. it is local only. intent is reach it on the 192.168.x.x ip only.

ok, so if you say that you have already the certificate ready and configuring the above config with your internal ip address, then it should be ok

I followed the instructions here. I created the self signed cert with my local IP. Copied both pem files into the ssl directory. Updated the configuration.yaml and rebooted. I can access via the browser on the https://192.168.x.x:8123.

On my Android I can open chrome, go to the address. I get the standard unsigned complaint but I can select proceed and log in. In the mobile companion app, I get error “unable to connect to home assistant” I click ok to check config. The HA URL and Internal Connect URL are https://192.168.x.x:8123. I have the Home Network WiFi SSID filled out, although mine is hidden. Not sure if that makes a difference. I am guessing that the unsigned cert is the problem and the HA app is unable to allow the exception like the browser?

What is the better option here? I want to make sure I am setting this up correctly and securely but I seem to hit these configuration road blocks at every step. Is there a good consolidated guide that discusses how to get HA set up correctly rather than having to research each component? I have started trying to put together a list of all the things I am doing so I can re-create when it goes south.

I’ve tried to reproduce your case, and it seems that I have the same problem!
once I configure only the internal IP on the app, I cannot access my hassio
I get access only with the external duckdns domain, strange!

Well glad it is not just me lol. Is the mobile app not working on https even with a domain? I thought about buying a domain so I could get a signed cert. To be honest I am not too hip on all this, which is why I was hoping for some sort of guide on setting up Hassio correctly. Install the OS, install these plugins, configure this duckdns, certs…that sort of thing.

there you go, that is the answer:

Hmm well that is quite unfortunate. I will have to look into re-configuring my network to make this all work. For now I just open chrome on my phone. Basically bypass the Companion App until I can fix it.

if you want a temporary solution using the HA mobile app, you can fill in the duckdns domain in the HA URL field and leave the rest (Home Network wifi SSID & Internal Connection URL) blank,
this way you’re making a dns query on the duckdns server asking for your HA ip, unless you configure your router with a hairpinning (or NAT loopback) configuration

I have not set up DuckDNS though. So backtracking at this point. I need to go back and configure DuckDNS and I guess set up LetsEncrypt first? Started making an install guide as I think I missed a few steps along the way.

no, just the duckdns addon, just follow the steps from my previous post
the addon does all that for you

I set up duckdns per that guide and it seems to be working now as long as I have the duckdns info in external. Adding any local information causes the app to fail to connect. So I guess it works only with the external connection using SSL. Is what it is I guess.

I can’t seem to find instructions on how to generate the certfile. Can you guide me?

Guide?? Perhaps lol. Did you create the account with duckdns, install the add on and update the config with your token and domain? From there make sure you have the privkey and fullchain pem files in your ssl folder? Are you getting any errors on the add on?? or is the problem just in the mobile app?

Just didn’t understand how to create the privkey + fullchain pem files. I’m running Hassio, so no direct access to OpenSSL.

I believe that the add on should create the files for you. Double confirm your config in the let’s encrypt add on.

Thank you!

Hi Redfish,
Thanks for pointer in right direction. I think I now have DuckDNS configured and working. Below are log files, however I really don’t want to access externally. I just wanted to add https:// to my local address. But I don’t know how to apply to my local 192.168.x.x:8123 via DuckDNS/Let’s Encrypt. Can you guide me on any config or is it supposed to happen automatically.

Net: The whole reason I want to set this up is to use Grocy add-in. Their scanning page requires https://

Thank you in Advance!

# INFO: Using main config file /data/workdir/config
+ Generating account key...
+ Registering account key with ACME server...
+ Fetching account ID...
+ Done!
[15:50:29] INFO: OK
<IP Snip>
NOCHANGE
# INFO: Using main config file /data/workdir/config
 + Creating chain cache directory /data/workdir/chains
Processing <domain>.duckdns.org
 + Creating new directory /data/letsencrypt/<domain>.duckdns.org ...
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting new certificate order from CA...
 + Received 1 authorizations URLs from the CA
 + Handling authorization for <domain>.duckdns.org
 + 1 pending challenge(s)
 + Deploying challenge tokens...
OK + Responding to challenge for <domain>.duckdns.org authorization...
 + Challenge is valid!
 + Cleaning challenge tokens...
OK + Requesting certificate...
 + Checking certificate...
 + Done!
 + Creating fullchain.pem...
 + Done!
[15:55:47] INFO: OK
<IP Snip>

So once you have https enabled, in the app you don’t use a local address. You have to always use the Home Assistant URL and leave internal connection as blank. You will always connect over the internet then. Apparently you can make some changes on the router to fix this. Essentially it tells the traffic to your URL to route locally I guess. I have not messed with this.

I enabled https for Grocy as well because I wanted the camera to scan barcodes. To be honest, it is a bit rubbish. I have ordered a barcode scanner and just waiting on delivery. Provided that works well with my little kitchen tablet, I might disable https and go back to using internal address only. I have quite the delay on my Kindle Fire 7 when trying to access and use grocy via the URL. I suspect this is due to the latency from tablet, to internet, back to HA. It is usable but pretty bad. Could be the tablet I am not sure. Before I invest in a better tablet, I will try to disable the whole internet thing and see if it speeds up.
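
Added example, not part of any post in this thread: a shell check of the two conditions a strict TLS client applies to the certificates discussed above, namely whether the address typed into the app appears in the certificate's subjectAltName and whether the issuer is a trusted anchor. The name example.duckdns.org, the address 192.168.1.10 and the two test certificates are constructed stand-ins; OpenSSL 1.1.1 or later is assumed for `-addext`.

```shell
#!/bin/sh
# Added example. Names, addresses and certificates are constructed stand-ins.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_cert <prefix> <subjectAltName>: create a self-signed test certificate
make_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=home-assistant-test" -addext "subjectAltName=$2" \
    -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# name_check <cert> <ip|host> <value>: prints "match" or "mismatch"
name_check() {
  case "$2" in
    ip) flag=-checkip ;;
    *)  flag=-checkhost ;;
  esac
  if openssl x509 -in "$1" -noout "$flag" "$3" | grep -q "does match"; then
    echo match
  else
    echo mismatch
  fi
}

# trust_check <cert> [anchor]: prints "trusted" or "untrusted"
trust_check() {
  if [ $# -ge 2 ]; then
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 && echo trusted || echo untrusted
  else
    openssl verify "$1" >/dev/null 2>&1 && echo trusted || echo untrusted
  fi
}

# Stand-in for a certificate issued for the DuckDNS name only (DNS SAN).
make_cert "$WORK/dns" "DNS:example.duckdns.org"
# Stand-in for a hand-made certificate issued for the LAN address (IP SAN).
make_cert "$WORK/lan" "IP:192.168.1.10"

echo "DNS cert, reached by name:    $(name_check "$WORK/dns.pem" host example.duckdns.org)"
echo "DNS cert, reached by LAN IP:  $(name_check "$WORK/dns.pem" ip 192.168.1.10)"
echo "LAN cert, reached by LAN IP:  $(name_check "$WORK/lan.pem" ip 192.168.1.10)"
echo "LAN cert, no anchor added:    $(trust_check "$WORK/lan.pem")"
echo "LAN cert, added as an anchor: $(trust_check "$WORK/lan.pem" "$WORK/lan.pem")"
```

To run the same checks against real files, point `name_check` and `trust_check` at `/ssl/fullchain.pem` with the exact host or IP entered in the app's URL fields.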