Not able to login with tablet [App] (SSL Handshake)

Hello, I have home assistant (latest version) running on a Raspberry Pi. So far everything works fine. I can access home assistant via duckdns. When I access the site on my phone, everything works as it should. Even if I use the app that is installed on the phone, everything works. But the App on the Tablet does not work. I can also access my Home Assistant via Google Chrome. When I try to log in via the app, I also end up on the Home assistant login page. But as soon as I try to log in, I get the error “ssl handshake failed”

# Loads default set of integrations. Do remove.
default_config:

http:
  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem
  ip_ban_enabled: true
  login_attempts_threshold: 5
automation: !include automations.yaml
script: !include scripts.yaml
scene: !include scenes.yaml

What kind of certs are they? What kind of tablet/phones? ios/android? are you connecting local only or to your duckdns?

logs from logcat would help as well. (logcat reader or adb grant the permissions to read it).

Logs from ha show anything?

Hello, it´s an let´s encrypt cert via duckdns app.

  • Android Tablet
  • i try via https://name.duckdns.org
    When i try to connect via the local ip i cant even see the login page with the app.
    It seems that the App cant find home assistant in my network. Normaly, when i start the App at the first time, HA suggest me the domain and i just can click on “next”
    But even there i have to fill it out manually

It works on every Device (iPhone, PC, Huawei Phone) via the app. Only on that Tablet it shows me that error.

There is the Log from my Duckdns Logfile:

NOCHANGE
[17:58:04] INFO: Renew certificate for domains: removed.duckdns.org and aliases: 
# INFO: Using main config file /data/workdir/config
Processing removed.duckdns.org
 + Checking domain name(s) of existing cert... unchanged.
 + Checking expire date of existing cert...
 + Valid till Nov  9 18:00:28 2022 GMT (Longer than 30 days). Skipping renew!
[18:04:08] INFO: OK

Where can i find Logcal ?

Is the time/date correct on that android tablet? logcat is the android system logs. you can access it via ‘adb’ or an app like ‘log cat viewer’ if the necessary permissions are granted. That, I think, is what you’ll really need to understand why the tablet isn’t able to connect via ssl.

The log above is the renewal. I was more asking about the home assistant logs.

time/date is correct.
i installed logcat and grat the permissions via ADB.
The Log shows me

HWPointEventFilter  do not support AFT because of no config

The Home Assistan Logs are clear

HI Lars,
I had a similar situation when using a old Android tablet that didn’t had a OS upgrade for so time (Android 4.xx)
It worked with Opera for some time but them I had to drop it … too slow.
the simptoms you are describing is almost like a browser handshacking topic

1 Like

That was exactly my next question around android versions. :slight_smile:

1 Like

Hi Miguelroma,

thanks 4 your reply. mhm that could be possible. I got an old Huawei MediaPad T3 10 with Android 7 (EMIU 5.1)
unfortunately there are no more Updates supported for this device.
And since huawei no longer gives out bootloader codes, I can’t root/flash either :roll_eyes:

If memory serves me… Older android web didn’t mind self-signed certificates. In your case, you have added the certificates directly to HA instead of using a proxy like nginx proxy manager… If you had used nginx I wonder if you could have added an additional listening port with a self-signed certificate and used it on that tablet (local only!)… Never tried it. but I’d guess it would work in a browser at a minimum and potentially in the app but not sure.

The thing is i allready can connect to home assistant via google chrome and kiosk manager. So i am able to use HA via the Tablet. I only wanted to install the app so i can add the sensor from the tablet to ha

ah I misread that. I think that’s as far as you’re going to get on that tablet unless you can update the CAs…

android can be very picky about CA’s, the main thing is that the app is unable to solve any SSL errors.

Google has some tips for users: Security with HTTPS and SSL  |  Android Developers

there are just 2 solutions.

  • install the ca on the tablet via ADB → need root for that
  • modify the app (as developer from the app) → not possible cause im not the developer

it would be so easy if huawei would give me an unluck code for the bootloader… :frowning:

the app already does the part where the user needs to provide their CA, check your device manual for how to do it. On a pixel you follow these steps but other devices may see something else: https://support.google.com/pixelphone/answer/2844832?hl=en

1 Like

Okay, thank you again.
i converted the CA with openssl from .pem to .crt.
Then i was able to install it over the menu from the tablet.
but nothing changed :frowning:

the error is not wrong, there is still something wrong with your certificate, consider generating a new one or using a different provider

Thanks to all the HA developers -this is a wonderful product.

But why is this still a problem? I have exactly the same issue as the OP had. I have a working HA instance accessible from outside my network over HTTPS (I use my own domain name, Cloudflare for access and LetsEncrypt for the cert) .

On my Android phone both Google Chrome and Midori give me access over my External URL https://obscured:8443

İf the phone’s browsers have no problem, in that they have no SSL Handshake errors, then why does the HA app?

The whole point of the app is to make things more convenient for the user, not less convenient, ie only works without SSL, eg when on home network.

İt’s a problem for me because I’m not getting notifications to the app when away from home - so I hope the developers fix the app.

Maybe there is a “don’t exit on SSL handshake errors” option?

SSL issues are not one the app will solve, the app will only work with valid SSL certificates. Android is also picky to the point where each device has a different CA that it trusts. Some users need to regenerate using a different so their device will like it. Nothing the app can do here.

See official android documentation regarding SSL
https://developer.android.com/training/articles/security-ssl#CommonProblems

Settings > Companion App > show and share logs

Look at the actual SSL handshake issue and compare it to the ones in the link up above to understand how to solve your SSL issue.

This is not a fair test as browsers do not make API calls like the app does, which is where the SSL handshake issue comes from.

Browsers allow users to bypass SSL errors and that is not going to be possible in the app.

I have the same problem as other users. It started to appear when I enabled Cloudflared tunnel.
I had companion app working via nabu-casa and then I’ve switched to cloudflared tunnel.
The app was working fine via cloudflare (I’ve just switched HA address in app settings from nabu-casa to cloudflare url) until it has been reinstalled, after reinstallation I’m unable to connect to my HA instance. I’m getting ssl errors in companion app (on iPhone and Android) in any of below situations:

  • connecting via cloudflare tunnel (NSURLErrorDomain - 1200 Error) - tried two different approaches - one when cloudflare proxy traffic to local HA instance via HTTP and second when cloudflare tunnel proxy traffic to local HA instance via HTTPS. Results remain the same.
  • connecting locally via https. HA instance is setup locally to use letsencrypt cert, duckdns domain name resolved locally via proper dnsmasq config on EdgeRouter - working flawlessly via any browser without any errors on both Windows machine, Android phone and iPhone.
  • connecting locally via http. HA instance is setup locally without any certificate - works via any browser) on local network via local IP address (yes, you read it correctly - I’m getting SSL errors on compnion app while using http connection, which is working correctly on browsers) - NSURLErrorDomain - 1200 Error

And no - I do not allow browser to bypass ssl errors, I’ve inspected the certificate. What is interesting here - the login page loads correctly, I’m able to enter my credentials, next I’m asked for my 2fa, and after submitting this step if fails.

EDIT: disabling cloudflare addon and next restarting HA instance allowed me to connect via Companion App locally via http. So it has to be somehow related with the Cloudflare tunnel addon. After succesfull login in Companion App using this method (with cloudflare addon disbled) I was able to re-enable the cloudflare addon, update the HA url in Companion app to point to cloudflare URL and app is working just fine now. Weird.

@dshokouhi I’ve kinda dislike how you disregard users problems and reports assuming in the first step that they are wrong and for sure this is user fault. And regarding your advice of the logs review - how user should be able to get to the settings of the companion app if the app is not letting user in and therefore user is unable to get into those settings? And I don’t buy your diagnosis that SSL handshake on API calls is somehow different for app than it is for a browser, afaik app utilises the same https transfer protocol as browser does, so handshake is handled in the same way.