Struggling to get iOS app logged in after moving from Nabu Casa to reverse proxy

Hi all,

I’ve been trying to learn how to do some of the (inter-)networking aspects of my HA setup. I recently set up a reverse proxy (on my Synology NAS using the inbuilt nginx server) which now successfully serves my HA, Plex, and web server using different subdomains via https (all on port 443). The issue I’ve now come into is when trying to log on to my HA using the iOS app. If I go to https://ha.mydomain.com then I get to the HA login page and log in fine - it shows a valid and in-date SSL cert. However, if I try to add the server in the iOS app using the same https://ha.mydomain.com it throws an NSURLErrorDomain -1202 (Failed to Connect - the certificate for this server is invalid).

The iOS log gives this:

2022-01-24 18:08:28.644 [Verbose] [main] [OnboardingManualURLViewController.swift:153] connectTapped(_:) > Connect button tapped

2022-01-24 18:08:28.648 [Info] [main] [OnboardingAuth.swift:80] performPreSteps(checkPoint:authDetails:sender:) > beforeAuth

2022-01-24 18:08:28.648 [Verbose] [main] [OnboardingAuthStepConnectivity.swift:20] perform(point:) > 

2022-01-24 18:08:28.734 [Verbose] [main] [OnboardingAuthStepConnectivity.swift:28] perform(point:) > NSURLAuthenticationMethodServerTrust

2022-01-24 18:08:28.760 [Info] [main] [OnboardingAuthStepConnectivity.swift:53] perform(point:) > failure(Alamofire.AFError.sessionTaskFailed(error: Error Domain=NSURLErrorDomain 	Code=-1202 "The certificate for this server is invalid. You might be connecting to a server that is pretending to be “ha.mydomain.com”, which could put your confidential information at risk." UserInfo={NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFStreamErrorDomainKey=3, NSErrorPeerCertificateChainKey=(    
    "<cert(0x154029e00) s: *.mydomain.com i: R3>"
), NSErrorClientCertificateStateKey=0, NSErrorFailingURLKey=https://ha.mydomain.com/auth/authorize?response_type=code&client_id=https://home-assistant.io/iOS&redirect_uri=homeassistant://auth-callback, NSErrorFailingURLStringKey=https://ha.mydomain.com/auth/authorize?response_type=code&client_id=https://home-assistant.io/iOS&redirect_uri=homeassistant://auth-callback, NSUnderlyingError=0x2820f7ba0 {Error Domain=kCFErrorDomainCFNetwork Code=-1202 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, kCFStreamPropertySSLPeerTrust=<SecTrustRef: 0x281ef0aa0>, _kCFNetworkCFStreamSSLErrorOriginalValue=-9814, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9814, kCFStreamPropertySSLPeerCertificates=(
    "<cert(0x154029e00) s: *.mydomain.com i: R3>"
)}}, _NSURLErrorRelatedURLSessionTaskErrorKey=(
    "LocalDataTask <F4ED8165-427B-494C-8EFD-3D373AC30015>.<1>"
), _kCFStreamErrorCodeKey=-9814, _NSURLErrorFailingURLSessionTaskErrorKey=LocalDataTask <F4ED8165-427B-494C-8EFD-3D373AC30015>.<1>, NSURLErrorFailingURLPeerTrustErrorKey=<SecTrustRef: 0x281ef0aa0>, NSLocalizedDescription=The certificate for this server is invalid. You might be connecting to a server that is pretending to be “ha.mydomain.com”, which could put your confidential information at risk.}))
2022-01-24 18:08:28.766 [Info] [main] [OnboardingAuth.swift:70] perform(checkPoint:checks:) > OnboardingAuthStepConnectivity: rejected(HomeAssistant.OnboardingAuthError(kind: HomeAssistant.OnboardingAuthError.ErrorKind.sslUntrusted(Error Domain=NSURLErrorDomain Code=-1202 "The certificate for this server is invalid. You might be connecting to a server that is pretending to be “ha.mydomain.com”, which could put your confidential information at risk." UserInfo={NSLocalizedRecoverySuggestion=Would you like to connect to the server anyway?, _kCFStreamErrorDomainKey=3, NSErrorPeerCertificateChainKey=(
    "<cert(0x154029e00) s: *.mydomain.com i: R3>"
), NSErrorClientCertificateStateKey=0, NSErrorFailingURLKey=https://ha.mydomain.com/auth/authorize?response_type=code&client_id=https://home-assistant.io/iOS&redirect_uri=homeassistant://auth-callback, NSErrorFailingURLStringKey=https://ha.mydomain.com/auth/authorize?response_type=code&client_id=https://home-assistant.io/iOS&redirect_uri=homeassistant://auth-callback, NSUnderlyingError=0x2820f7ba0 {Error Domain=kCFErrorDomainCFNetwork Code=-1202 "(null)" UserInfo={_kCFStreamPropertySSLClientCertificateState=0, kCFStreamPropertySSLPeerTrust=<SecTrustRef: 0x281ef0aa0>, _kCFNetworkCFStreamSSLErrorOriginalValue=-9814, _kCFStreamErrorDomainKey=3, _kCFStreamErrorCodeKey=-9814, kCFStreamPropertySSLPeerCertificates=(
    "<cert(0x154029e00) s: *.mydomain.com i: R3>"
)}}, _NSURLErrorRelatedURLSessionTaskErrorKey=(
    "LocalDataTask <F4ED8165-427B-494C-8EFD-3D373AC30015>.<1>"
), _kCFStreamErrorCodeKey=-9814, _NSURLErrorFailingURLSessionTaskErrorKey=LocalDataTask <F4ED8165-427B-494C-8EFD-3D373AC30015>.<1>, NSURLErrorFailingURLPeerTrustErrorKey=<SecTrustRef: 0x281ef0aa0>, NSLocalizedDescription=The certificate for this server is invalid. You might be connecting to a server that is pretending to be “ha.mydomain.com”, which could put your confidential information at risk.}), data: nil))

2022-01-24 18:08:53.180 [Verbose] [main] [ServerManager.swift:287] serverInfoSetter(cache:keychain:identifier:encoder:notify:) > ignoring update to deleted server historic

Thanks for any help!

This should fix you up:

HTTP Integration

Specifically read under the Reverse Proxy section.

Thanks - I added the “use_x_forwarded_for” and “trusted_proxies” lines when I set up the reverse proxy. This allows me to access my server via https://ha.mydomain.com. This is set as follows:

HTTPS Request (443) → Router (443) → port forwards to NAS (443) → reverse proxy to HA (192.168.1.45:8123)

All of this works ok when I access via Chrome and shows a valid SSL cert, just not when I try to log in the iOS app…

Is the IP address you entered under trusted_proxies the same one assigned to your NAS?

Yes, I’ve got this in my config.yaml:

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 192.168.1.30

where my NAS (which hosts the proxy server) is at 192.168.1.30

iOS doesn’t like your cert. Is it self-signed?

Your url is showing in the error message you posted. Best to remove that.

Chrome is easy. iOS complains.
I still can’t log in from iOS device browsers. App is OK though. Linux/Android never an issue.

Fix this cert.

EDIT
Just remembered I never did get this resolved. I use Nabu Casa for the iOS app. I will check this again and see if I can resolve it.

Thanks - error message removed!

I’m pretty sure the cert isn’t self-signed; it’s from my hosting / domain provider. The pic below shows the info from Chrome on ha.mydomain.com.

In some ways, I’m glad you haven’t figured it out; it means I’m less likely to have missed something blindingly obvious.

iOS app works for me without Nabu. Had to verify again.

What proxy are you using?

Try checking logs there to see if it shows anything helpful

The proxy is the native nginx on the Synology NAS. I had a look at those logs, but this just shows:

2022/01/24 17:26:49 [error] 25515#25515: *66869 connect() failed (111: Connection refused) while connecting to upstream, client: 212.xxx.xxx.xxx, server: ha.mydomain.com, request: "POST /auth/token HTTP/1.1", upstream: "http://192.168.1.45:8123/auth/token", host: "ha.mydomain.com", referrer: "https://ha.mydomain.com/config/server_control"
2022/01/24 17:26:49 [error] 25515#25515: *66970 connect() failed (111: Connection refused) while connecting to upstream, client: 212.xxx.xxx.xxx, server: ha.mydomain.com, request: "GET /api/websocket HTTP/1.1", upstream: "http://192.168.1.45:8123/api/websocket", host: "ha.mydomain.com"

Where 212.xxx.xxx.xxx is the external IP for my network.


I suspect the nginx config is possibly related to your issue, so I post mine below for comparison.

Since your external IP is showing as the client, I think the specific part I add separately below is related, or at least may need to be added so the client's actual IP shows as connecting and not just, but I'm not a super expert in this, so please check carefully with the nginx docs.

        set_real_ip_from     172.17.0.0/24; # I got lazy, but this should be localhost or the host IP, I believe
        real_ip_header       X-Forwarded-For;

Location config below

    #############################################
    #                 HTTPS HASS                #
    #############################################
    server {
        listen               443 ssl http2;
        listen               [::]:443 ssl http2;
        server_name          my.hadomain.com;
        access_log           /var/log/nginx/access/ha.log;
        error_log            /var/log/nginx/error/ha.log;

        ssl_client_certificate /etc/cloudflare/cloudflare.pem;
        ssl_certificate      /etc/cloudflare/fullchain.pem;
        ssl_certificate_key  /etc/cloudflare/privkey.key;
        ssl_ciphers          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
        ssl_protocols        TLSv1.2 TLSv1.3;
        ssl_prefer_server_ciphers off;

        add_header           Permissions-Policy "interest-cohort=()";
        add_header           Strict-Transport-Security "max-age=31536000; includeSubdomains" always; 
        proxy_buffering      off;
        set_real_ip_from     172.17.0.0/24; # I got lazy, but this should be localhost or the host IP, I believe
        real_ip_header       X-Forwarded-For;

        location / {
#            proxy_pass       http://192.168.10.12:8123;
            proxy_pass          http://homeassistant_backend;
            proxy_set_header    Host $host;
            proxy_set_header    X-Forwarded-Proto   $scheme;
            proxy_intercept_errors  on;
            proxy_http_version  1.1;
            proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header    Upgrade $http_upgrade;
            proxy_set_header    Connection "Upgrade";
            proxy_set_header    X-Real-IP $remote_addr;
        }

    }

Thanks - I’ll dive into that. What is still confusing me is that the reverse proxy seems to be working correctly on the browser interface just not in the app!

Hi Wally,

I’m facing the exact same problem with a very similar configuration.
Did you finally find a way to connect with the app?

Thanks a lot!

I am also having this problem with Synology Reverse proxy. Browsers work fine, iOS App doesn’t!

The certificate in the screenshot seems to be from a personal firewall product that intercepts and fakes the SSL connection for inspection. This certificate might only be valid on the machine that you use to look at it / make the screenshot, and might not be the real certificate that nginx uses. Can you use an “uncompromised” way (for lack of a better word) to connect to nginx and see what certificate it is actually serving (or should be serving, if you find it in the configuration)?
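One way to do exactly that check, as an added example script that is not from the thread or from Home Assistant: pull the chain nginx actually serves for the SNI name with openssl and report the validity of every certificate in it. The app log's `_kCFStreamErrorCodeKey=-9814` is Apple's errSSLCertExpired, so an expired certificate somewhere in the served chain (not just the leaf) is the first thing to rule out; `fetch_chain`, `chain_report` and the use of ha.mydomain.com are this example's own assumptions, and the openssl CLI is assumed to be installed.

```shell
#!/bin/sh
# Added example, not from the thread: list every certificate in a PEM chain
# and flag the ones that have already expired. Assumes the openssl CLI.

# chain_report: read PEM from stdin, print one line per certificate
# (leaf first, the order openssl s_client -showcerts emits them):
#   <n> OK|EXPIRED subject=<...> issuer=<...> notAfter=<...>
chain_report() {
    tmp=$(mktemp -d) || return 1
    # split the stream into one file per certificate, keeping chain order;
    # only lines between BEGIN and END go to the file, so s_client's
    # separators and summary lines are dropped
    awk -v d="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/%02d.pem", d, n); inc = 1 }
        inc { print > f }
        /-----END CERTIFICATE-----/ { close(f); inc = 0 }'
    i=0
    for f in "$tmp"/*.pem; do
        [ -f "$f" ] || continue
        i=$((i + 1))
        subj=$(openssl x509 -in "$f" -noout -subject | sed 's/^subject=//')
        iss=$(openssl x509 -in "$f" -noout -issuer | sed 's/^issuer=//')
        na=$(openssl x509 -in "$f" -noout -enddate | sed 's/^notAfter=//')
        # -checkend 0 exits non-zero once notAfter is in the past
        if openssl x509 -in "$f" -noout -checkend 0 >/dev/null 2>&1; then
            st=OK
        else
            st=EXPIRED
        fi
        printf '%d %s subject=%s issuer=%s notAfter=%s\n' "$i" "$st" "$subj" "$iss" "$na"
    done
    rm -rf "$tmp"
}

# fetch_chain HOST [PORT]: dump the chain the server serves for that SNI name,
# independent of any browser cache or local TLS-inspecting software
fetch_chain() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" -showcerts \
        </dev/null 2>/dev/null
}

# usage (needs network): fetch_chain ha.mydomain.com | chain_report
```

Run it from a machine without the inspecting firewall software, and compare the subject/issuer lines with what the browser shows; any EXPIRED line in the chain is enough for iOS to reject the connection even when the leaf is fine.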