Unable to access HA with custom certificates

I am running a self-signed CA at home on my pfSense and created a server certificate for my instance of home assistant. That pfSense also runs a DNS server which resolves “homeassistant.” to “10.0.0.3”. As you can see below, I put “homeassistant.”, “SUBDOMAIN.dyndns.org” and “10.0.0.3” as SANs into the server certificate. My http config in HA looks as follows:

http:
  base_url: https://homeassistant.DOMAIN:8123
  ssl_certificate: server.crt
  ssl_key: server.key
  ip_ban_enabled: True
  login_attempts_threshold: 10

When I started to write this, I wanted to post screenshots of the problem with Google Chrome but for some reason Chrome has decided to just work now. Instead, Opera now has that same problem:

I get this error without an option to proceed and skip the SSL validation. The same happens in incognito mode.

Google Chrome on Android shows that same error and Chrome on iPad shows a homeassistant logo with “Unable to connect to Home Assistant” and a retry button AFTER login! Pressing retry brings me back to that same screen.

Does anyone have an idea what could be going on there?

DNS lookup:

dig +short A homeassistant.<DOMAIN>
10.0.0.3

CA certificate:

$ openssl x509 -in ca.crt -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=CA, C=**, ST=**, L=**, O=**
        Validity
            Not Before: Jan  5 07:33:12 2020 GMT
            Not After : Jan  2 07:33:12 2030 GMT
        Subject: CN=**, C=**, ST=**, L=**, O=**
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                03:FC:71:7A:8D:FC:79:E8:A7:2D:D8:8C:A0:AE:0A:6C:4C:EC:5A:6F
            X509v3 Authority Key Identifier:
                keyid:03:FC:71:7A:8D:FC:79:E8:A7:2D:D8:8C:A0:AE:0A:6C:4C:EC:5A:6F
                DirName:/CN=CA/C=**/ST=**/L=**/O=**
                serial:00

            X509v3 Basic Constraints:
                CA:TRUE
            X509v3 Key Usage:
                Certificate Sign, CRL Sign
    Signature Algorithm: sha256WithRSAEncryption

Server certificate:

$ openssl x509 -in server.crt -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 5 (0x5)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=CA, C=**, ST=**, L=**, O=**
        Validity
            Not Before: Jan 12 14:54:30 2020 GMT
            Not After : Jan  9 14:54:30 2030 GMT
        Subject: CN=homeassistant.DOMAIN, C=**, ST=**, L=**, O=**
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
            Netscape Comment:
                OpenSSL Generated User Certificate
            X509v3 Subject Key Identifier:
                1F:92:0C:34:42:DC:42:EF:59:49:06:41:46:99:3C:6B:1F:CE:7D:BE
            X509v3 Authority Key Identifier:
                keyid:03:FC:71:7A:8D:FC:79:E8:A7:2D:D8:8C:A0:AE:0A:6C:4C:EC:5A:6F
                DirName:/CN=CA/C=**/ST=**/L=**/O=**
                serial:00

            X509v3 Extended Key Usage:
                TLS Web Client Authentication
            X509v3 Subject Alternative Name:
                DNS:homeassistant.DOMAIN, DNS:**.dyndns.org, IP Address:10.0.0.3
    Signature Algorithm: sha256WithRSAEncryption

Connecting with openssl:

➜  ~ openssl s_client -showcerts -connect 10.0.0.3:8123
CONNECTED(00000003)
depth=0 CN = homeassistant.DOMAIN, C = **, ST = **, L = **, O = **
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = homeassistant.DOMAIN, C = **, ST = **, L = **, O = **
verify error:num=26:unsupported certificate purpose
verify return:1
depth=0 CN = homeassistant.DOMAIN, C = **, ST = **, L = **, O = **
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/CN=homeassistant.DOMAIN/C=**/ST=**/L=**/O=**
   i:/CN=CA/C=**/ST=**/L=**/O=**
-----BEGIN CERTIFICATE-----
(PEM body omitted)
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=homeassistant.DOMAIN/C=**/ST=**/L=**/O=**
issuer=/CN=CA/C=**/ST=**/L=**/O=**
---
No client certificate CA names sent
Server Temp Key: ECDH, X25519, 253 bits
---
SSL handshake has read 2071 bytes and written 293 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 0BB0C465BA6052D884D5A2536843E1AC5B4A8F6549EA41E3D0F6191CD985F67D
    Session-ID-ctx:
    Master-Key: 182D7348EC4B530BB64AAE81DB96915207DC18633E6509D2C3126C991250C31D89837080B43B622FEE7E610BE88C7C06
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:

    Start Time: 1578926603
    Timeout   : 7200 (sec)
    Verify return code: 21 (unable to verify the first certificate)
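A small check that reads the `openssl x509 -text -noout` layout shown above and reports why a TLS client would refuse the leaf as a server certificate: OpenSSL's verify error 26 (unsupported certificate purpose) is what it reports when a present Extended Key Usage does not list serverAuth, and the server certificate above carries only TLS Web Client Authentication. This is an added example, not code from the post or from Home Assistant; its sample is a constructed cut-down dump modelled on the server certificate above, with SUBDOMAIN standing in for the masked dyndns label.

```python
import re

SERVER_AUTH = "TLS Web Server Authentication"

# Constructed sample in `openssl x509 -text -noout` layout, cut down to the extension
# lines the check reads; the values mirror the server certificate shown in the post.
SAMPLE_TEXT = """\
        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Client Authentication
            X509v3 Subject Alternative Name:
                DNS:homeassistant.DOMAIN, DNS:SUBDOMAIN.dyndns.org, IP Address:10.0.0.3
"""

def parse_extensions(text):
    """Map each 'X509v3 <name>:' header to the 16-space-indented value lines under it."""
    exts, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\s+X509v3 (.+?):\s*(critical)?\s*$", line)
        if m and m.group(1) != "extensions":
            current = m.group(1)
            exts[current] = []
        elif current and line.startswith(" " * 16):
            exts[current].append(line.strip())
        else:
            current = None  # any other line ends the current value block
    return exts

def match_dns(san, hostname):
    """Exact match, or a leftmost '*.' wildcard that covers exactly one label."""
    s, h = san.lower().rstrip("."), hostname.lower().rstrip(".")
    if s.startswith("*."):
        return "." in h and h.split(".", 1)[1] == s[2:]
    return s == h

def check_server_cert(text, hostname, ip=None):
    """Return the reasons a TLS client would refuse this leaf as a server certificate."""
    exts, problems = parse_extensions(text), []
    eku = ", ".join(exts.get("Extended Key Usage", []))
    if eku and SERVER_AUTH not in eku:  # no EKU means any purpose; a present EKU must list serverAuth
        problems.append(f"EKU lacks serverAuth (has: {eku})")
    entries = [e.strip() for v in exts.get("Subject Alternative Name", []) for e in v.split(",")]
    dns = [e[4:] for e in entries if e.startswith("DNS:")]
    ips = [e[len("IP Address:"):] for e in entries if e.startswith("IP Address:")]
    if not any(match_dns(s, hostname) for s in dns):
        problems.append(f"no SAN matches {hostname}")
    if ip and ip not in ips:
        problems.append(f"no IP SAN for {ip}")
    return problems
```

Run `check_server_cert(SAMPLE_TEXT, "homeassistant.DOMAIN", "10.0.0.3")` against the sample and the only finding is the EKU; a certificate issued with serverAuth in its EKU and the same SANs passes cleanly.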