android: Self-signed SSL is not supported

Home Assistant Android version: 1.9.0-167

Android version: 9.1.0

Phone model: Honor 7x

Home Assistant version: 0.109.6

Last working Home Assistant release (if known): none

Description of problem:

Traceback (if applicable):


Screenshot of problem:

Additional information: Maybe add a switch to allow “not safe” certificates in the app settings? (ignore SSL errors)

About this issue

  • State: closed
  • Created 4 years ago
  • Reactions: 8
  • Comments: 22 (2 by maintainers)

Most upvoted comments

I don’t think adding a system-wide CA and potentially compromising the security of the whole system is a good solution. We don’t need to ignore SSL errors, just add an option to specify a custom certificate that will be trusted even though it is self-signed.

Great! However for all non-IT-professional users it would be great to have the option to accept the self-signed certificates as well! +1

Terribly frustrating (and I am an IT professional), it does not work no matter what: delete cache, different certificate chains, nothing.

I just use it internally, no proxy, no router. Just a direct connection in a private network with a self-signed certificate everywhere. I even tried Elkropac’s example to the last detail. New cert, HA restart… Web browsers have no problems (after accepting the warning); this app, even with the certs installed in Android, fails with "Unable to communicate with Home Assistant because of a SSL error".

The app should have an option (central or interactive), like any other HTTPS-capable app (Firefox, Chrome, curl, wget, Mosquitto, Caddy, Nginx, etc.), to bypass certificate validation. Self-signed certificates need no validation.

Hi, I solved it now by creating a local CA (certificate authority), creating local SSL keys signed by this CA and importing the CA certificate into the list of Trusted CAs on my phones:

Create SSL/CA for local usage: https://deliciousbrains.com/ssl-certificate-authority-for-local-https-development/

Add CA cert to Trusted CAs in Android: https://www.lastbreach.com/blog/importing-private-ca-certificates-in-android

This is a bit more effort but acceptable and just works.

Hi, this would really be worth a fix. I use a private VPN connection (because this is really safer than port forwarding stuff) but now I struggle with these self-signed certificates. Of course my local homeassistant box neither has a valid www-domain nor is directly connected to the internet. It would be great if there was an optional setting in the app “[x] I know what I do and would really like to accept this certificate”, hidden somewhere, where inexperienced users do not accidentally set it. I also tried manually importing the HTTP server’s SSL certificate to Android but this did not work.

Hi, the certificate has to be generated “properly”. So it has to have the subjectAltName and CA extensions. When you import it to Android, you can test it in Chrome. It should not complain.

I used this command to generate it

openssl req -new -x509 -days 3560 -key privkey.pem -out fullchain.pem  -config req.conf

req.conf contains

[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_ca
prompt = no
[ v3_ca ]
basicConstraints = critical,CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
subjectAltName = @alt_names
[req_distinguished_name]
C = CZ
L = Location
CN = hassio.example.net
[alt_names]
DNS.1 = hassio.example.net
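
The two requirements named in the comment above (a subjectAltName and the CA extension) can be checked before a certificate is imported into Android. This is an added example, not code from the thread: it assumes the OpenSSL command-line tool, the function names `check_cert` and `make_cert` are hypothetical, and the sample certificates are constructed from a trimmed copy of the req.conf above.

```shell
#!/bin/sh
# Added example (not from the thread). Requires the OpenSSL command-line tool.

# check_cert CERT HOST: print each problem found; return 0 only if the
# certificate has a subjectAltName covering HOST and is marked CA:TRUE.
check_cert() {
    cert=$1; host=$2; rc=0
    text=$(openssl x509 -in "$cert" -noout -text 2>/dev/null) || return 2
    if ! printf '%s\n' "$text" | grep -q 'X509v3 Subject Alternative Name'; then
        echo "missing subjectAltName"; rc=1
    elif ! openssl x509 -in "$cert" -noout -checkhost "$host" | grep -q 'does match'; then
        echo "subjectAltName does not cover $host"; rc=1
    fi
    if ! printf '%s\n' "$text" | grep -q 'CA:TRUE'; then
        echo "basicConstraints is not CA:TRUE"; rc=1
    fi
    return $rc
}

# make_cert DIR yes|no: write a constructed self-signed sample certificate
# for hassio.example.net into DIR, with or without the subjectAltName line.
make_cert() {
    dir=$1; san_line=''
    [ "$2" = yes ] && san_line='subjectAltName = DNS:hassio.example.net'
    cat > "$dir/req.conf" <<EOF
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_ca
prompt = no
[v3_ca]
basicConstraints = critical,CA:TRUE
$san_line
[req_distinguished_name]
CN = hassio.example.net
EOF
    # Throwaway key, generated only for this sample certificate.
    openssl req -new -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$dir/privkey.pem" -out "$dir/fullchain.pem" \
        -config "$dir/req.conf" 2>/dev/null
}

# Demo on constructed certificates: one with the SAN entry, one without.
tmp=$(mktemp -d)
make_cert "$tmp" yes; check_cert "$tmp/fullchain.pem" hassio.example.net && echo "with SAN: ok"
make_cert "$tmp" no;  check_cert "$tmp/fullchain.pem" hassio.example.net || echo "without SAN: rejected"
rm -rf "$tmp"
```

Run `check_cert fullchain.pem <hostname>` against a real certificate, using the hostname the app will connect to.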