Home Assistant Android version:
1.9.0-167
Android version:
9.1.0
Phone model:
Honor 7x
Home Assistant version:
0.109.6
Last working Home Assistant release (if known):
none
Description of problem:
Traceback (if applicable):
Screenshot of problem:
Additional information:
Maybe add a switch to allow "not safe" certificates in the app settings? (ignore SSL errors)
The app won't work if you have to accept the SSL certificate. Can you try these steps?
https://companion.home-assistant.io/docs/troubleshooting/faqs/#using-a-self-signed-certificate-leads-to-a-blank-page-in-android
@dshokouhi
Thanks for your fast feedback.
I have just tried that again:
I'm having the same issue. Followed instructions in first link to create .crt file, imported using steps in second link, still get error message: "Unable to communicate with Home Assistant because of SSL error. Please ensure you certificate is valid"
CRT Steps: https://coderwall.com/p/wv6fpq/add-self-signed-ssl-certificate-to-android-for-browsing
Cert Import Steps: https://support.google.com/pixelphone/answer/2844832?hl=en&visit_id=637256100715376070-1062021008&rd=1
I remember having the same type of problem. You need to change access permissions to files in SSL folder as it is stated in the link you have posted Certificate Authority and self-signed certificate for SSL/TLS
sudo chmod 600 fullchain.pem privkey.pem
I remember that there was a clear and easy tutorial about Self Signed SSL in Hassio documentation but I can't find it anymore, maybe it's gone.
Hi,
the certificate has to be generated "properly". So it has to have subjectAltName and CA extension.
When you import it to android, you can test it in chrome. It should not complain.
I used this command to generate it
openssl req -new -x509 -days 3560 -key privkey.pem -out fullchain.pem -config req.conf
req.conf contains
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_ca
prompt = no
[ v3_ca ]
basicConstraints = critical,CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
subjectAltName = @alt_names
[req_distinguished_name]
C = CZ
L = Location
CN = hassio.example.net
[alt_names]
DNS.1 = hassio.example.net
thanks for the ideas but they do not work.
I use letsencrypt now... that works fine :)
Hi,
this would really be worth a fix.
I use a private VPN connection (because this is really safer than port forwarding stuff) but now I struggle with these self-signed certificates. Of course my local homeassistant box neither has a valid www-domain nor is directly connected to the internet.
It would be great if there was an optional setting in the app "[x] I know what I do and would really like to accept this certificate", hidden somewhere, where inexperienced users do not accidentally set it.
I also tried manually importing the HTTP server's ssl certificate to Android but this did not work.
I'm in the same boat as api2001. Would be useful to be able to manually accept self-signed certificates.
Hi,
I solved it now by creating a local CA (certificate authority), creating local SSL keys signed by this CA and importing the CA certificate to the list of Trusted CAs on my phones:
Create SSL/CA for local usage:
https://deliciousbrains.com/ssl-certificate-authority-for-local-https-development/
Add CA cert to Trusted CAs in Android:
https://www.lastbreach.com/blog/importing-private-ca-certificates-in-android
This is a bit more effort but acceptable and just works.
api
Thanks @api2001 !
I was able to create a CA and cert using the guide. However, after installing the myCA.pem on my phone, I still get the same error from the Home Assistant Android app :/
Hi, please try deleting cache (and maybe whole app storage) of the HA app! Then re-add the URL and it'll hopefully work.
Deleted cache, deleted app storage, uninstalled app, rebooted phone, reinstalled app, same issue. I've double checked that HA is serving the cert issued by my CA. Hmm...
Ah, got it working. The extfile is not optional when generating the cert, and since I'm using an IP to connect to it, it worked once I set
[alt_names]
IP.1 = xxx.xxx.xxx.xxx
Thanks!
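The local-CA approach and the `alt_names` fix from the comments above, as an added example that is not part of the thread or of the Home Assistant project. It creates a CA, issues a server certificate, and checks both that the certificate chains to the CA and that its SAN covers the address used to connect. The CA name, the address `192.0.2.10` and the function names are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): local CA + server cert, then verify
# that the cert chains to the CA and that its SAN covers the address used.
set -eu

make_ca() {                      # $1 = work dir
  cat > "$1/ca.conf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Home Lab CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 825 -config "$1/ca.conf" \
    -keyout "$1/myCA.key" -out "$1/myCA.pem" 2>/dev/null
}

make_server_cert() {             # $1 = work dir, $2 = CN, $3 = SAN list
  # The extfile carries the SAN; without it the issued cert has none.
  printf '%s\n' 'basicConstraints = critical,CA:FALSE' \
    'extendedKeyUsage = serverAuth' "subjectAltName = $3" > "$1/server.ext"
  # ca.conf is reused only so "req" has a config; -subj overrides its DN.
  openssl req -new -newkey rsa:2048 -nodes -config "$1/ca.conf" -subj "/CN=$2" \
    -keyout "$1/privkey.pem" -out "$1/server.csr" 2>/dev/null
  openssl x509 -req -in "$1/server.csr" -CA "$1/myCA.pem" -CAkey "$1/myCA.key" \
    -CAcreateserial -days 825 -sha256 -extfile "$1/server.ext" \
    -out "$1/fullchain.pem" 2>/dev/null
  chmod 600 "$1/privkey.pem" "$1/myCA.key"
}

check_cert() {                   # $1 = work dir, $2 = host|ip, $3 = value
  openssl verify -CAfile "$1/myCA.pem" "$1/fullchain.pem" >/dev/null 2>&1 \
    || { echo untrusted; return 0; }
  if openssl x509 -in "$1/fullchain.pem" -noout "-check$2" "$3" \
      | grep -q "does match"; then echo match; else echo mismatch; fi
}

# Demo with constructed values: a DNS-only SAN fails when connecting by IP.
d=$(mktemp -d); make_ca "$d"
make_server_cert "$d" hassio.example.net "DNS:hassio.example.net"
echo "by name: $(check_cert "$d" host hassio.example.net)"
echo "by IP:   $(check_cert "$d" ip 192.0.2.10)"
rm -rf "$d"
```

Only `myCA.pem` goes onto the phone; `myCA.key` stays on the machine that issues certificates.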
Great! However for all non-IT-professional users it would be great to have the option to accept the self-signed certificates as well!
+1
@api2001 it worked for me, with self-signed, as I wrote before. It's important to have subject alt name in your cert, otherwise Chrome won't accept it as valid
+1 !
I would also like to see it possible to use self signed certificates, without the hassle to manually import it to the trusted certificate store.
Also, on my children's phone running Google Family Link (parental managing system), importing certificates is disabled.
Setting up and managing Letsencrypt certificates and autorenewing is way too advanced and time consuming, even for the IT professionals.
Terribly frustrating (and I am an IT professional), it does not work no matter what, delete cache, different certificate chains, nothing.
I just use it internally, no proxy, no router. Just direct connection in a private network with a self signed certificate everywhere.
I even tried Elkropac's example to the last detail. New cert, HA restart... Web browsers have no problems (after accepting the warning), this app, even with the certs installed in Android, fails with Unable to communicate with Home Assistant because of a SSL error.
The app should have an option (central or interactive) like any other https capable app, Firefox, Chrome, curl, wget, Mosquitto, Caddy, Nginx, etc. to bypass certificate validation. Self signed certificates need no validation
+1
Would like to see an option where HA possibly generates a self signed cert, or allows you to add one you generated yourself, using default tools. Then have the app simply allow for these to work, using some sort of option to ignore SSL errors.
The app will not ignore SSL errors, we have already made the decision not to allow it https://github.com/home-assistant/android/issues/448#issuecomment-724724968
I am going to close this now as we cannot allow bypassing certificate errors. There are also several solutions offered in the comments so others who come by can look into alternatives.