Self-signed certificates issue #180

Open
starbuck93 opened this issue Sep 24, 2018 · 21 comments

5 participants
@starbuck93

commented Sep 24, 2018

I used Let's Encrypt on my HASS instance, but things like Python Requests still require the "allow invalid" flag to be enabled to run correctly. Chrome sees it as a valid certificate, though.

Perhaps HA Client needs a button or a checkbox-style setting that sets that flag in the background to allow these types of "invalid" certificates.

Thanks for the help!

@estevez-dev

Owner

commented Sep 24, 2018

It is strange because certificates from Let's Encrypt should be valid according to capability list: https://letsencrypt.org/docs/certificate-compatibility/
I think the issue is not in certificate. Could you please terminate the app, start it again, wait for error, go to Menu -> Log, scroll to the end of the list and take a screenshot? Thanks.

@starbuck93

Author

commented Sep 24, 2018

It says "Connection timeout (code: 1)" at the bottom of the screen. Here's the screenshot:
[Image: screenshot_20180924-084613]

@starbuck93

Author

commented Sep 24, 2018

Here's what Windows says my cert looks like in Chrome:
[Image: certificate]

So I believe the cert is valid, but something isn't right. So my solution has been to "allow invalid certs" basically.

@estevez-dev

Owner

commented Sep 24, 2018

Will add more meaningful error handling to the log in the next build to figure out the error. Looks like the cert is valid and the problem is not in it. Thanks for your help in testing.

@estevez-dev

Owner

commented Sep 24, 2018

Version 0.1.2-alpha published for testers. Will be available in Google Play soon. There is extended error handling in log view so we can see now what exception is not letting you connect. Please share screenshot once updated and tested. Thanks.

@starbuck93

Author

commented Sep 25, 2018

Now running 0.1.2-alpha. The new error message is

[Global error] : WebSocketChannelException: WebSocketChannelException: HandshakeException: Handshake error in client (OS Error: CERTIFICATE_VERIFY_FAILED: unable to get local issuer certificate(handshake.cc:363))

@estevez-dev

Owner

commented Sep 25, 2018

Ha, so it is really a cert issue. Thanks, will try to find a solution.

@Oliviakrkk


commented Sep 25, 2018

It would be nice to have an option to either accept any self signed cert or import one.

Now everyone uses Let's Encrypt... (it doesn't work when you have a private IP).

@estevez-dev

Owner

commented Sep 25, 2018

But I'm using Let's Encrypt as well and I have no such issue.
Which device and OS version do you have?

@Oliviakrkk


commented Sep 25, 2018

I am using self signed certificate. Generated by me. With name.local... And I cannot connect to my hass instance from the app.

"CERTIFICATE VERIFY FAILED: self signed certificate"
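
The two errors quoted above are distinct X.509 verification results: "unable to get local issuer certificate" is error 20 (the verifier cannot find the certificate that issued the one presented) and "self signed certificate" is error 18 (a self-signed certificate that is not in the trust store). The script below is an added example, not part of the thread or the HA Client code; it reproduces both with the `openssl` CLI. It assumes `openssl` is installed, and every subject and file name in it is constructed.

```shell
#!/usr/bin/env bash
# Added example: all certificates, subjects and file names are constructed.
set -eu

build_pki() {  # $1 = empty working directory
  p=$1
  # Minimal config so the run does not depend on the system openssl.cnf.
  printf '[req]\ndistinguished_name=dn\n[dn]\nCN=unused\n[ca]\nbasicConstraints=critical,CA:TRUE\n' > "$p/o.cnf"
  # Root CA (self-signed, CA:TRUE).
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$p/o.cnf" -extensions ca \
    -subj "/CN=Constructed Root" -keyout "$p/root.key" -out "$p/root.pem" 2>/dev/null
  # Intermediate CA, issued by the root.
  openssl req -new -newkey rsa:2048 -nodes -config "$p/o.cnf" \
    -subj "/CN=Constructed Intermediate" -keyout "$p/int.key" -out "$p/int.csr" 2>/dev/null
  openssl x509 -req -in "$p/int.csr" -CA "$p/root.pem" -CAkey "$p/root.key" -CAcreateserial \
    -days 2 -extfile "$p/o.cnf" -extensions ca -out "$p/int.pem" 2>/dev/null
  # Server certificate issued by the intermediate.
  openssl req -new -newkey rsa:2048 -nodes -config "$p/o.cnf" \
    -subj "/CN=hass.example.test" -keyout "$p/leaf.key" -out "$p/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$p/leaf.csr" -CA "$p/int.pem" -CAkey "$p/int.key" -CAcreateserial \
    -days 2 -out "$p/leaf.pem" 2>/dev/null
  # Self-signed server certificate (no CA involved).
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$p/o.cnf" \
    -subj "/CN=name.local" -keyout "$p/self.key" -out "$p/self.pem" 2>/dev/null
}

verify_code() {  # args: openssl verify options; prints "ok" or the X.509 error number
  out=$(openssl verify "$@" 2>&1 || true)
  case $out in
    *"error "[0-9]*) printf '%s\n' "$out" | sed -n 's/.*error \([0-9][0-9]*\) at.*/\1/p' | head -n 1 ;;
    *": OK"*) echo ok ;;
    *) echo unknown ;;
  esac
}

demo() {
  w=$(mktemp -d)
  build_pki "$w"
  echo "leaf, verifier holds root only:       $(verify_code -CAfile "$w/root.pem" "$w/leaf.pem")"
  echo "leaf, intermediate also supplied:     $(verify_code -CAfile "$w/root.pem" -untrusted "$w/int.pem" "$w/leaf.pem")"
  echo "self-signed, not in trust store:      $(verify_code -CAfile "$w/root.pem" "$w/self.pem")"
  echo "self-signed, imported as trusted:     $(verify_code -CAfile "$w/self.pem" "$w/self.pem")"
  rm -rf "$w"
}
demo
```

The numeric code is stable across OpenSSL releases, while the message text varies slightly between them, so the script matches on the number.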

@estevez-dev

Owner

commented Sep 25, 2018

Oh, my bad, sorry. Understood.

@e-alfred


commented Sep 27, 2018

Support for self signed certs is quite necessary for people who run Home Assistant on a private network (maybe even behind a VPN) but still want to use HTTPS.

@estevez-dev

Owner

commented Oct 3, 2018

So. Allowing unverified self-signed certificates is not supported by secure web socket in the Flutter framework. It is actually not supported by wss in Android at all. It is still possible to connect to the host through HTTPS, but not through Web Socket.
To solve the problem you can try to add your certificate as trusted one to an Android certificate storage in Settings -> Security on your device. It will make your self-signed certificate a trusted one and, theoretically will allow you to connect from this device.
The other option, obviously, is to switch to WS without encryption.

Here is an issue reported to dart sdk repository: dart-lang/sdk#34284
Here are some thoughts on Stack Overflow: https://stackoverflow.com/questions/51562727/ssl-iowebsocketchannel-with-self-signed-cert-using-flutter

@estevez-dev estevez-dev closed this Oct 3, 2018

@estevez-dev

Owner

commented Oct 3, 2018

Will leave it open for visibility of a problem

@estevez-dev estevez-dev reopened this Oct 3, 2018

@Oliviakrkk


commented Oct 3, 2018

I am afraid it won't be that easy. I exported the certificate from Chrome on Windows 10 and imported it to Android. Still doesn't work. :/

@estevez-dev

Owner

commented Oct 3, 2018

Unfortunately I can't control Android certificates from the app. If your certificate is not trusted, it is not trusted not by HA Client, but by your mobile device. For now there is no way to help you from HA Client side. Maybe this can help.

@Oliviakrkk


commented Oct 3, 2018

Ok, I understand. But I think this is pretty fundamental for this app :/. I tried to make it work using your link...

I created new cert, added it to android, disabled google play protect. The certificate works in chrome - connection is marked as secure. But the app still does not see the imported certificate.

@estevez-dev

Owner

commented Oct 3, 2018

Thanks for trying. Agree, it is pretty important for HA Client. I'm watching issues reported in Flutter and Dart repos. And googling a lot =) That's all I can do for now.

@estevez-dev estevez-dev changed the title from "Allow self-signed certificates" to "Self-signed certificates issue" Oct 4, 2018

@linuxjet


commented Oct 22, 2018

Is there any way to make this work with SSL Pinning? I have the same type of issue and want to make the switch to Flutter, but this is a showstopper.

@estevez-dev

Owner

commented Oct 22, 2018

Unfortunately the only way now is to switch from SSL, or to get a cert from Let's Encrypt =(

@linuxjet


commented Oct 22, 2018

I wish Let's Encrypt was an option. I use it for many home systems, but the hardware platform I want my clients to connect to does not have an automated way to update the certs.

thx for the quick reply.

@estevez-dev estevez-dev transferred this issue from estevez-dev/ha_client_pub Nov 12, 2018

@estevez-dev estevez-dev added this to the Future milestone Jan 24, 2019
