FP6 e/OS HA Certificate Authority is not trusted
Home Assistant Android app version(s):
Android version(s): 15
Device model(s): Fairphone 6, e/OS
Home Assistant version: 2025.7.2
Last working Home Assistant release (if known):
Description of problem, include YAML if issue is related to notifications: In the browser there are no problems connecting, but the app says the certificate authority is not trusted. On my Samsung it works without any issues.
Companion App Logs:
Screenshot or video of problem:
Additional information: Webview 135.0.7049.100 is installed and using a Webview debug app there are no problems connecting to HA url
This issue usually means the device in question needs to have the CA imported into the device's trust store in order for this to work. Have you done that yet? Different devices have a different set of initially supported CAs.
https://support.google.com/pixelphone/answer/2844832?hl=en&visit_id=638884448839658364-1615645523&rd=1
These errors are not ones that can be fixed by the app.
Yes. Otherwise it would not be working in the browser or in the Dev WebView app. It is a custom CA and installed in the store. It looks more like the HA app is not looking in the store on the FP6 correctly
There could be other CAs in the chain. Have you looked at the actual error yet to see which CA it is complaining about?
There is no CA chain. I created it and it is a CA and the cert. The error that I get from the app is unable to connect to home assistant the home assistant certificate authority is not trusted. Please review the home assistant certificate or the connection settings and try again. But I don't see any other logs or settings that I can change other than supplying the HTTPS url
There is probably still a middle-man CA from the CA you created. You may need to break down the CA tree to see which host may still need to be added. We have seen this before; some users also report that regenerating the cert or using a different provider helps fix the issue. If the app gets a CA error, then the only way to get it fixed is on the user's end, as the app does not provide the certs; those are all provided by the user.
I have the same setup on multiple phones. All the rest are Samsung Android but on the Fair Phone it is not accepting the user certificate authority
That's understandable, but every single Android device has a different CA store, so it's expected that you may need to import additional things on different devices.
We had another user who also had a self-signed certificate that also got the CA not trusted error; they ended up recreating the cert as mentioned in https://github.com/home-assistant/companion.home-assistant/pull/1011 to get the issue corrected for them. Not sure if this will be helpful for you? You'll need to look at the proposed changes to see how they recreated it.
I will try and regenerate the certificate with that information.
The one that I had did already have the same IP hints. Regenerated it as the instructions say and get the same error, but only on the Fairphone. Is there something specific to e/OS that needs to be adjusted in the code?
No code changes are needed by the app. The app is responding to a legitimate error given by the system. We cannot proceed and can only use a certificate considered valid by the system.
Why do all other installed apps work with the system user certificate and home assistant companion does not find the user ca on the Fair phone e/OS. How can I debug what the exact problem is?
Not a lot of experience with this error, but: your screenshots show 1 certificate for apps and 1 for Wi-Fi, shouldn't the one installed for Wi-Fi (also) be installed for apps, or are they the same just with a different description?
The error message corresponds to the WebView error code SSL_UNTRUSTED. Make sure you have a valid certificate for all content on the page. If you check the app logs (companion app settings > Troubleshooting), you can find a line with onReceivedSslError: which may hold slightly more details.
On this e/OS it is split into two separate stores and my CA is installed in both. So yes, both the same, just with different names. I will check when I am back home. Using Home Assistant Cloud in the meanwhile.
07-20 19:34:02.101 20227 20323 E chromium: [ERROR:net/socket/ssl_client_socket_impl.cc:924] handshake failed; returned -1, SSL error code 1, net_error -202
I also see this but I think the top error is what we are looking for
10.542 20227 20227 E chromium: [ERROR:android_webview/browser/aw_browser_terminator.cc:165] Renderer process (29967) crash detected (code -1).
Any idea what the error is about?
21 15:09:09.527 14851 16112 E chromium: [ERROR:net/socket/ssl_client_socket_impl.cc:924] handshake failed; returned -1, SSL error code 1, net_error -202
07-21 15:09:09.530 14851 14851 E WebViewActivity$onCreate: onReceivedSslError: primary error: 3 certificate: Issued to: CN=192.168.188.196;
07-21 15:09:09.530 14851 14851 E WebViewActivity$onCreate: Issued by: CN=Arne Schwarck Root CA;
07-21 15:09:09.530 14851 14851 E WebViewActivity$onCreate: on URL: https://192.168.188.196:8123/?external_auth=1
07-21 15:09:12.958 14851 14851 W
Hello, it seems to me more related to your CN. Usually, with CN = IP address, many browsers will refuse it. Use "CN=whatever you want", e.g. "CN=homeassistant.local", and add your IP address as a Subject Alternative Name. You must also not forget to add the corresponding name from the CN as a DNS record to the SAN list:
X509v3 Subject Alternative Name: DNS:homeassistant.local, IP:192.168.188.196
Best regards Jarda Stribrsky
I had it also different before and that did not work. All browsers on the affected phone work. All other phones with the Home Assistant app work with this and the previous cert. But I can gladly regenerate the cert if that is what this app requires. It is strange that it is just on this new phone.
chromium: [ERROR:net/socket/ssl_client_socket_impl.cc:924] handshake failed; returned -1, SSL error code 1, net_error -202
07-21 19:49:54.819 14851 14851 E WebViewActivity$onCreate: onReceivedSslError: primary error: 3 certificate: Issued to: CN=homeassistant;
07-21 19:49:54.819 14851 14851 E WebViewActivity$onCreate: Issued by: CN=Arne Schwarck Root CA;
07-21 19:49:54.819 14851 14851 E WebViewActivity$onCreate: on URL: https://192.168.188.196:8123/todo?entity_id=todo.shopping_list_4&external_auth=1
07-21 19:49:54.924 14851 14851 I cr_AwAutofillManager
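The two things the replies above turn on, the WebView `onReceivedSslError` with primary error 3 (SSL_UNTRUSTED) and the CN-versus-SAN question, can be checked offline before touching the phone. The script below is an added example, not code from this issue thread, from the script posted later in it, or from the companion app. It assumes `openssl` 1.1.1 or newer on PATH; the `Example Home CA`, the `192.0.2.x` addresses and the hostnames in the self-test are made up. It validates the leaf with only the root trusted (intermediates passed as untrusted, so the whole chain must actually link) and then requires the exact name the app dials to appear in the SAN, because Chrome and WebView never fall back to the CN.

```bash
#!/usr/bin/env bash
# Added example: not code from the issue thread, the script in it, or the
# companion app. Lints a Home Assistant server certificate the way the
# Android WebView judges it: with ONLY the user-imported root trusted, and
# with the host or IP the app dials present in the SAN (CN is never used).
# Assumes: openssl >= 1.1.1 on PATH. Names and IPs below are made up.
set -euo pipefail

# check_ha_cert CHAIN_PEM ROOT_PEM NAME
#   CHAIN_PEM  leaf first, then any intermediates (what HA serves)
#   ROOT_PEM   the single certificate imported into the phone's user CA store
#   NAME       hostname or IPv4 literal the app connects to
# Prints one line per finding; returns 0 only when every check passes.
check_ha_cert() {
    local chain_pem="$1" root_pem="$2" name="$3"
    local tmp text san want rc=0
    tmp="$(mktemp -d)"

    # Split the leaf from the rest of the chain by counting BEGIN markers.
    awk '/-----BEGIN CERTIFICATE-----/{n++} n==1' "$chain_pem" > "$tmp/leaf.pem"
    awk '/-----BEGIN CERTIFICATE-----/{n++} n>1'  "$chain_pem" > "$tmp/rest.pem"

    # 1) Path validation with only ROOT trusted. Intermediates go in via
    #    -untrusted so a broken root->intermediate link is not masked.
    #    This is the step WebView reports as "primary error: 3" (SSL_UNTRUSTED).
    local -a args=(-CAfile "$root_pem")
    if [ -s "$tmp/rest.pem" ]; then args+=(-untrusted "$tmp/rest.pem"); fi
    if [[ "$name" =~ ^[0-9]+(\.[0-9]+){3}$ ]]; then
        args+=(-verify_ip "$name"); want="IP Address:$name"
    else
        args+=(-verify_hostname "$name"); want="DNS:$name"
    fi
    if ! openssl verify "${args[@]}" "$tmp/leaf.pem" > "$tmp/out" 2>&1 \
       || ! grep -q ': OK$' "$tmp/out"; then
        echo "FAIL chain/name: $(tr '\n' ' ' < "$tmp/out")"; rc=1
    fi

    # 2) The exact name must be a SAN entry. openssl's -verify_hostname still
    #    falls back to the CN when there is no DNS SAN; Chrome/WebView do not,
    #    so the SAN list is checked here explicitly.
    text="$(openssl x509 -in "$tmp/leaf.pem" -noout -text)"
    san="$(printf '%s\n' "$text" | awk '/Subject Alternative Name/{getline; print; exit}')"
    if ! printf '%s\n' "$san" | tr ',' '\n' | sed 's/^[[:space:]]*//' | grep -Fxq -- "$want"; then
        echo "FAIL san: wanted '$want', leaf has '${san:-<no SAN extension>}'"; rc=1
    fi

    # 3) A leaf marked CA:TRUE, or an EKU that omits serverAuth, is rejected.
    if printf '%s\n' "$text" | grep -q 'CA:TRUE'; then
        echo "FAIL leaf carries basicConstraints CA:TRUE"; rc=1
    fi
    if printf '%s\n' "$text" | grep -q 'Extended Key Usage' \
       && ! printf '%s\n' "$text" | grep -q 'TLS Web Server Authentication'; then
        echo "FAIL extendedKeyUsage lacks serverAuth"; rc=1
    fi

    # 4) Not expired right now.
    if ! openssl x509 -in "$tmp/leaf.pem" -noout -checkend 0 >/dev/null; then
        echo "FAIL leaf certificate has expired"; rc=1
    fi

    if [ "$rc" -eq 0 ]; then echo "OK $name: chains to $(basename "$root_pem") with matching SAN"; fi
    rm -rf "$tmp"
    return "$rc"
}

# selftest: build a throwaway root plus two leaves from the same CSR, one
# with a proper SAN and one CN-only, and confirm the checker tells them apart.
selftest() {
    local d; d="$(mktemp -d)"
    (
        cd "$d"
        q() { "$@" >/dev/null 2>&1; }
        q openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Home CA" \
            -keyout root.key -out root.csr
        printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > root.ext
        q openssl x509 -req -in root.csr -signkey root.key -days 30 -sha256 \
            -extfile root.ext -out root.pem
        q openssl req -new -newkey rsa:2048 -nodes -subj "/CN=homeassistant.local" \
            -keyout leaf.key -out leaf.csr
        printf 'subjectAltName=DNS:homeassistant.local,IP:192.0.2.10\nbasicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' > good.ext
        q openssl x509 -req -in leaf.csr -CA root.pem -CAkey root.key -CAcreateserial \
            -days 30 -sha256 -extfile good.ext -out good.pem
        # Same CSR signed with no extensions: CN only, the shape WebView rejects.
        q openssl x509 -req -in leaf.csr -CA root.pem -CAkey root.key -CAcreateserial \
            -days 30 -sha256 -out cnonly.pem
    )
    check_ha_cert "$d/good.pem"   "$d/root.pem" 192.0.2.10          || return 1
    check_ha_cert "$d/good.pem"   "$d/root.pem" homeassistant.local || return 1
    ! check_ha_cert "$d/cnonly.pem" "$d/root.pem" 192.0.2.10        || return 1
    ! check_ha_cert "$d/good.pem"   "$d/root.pem" 192.0.2.11        || return 1
    rm -rf "$d"
}

if [ "${1:-}" = "--selftest" ]; then
    if selftest; then echo "self-test passed"; else echo "self-test FAILED"; exit 1; fi
elif [ "$#" -eq 3 ]; then
    check_ha_cert "$@"
fi
```

Run it against the files HA actually serves, e.g. `bash check_ha_cert.sh ha-fullchain.pem root.cert.pem 192.168.188.196`, using the same host or IP string that is in the app's connection URL; a mismatch there produces the same SSL_UNTRUSTED error as a missing root. It deliberately does not check certificate lifetime, since the thread reports mixed results on that point.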
I just went through the same pain... this is what worked:
I ran this script (just update HA_IP to your IP). The script creates a root CA and an intermediate which are both restricted to *.local and private IPv4.
I moved the ha-fullchain.pem and ha.key.pem onto Home Assistant and configured it in configuration.yaml.
I then had to import both root.cert.pem and inter.cert.pem onto the Android phone. That solved it - it was a pain.
#!/usr/bin/env bash
set -euo pipefail
# --- Settings you might tweak ---
ROOT_CN="MyLocalRootCA"
INTER_CN="MyLocalConstrainedCA"
HA_CN="homeassistant.local"
HA_IP="10.42.0.196"
ROOT_DAYS=3650
INTER_DAYS=3650
LEAF_DAYS=825
OUTDIR="mylan-ca"
# --------------------------------
umask 077
mkdir -p "$OUTDIR"
cd "$OUTDIR"
echo "=== 0) OpenSSL version ==="
openssl version
echo "=== 1) Create ROOT CA (encrypted key, with constraints) ==="
cat > root.cnf <<EOF
[ req ]
default_bits = 4096
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
CN = ${ROOT_CN}
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:true, pathlen:1
keyUsage = critical, keyCertSign, cRLSign
# Clients *often ignore* nameConstraints on roots, but we include them as requested:
nameConstraints = critical, permitted;DNS:.local, permitted;IP:10.0.0.0/255.0.0.0, permitted;IP:172.16.0.0/255.240.0.0, permitted;IP:192.168.0.0/255.255.0.0
EOF
# Will prompt for a passphrase
openssl genrsa -aes256 -out root.key.pem 4096
openssl req -x509 -new -sha256 -days "${ROOT_DAYS}" \
-key root.key.pem -out root.cert.pem \
-config root.cnf -extensions v3_ca -outform PEM
echo "Created: root.key.pem (ENCRYPTED), root.cert.pem"
echo "=== 2) Create CONSTRAINED INTERMEDIATE CA (unencrypted key) ==="
openssl genrsa -out inter.key.pem 4096
cat > inter.csr.cnf <<EOF
[ req ]
default_bits = 4096
prompt = no
distinguished_name = dn
[ dn ]
CN = ${INTER_CN}
EOF
openssl req -new -key inter.key.pem -out inter.csr.pem -config inter.csr.cnf
cat > inter.ext.cnf <<'EOF'
[ v3_intermediate_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
# Constrain issuance to *.local and RFC1918 IPv4 ranges
nameConstraints = critical, permitted;DNS:.local, permitted;IP:10.0.0.0/255.0.0.0, permitted;IP:172.16.0.0/255.240.0.0, permitted;IP:192.168.0.0/255.255.0.0
EOF
# Remove stale serial if re-running
rm -f root.cert.srl || true
# Will prompt for the ROOT passphrase
openssl x509 -req -in inter.csr.pem -CA root.cert.pem -CAkey root.key.pem -CAcreateserial \
-out inter.cert.pem -days "${INTER_DAYS}" -sha256 \
-extfile inter.ext.cnf -extensions v3_intermediate_ca -outform PEM
echo "Created: inter.key.pem (UNENCRYPTED), inter.cert.pem"
echo "=== 3) Create HA SERVER key, CSR, and cert (SAN: DNS ${HA_CN}, IP ${HA_IP}) ==="
openssl genrsa -out ha.key.pem 4096
cat > ha.cnf <<EOF
[ req ]
default_bits = 4096
prompt = no
distinguished_name = dn
[ dn ]
CN = ${HA_CN}
[ v3_server ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
basicConstraints = critical, CA:false
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = ${HA_CN}
IP.1 = ${HA_IP}
EOF
openssl req -new -key ha.key.pem -out ha.csr.pem -config ha.cnf
# Remove stale serial if re-running
rm -f inter.cert.srl || true
openssl x509 -req -in ha.csr.pem -CA inter.cert.pem -CAkey inter.key.pem -CAcreateserial \
-out ha.cert.pem -days "${LEAF_DAYS}" -sha256 \
-extfile ha.cnf -extensions v3_server -outform PEM
echo "Created: ha.key.pem, ha.csr.pem, ha.cert.pem"
echo "=== 4) Build chain and verify ==="
cat ha.cert.pem inter.cert.pem > ha-fullchain.pem
cat root.cert.pem inter.cert.pem > ca-bundle.pem
echo "Verifying leaf with only the root trusted (intermediate passed as untrusted)..."
openssl verify -CAfile root.cert.pem -untrusted inter.cert.pem ha.cert.pem
echo "=== DONE ==="
echo "Trust this on clients: root.cert.pem"
echo "Use on Home Assistant: ssl_certificate: /config/ssl/ha-fullchain.pem"
echo " ssl_key: /config/ssl/ha.key.pem"
ls -1 *.pem
@uwwint Thank you for setting this up. It worked for me on LineageOS 22 and the minimal companion app from F-Droid.
- In addition to this script, I adjusted it to accept the HA OS domain name without *.local; this is shown via auto discovery (so it is just a little more comfortable).
- Cert-Fixer setup. Note: I imported root.cert.pem and inter.cert.pem, which did NOT launch the app. But when I disable my local root CA in the system CA list, it works.
My observations so far: in order to enable the Android companion app with your own local SSL access, you need to have a rooted device with a custom CA and only intermediate CA access on that very device.
Edit: on my first attempt the duration of 10 years did not work. After setting this to 180 days, it works. Seems the new SSL security councils are sharpening the rules...
Edit 2: after the update of core, I was receiving the error "auth-callback failed" from the Home Assistant server. I wonder if this relates. But the described workaround, as messy as it is, keeps working.
I can confirm that with an inter and without the .local the cert is unhappy. The 180 days did nothing to help. The inter cert also did not help fix my problems. I also tried only putting the IP address in, as homeassistant.local does not work for me because of my squid proxy.
I believe that the CA installed on the system would help, but I am not ready to root yet.
Something strange that I saw was that the widgets work without any problems; it is just the main UI that is complaining that the CA is not trusted.