iOS icon indicating copy to clipboard operation
iOS copied to clipboard
verified publisher icon home-assistant

App fails with TLS error during registration when Nabu Casa account is deactivated, even using HTTP URL

Open asdfgeoff opened this issue 1 month ago • 1 comments

Environment

  • iOS device: iPhone 15 Pro Max, iOS 18
  • App version: Latest (2024.x)
  • Home Assistant Core: 2024.12.x
  • Connection method: Tailscale (HTTP to Tailscale IP)

Describe the bug

When registering a new device in the iOS app using an HTTP URL (e.g., http://100.x.x.x:8123), the app fails with a TLS/SSL error during the final registration step, even though:

  1. Safari can successfully load the same HTTP URL
  2. The app successfully completes initial steps (location permissions, device naming)
  3. The URL explicitly uses HTTP, not HTTPS

Root cause: Home Assistant Cloud (Nabu Casa) was configured but the account was deactivated (subscription cancelled/expired). The app detects cloud is configured and attempts to use it, but the deactivated account causes TLS handshake failures to *.ui.nabu.casa.

Error shown

URLSessionTask failed with error: A TLS error caused the secure connection to fail.

Domain: Alamofire.AFError
Code: 13

Steps to reproduce

  1. Have Nabu Casa configured in Home Assistant
  2. Deactivate/cancel the Nabu Casa subscription (account becomes "deactivated")
  3. Leave cloud integration configured in HA (don't remove it)
  4. Try to register iOS app using a manual HTTP URL (e.g., via Tailscale, local IP, etc.)
  5. App fails with TLS error after initial setup steps complete

Expected behavior

The app should:

  1. Gracefully handle deactivated cloud accounts
  2. Fall back to the manually-provided URL when cloud connection fails
  3. Not attempt HTTPS/cloud connections when the user explicitly provided an HTTP URL

Workaround

Disable Home Assistant Cloud entirely in HA settings (Settings → Home Assistant Cloud → Disconnect). After this, the app successfully registers using the HTTP URL.

Related issues

  • #273 (2019) - Similar issue, was "fixed" by changing URL priority order, but deactivated accounts weren't handled

Suggested fix

When cloud connection fails with authentication/TLS errors (indicating deactivated/invalid account), the app should:

  1. Log a warning about cloud being unavailable
  2. Automatically fall back to the user-provided URL
  3. Optionally notify the user that cloud is misconfigured

Currently, the TLS error from the deactivated cloud account is surfaced to the user as if it were a problem with their manually-entered URL, which is very confusing to debug.

asdfgeoff avatar Nov 26 '25 22:11 asdfgeoff

I recently fixed an issue in core (available in 2025.11.3) https://github.com/home-assistant/core/pull/156940 to make sure to not send to the apps any cloudhook that we are sure won't work.

Would you mind trying again with your setup and update to this version to see if that mitigates the issue?

TimoPtr avatar Nov 27 '25 10:11 TimoPtr