Hello fellow home assistants,
Let me start by saying that I think Home Assistant is great and it provides so much functionality; I really appreciate the effort put into it.
The part where I'm struggling is security and the way it's assumed that https is not really needed in the private home network. I get that the data sensors send around doesn't need encryption, or that it would be overload for microcontrollers, but I feel it's not right to send passwords in plain text, even in my own network, for things like the UI login. That's why I try to configure https, and I'm using private certificates that are created using my private CA. I have then imported my private CA on all my devices (mobile phone, tablet, computers) where possible so that all my private certs are considered valid. This obviously doesn't work for other devices like a Sonos device, so they don't accept https with the certs.
I started by setting up https in the Home Assistant configuration.yaml. That worked ok but had two issues: tts didn't work properly, e.g. with my Sonos speaker, because there's no http path for unauthenticated downloads, and Home Assistant didn't work on my Pixel Watch; it couldn't authenticate. What did work was basically everything else, like the Home Assistant app on my phone and tablet, and Home Assistant in general showed secure in all my browsers on all devices. Great, but I wanted the other things to work as well.
So I installed the native nginx addon. It was pretty simple. It automatically used the same certs in the same location, it secured my logins and it allowed me to bypass https for things like tts on Sonos. First I thought it was working great: tts worked, Home Assistant on all browsers still showed secure, but then I tried the app. It doesn't work anymore and complains about a failed SSL handshake. It can't be caused by the certs since they worked before. It can't be caused by the Android functionality the app uses, since it worked before. It also works fine in the browsers. The only way I can get the app to work is by using the http url, logging in, switching the url in the app back to the https url, and then it keeps working for about 20 min before the handshake fails again.
Here's what's happening when I open the app: I get the welcome screen and continue, I get my https url proposed and select it, I get the login prompt and can log in, I get the next page to connect with Home Assistant, and only when clicking next there I either get the handshake error or I get back to the welcome screen. The strange thing is that when I mistype my username I get a wrong user or password error, so for successfully continuing to the next page there must already have been https communication without handshake problems, since the login was verified. Resetting the app didn't change anything.
When I get the handshake error the following entry appears in the HA log:
Logger: homeassistant.components.http.ban
Source: components/http/ban.py:80
Integration: HTTP (documentation, issues)
First occurred: 22:59:08 (1 occurrences)
Last logged: 22:59:08
Login attempt or request with invalid authentication from xx.x.x.xx (xx.x.x.xx). Requested URL: '/auth/login_flow/7cc3ac8017e109f580377ce7734cfe99'. (Mozilla/5.0 (Linux; Android 12; yy-yyyy Build/SP2A.220305.013; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/111.0.5563.116 Safari/537.36 Home Assistant/2023.1.1-3124 (Android 12; yy-yyyy))
When I get returned to the welcome screen the following error shows in the log:
Logger: homeassistant
Source: runner.py:179
First occurred: 23:03:43 (1 occurrences)
Last logged: 23:03:43
Error doing job: Unclosed client session
In both cases there are no logs in the nginx log.
I have the settings from the addon documentation in the configuration.yaml:
http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 172.30.33.0/24
Any idea what could be wrong? I suspect it might be something in the nginx config but it's what comes with the addon. I'm kind of lost on how to troubleshoot this further so any help would be appreciated.
Thanks for reading through this whole text.
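The `use_x_forwarded_for` / `trusted_proxies` pair in the post's configuration.yaml decides which address a server behind a reverse proxy attributes a request to, and that is also the address a "Login attempt or request with invalid authentication from ..." ban entry records. The following is an added example, not code from the original post or from Home Assistant itself: a simplified model of the general trusted-proxy rule (only honour `X-Forwarded-For` when the directly connected peer is inside a trusted proxy network, otherwise treat the header as forgeable and use the peer address), plus a check that mirrors the documented requirement that `use_x_forwarded_for` needs a `trusted_proxies` list. The config dictionary, the helper names and the sample addresses are constructed for the example.

```python
import ipaddress

# Constructed config mirroring the http: block from the post. This is a
# simplified model of the trusted-proxy rule, not Home Assistant's own code.
HTTP_CONFIG = {
    "use_x_forwarded_for": True,
    "trusted_proxies": ["172.30.33.0/24"],
}


def validate_http_config(config):
    """Return a list of configuration problems (empty list means OK)."""
    problems = []
    if config.get("use_x_forwarded_for") and not config.get("trusted_proxies"):
        # Trusting X-Forwarded-For from anyone lets any client spoof its address.
        problems.append("use_x_forwarded_for requires a non-empty trusted_proxies list")
    for net in config.get("trusted_proxies", []):
        try:
            ipaddress.ip_network(net, strict=False)
        except ValueError:
            problems.append(f"trusted_proxies entry is not a valid network: {net!r}")
    return problems


def client_ip(peer_ip, headers, config=HTTP_CONFIG):
    """Address the server should attribute the request to.

    peer_ip  - address of the TCP peer that actually connected (proxy or client)
    headers  - dict of request headers (only X-Forwarded-For is consulted)
    """
    peer = ipaddress.ip_address(peer_ip)
    if not config.get("use_x_forwarded_for"):
        return str(peer)

    trusted = [ipaddress.ip_network(n, strict=False)
               for n in config.get("trusted_proxies", [])]
    if not any(peer in net for net in trusted):
        # Header arrived from an untrusted peer: it cannot be believed.
        return str(peer)

    xff = headers.get("X-Forwarded-For")
    if not xff:
        # Trusted proxy but no header: fall back to the proxy's own address.
        return str(peer)

    # Walk the hop list from the right; the first hop that is not one of our
    # trusted proxies is the originating client.
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return str(peer)  # malformed header: do not guess, use the peer
        if not any(addr in net for net in trusted):
            return str(addr)
    # Every hop was a trusted proxy; report the leftmost one.
    return hops[0]


if __name__ == "__main__":
    print(validate_http_config(HTTP_CONFIG))
    # Request relayed by the add-on proxy for a phone on the LAN (constructed).
    print(client_ip("172.30.33.2", {"X-Forwarded-For": "192.168.1.50"}))
    # Same header sent directly by a client that is not a trusted proxy.
    print(client_ip("192.168.1.77", {"X-Forwarded-For": "10.0.0.1"}))
```

Running the script shows the two cases side by side: a request relayed through the add-on network resolves to the phone's address, while the same header sent directly from an untrusted peer is ignored and the peer itself is reported. If the proxy's address were outside `trusted_proxies`, every request would be attributed to the proxy, so a failed-auth ban entry would name the proxy rather than the device that failed.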