#Certificate mismatch on Android - locally - not using certificates!


jolly lily
#

I love the HA app and use it often, but it goes through spells when it gives the attached certificate mismatch.

Locally. No cloud (I do not use Nabu Casa for remote access).

It will do this frequently for a while, then stop. I'm connected locally by wifi, on the same subnet as the HA server (2026.1.3) with the latest HA app (2026.2.1). This started before that version however.

My settings (attached) have no https, there's no certificate involved, the HA server URL in the config file is http. If it gives the error and I go to settings, and just immediately exit, it works fine for that iteration.

It is as though it is trying to access something remotely (what?) with a cert and temporarily failing. Remember -- talking local, wifi, same subnet.

It gives no hints as to WHAT certificate is involved. I can find no logs for the android app. There are no errors in the HA server itself that seem related.

The problem will go away for a week or two at a time, then hit hard for a day or three. I can find no pattern or cause. Once I get rid of the error it works fine, all the time, both for commands in, and also dynamic updates to it. This is the only error it gives.

Any ideas what causes it? Or what certificate may be involved that I did not set up?

Linwood

onyx harness
#

Since your dashboard is loaded behind, I can tell you it's not HA itself but something in your dashboard that is using HTTPS with a wrong certificate. In a card? A custom integration?

#

You can probably see which one by using chrome dev tools from the troubleshooting settings

#

It will add more logs and also allow you to hook chrome dev tools and see the WebView console

#

You don't have the issue when opening this dashboard on desktop? (Check the logs)

jolly lily
#

No, same dashboard, I use it all the time in fact I have tried it directly on the phone without ever getting this. The only things I can think that might use a cert are some integrations that are cloud connected, Bambu Labs and Open Weather Map are the only two I can think of. They are not referred to on my main page - does it load all possible dashboard pages? But... again, they work fine from Chrome.

#

I just searched all yaml files and there are tons of http in there but no https.

#

I don't know what some integrations do under the covers but I generally try to stay away from cloud connected ones.

#

I had missed the troubleshooting setting. I see a log in there. (Un)Fortunately it's in remission at present and not giving the error. I am unclear what you mean by "add more logs", I don't see a setting for more detail. Or are you speaking of Chrome browser (where this never fails).

onyx harness
#

On desktop and chrome it's possible that the cert error is simply silently ignored. Only shown in the console logs of the browser.

#

If you go in the troubleshooting section and enable WebView debugging, it adds more logs in the app but also allows you to remote debug the WebView of the app

jolly lily
#

Got it. Now I just need it to fail again. Part of what's making me a bit crazy is the intermittent nature of this. A certificate shouldn't just wander in and out of matching randomly. And just going to the settings page and back out shouldn't fix it.

#

Incidentally I also run the web version on televisions (Google TV stick), and it works fine there. Though I don't run it as often there of course, more a curiosity. But never get cert errors.

onyx harness
#

Well if it is using a Let's Encrypt certificate for instance it could happen if it is not properly renewed on time

jolly lily
#

But it's not. If I want remote access I use wireguard VPN, I never access it directly from outside.

onyx harness
#

(it's not something that you control on your end)

jolly lily
#

I use let's encrypt, but only in my firewall not in HA.

onyx harness
#

I'm thinking about external resources not yours

#

When you access HA it's always with http right?

jolly lily
#

Correct.

onyx harness
#

Then the issue is most probably from an external source like I said

#

Like trying to get an icon from an https source with an expired cert for instance

jolly lily
#

I guess I can set up a firewall trace of everything it touches when it starts up, that's on the internet. There really shouldn't be much.

onyx harness
#

Clean the cache before you do so

jolly lily
#

I assumed HA's companion itself didn't need the internet. Maybe I should turn the internet off and restart/clear and see if it even runs. I HOPE it does. But I had not considered that, people love yanking fonts and js and such from the internet instead of locally.

onyx harness
#

Exactly

#

Stock HA works without internet but with external integration we can't be sure

jolly lily
#

But if an integration needs the internet, shouldn't it be the HA server that's getting the error not the companion app? Or is it bubbling up/through?

onyx harness
#

Well it's the client that makes the call not HA

#

So the companion app or the browser

jolly lily
#

Well, I think it's a good time to drop off the internet and do some experimenting. Even though it isn't failing right now, maybe I can find out what breaks in the HA companion app with the internet down, might give me a clue. Thank you!

onyx harness
#

Lemme know. Maybe I'm missing something too

jolly lily
#

In the middle of a TV episode, will finish that first (priorities are important!)

onyx harness
#

Definitely

jolly lily
#

Before turning it off, I just captured my phone for a minute or so after clearing cache and opening the HA app. In only 445 packets there were 39 unique external addresses it accessed, all via HTTPS. Obviously not all from HA. I have no idea how to isolate it better to just HA. Going to try the no-internet option shortly.

#

And.... with internet access blocked to the phone (I just set a rule so I could keep watching TV), the HA app runs fine, I browsed around various pages and did not find anything not working. (I only blocked internet to the phone, not to the HA server). And got no mismatch or other cert errors, and the log doesn't show anything interesting.

#

I'm not exactly sure what that is, it's looking for notification settings of some sort. Maybe something thru nabu casa even though I'm not using it.

#

I need to wait for failure and see if I can get a log

onyx harness
#

The error might only happen when the cert has expired

jolly lily
#

Yeah. But I thought if it's going outside with no internet access it might give an error in the log. Of course, could be the above is the error and that's where there is a cert that sometimes fails.

jolly lily
#

Thank you again @onyx harness the logs had what I needed. And it also explains why it happens a lot when it happens, but then not. It is plex:

```
02-19 14:25:15.675 12913 12913 D ServerConnectionStateProviderImpl: usesInternalSsid is: true, usesWifi is: true
02-19 14:25:15.676 12913 12913 D ServerConnectionStateProviderImplKt: Using internal URL
02-19 14:25:15.781 12913 13941 E chromium: [ERROR:net/socket/ssl_client_socket_impl.cc:916] handshake failed; returned -1, SSL error code 1, net_error -200
02-19 14:25:15.785 12913 12913 E WebViewActivity$onCreate: onReceivedSslError: primary error: 2 certificate: Issued to: CN=*.1f50505d9e6b40588c70ccc5c2ac21b5.plex.direct;
02-19 14:25:15.785 12913 12913 E WebViewActivity$onCreate: Issued by: CN=R12,O=Let's Encrypt,C=US;
02-19 14:25:15.785 12913 12913 E WebViewActivity$onCreate: on URL: https://192.168.130.93:32400/photo/:/transcode?height=1800&machineIdentifier=bd56508c9a5bce8d8c4724e71fcb4c0daf157fcf&quality=90&url=http%3A%2F%2F127.0.0.1%3A32400%2Flibrary%2Fmetadata%2F227%2Fthumb%2F1716075120&width=1200&X-Plex-Token=S9UQ7L1yTXWYtBzESCPs
02-19 14:25:15.800 12913 12913 D WindowOnBackDispatcher: setTopOnBackInvokedCallback (unwrapped): android.app.Dialog$$ExternalSyntheticLambda2@635fc5a
02-19 14:25:15.810 12913 12913 W TextView: onProvideContentCaptureStructure(): calling assumeLayout()
02-19 14:25:20.720 12913 12913 D WindowOnBackDispatcher: setTopOnBackInvokedCallback (unwrapped): null
02-19 14:25:20.728 12913 12913 W InputEventReceiver: Attempted to finish an input event but the input event receiver has already been disposed.
```

#

I'm going to guess that is an attempt to pull up a thumbnail for the show being shown. It's not at all clear why it's using a cert since I have no cert (that I created) in the server, it must be going to the internet to look stuff up.

#

The .93 server is my plex server but it shouldn't be using HTTPS.

onyx harness
#

Happy that you've spotted the issue

jolly lily
#

I'm actually not sure where to go with it though. As I look, there is no plex integration involved. It's coming from a google TV integration (it appears as a media player) and it's showing the currently-playing item. So... I guess the issue is with that google TV integration?

#

And indeed, now that I look on a desktop browser screen, there's a broken link showing trying to use https, it just doesn't complain about it whereas the companion app does.

#

Which is actually the google cast integration (not the google TV remote, now that I dig deeper).

onyx harness
#

You can try to open an issue on core with the logs maybe someone could help

jolly lily
#

Doing that now. It's also possible this is a bug in Google TV's streamer. I assume there's some cast API where the integration can ask "give me a cover image", it may be the TV itself is returning a bad URL, not something the integration does.

#

Thank you again @onyx harness for the help.

onyx harness
#

Is it possible that you block it at your fw level or DNS server?

#

It could explain the cert issue

jolly lily
#

@onyx harness No. It's my plex server, it's not going out to the internet at all (for this error). In the bug report I put the URL, it's a local IP address on-net. Unless I'm misunderstanding the question.