No connection with iOS App

Hello community,

My openHAB instance works perfectly, but the app for iOS (version 2.03 on iOS 12.1.4) does not. A “connecting” message appears at the bottom but nothing happens.
In the log of the reverse proxy which is connected upstream I can see that requests for /rest/sitemaps with the basic auth username arrive and are responded to (status code 200). But there are also requests for /rest/bindings without a username and these are dismissed (status code 403).
It is an SSL setup with self-signed certificates. I think there was no info/warning/question about that when connecting the first time.
On my Android phone with the Android app it works without any problem.

Maybe it’s the same problem as OpenHAB 2.0.3 iOS remotely not working

If you access /rest/bindings via a browser, does it request you to authenticate?

Sure, the browser asks for authentication for all openHAB URLs. If given, the JSON reply is returned (200); otherwise access is denied (403). Works as designed.

The Android app also requests some (probably the same) URLs without authentication. But in contrast to the iOS app it works.

But you are talking about the local connection here, aren’t you?

I haven’t tried setting up an SSL reverse proxy yet, but since you are saying that you use self-signed certificates, have you imported them onto your iPhone?

Sorry, no, it’s a remote connection. A local connection would be hard to test because it is another network.

Is it necessary to import self-signed certificates? This would be done outside the app, wouldn’t it?
On the first connection the Android app showed a popup with the so far unknown certificate data. It could be accepted within the app.
SSL connections by the iPhone app should be established because I can see successful requests (and unsuccessful ones without authentication) in the reverse proxy logs.

Sorry, but I have to ask again, just to make sure we’re speaking of the same things. I am a bit confused now.

The URL you entered is the one with the SSL reverse proxy in between? And this URL goes through the reverse proxy to your openHAB instance? And in the app on your iPhone, have you entered this URL under Local URL or Remote URL?

Yes, it should be necessary. SSL connections would normally not be accepted with an unknown and thus untrusted certificate. You can import the certificate by sending it to your iPhone (email or AirDrop, whatever). How did you create the certificate? Using the keychain assistant of a Mac?

Not sure if it is the same problem, but using the iOS app with VPN to connect to openHAB didn’t work.

I had to insert the local IP in the app under external IP to get it working. The app seems to decide by WLAN connectivity whether the internal IP or external IP is used.

Maybe that hint helps

Yes, that’s right. “It’s a remote connection” meant that it was entered under Remote URL. It goes through the proxy to openHAB.
Sorry for the confusion.

I will try to import the certificate.
I created the certificate (chain) with openssl.

Thanks, I am on another network so a local connection would never be possible. (I am confused now what is the meaning of local and remote here. I thought it is related to IPv4 net mask. Or is it wifi vs. mobile? What if I am connected to another wifi?)

Don’t know how you connect to reverse proxy. I don’t use openhab cloud, only direct vpn tunnel.

I have got the same internal IP in both fields. If I’m in a foreign WLAN with a VPN connection the app uses the internal IP; when without WiFi it uses the external IP.

I’ve been using a local url with on-demand VPN on my iPhone which works perfectly. I have entered the local url in Local URL field, and I entered myopenhab.org in the Remote URL field.

As far as I can tell, the app tries to connect locally first. If that fails, it uses the remote connection. However, in combination with the on-demand VPN, the attempt to locally connect causes the VPN to get established, and the local connection works.

Local means in the local network (LAN). However, if using VPN, the Local URL field of the app can be used because the VPN tunnel makes the other end appear as if it were within the local network of the iPhone.

It’s not about wifi and mobile etc.

Sorry, it took a while.

Importing the certificate did not solve the problem. The app shows the same behaviour: popup “connecting”, nothing more.
SSL doesn’t seem to be the problem. I also tried it with an officially signed certificate (by Let’s Encrypt), that didn’t work either.

Next I am going to try it without SSL and plain http.

Very interesting. I started the VPN connection; when established I could not connect with only the local IP configured in the app. It forced me to enter an external IP. Because I don’t use myopenhab.org there was no way to get it working without entering the local IP as the external IP.

Are you sure it works with VPN and not via myopenhab.org on your device?

I just verified it again, and yes, I’m sure it uses the local domain over VPN. It says so when connecting.

However, I am using the local domain name, not the numeric IP address.

Very strange. Just checked again, deleted remote url: error.

And while using VPN the app shows: connection to remote url if I insert it again

Did you set up on-demand VPN or do you manually start the VPN? Are you using domain names or IP addresses in your url?

And, sorry, this might be obvious, but – did you test in Safari, if the local url can in fact connect through your VPN?

Vpn manually because using openVPN.

Using only IPs

Yes, in the browser everything from the home network works. Samba, web services, connections to other servers / devices.

Sorry once more for the delay.

I tested many configurations and the result is that SSL works fine, but authentication is the problem.
(Authentication is done by a reverse proxy making use of basic authentication.)

  • If access is granted to all: works
  • If access is granted to some users only (basic authentication) and username/password not correct: red popup with an appropriate access denied message: works
  • If access is granted to some users only with username and password correct: the problem “Connection” popup, nothing more
    • The proxy log shows requests to /rest/sitemaps with authentication that were answered successfully.
    • But there are also requests to /rest/bindings without authentication (or a wrong one). These requests were of course denied. (403)
  • If access is granted to some users only but to anybody (= no restriction) for /rest/sitemaps: works

In summary, the app sends requests without (or with wrong) authentication for some resources. These requests are denied and the app is not usable.
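
The proxy-log check described in the post above, as an added example that is not part of the original thread: it groups requests by client and path and reports paths that a client is denied on without credentials while the same client authenticates successfully elsewhere. The log lines are constructed, and the common log format with the basic-auth user in the third field ("-" when absent) is an assumption about the reverse proxy.

```python
import re
from collections import defaultdict

# Constructed sample lines (assumption: common log format, third field is the
# basic-auth user, "-" when the request carried no credentials).
SAMPLE_LOG = """\
203.0.113.7 - alice [10/Mar/2019:18:02:11 +0100] "GET /rest/sitemaps HTTP/1.1" 200 512
203.0.113.7 - - [10/Mar/2019:18:02:11 +0100] "GET /rest/bindings HTTP/1.1" 403 199
203.0.113.7 - alice [10/Mar/2019:18:02:12 +0100] "GET /rest/sitemaps/home HTTP/1.1" 200 2048
203.0.113.7 - - [10/Mar/2019:18:02:13 +0100] "GET /rest/bindings HTTP/1.1" 403 199
198.51.100.4 - bob [10/Mar/2019:18:05:40 +0100] "GET /rest/bindings HTTP/1.1" 200 4096
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})\b'
)

def summarize(log_text):
    """Count requests per (client, path), split by whether credentials were sent."""
    stats = defaultdict(lambda: {"auth": 0, "anon": 0, "anon_denied": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        path = m["path"].split("?", 1)[0]  # ignore query strings
        entry = stats[(m["ip"], path)]
        if m["user"] == "-":
            entry["anon"] += 1
            if m["status"] in ("401", "403"):
                entry["anon_denied"] += 1
        else:
            entry["auth"] += 1
    return dict(stats)

def mixed_auth_paths(stats):
    """Paths a client only ever hits anonymously and is denied on, although
    the same client sends valid credentials for other paths."""
    authed_clients = {ip for (ip, _), e in stats.items() if e["auth"]}
    return sorted(
        (ip, path) for (ip, path), e in stats.items()
        if ip in authed_clients and e["anon_denied"] and not e["auth"]
    )

if __name__ == "__main__":
    for ip, path in mixed_auth_paths(summarize(SAMPLE_LOG)):
        print(f"{ip} authenticates elsewhere but is denied anonymously on {path}")
```
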