Wear OS 3 HA companion: private CA is not supported

[m4k2k]

Home Assistant Android app version(s):

• latest+beta from play store

Android version(s):

• Wear OS 3.x (Android 11)
• (Tested on Wear OS 3.5)
• probably also Wear OS 4.x

Device model(s):

• All watches using Wear OS 3.x
• (Tested on TicWatch 5 Pro)

**Home Assistant version:** - not applicable/relevant **Last working Home Assistant release (if known):** - not applicable/relevant **Description of problem, include YAML if issue is related to notifications:** - not applicable/relevant **Companion App Logs:** - not applicable/relevant -> "known issue" **Screenshot or video of problem:** - not applicable/relevant

$~$

Issue Description

• This bug is the result of a missing possibility in Wear OS 3.x to install private CA certificates to the android keystore
  • Wear OS has no settings app to install private certificates
  • In Wear OS 2.x (Android 9/10) it is possible to install private CA certificates using adb commands
  • In Wear OS 3.x (Due to a change in Android 11 [read more]) only the settings app and OEM-Apps are allowed to save certificates in the keystore - the adb solution is not supported anymore, there is still no certificate settings app for Wear OS

Justification

• This is not considered a feature request since:
  • Private CAs have always been supported by HA (supported everywhere else)
  • For Wear OS 2.x it is working with private CAs
  • A workaround/fix of a problem is not a feature
• Private CAs are required since:
  • A public certificate is not always an option, since it always requires an exposure to the internet
  • E.g. even the "let's encrypt DNS01 challenge" requires a one-time internet connection every 90 days (since its certificates are only valid 90 days)

Solution options

There are plenty of options how to fix / workaround the incompatibilities of Wear OS 3 / Android 11.

Most solutions end up saving the CA file in the app's secure storage. Then validating against the local, securely stored, CA file. For ease of implementation this should happen at first setup of the Wear OS Companion app. This could be accomplished by

• Have a file picker to choose a local CA file which is then loaded to the app's secure storage
• Show the certificate fingerprint of the chosen HA instance/IP with an "accept" button, which downloads the certificate to the app's secure storage
• Since the phone Companion app is required for first setup, why not transfer the certificate used by the phone, or let the user decided/choose on the phone

Of course there are many more, feel free to suggest.

Intention/Next Step

• At first, it should be accepted as "problem"
• Next, documented as known incompatibility/issue so no-one looses time on troubleshooting
• Last, it needs to be discussed whether and subsequent how it should be addressed

best regards Markus

[doody-doody]

I would love to see this implemented. My current hack is to terminate the SSL connection at a proxy and serve cleartext to the watch. It is pretty ugly.