Trouble with initial setup - Error Domain = Code=8 "(null)"

[oatflake]

Hi!  I just downloaded the UD Mobile for iOS app after seeing the email from Universal Device News.

I'm having trouble setting up my ISY994i in the app.  I'm trying to do a local connection; I don't have Polisy and I'd rather not use a portal account; this will be accessed exclusively over a local connection.

I hit the Settings button in the lower right corner, tapped the "eyeball" to the right of Advanced Settings, and then put the non-https URL into the field called "Local IP Address", the same one that I use to access things using the web browser of this same phone.  I left Local Port blank, and then entered the username and password for my ISY.

I then get the popup that says: Error - Attempting Initial Connection - 1. Error Domain = Code=8 "(null)".

Any suggestions on what I might be doing wrong?

Thanks!

[oatflake]

Okay, I realized I had moved my ISY994i to a non-standard port, *and* I was trying to connect with a non-admin user.

So it works now, but connecting with the "admin" user.  Is there some way I can configure this with one of the other users?

EDIT: I'll start a new thread about using this with a non-admin user.  Thanks for your quick response!

Edited May 19, 2021 by oatflake
Put separate issue in new thread

[Javi]

7 minutes ago, oatflake said:

Hi!  I just downloaded the UD Mobile for iOS app after seeing the email from Universal Device News.

I'm having trouble setting up my ISY994i in the app.  I'm trying to do a local connection; I don't have Polisy and I'd rather not use a portal account; this will be accessed exclusively over a local connection.

I hit the Settings button in the lower right corner, tapped the "eyeball" to the right of Advanced Settings, and then put the non-https URL into the field called "Local IP Address", the same one that I use to access things using the web browser of this same phone.  I left Local Port blank, and then entered the username and password for my ISY.

I then get the popup that says: Error - Attempting Initial Connection - 1. Error Domain = Code=8 "(null)".

Any suggestions on what I might be doing wrong?

Thanks!

Hi @oatflake,

Please try to find the ISY with the search icon (magnifying glass) next to local IP Address as there may be an invalid character in the typed address.  Note there is a bug in the current version which may require you to hit the search button a second time after you accept the iOS permission for the app to search for your ISY on the local network, this will be fixed in the next release. 

[lhranch]

OK, I'm seeing the same error message, but with no local connection settings specified. I've been running MobiLinc Pro configured to use only the remote (https) service over a canned CNAME no matter where I am, so that is the way I tried to set up UD Mobile. Since the local connection is an "Advanced Setting" that doesn't even come up unless I ask for it, I was assuming the local connection information was not mandatory. I have only the admin user defined and that's the one I'm using, so that isn't the issue. I've verified that the setting strings are exactly the same in MobiLinc Pro and UD Mobile -- one works, the other doesn't.

Is there perhaps a bug where UD Mobile doesn't like to work if the local information has not been specified?

[Javi]

Hi @lhranch,

Local and remote connections are independent of one another but can be combined in the app as local connections will usually be a few seconds faster getting subscription data (node values)  on initial startup.

There is one thing that may be different in remote connections with UD Mobile compared to third party apps as we are a first party author.  Our apps require a Trusted CA Signed SSL Certificate for direct HTTPS connections. 

Apple And Google have warned developers that bypassing SSL Security may lead to removal from their respective App Stores and may not be supported at all in the future.  Apple set a timeline for this but is overdue in removing a developers ability to bypass SSL and states this option will be removed in the future and currently should only be used by third party developers whom do not control a server or device to which the app connects. Being as we are the first party this exception does not apply to us.  Even if we were to find a way to to meet this requirement and bypass SSL it may be gone at any point in the future thus creating more support issues for us.

 

Remote connection on UD Mobile can be achieved in 3 scenarios. 

First is our managed method using ISY Portal.  ISY Portal has competitive prices of $23 for the first 2 years and renewals cost of $20 for two years.  If your ISY has not been associated with the ISY Portal in the past we offer a 30 day free trial.

Second is an unmanaged direct connection.  The unmanaged method requires a Trusted CA Signed SSL Certificate.  The Trusted SSL CERT is required for reasons stated in the following post (https://forum.universal-devices.com/topic/32627-trouble-with-initial-setup-error-domain-code8-null/?do=findComment&comment=311979 ).  Instructions on adding a CERT to your ISY can be found here: https://www.universal-devices.com/docs/production/ISY994 Series Network Security Guide.pdf . There are methods to add a Self Signed CERT to the Trusted Key Store on Android, however it is beyond the scope of our support and may require root on some devices.

Finally a local connection can be established on a remote network if running a VPN Server on the same local network as the ISY.  To use this method select "Only use Local Connection" in the local connection settings.  Setting this option will instruct the App to ignore remote connection settings and only use the local network.

 

Please do let me know if this answers your questions or if you need additional information.

[lhranch]

This is all good info, and they are all things I will have to address at some point, I'm sure. However, it doesn't look like this is my problem. Shortly after making my original post, I thought I would just fill in the local connection information and see if I could get it to work that way until I debugged the other. Well, it doesn't work that way either, even with "only use local connection" set. I get precisely the same error message. So I definitely don't know what the issue is.

[Javi]

Hi @lhranch,

This is odd, can you verify the Http Port in Admin-Console > Configuration >System?   Was the local IP Address found using the search icon?

[lhranch]

At the moment, I'm not anywhere where I can check the admin console, but I tried using the magnifying glass to find the local network, and I got an error telling me that the app did not have access to use the local network, which is truly bizarre. I have two Wi-Fi networks defined (two separate SSIDs in my home for the same network), I'm definitely on one of them, and I checked under settings to make sure that the app somehow had not been denied network access, and it hasn't. Now I'm really buffaloed.

[Javi]

Hi @lhranch,

The app requires an iOS permission, "Local Network", to search for a Device on a local network, this is only needed to search for the ISY and not for direct local connections. A dialog should have been presented by iOS asking for permission, if permission was denied or dismissed iOS will not show it again and it must be granted from iOS settings. 

The app is not notified when the permission is accepted or denied, so if permission is granted during a search please use the Try Again button.  If permission is denied all M-SEARCH request fail immediately, if the app has permission the search should continue until canceled or an ISY is found.  There are issues on Android with M-SEARCH which can persist until a device reboot, I have not encountered the same on iOS but it may be worth trying.

 

[lhranch]

Under Settings for UD Mobile, there is a slide button for Local Network, and it's on. I can't find anything else that looks like it needs to be turned on. Am I looking in the wrong place?

[lhranch]

Well, now it's getting even more bizarre. I'm out in the car, miles away from my home network, and when I test the remote connection, I get a weird error message that seems to be saying I'm still connected to my home network – but my Wi-Fi isn't connected to anything, and I am on cell data exclusively. 
 

And I know it did contact my router on the correct port, because I got a warning notification from my router that somebody on the Internet was accessing my ISY. But the app message makes no sense and I can't understand what he's trying to tell me.

Edited May 21, 2021 by lhranch
Added para

[Javi]

Hi @lhranch,

If you have "Only use local connection" checked (as evident from the red background on remote connection) the app is instructed to only use the local connection. This setting is for users who do not want to use remote connections or VPN.

Can you post a screenshot of the error you are getting for the local connection search when you are on the same local network as the ISY?

[lhranch]

You're right – I had only use local connections checked. I turned it off, and this time I got the original error message, Error domain equals nothing, code equals eight, null  

If you didn't see the post script I added to my previous posting, check it out. With "only use local connection" turned on, it still reached out and touched my router remotely when I used the test button.

[Javi]

Hi @lhranch,

The app will try to connect to a remote ISY for a security handshake. If you do not have a Trusted CA Signed SSL Certificate the SSL handshake fails and the app throws an error. We will try to get a better error message for this scenario in a future version.

[lhranch]

13 hours ago, Javi said:

Can you post a screenshot of the error you are getting for the local connection search when you are on the same local network as the ISY?

When I click the magnifying glass icon next to "Local IP Address" I get:

            ... and yet...           

It's looking as though I may punt my planned adoption of this app over the CA certificate thing, especially since MobiLinc doesn't have this requirement. (I feel your pain over Apple's anal-retentiveness, but "Krupke, we've got troubles of our own.") A $70-$200/year provider certificate throws it into the realm of businesses or hobbyi$ts, and LetsEncrypt's Unix-orientation and frequent renewal requirements (that I strongly suspect the ISY doesn't automate) pretty much queer that whole deal.

[Javi]

Hi @lhranch,

I apologise for the setup difficulties and thank you for verifying the local connection error. It does appear your device has the required local connection permission.   I'll have research this issue to see if we can find a solution as I am not able to reproduce the issue.  At this point it looks as if we will need to verify connections manually.  Can you verify Admin-Console>Configuration>System>Network-Setting  "Http Port" and "IP Address" match, IP Address must me prefixed with "http://".   Just for this test select "Only Use Local Connection"  to bypass System Network Relations checks.  After credentials are entered what error do you recieve when pressing "Test System On Local network".

 

 

I do understand if you do not want to pursue the app due to the CERT requirement, we do try to provide all available options to users. 

ISY Portal does not require a Static public IP Address or Port forwarding.  Static IP addresses are usually a premium service from ISPs or require a service (DYN DNS) to monitor your changing IP Address.  The cost for either of these services is usually more than ISY Portal (≈$11 yr) not to mention the CERT or security implications by opening a port on the router.  

Most mid/high grade routers have the ability to run a VPN server which will remove the CERT requirement as the app will use HTTP.  This still requires the Static IP Address or dynamic ip monitoring. This will allow connection to local devices without opening ports.

[lhranch]

I do already have a public domain name with a static address and a short TTL. I also have a private DNS inside the LAN that resolves that same name directly to the LAN address of the ISY, also with a short TTL. So I have been using a URL of the form "http://x.y.net" for both the local and remote communication on MobiLinc for years with no problems whatsoever.  I do also have the incoming VPN capability setup, and could use if it I have to, but I'd rather get stuff working the way it is supposed to work before resorting to crutches. (If I have to establish a VPN before I can open the gate for the Fedex guy, he's gone.)

When I use the exact same parameters in UD Mobile that I use i MobiLinc, I immediately get: Error: Error Domain= Code=8 "(null)".

When I change the local address in UD Mobile to the numeric address, I get a 10-30 sec. spinner with "Connecting to network. Looking for ISY", followed by the same: Error: Error Domain= Code=8 "(null)". This suggests to me that UD Mobile is immediately fumbling the DNS lookup in the other case.

Since my last message, I have discovered the existence of cheap CA certs that (while not free) are nowhere near my service provider's charges. At $5/year with up to five year expiration (Comodo from Namecheap), I am certainly willing to pursue those... provided that I can at least get this app working over the local network so I can play with it to see if it offers me significant advantage over MobiLinc.

[Javi]

Looked at the code base and "Code 8" was hard coded at some point for some errors...I'm sure I had a good reason at the time ?‍♂️.

Version 0.2.9 will have better descriptions of the errors, although it will be at least a week before it is in production. 

I ran some additional tests and can only produce a delayed (10-30 sec) "Connecting to Network...."  when the IP Address in not assigned (time out), attempting to connect to any device on the network which does not accept requests at the specified port or contains invalid credentials causes the app to immediately fail and return.

DNS lookup is provided by the OS, so we can start at this point.   When using the "Test System on Local Network" button the app sends a rest request to the ISY (rest/time) to verify a valid response.  Can you make a request from your phones browser to verify the iOS can communicate with the ISY? This should also prompt for the local credentials, if there is not prompt for local credentials please use an incognito tab so we can also verify credentials.

http://192.168.1.9:80/rest/time 

Where 192.168.1.9 is your local ip address and 80 is the port.  In the example above the exact address entered into the app is "http://192.168.1.9", port would be empty or set at "80".

Thanks

[lhranch]

Well, that was a trip. I never even thought of trying to browse directly into the ISY before, but it worked. I slightly missed following your instructions, so the first thing I did was log into it and look at a couple of the screens just out of fascination. Then I went to the rest/time URL like I should have in the first place, and it gave me a string of numbers and trues and falses back. Then I went to a private tab and went there again, and it asked me to login again. So all of that mechanism seems to be working just fine.

[Javi]

Great! I am wondering if the private DNS is not allowing a direct local connection and instead using the https settings. I based on a previous comment made about your router's connection warning when you were away from home and I assume you MobiLinc connection does not specify port 80.

So I do have a few additional questions.

Was a  security warning presented in the browser?

Was the numeric local IP Address used for this connection and did it specify port "80" ?

[lhranch]

The away from home MobiLinc connection specifies HTTPS and a port way up in the five digit range, which is what the ISY is set to listen to. It has been operating fine that way for years.

When I manually browsed to the ISY, It was numeric, but I didn't bother to specify any port knowing that Safari would use 80 anyway. But I did it again right now with :80 just in case, and there was no difference in the response.

I got no security warnings at all from anything.

I'm positive my DNS is not set up to redirect anything to HTTPS; I wouldn't even know how to do that if I wanted to, and I would have no reason to do that in the first place. 

Edited May 22, 2021 by lhranch

[Javi]

Thanks for verifying. 

At this point I am not sure of the cause, the app should function similar to a browser for the rest/time (test connection) call as it is a high level call using iOS defaults (HTTP). I'll ask around to see if anyone else has insight into the issue.

ISY Subscription sockets (TCP) are managed by the app (low level), however these are not started until after the application has synchronized with the ISY.

[lhranch]

If you think it would be worthwhile, I could send you a wireshark-able dump of the traffic on the ISY's IP during a code=8 failure.

[Javi]

Hi @lhranch,

It could be helpful if you can capture your phones network this may require routing your phones connection through the device running WireShark (MitM).  Below is a sample of a successful rest/time request for the local network 192.168.1.9 is the ISY.

 

This is local network search (M-SEARCH):

 

I'll try to get version 0.2.9 pushed to Alpha testing Monday or Tuesday to remove the hard coded "code=8" error, this should show the actual failure cause.

Based on our conversation I gather the remote connection is trying to connect then failing because of the CERT (immediate code=8). The local connection appears to time out (delayed code=8). 

If you would like to join our alpha test group and check if the error messages on version 0.2.9 please follow instructions here https://testflight.apple.com/join/xHtzI5R3

[lhranch]

Haven't gotten around to making the Wireshark dump... but after your update of two days ago, the mystery unravels itself further.

When attempting the local connection, instead of the old code=8 nonsense, I now see:

Error: The resource could not be loaded because the App Transport Security policy requires the use of a secure connection.

Note again, this is for the local connection option only, which I understood is not supposed to require this.