SSL verification on home assistant connection
mullermn opened this issue · 6 comments
Hi
I'm using the docker configuration on a separate host from the host running home assistant. I've validated that network connectivity is fine, but I seem to be getting an error in verification of the SSL certificate, which is self-signed. I have searched far and wide and haven't found any reference to this issue online which puzzles me - I wouldn't have thought this is an unusual configuration - so apologies if I'm missing something obvious.
Is there a way to either provide a specific certificate for verification or to disable SSL verification, please?
Starting emulated_hue ... done
Attaching to emulated_hue
emulated_hue | [s6-init] making user provided files available at /var/run/s6/etc...exited 0.
emulated_hue | [s6-init] ensuring user provided files have correct perms...exited 0.
emulated_hue | [fix-attrs.d] applying ownership & permissions fixes...
emulated_hue | [fix-attrs.d] done.
emulated_hue | [cont-init.d] executing container initialization scripts...
emulated_hue | [cont-init.d] 00-set-vars.sh: executing...
emulated_hue | [cont-init.d] 00-set-vars.sh: exited 0.
emulated_hue | [cont-init.d] done.
emulated_hue | [services.d] starting services
emulated_hue | [services.d] done.
emulated_hue | [10:01:59] INFO: Starting Emulated Hue...
emulated_hue | 2021-12-22 10:02:01,606 DEBUG emulated_hue.utils -- Loading /root/.emulated_hue/emulated_hue.json failed: [Errno 2] No such file or directory: '/root/.emulated_hue/emulated_hue.json'
emulated_hue | 2021-12-22 10:02:01,610 INFO emulated_hue.config -- Auto detected listen IP address is 10.116.215.55
emulated_hue | 2021-12-22 10:02:01,657 DEBUG getmac -- Raw MAC found: None
emulated_hue | 2021-12-22 10:02:01,660 DEBUG getmac -- Raw MAC found: b8:27:eb:ce:63:6c
emulated_hue |
emulated_hue | 2021-12-22 10:02:01,662 DEBUG aiorun -- Entering run()
emulated_hue | 2021-12-22 10:02:01,692 DEBUG aiorun -- Creating default executor
emulated_hue | 2021-12-22 10:02:01,733 ERROR asyncio -- Task exception was never retrieved
emulated_hue | future: <Task finished name='Task-1' coro=<run.<locals>.new_coro() done, defined at /usr/local/lib/python3.9/site-packages/aiorun.py:219> exception=CannotConnect("Cannot connect to host homeassistant.home:8123 ssl:True [SSLCertVerificationError: (1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate (_ssl.c:1129)')]")>
emulated_hue | Traceback (most recent call last):
emulated_hue | File "/usr/local/lib/python3.9/site-packages/aiohttp/connector.py", line 969, in _wrap_create_connection
emulated_hue | return await self._loop.create_connection(*args, **kwargs) # type: ignore # noqa
emulated_hue | File "uvloop/loop.pyx", line 2069, in create_connection
emulated_hue | File "uvloop/loop.pyx", line 2064, in uvloop.loop.Loop.create_connection
emulated_hue | File "uvloop/sslproto.pyx", line 517, in uvloop.loop.SSLProtocol._on_handshake_complete
emulated_hue | File "uvloop/sslproto.pyx", line 499, in uvloop.loop.SSLProtocol._do_handshake
emulated_hue | File "/usr/local/lib/python3.9/ssl.py", line 944, in do_handshake
emulated_hue | self._sslobj.do_handshake()
emulated_hue | ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate (_ssl.c:1129)
emulated_hue |
emulated_hue | The above exception was the direct cause of the following exception:
emulated_hue |
emulated_hue | Traceback (most recent call last):
emulated_hue | File "/usr/local/lib/python3.9/site-packages/hass_client/client.py", line 241, in connect
emulated_hue | self._client = await self._http_session.ws_connect(
emulated_hue | File "/usr/local/lib/python3.9/site-packages/aiohttp/client.py", line 754, in _ws_connect
emulated_hue | resp = await self.request(
emulated_hue | File "/usr/local/lib/python3.9/site-packages/aiohttp/client.py", line 520, in _request
emulated_hue | conn = await self._connector.connect(
emulated_hue | File "/usr/local/lib/python3.9/site-packages/aiohttp/connector.py", line 535, in connect
emulated_hue | proto = await self._create_connection(req, traces, timeout)
emulated_hue | File "/usr/local/lib/python3.9/site-packages/aiohttp/connector.py", line 892, in _create_connection
emulated_hue | _, proto = await self._create_direct_connection(req, traces, timeout)
emulated_hue | File "/usr/local/lib/python3.9/site-packages/aiohttp/connector.py", line 1051, in _create_direct_connection
emulated_hue | raise last_exc
emulated_hue | File "/usr/local/lib/python3.9/site-packages/aiohttp/connector.py", line 1020, in _create_direct_connection
emulated_hue | transp, proto = await self._wrap_create_connection(
emulated_hue | File "/usr/local/lib/python3.9/site-packages/aiohttp/connector.py", line 971, in _wrap_create_connection
emulated_hue | raise ClientConnectorCertificateError(req.connection_key, exc) from exc
emulated_hue | aiohttp.client_exceptions.ClientConnectorCertificateError: Cannot connect to host homeassistant.home:8123 ssl:True [SSLCertVerificationError: (1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate (_ssl.c:1129)')]
emulated_hue |
emulated_hue | The above exception was the direct cause of the following exception:
emulated_hue |
emulated_hue | Traceback (most recent call last):
emulated_hue | File "/usr/local/lib/python3.9/site-packages/aiorun.py", line 229, in new_coro
emulated_hue | await coro
emulated_hue | File "/app/emulated_hue/__init__.py", line 55, in async_start
emulated_hue | await self._hass.connect()
emulated_hue | File "/usr/local/lib/python3.9/site-packages/hass_client/client.py", line 257, in connect
emulated_hue | raise CannotConnect(err) from err
emulated_hue | hass_client.exceptions.CannotConnect: Cannot connect to host homeassistant.home:8123 ssl:True [SSLCertVerificationError: (1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate (_ssl.c:1129)')]
Thanks for reporting. This is indeed a first time seeing this. Can you post your specific run commands including environment variables? It appears that you are attempting to use an ssl connection to a FQDN which does not have a valid ssl certificate. You can also instead try using the IP instead of a hostname to see if that resolves the issue.
I tried with the IP with the same result (snippet):
emulated_hue | transp, proto = await self._wrap_create_connection(
emulated_hue | File "/usr/local/lib/python3.9/site-packages/aiohttp/connector.py", line 971, in _wrap_create_connection
emulated_hue | raise ClientConnectorCertificateError(req.connection_key, exc) from exc
emulated_hue | aiohttp.client_exceptions.ClientConnectorCertificateError: Cannot connect to host 10.116.215.53:8123 ssl:True [SSLCertVerificationError: (1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate (_ssl.c:1129)')]
emulated_hue |
This is the compose file I tested with (the commented URL was the original config that caused the problem):
version: '3'
services:
  hass-emulated-hue:
    container_name: emulated_hue
    network_mode: host
    restart: unless-stopped
    environment:
      - HASS_TOKEN=stripped
      - HASS_URL=https://10.116.215.53:8123 #https://homeassistant.home:8123
      - VERBOSE=true #false
    image: ghcr.io/hass-emulated-hue/core:0.2.9 # <<< Desired release version here
    volumes:
      - /home/user/config_emulated_hue:/root/.emulated_hue/
    # If host networking mode is undesired,
    # Hue requires these ports and there is no way to change them as most
    # applications do not support accessing the Hue api over different ports
    # Discovery will not operate with bridge mode and ip will need to be manually entered into the applications
    # port 80: http
    # port 443: https
    # port 1900: ssdp -> Does not work with bridged networking as multicast is not forwarded
    # port 2100: entertainment
    ports:
      - '80:80'
      - '443:443'
      - '1900:1900'
      # - '2100:2100'
The error is correct, in the sense that I'm using a self signed cert that the docker container (and host) have no knowledge of, so it can't be verified. I just want to either 1) turn off the verification, or 2) be able to provide the specific cert to verify against.
Thanks for responding
Try simply using http instead in the url. You also should keep the ports commented out as in the example if you are using host networking.
Thanks for the tip about the ports, I will do that.
Regarding changing http -> https, I did this re-enabled SSL in home assistant. This gives:
emulated_hue | future: <Task finished name='Task-1' coro=<run.<locals>.new_coro() done, defined at /usr/local/lib/python3.9/site-packages/aiorun.py:221> exception=CannotConnect('Server disconnected')>
emulated_hue | Traceback (most recent call last):
emulated_hue | File "/usr/local/lib/python3.9/site-packages/hass_client/client.py", line 241, in connect
emulated_hue | self._client = await self._http_session.ws_connect(
emulated_hue | File "/usr/local/lib/python3.9/site-packages/aiohttp/client.py", line 754, in _ws_connect
emulated_hue | resp = await self.request(
emulated_hue | File "/usr/local/lib/python3.9/site-packages/aiohttp/client.py", line 544, in _request
emulated_hue | await resp.start(conn)
emulated_hue | File "/usr/local/lib/python3.9/site-packages/aiohttp/client_reqrep.py", line 890, in start
emulated_hue | message, payload = await self._protocol.read() # type: ignore
emulated_hue | File "/usr/local/lib/python3.9/site-packages/aiohttp/streams.py", line 604, in read
emulated_hue | await self._waiter
emulated_hue | aiohttp.client_exceptions.ServerDisconnectedError: Server disconnected
emulated_hue |
emulated_hue | The above exception was the direct cause of the following exception:
emulated_hue |
emulated_hue | Traceback (most recent call last):
emulated_hue | File "/usr/local/lib/python3.9/site-packages/aiorun.py", line 231, in new_coro
emulated_hue | await coro
emulated_hue | File "/app/emulated_hue/__init__.py", line 55, in async_start
emulated_hue | await self._hass.connect()
emulated_hue | File "/usr/local/lib/python3.9/site-packages/hass_client/client.py", line 257, in connect
emulated_hue | raise CannotConnect(err) from err
emulated_hue | hass_client.exceptions.CannotConnect: Server disconnected
I think this makes sense though, as if I recall the code is substituting http for ws before attempting a connection, so it's now attempting to connect to ws://homeassistant.home:8123, but that won't work because home assistant is now only offering an SSL secured endpoint?
I see. Perhaps you can instead use a reverse proxy like the nginx proxy manager in the addon store with duckdns to obtain a proper certificate or simply disable https in the embedded home assistant server. I don't really think disabling ssl verification is the way to go with this issue. What's the point of using https in the first place if you're allowing self signed certs?
Closing due to no activity
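The reporter's second option, verifying against one specific certificate, can be met without accepting arbitrary certificates by pinning the certificate's SHA-256 fingerprint. This is an added example using only the Python standard library, not code from emulated_hue or hass_client; the function names and the sample bytes are constructed for illustration.

```python
import hashlib
import hmac
import socket
import ssl


def normalize_pin(pin: str) -> bytes:
    """Accept a SHA-256 fingerprint as plain hex or 'AA:BB:...' and return 32 bytes."""
    raw = bytes.fromhex(pin.strip().replace(":", ""))
    if len(raw) != hashlib.sha256().digest_size:
        raise ValueError("expected a SHA-256 fingerprint (32 bytes)")
    return raw


def cert_matches_pin(der_cert: bytes, pin: str) -> bool:
    """Constant-time comparison of the certificate's SHA-256 digest with the pin."""
    return hmac.compare_digest(hashlib.sha256(der_cert).digest(), normalize_pin(pin))


def connect_pinned(host: str, port: int, pin: str, timeout: float = 5.0) -> ssl.SSLSocket:
    """Open a TLS connection and accept the peer only if its certificate matches the pin."""
    expected = normalize_pin(pin)  # reject a malformed pin before touching the network
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Chain and hostname checks are off only because the pin check below replaces them.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    raw = socket.create_connection((host, port), timeout=timeout)
    try:
        tls = ctx.wrap_socket(raw, server_hostname=host)
    except Exception:
        raw.close()
        raise
    # The DER certificate is available even though chain validation was skipped.
    der = tls.getpeercert(binary_form=True)
    if not der or not cert_matches_pin(der, expected.hex()):
        tls.close()
        raise ssl.SSLCertVerificationError(
            "peer certificate does not match the pinned fingerprint")
    return tls


# Constructed sample: stand-in bytes, not a real certificate.
SAMPLE_DER = b"constructed stand-in for a DER-encoded certificate"
SAMPLE_PIN = hashlib.sha256(SAMPLE_DER).hexdigest()
```

aiohttp, the client library in the tracebacks above, accepts the same kind of pin as `ssl=aiohttp.Fingerprint(digest)`; nothing on this page shows emulated_hue exposing a setting for it.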