
hass-additional-ca's People

Contributors

athozs, nabbi


hass-additional-ca's Issues

update ca-store provided by python3 library «certifi» using this HASS Integration

While working on enabling TLS for the Frigate integration, I came across this error:
[custom_components.frigate.api] Error fetching information from https://redacted.dns.name:5000/api/stats: Cannot connect to host redacted.dns.name:5000 ssl:True [SSLCertVerificationError: (1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1002)')]

According to the comment below, from the file /usr/src/homeassistant/homeassistant/util/ssl.py in the homeassistant Docker container:

    # Reuse environment variable definition from requests, since it's already a
    # requirement. If the environment variable has no value, fall back to using
    # certs from certifi package.

I found that when the CA certificate is also put into the CA file provided by certifi, which in my case is /usr/local/lib/python3.11/site-packages/certifi/cacert.pem, TLS works like a breeze.

Probably a better solution than the above hard-wired path would be running the following command:

homeassistant:/config# python3 -m certifi
/usr/local/lib/python3.11/site-packages/certifi/cacert.pem

I did not know that the Python module certifi provides its own implementation of a truststore, which completely ignores /etc/ssl/certs.
And this is how most SSL contexts seem to be created (according to the code in util/ssl.py).

Would be cool if you could extend this HACS Integration accordingly.
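
A diagnostic for the situation described in the issue above, added here as an example and not part of the issue or of the integration's code: it resolves which CA file applies (environment variable first, then certifi) and reports, by SHA-256 fingerprint, whether a private CA's certificates are in it. The variable name `REQUESTS_CA_BUNDLE` is an assumption (the quoted comment only says the definition is reused from requests), and the function names are hypothetical.

```python
import hashlib
import os
import re
import ssl

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.DOTALL
)


def effective_bundle(environ=os.environ):
    """CA file chosen the way the quoted comment describes: env var, else certifi."""
    path = environ.get("REQUESTS_CA_BUNDLE")  # assumed name: the variable requests reads
    if path:
        return path
    import certifi  # imported lazily; only needed for the fallback

    return certifi.where()


def fingerprints(pem_path):
    """SHA-256 fingerprints of the DER form of every certificate in a PEM file."""
    with open(pem_path, encoding="ascii", errors="replace") as fh:
        text = fh.read()
    return {
        hashlib.sha256(ssl.PEM_cert_to_DER_cert(block)).hexdigest()
        for block in PEM_BLOCK.findall(text)
    }


def missing_from_bundle(ca_path, bundle_path):
    """Fingerprints of certificates in ca_path that bundle_path does not contain."""
    return fingerprints(ca_path) - fingerprints(bundle_path)


if __name__ == "__main__":
    import sys

    if len(sys.argv) != 2:
        sys.exit("usage: check_ca.py /path/to/private-ca.pem")
    bundle = effective_bundle()
    missing = missing_from_bundle(sys.argv[1], bundle)
    print(f"bundle in use: {bundle}")
    print("CA present" if not missing else f"CA missing: {sorted(missing)}")
```

Run it inside the same container as Home Assistant so that the environment and the certifi installation match what the integrations see.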

AddOn "additional-ca" not start

Hello,
the add-on does not add self-signed CA certificates. I have installed Home Assistant OS version 11.5 on a Mini PC. Here are my configurations:
...
cat /config/configuration.yaml
default_config:
additional_ca:
  Test: /config/additional_ca/HarbichCA.pem # a cert file
tts:
  platform: google_translate
frontend:
  themes: !include_dir_merge_named themes
automation: !include automations.yaml
script: !include scripts.yaml
scene: !include scenes.yaml
http:
  ip_ban_enabled: true
  login_attempts_threshold: 3
  server_port: 8123
  use_x_forwarded_for: true
  trusted_proxies:
    - 127.0.0.1
    - 192.168.0.0/16
    - ::1
...
...
ls -la /config/additional_ca
total 16
drwxr-xr-x 2 root root 4096 Feb 17 00:27 .
drwxr-xr-x 13 root root 4096 Feb 17 12:57 ..
-rw-r--r-- 1 root root 1342 Feb 17 00:19 HarbichCA.crt
-rw-r--r-- 1 root root 1342 Feb 17 00:27 HarbichCA.pem
...
...
cat /config/additional_ca/HarbichCA.pem
...
...
ls -la /config/custom_components/additional_ca
total 36
drwxr-xr-x 3 root root 4096 Feb 17 12:44 .
drwxr-xr-x 4 root root 4096 Feb 17 12:43 ..
-rw-r--r-- 1 root root 5520 Feb 17 12:43 __init__.py
drwxr-xr-x 2 root root 4096 Feb 17 12:44 __pycache__
-rw-r--r-- 1 root root 204 Feb 17 12:43 const.py
-rw-r--r-- 1 root root 337 Feb 17 12:43 manifest.json
-rw-r--r-- 1 root root 462 Feb 17 12:43 storage.py
-rw-r--r-- 1 root root 2076 Feb 17 12:43 utils.py
...
...
cat /config/home-assistant.log
2024-02-17 12:57:18.554 WARNING (SyncWorker_3) [homeassistant.loader] We found a custom integration hacs which has not been tested by Home Assistant. This component might cause stability problems, be sure to disable it if you experience issues with Home Assistant
2024-02-17 12:57:18.555 WARNING (SyncWorker_3) [homeassistant.loader] We found a custom integration additional_ca which has not been tested by Home Assistant. This component might cause stability problems, be sure to disable it if you experience issues with Home Assistant
...

Why isn't my HarbichCA.pem certificate added?
Greetings from Stefan Harbich

Custom CA does not appear to work for frigate integration

Describe the issue

Hi, thanks for making this addon. I have a small problem with it: While it works for me on HassOS itself, the Frigate integration appears to be unable to use the CA. I have already tried restarting everything.

Describe your setup (please complete the following information):

  • Installation type: HAOS
  • HAOS version (if applicable): 12.2
  • Home Assistant core version: 2024.5.1
  • Additional CA integration version: latest

YAML configuration extract

An extract of your YAML configuration:

default_config:

additional_ca:
  luca: luca.crt

Logs

Error fetching information from https://10.0.3.1/api/stats: Cannot connect to host 10.0.3.1:443 ssl:default [Connect call failed ('10.0.3.1', 443)]
Error fetching information from https://10.0.3.1/api/stats: Cannot connect to host 10.0.3.1:443 ssl:True [SSLCertVerificationError: (1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1000)')]

Additional context

  • What service/device are you trying to reach from Home Assistant with TLS/SSL ? Frigate, running at https://10.0.3.1:443

Add any other context about the problem here.

I believe this might also be the case with the opnsense integration: urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='10.0.0.1', port=1443): Max retries exceeded with url: /api/diagnostics/interface/getArp (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate in certificate chain (_ssl.c:1000)'))

Added CA seems to work only for some Integrations

Hey @Athozs,
thanks for developing this integration!

I've got the following issue:

  • Added a CA via Additional CA
  • Verification of SSL certificate works with some integrations (e.g. CalDav integration)
  • It does not work with Synology DSM Integration (Error: ClientConnectorCertificateError)
  • Certificate of CalDav Server and Synology NAS are signed by the same custom CA and are currently valid (and work in different tools e.g. browser)

Do you have an idea/fix for this? Thanks in advance!


My Setup:

  • Home Assistant Container (homeassistant/home-assistant:2024.1.3)
  • Additional CA v0.2.1 (Installation via HACS)
