athozs / hass-additional-ca
Add private Certificate Authority or self-signed certificate into Home Assistant to access 3rd-party service with TLS/SSL.
License: MIT License
While working on enabling TLS for the Frigate integration, I came across this error:
[custom_components.frigate.api] Error fetching information from https://redacted.dns.name:5000/api/stats: Cannot connect to host redacted.dns.name:5000 ssl:True [SSLCertVerificationError: (1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1002)')]
According to the comment below from the file /usr/src/homeassistant/homeassistant/util/ssl.py in the docker container homeassistant:
# Reuse environment variable definition from requests, since it's already a
# requirement. If the environment variable has no value, fall back to using
# certs from certifi package.
I found that when the CA certificate is also put into the CA file provided by certifi, which in my case is /usr/local/lib/python3.11/site-packages/certifi/cacert.pem, TLS works like a breeze.
Probably a better solution than the hard-wired path above would be running the following command:
homeassistant:/config# python3 -m certifi
/usr/local/lib/python3.11/site-packages/certifi/cacert.pem
I did not know that the python module certifi provides its own truststore, which completely ignores /etc/ssl/certs.
And this is how most ssl contexts seem to be created (according to the code in util/ssl.py).
Would be cool if you could extend this HACS Integration accordingly.
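The approach described in this issue, as an added example that is not code from hass-additional-ca or from Home Assistant: it mirrors the lookup the quoted comment describes (REQUESTS_CA_BUNDLE if set, otherwise certifi's cacert.pem), merges an extra PEM CA into that bundle without duplicating certificates that are already there, and shows the runtime alternative of an ssl.SSLContext that trusts the extra CA via cadata. The script name in the usage line is hypothetical, and the sample PEM blocks are constructed placeholders (valid PEM framing around arbitrary bytes, not real X.509 certificates), so only the fingerprint and merge logic is exercised with them.

```python
"""Merge a private CA into the bundle that Home Assistant's ssl.py resolves."""
import base64
import hashlib
import os
import re
import ssl
import sys
import tempfile

# One PEM certificate block; re.S lets the base64 body span several lines.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S
)


def pem_fingerprints(pem_text: str) -> list[str]:
    """SHA-256 of the DER bytes of each certificate block, in file order."""
    fingerprints = []
    for body in PEM_BLOCK.findall(pem_text):
        der = base64.b64decode("".join(body.split()))
        fingerprints.append(hashlib.sha256(der).hexdigest())
    return fingerprints


def merge_ca_bundle(bundle_text: str, extra_pem: str) -> tuple[str, int]:
    """Append every certificate in extra_pem that the bundle lacks.

    Returns (merged text, number of certificates added). Re-running with the
    same CA adds nothing, so the merge is safe to repeat after an upgrade
    has replaced cacert.pem.
    """
    present = set(pem_fingerprints(bundle_text))
    merged = bundle_text.rstrip("\n") + "\n" if bundle_text else ""
    added = 0
    for match in PEM_BLOCK.finditer(extra_pem):
        der = base64.b64decode("".join(match.group(1).split()))
        fp = hashlib.sha256(der).hexdigest()
        if fp in present:
            continue
        present.add(fp)
        merged += match.group(0).strip() + "\n"
        added += 1
    return merged, added


def ca_bundle_path() -> str:
    """Same precedence as the comment quoted from homeassistant/util/ssl.py."""
    override = os.environ.get("REQUESTS_CA_BUNDLE")
    if override:
        return override
    import certifi  # present in the homeassistant container; same answer as `python3 -m certifi`
    return certifi.where()


def install_into_bundle(bundle_path: str, extra_pem: str) -> int:
    """Merge extra_pem into the bundle file on disk via atomic replace; returns certs added."""
    with open(bundle_path, encoding="utf-8") as fh:
        merged, added = merge_ca_bundle(fh.read(), extra_pem)
    if added:
        fd, tmp = tempfile.mkstemp(dir=os.path.dirname(bundle_path), suffix=".tmp")
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            fh.write(merged)
        os.chmod(tmp, 0o644)  # mkstemp creates 0600; keep the bundle world-readable like the original
        os.replace(tmp, bundle_path)
    return added


def context_with_extra_ca(extra_pem: str) -> ssl.SSLContext:
    """Runtime alternative that survives certifi upgrades: bundle plus extra_pem held in memory."""
    ctx = ssl.create_default_context(cafile=ca_bundle_path())
    ctx.load_verify_locations(cadata=extra_pem)
    return ctx


def _placeholder_pem(seed: bytes) -> str:
    # Constructed stand-in for tests: base64 of arbitrary bytes, PEM framing only.
    body = base64.b64encode(seed * 8).decode("ascii")
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


SAMPLE_BUNDLE = _placeholder_pem(b"root-a") + _placeholder_pem(b"root-b")
SAMPLE_PRIVATE_CA = _placeholder_pem(b"private-ca")

if __name__ == "__main__":
    # Hypothetical usage: python3 merge_ca.py /config/additional_ca/my-ca.pem
    with open(sys.argv[1], encoding="utf-8") as fh:
        count = install_into_bundle(ca_bundle_path(), fh.read())
    print(count, "certificate(s) added to", ca_bundle_path())
```

The file-based route has the drawback the issue hints at: cacert.pem belongs to the certifi package, so a certifi or container upgrade replaces it and the merge has to be repeated (merge_ca_bundle is idempotent for exactly that reason). Loading the CA into the SSLContext with cadata avoids touching the package at all, but only helps clients that are built from that context.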
Hello,
the add-on does not add self-signed CA certificates. I have installed Home Assistant OS version 11.5 on a Mini PC. Here are my configurations:
...
cat /config/configuration.yaml
default_config:
additional_ca:
  Test: /config/additional_ca/HarbichCA.pem # a cert file
tts:
  - platform: google_translate
frontend:
  themes: !include_dir_merge_named themes
automation: !include automations.yaml
script: !include scripts.yaml
scene: !include scenes.yaml
http:
  ip_ban_enabled: true
  login_attempts_threshold: 3
  server_port: 8123
  use_x_forwarded_for: true
  trusted_proxies:
    - 127.0.0.1
    - 192.168.0.0/16
    - ::1
...
...
ls -la /config/additional_ca
total 16
drwxr-xr-x 2 root root 4096 Feb 17 00:27 .
drwxr-xr-x 13 root root 4096 Feb 17 12:57 ..
-rw-r--r-- 1 root root 1342 Feb 17 00:19 HarbichCA.crt
-rw-r--r-- 1 root root 1342 Feb 17 00:27 HarbichCA.pem
...
...
cat /config/additional_ca/HarbichCA.pem
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
...
...
ls -la /config/custom_components/additional_ca
total 36
drwxr-xr-x 3 root root 4096 Feb 17 12:44 .
drwxr-xr-x 4 root root 4096 Feb 17 12:43 ..
-rw-r--r-- 1 root root 5520 Feb 17 12:43 __init__.py
drwxr-xr-x 2 root root 4096 Feb 17 12:44 __pycache__
-rw-r--r-- 1 root root 204 Feb 17 12:43 const.py
-rw-r--r-- 1 root root 337 Feb 17 12:43 manifest.json
-rw-r--r-- 1 root root 462 Feb 17 12:43 storage.py
-rw-r--r-- 1 root root 2076 Feb 17 12:43 utils.py
...
...
cat /config/home-assistant.log
2024-02-17 12:57:18.554 WARNING (SyncWorker_3) [homeassistant.loader] We found a custom integration hacs which has not been tested by Home Assistant. This component might cause stability problems, be sure to disable it if you experience issues with Home Assistant
2024-02-17 12:57:18.555 WARNING (SyncWorker_3) [homeassistant.loader] We found a custom integration additional_ca which has not been tested by Home Assistant. This component might cause stability problems, be sure to disable it if you experience issues with Home Assistant
...
Why isn't my HarbichCA.pem certificate added?
Greetings from Stefan Harbich
Describe the issue
Hi, thanks for making this addon. I have a small problem with it: While it works for me on HassOS itself, the Frigate integration appears to be unable to use the CA. I have already tried restarting everything.
Describe your setup
YAML configuration extract
default_config:
additional_ca:
  luca: luca.crt
Logs
Error fetching information from https://10.0.3.1/api/stats: Cannot connect to host 10.0.3.1:443 ssl:default [Connect call failed ('10.0.3.1', 443)]
Error fetching information from https://10.0.3.1/api/stats: Cannot connect to host 10.0.3.1:443 ssl:True [SSLCertVerificationError: (1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1000)')]
Additional context
I believe this might also be the case with the opnsense integration: urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='10.0.0.1', port=1443): Max retries exceeded with url: /api/diagnostics/interface/getArp (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate in certificate chain (_ssl.c:1000)'))
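A small probe for telling the two log lines above apart, as an added example that is not code from hass-additional-ca, the Frigate integration or the OPNsense integration: the first Frigate line is a plain TCP failure ("Connect call failed"), the second is a certificate verification failure ("CERTIFICATE_VERIFY_FAILED"), and only the second has anything to do with the CA. The probe classifies the outcome of a handshake and can retry with a private CA supplied in memory, which confirms whether the CA is the missing piece before looking at how a particular integration builds its client. Host, port and CA file are taken from the command line in the hypothetical usage; the offline test only exercises the connect-failure path against an unused local port.

```python
"""Classify TLS connection failures the way they appear in Home Assistant logs."""
import socket
import ssl
from dataclasses import dataclass
from typing import Optional


@dataclass
class ProbeResult:
    status: str  # "ok", "verify_failed", "tls_error" or "connect_failed"
    detail: str = ""  # peer CN on success, otherwise the error text


def make_context(extra_ca_pem: Optional[str] = None) -> ssl.SSLContext:
    """Default verifying context (hostname check on) plus an optional private CA."""
    ctx = ssl.create_default_context()
    if extra_ca_pem:
        ctx.load_verify_locations(cadata=extra_ca_pem)
    return ctx


def probe(host: str, port: int, extra_ca_pem: Optional[str] = None,
          timeout: float = 3.0) -> ProbeResult:
    """Connect, handshake and verify; map each failure mode to a status."""
    ctx = make_context(extra_ca_pem)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                # subject is a tuple of RDNs, each a tuple of (name, value) pairs
                subject = dict(rdn[0] for rdn in tls.getpeercert().get("subject", ()))
                return ProbeResult("ok", subject.get("commonName", ""))
    except ssl.SSLCertVerificationError as exc:
        # most specific first: it is a subclass of both SSLError and OSError
        return ProbeResult("verify_failed", exc.verify_message)
    except ssl.SSLError as exc:
        return ProbeResult("tls_error", str(exc))
    except OSError as exc:
        return ProbeResult("connect_failed", str(exc))


def _unused_local_port() -> int:
    """Port nothing listens on, to demonstrate the connect-failure path offline."""
    with socket.socket() as sock:
        sock.bind(("127.0.0.1", 0))
        return sock.getsockname()[1]


if __name__ == "__main__":
    import sys
    # Hypothetical usage: python3 tls_probe.py 10.0.3.1 443 [/config/additional_ca/luca.crt]
    host, port = sys.argv[1], int(sys.argv[2])
    ca_pem = open(sys.argv[3], encoding="utf-8").read() if len(sys.argv) > 3 else None
    print("without extra CA:", probe(host, port))
    if ca_pem:
        print("with extra CA:   ", probe(host, port, ca_pem))
```

If the first probe reports verify_failed and the second reports ok, the CA file is correct and the remaining question is which SSLContext the integration's HTTP client is built from. The two verify messages in the logs mean slightly different things: "unable to get local issuer certificate" says the issuer of the last certificate the server sent is not in the trust store, while "self-signed certificate in certificate chain" says the server's chain ends in a self-signed root that the trust store does not contain; both are fixed by trusting the right CA, not by disabling verification.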
Hey @Athozs,
thanks for developing this integration!
I've got the following issue:
Do you have an idea/fix for this? Thanks in advance!
My Setup: