Home Assistant self-signed certificate support for integration with power component #799
Conversation
Thanks. I wonder if it's possible for you to install your own root certificate and have it work with no modifications. I'm not sure if the above procedure is what you meant by "appending the certificate directly." If the above does not work we could look into merging. We would need to change the
@Arksine As I mentioned in the PS, I tried adding the self-signed certificate to the system exactly as described on that page (sudo cp my.crt /usr/local/share/ca-certificates/ ; sudo update-ca-certificates). wget stops complaining and works just fine, but that's not the case for moonraker (even after a process restart). I did not try a system restart. After that, if I launch the moonraker venv and import the Python requests library, it also keeps complaining. I could work around that by appending my self-signed certificate to the venv's python-certifi package as described in the first answer here https://stackoverflow.com/questions/34931378/certificate-verification-when-using-virtual-environments (which is already too much of a hack for my taste, since it would break on a python-certifi update or venv rebuild); it then starts working with the requests lib, but moonraker doesn't use that. With tornado, I could not figure out a way to hack this; I don't know which CA bundle it uses, so I can't append my self-signed certificate there...
I am open to doing more testing if desired. Regarding the ca_certs path, isn't the
Interesting. There seems to be something strange about your system, as I can't reproduce. On Mainsailos (Debian Bullseye):
It also works on RPOS Bookworm for me. One thing I notice is that your exception is unhandled. It isn't providing the I think the best path forward is to attempt to determine why the handshake is failing on your system. It appears as if Python is picking up another cert for
@Arksine I did a bit more testing and you were right: there was a problem on my side, not with the system (2-week-old Raspberry Pi OS + KIAUH install) but with the certificate itself. I had previously manipulated the cert in order to be able to import it into my Windows machine as well as my Android phone, and ended up copying to my Raspberry not the original rootCA.pem but a converted version that had "Bag Attributes" prepended to the cert. Apparently that is enough to cause this behavior on my Rasp. I am now able to use the current moonraker code without requiring any further modification 👍 I think it is reasonable to assume that anyone using moonraker will have root access and be able to add the rootCA directly into the system, so perhaps this can be closed, since this merge request would only make sense if that was not the case or if someone is not using the certificate in the proper format 😇 Do you agree?
Yes, I agree. From a security perspective it is preferable to require root access in order to add a CA root certificate. If in the future there is some compelling reason to add support for the
Closing as this should not be required. Instead it is recommended to add the CA root certificate directly into the OS.
The current version of moonraker has an integration with Home Assistant allowing it to control remote switches. There is the option to set the authentication protocol to HTTPS, but there is no option to define a certificate (.crt) to be used. This is required when using self-signed certificates; otherwise validation will fail and moonraker.log will log the following error:
[iostream.py:_do_ssl_handshake()] - SSL Error on 12 ('192.168.1.X', 8123): [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1123)
This merge request allows a new variable called ca_certs (keeping the same variable name used by the tornado httpclient library) to be defined inside the [power homeassistant_switch] config section; any request made to Home Assistant will then use the certificate and succeed.
The ca_certs variable is optional and moonraker will behave the same if not defined. This variable should be used together with setting the protocol to https (instead of the default http).
PS: I tried appending the self-signed certificate directly into the system (wget starts working) and into the Python venv through certifi (the Python requests lib starts working), but I could not make the tornado httpclient work other than by passing the certificate in the code.
Signed-off-by: Paulo Serrão [email protected]
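The two practical questions in this thread are which CA bundle Tornado actually reads when ca_certs is unset, and whether a PEM file that still carries the "Bag Attributes" header from a PKCS#12 export is usable. The following is an added example written for this page, not Moonraker's code or this PR's implementation. It uses only Python's standard ssl module: Tornado's client default is ssl.create_default_context(), so with ca_certs unset it looks where OpenSSL looks (the paths ssl.get_default_verify_paths() reports, which on Debian is the /etc/ssl/certs/ca-certificates.crt that update-ca-certificates writes), not in certifi. The function names clean_ca_bundle, homeassistant_client_kwargs, check_ca_file and default_verify_locations, and the BAG_EXPORT sample, are hypothetical and constructed here; the request keyword names ca_certs and validate_cert are the real tornado.httpclient.HTTPRequest parameters the resulting dict would be passed to.

```python
"""Check a CA bundle the way Tornado's simple_httpclient will see it.

Added example for this thread, not Moonraker's code. Assumed/hypothetical
names: clean_ca_bundle, homeassistant_client_kwargs, check_ca_file,
default_verify_locations and the constructed BAG_EXPORT sample. The request
keyword names 'ca_certs' and 'validate_cert' are real
tornado.httpclient.HTTPRequest parameters.
"""
import re
import ssl
import sys
from pathlib import Path

# One PEM certificate block: BEGIN line, base64 body lines, END line.
_CERT_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n(?:[A-Za-z0-9+/=]+\r?\n)+-----END CERTIFICATE-----"
)
# Any PEM key marker (PRIVATE KEY, RSA PRIVATE KEY, ENCRYPTED PRIVATE KEY, ...).
_PRIVATE_KEY = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")


def clean_ca_bundle(pem_text: str) -> str:
    """Return only the certificate blocks of a PEM file.

    Drops the 'Bag Attributes' / 'subject=' / 'issuer=' lines that an
    'openssl pkcs12' export prepends, and refuses input that contains a
    private key. Raises ValueError when no certificate block is present.
    """
    if _PRIVATE_KEY.search(pem_text):
        raise ValueError("bundle contains a private key; a CA file must hold certificates only")
    blocks = _CERT_BLOCK.findall(pem_text)
    if not blocks:
        raise ValueError("no PEM certificate block found")
    return "\n".join(blocks) + "\n"


def homeassistant_client_kwargs(section: dict) -> dict:
    """Map [power homeassistant_switch] options to HTTPRequest keyword args.

    https keeps certificate validation on; ca_certs only makes sense with https,
    so a ca_certs value under plain http is treated as a configuration error.
    """
    protocol = section.get("protocol", "http").lower()
    ca_certs = section.get("ca_certs")
    if protocol not in ("http", "https"):
        raise ValueError(f"unsupported protocol {protocol!r}")
    if protocol == "http":
        if ca_certs:
            raise ValueError("ca_certs is set but protocol is http; set protocol: https")
        return {}
    kwargs = {"validate_cert": True}
    if ca_certs:
        kwargs["ca_certs"] = str(Path(ca_certs).expanduser())
    return kwargs


def check_ca_file(path: str) -> int:
    """Load a CA file into a client context that holds no system roots and
    return how many certificates OpenSSL accepted from it.

    Starting from an empty context makes the count meaningful;
    ssl.create_default_context() would already contain the OS roots.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cadata=clean_ca_bundle(Path(path).read_text()))
    return ctx.cert_store_stats()["x509"]


def default_verify_locations() -> dict:
    """Where Python's ssl (and so Tornado with ca_certs unset) looks for roots:
    OpenSSL's default cafile/capath, overridable through the two env vars."""
    paths = ssl.get_default_verify_paths()
    return {
        "cafile": paths.cafile,
        "capath": paths.capath,
        "env_cafile": paths.openssl_cafile_env,
        "env_capath": paths.openssl_capath_env,
    }


# Constructed sample of what an 'openssl pkcs12 -nokeys' export looks like; the
# body is placeholder base64, not a real certificate, so only clean_ca_bundle()
# is exercised with it (check_ca_file() needs a real root on disk).
BAG_EXPORT = """Bag Attributes
    localKeyID: 01 02 03
subject=CN = Home Lab Root CA
issuer=CN = Home Lab Root CA
-----BEGIN CERTIFICATE-----
MIIBfakefakefakefakefakefakefakefakefakefakefakefakefakefakefake
AAAAfakefakefakefakefakefakefakefakefakefakefakefakefakefakefa==
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    print("python/openssl default roots:", default_verify_locations())
    if len(sys.argv) > 1:
        print(f"{sys.argv[1]}: {check_ca_file(sys.argv[1])} certificate(s) loaded")
    else:
        print(clean_ca_bundle(BAG_EXPORT))
```

Run it with the path of the rootCA you intend to use; a count of 0 or a ValueError from clean_ca_bundle means the file is not a bare PEM certificate and the handshake in the log above is expected. The env_cafile entry (SSL_CERT_FILE) is also the no-root way to point OpenSSL, and therefore Tornado, at a private root for a single process, though adding the root to the OS store as the maintainer recommends is the cleaner choice.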