Athozs / hass-additional-ca

Add private Certificate Authority or self-signed certificate into Home Assistant to access 3rd-party service with TLS/SSL.
MIT License

AddOn "additional-ca" does not start #5

Closed sharbich closed 7 months ago

sharbich commented 8 months ago

Hello, the add-on does not add self-signed CA certificates. I have installed Home Assistant OS version 11.5 on a Mini PC. Here are my configurations:

...
cat /config/configuration.yaml
default_config:
additional_ca:
  Test: /config/additional_ca/HarbichCA.pem # a cert file
tts:
  - platform: google_translate
frontend:
  themes: !include_dir_merge_named themes
automation: !include automations.yaml
script: !include scripts.yaml
scene: !include scenes.yaml
http:
  ip_ban_enabled: true
  login_attempts_threshold: 3
  server_port: 8123
  use_x_forwarded_for: true
  trusted_proxies:
    - 127.0.0.1
    - 192.168.0.0/16
    - ::1
...

...
ls -la /config/additional_ca
total 16
drwxr-xr-x  2 root root 4096 Feb 17 00:27 .
drwxr-xr-x 13 root root 4096 Feb 17 12:57 ..
-rw-r--r--  1 root root 1342 Feb 17 00:19 HarbichCA.crt
-rw-r--r--  1 root root 1342 Feb 17 00:27 HarbichCA.pem
...

...
cat /config/additional_ca/HarbichCA.pem
-----BEGIN CERTIFICATE-----
MIIDsTCCApmgAwIBAgIUa5YTHxAZeFQbxtTHDusUqiQWj4owDQYJKoZIhvcNAQEL
BQAwYDESMBAGA1UEAwwJSGFyYmljaENBMQwwCgYDVQQLDANwa2kxEDAOBgNVBAoM
B0hhcmJpY2gxFjAUBgoJkiaJk/IsZAEZFgZoYXJuZXQxEjAQBgoJkiaJk/IsZAEZ
FgJkZTAeFw0yMzEwMzAxMzQ3MzdaFw0zMzEwMjcxMzQ3MzZaMGAxEjAQBgNVBAMM
CUhhcmJpY2hDQTEMMAoGA1UECwwDcGtpMRAwDgYDVQQKDAdIYXJiaWNoMRYwFAYK
CZImiZPyLGQBGRYGaGFybmV0MRIwEAYKCZImiZPyLGQBGRYCZGUwggEiMA0GCSqG
SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCUwckDbx98BnWFqT6BvlyUN05RtgvwywX1

6vXmm8DGq5fSjMmGuoy1dLbzliMywHS9qiQdd6Rh2YD4Z9GDJ5XmxMX38qhb+1dg
yl43PA12dTz61e0CZ7CmbcetTpEV4aukIEZTC/RUbWJDAY3JvVtB0Br9+mAb13+E
sEhEmOb4eBVdeo0gVTCezVdRJW7HJMgmXMsLIydKVaAx6SlrG2IjAgMBAAGjYzBh
MA8GA1UdEwEB/wQFMAMBAf8wHwYDVR0jBBgwFoAU/fkF8a4ZDfBGFx/4JHM0sFgG
ptowHQYDVR0OBBYEFP35BfGuGQ3wRhcf+CRzNLBYBqbaMA4GA1UdDwEB/wQEAwIB
hjANBgkqhkiG9w0BAQsFAAOCAQEAiJS/ElJp3wDSjW3efcfFzT6A+QzkwwB71DX1
syuoroAPcnpP9IeAiBFfeHUjvJJP9PABDuMe2ABsN21sDkraT5lCD6odfCmWeg8f
6Bs5FhqCTg/m3i3GiUSa8PbMhspT12oxgHgNGS2tNjX1R1p2UyRP9FtiejeUJR3c
+6B+1V6Dp7nQVvx+onETi6AOpoUiC6GonLiomxeE8mQMqF1RvDMPYwWunOklQ5LK
GBTsfn6hmCpQ9Pi65cWhxXWHGNzYsGyzGzn5jUHYie+Gq9GNVAosbK3y1TCrJaW8
rTfdXW/BLVha2B7KDJ2AlgDNh+RuMDY9curxW5cssrv22w3bpQ==
-----END CERTIFICATE-----
...

...
ls -la /config/custom_components/additional_ca
total 36
drwxr-xr-x 3 root root 4096 Feb 17 12:44 .
drwxr-xr-x 4 root root 4096 Feb 17 12:43 ..
-rw-r--r-- 1 root root 5520 Feb 17 12:43 __init__.py
drwxr-xr-x 2 root root 4096 Feb 17 12:44 __pycache__
-rw-r--r-- 1 root root  204 Feb 17 12:43 const.py
-rw-r--r-- 1 root root  337 Feb 17 12:43 manifest.json
-rw-r--r-- 1 root root  462 Feb 17 12:43 storage.py
-rw-r--r-- 1 root root 2076 Feb 17 12:43 utils.py
...

...
cat /config/home-assistant.log
2024-02-17 12:57:18.554 WARNING (SyncWorker_3) [homeassistant.loader] We found a custom integration hacs which has not been tested by Home Assistant. This component might cause stability problems, be sure to disable it if you experience issues with Home Assistant
2024-02-17 12:57:18.555 WARNING (SyncWorker_3) [homeassistant.loader] We found a custom integration additional_ca which has not been tested by Home Assistant. This component might cause stability problems, be sure to disable it if you experience issues with Home Assistant
...

Why isn't my HarbichCA.pem certificate added? Greetings from Stefan Harbich

Athozs commented 8 months ago

Hello @sharbich

If you look at the logs, I think they should tell you that the path to your certificate wasn't found.

Could you try something like the following config, specify the relative path to the certificate instead of absolute path, like this:

default_config:
additional_ca:
  Test: HarbichCA.pem
# ...
# here is the rest of your config

sharbich commented 8 months ago

Hello Athozs, I deleted the declared path and only specified the file. Unfortunately, without success. I need to turn on advanced logging.
Greetings from Stefan


sharbich commented 8 months ago

Hello Athozs, I have the following questions: How do I turn on debug logging? How is integrity started? Could it be a rights issue? Is it a bug in the Python script? Thank you in advance for your support.

Athozs commented 8 months ago

Hi sharbich,

How do I turn on debug logging?

Add the following in configuration.yaml:

logger:
  default: info

How is integrity started?

See the section "How does Additional CA work under the hood?" in the docs.

Could it be a rights issue?

I don't think so, in my HAOS test VM I have

➜  additional_ca ll
total 4K     
-rw-r--r--    1 root     root        1.1K Jan 29 12:02 ca.crt

Is it a bug in the Python script?

I don't know yet. If possible, could you copy-paste the logs mentioning additional_ca? What is your use case? Why do you have both a HarbichCA.pem and a HarbichCA.crt file? Why only add HarbichCA.pem to your CA store? Why not HarbichCA.crt? Your HarbichCA.pem has an empty line, which seems unusual.

Could you check your certificate validity with the following command line:

openssl x509 -in config/additional_ca/HarbichCA.pem -text -noout

sharbich commented 8 months ago

Add the following in configuration.yaml:

logger:
  default: info

I have set the logging to debug and don't get any display when starting the device. So I can't see if your add-on is working properly. Why not? Does the add-on not work?

I don't think so, in my HAOS test VM I have

➜  additional_ca ll
total 4K     
-rw-r--r--    1 root     root        1.1K Jan 29 12:02 ca.crt

That's how it looks to me too.

I don't know yet. If possible, could you copy-paste logs mentioning additional_ca? What is your use-case? Why do you have both a HarbichCA.pem and a HarbichCA.crt file? Why only adding HarbichCA.pem to your CA store? Why not HarbichCA.crt? Your HarbichCA.pem has an empty line, seems unusual.

I deleted two extra columns in the certificate (data protection). I only tried HarbichCA.crt. Without success. How does the add-on work when Home Assistant starts? Which process starts the Python scripts in the "/config/custom_components/additional_ca/" directory? How can I check this?

Greetings from Stefan Harbich

sharbich commented 8 months ago

Hello Athozs, I copied the file HarbichCA.crt to the folder "/usr/local/share/ca-certificates/" and ran the command "update-ca-certificates"; the self-signed certificate was added. This means that your script no longer works.

Athozs commented 8 months ago

Hello,

It's an integration, not just a script; it is run by Home Assistant itself.

Could you try the following

Then provide the logs here, I cannot help without logs. Please describe your use case with details.

sharbich commented 8 months ago

Hello Athozs, I have installed Home Assistant OS 11.5, Home Assistant Core 2024.2.2 on a Mini PC. The file "HarbichCA.crt" is located in the "/config/additional_ca" folder. Here is the logging information from the file "/config/home-assistant.log". I see in the log that "additional_ca" was started successfully and a file called "HarbichCA.crt" was found.

cat /config/home-assistant.log | grep additional
2024-02-18 23:41:48.248 WARNING (SyncWorker_2) [homeassistant.loader] We found a custom integration additional_ca which has not been tested by Home Assistant. This component might cause stability problems, be sure to disable it if you experience issues with Home Assistant
2024-02-18 23:41:50.690 INFO (MainThread) [homeassistant.bootstrap] Setting up stage 2: {'blueprint', 'onboarding', 'auth', 'tts', 'trace', 'logbook', 'stream', 'diagnostics', 'input_select', 'device_automation', 'additional_ca', 'analytics', 'shopping_list', 'person', 'zone', 'lovelace', 'ffmpeg', 'scene', 'repairs', 'mobile_app', 'default_config', 'hardware', 'system_health', 'script', 'media_source', 'counter', 'history', 'input_boolean', 'input_button', 'assist_pipeline', 'file_upload', 'input_text', 'map', 'radio_browser', 'conversation', 'stt', 'openweathermap', 'automation', 'sun', 'homeassistant_alerts', 'config', 'image_upload', 'input_datetime', 'search', 'wake_word', 'timer', 'tag', 'input_number', 'google_translate', 'persistent_notification', 'hacs', 'my', 'schedule', 'energy', 'application_credentials', 'met'}
2024-02-18 23:41:51.158 INFO (MainThread) [homeassistant.setup] Setting up additional_ca
2024-02-18 23:41:51.580 INFO (MainThread) [custom_components.additional_ca] Ready.
2024-02-18 23:41:51.638 INFO (MainThread) [custom_components.additional_ca] Test (HarbichCA.crt) -> loaded.
2024-02-18 23:41:51.638 INFO (MainThread) [custom_components.additional_ca] Installation type = Home Assistant OS
2024-02-18 23:41:51.639 INFO (MainThread) [homeassistant.setup] Setup of domain additional_ca took 0.5 seconds
2024-02-18 23:56:52.130 INFO (MainThread) [homeassistant.components.analytics] Submitted analytics to Home Assistant servers. Information submitted includes {'uuid': 'dc2f8891f23a4071a22e88839d3fd529', 'version': '2024.2.2', 'installation_type': 'Home Assistant OS', 'supervisor': {'healthy': True, 'supported': True, 'arch': 'amd64'}, 'operating_system': {'board': 'generic-x86-64', 'version': '11.5'}, 'certificate': False, 'integrations': ['shopping_list', 'person', 'http', 'default_config', 'script', 'radio_browser', 'openweathermap', 'google_translate', 'met', 'logger', 'tts', 'scene', 'bluetooth', 'automation', 'sun', 'frontend', 'hassio'], 'custom_integrations': [{'domain': 'additional_ca', 'version': <AwesomeVersion SemVer '0.0.0'>}, {'domain': 'hacs', 'version': <AwesomeVersion SemVer '1.34.0'>}], 'addons': [{'slug': 'a0d7b954_ssh', 'protected': True, 'version': '17.1.0', 'auto_update': True}, {'slug': 'core_configurator', 'protected': True, 'version': '5.8.0', 'auto_update': True}], 'energy': {'configured': False}, 'recorder': {'engine': 'sqlite', 'version': <AwesomeVersion SimpleVer '3.44.2'>}, 'state_count': 46, 'automation_count': 0, 'integration_count': 17, 'addon_count': 2, 'user_count': 3}

This file was not copied to the /usr/local/share/ca-certificates directory. It is also not present in the "/etc/ssl/certs" directory.

If I do everything manually, I see the file in the "/etc/ssl/certs" directory like this:

cat /etc/ssl/certs/ca-cert-HarbichCA.pem
-----BEGIN CERTIFICATE-----
MIIDsTCCApmgAwIBAgIUa5YTHxAZeFQbxtTHDusUqiQWj4owDQYJKoZIhvcNAQEL
BQAwYDESMBAGA1UEAwwJSGFyYmljaENBMQwwCgYDVQQLDANwa2kxEDAOBgNVBAoM
B0hhcmJpY2gxFjAUBgoJkiaJk/IsZAEZFgZoYXJuZXQxEjAQBgoJkiaJk/IsZAEZ
FgJkZTAeFw0yMzEwMzAxMzQ3MzdaFw0zMzEwMjcxMzQ3MzZaMGAxEjAQBgNVBAMM
CUhhcmJpY2hDQTEMMAoGA1UECwwDcGtpMRAwDgYDVQQKDAdIYXJiaWNoMRYwFAYK
CZImiZPyLGQBGRYGaGFybmV0MRIwEAYKCZImiZPyLGQBGRYCZGUwggEiMA0GCSqG
SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCUwckDbx98BnWFqT6BvlyUN05RtgvwywX1
tns5H/xAu8cQwCjEvLWcrJq8H/i+7vC1ZwAuoudJRJdEkr1DeCzcWzEQgvthiqGE
x3DRj7mE1hGqvEbFEH5XbMIfO+leV6SQDeOtOvGiMY2qfp74wDo2423681MR/ZPX
6vXmm8DGq5fSjMmGuoy1dLbzliMywHS9qiQdd6Rh2YD4Z9GDJ5XmxMX38qhb+1dg
yl43PA12dTz61e0CZ7CmbcetTpEV4aukIEZTC/RUbWJDAY3JvVtB0Br9+mAb13+E
sEhEmOb4eBVdeo0gVTCezVdRJW7HJMgmXMsLIydKVaAx6SlrG2IjAgMBAAGjYzBh
MA8GA1UdEwEB/wQFMAMBAf8wHwYDVR0jBBgwFoAU/fkF8a4ZDfBGFx/4JHM0sFgG
ptowHQYDVR0OBBYEFP35BfGuGQ3wRhcf+CRzNLBYBqbaMA4GA1UdDwEB/wQEAwIB
hjANBgkqhkiG9w0BAQsFAAOCAQEAiJS/ElJp3wDSjW3efcfFzT6A+QzkwwB71DX1
syuoroAPcnpP9IeAiBFfeHUjvJJP9PABDuMe2ABsN21sDkraT5lCD6odfCmWeg8f
6Bs5FhqCTg/m3i3GiUSa8PbMhspT12oxgHgNGS2tNjX1R1p2UyRP9FtiejeUJR3c
+6B+1V6Dp7nQVvx+onETi6AOpoUiC6GonLiomxeE8mQMqF1RvDMPYwWunOklQ5LK
GBTsfn6hmCpQ9Pi65cWhxXWHGNzYsGyzGzn5jUHYie+Gq9GNVAosbK3y1TCrJaW8
rTfdXW/BLVha2B7KDJ2AlgDNh+RuMDY9curxW5cssrv22w3bpQ==
-----END CERTIFICATE-----

Can you tell me how Home Assistant starts the add-on internally?

Athozs commented 8 months ago

Can you tell me how Homeassistant starts the add-on internally?

Home Assistant looks for integrations in the config/custom_components directory and loads them automatically, according to the domain key additional_ca in configuration.yaml for this integration.

In the case of HAOS, using update-ca-certificates is not enough because you cannot permanently set the environment variable REQUESTS_CA_BUNDLE.

In the case of HAOS, this is why the Additional CA integration also adds your certificate into the Certifi CA bundle, located at /usr/local/lib/python3.12/site-packages/certifi/cacert.pem.

You may need to reset the Certifi CA bundle.

I updated the docs, could you follow the troubleshooting guide for HAOS at https://github.com/Athozs/hass-additional-ca?tab=readme-ov-file#82-haos---home-assistant-operating-system in order to reset the homeassistant container inside HAOS.
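A check that follows from the explanation above: on HAOS the host's system store (what update-ca-certificates populates) and the bundle the Home Assistant Python process reads through certifi are different files, so what has to be verified is whether the CA's bytes are in that bundle, inside the homeassistant container. The script below is an added example for this thread, not code from hass-additional-ca. It parses a PEM bundle, rejects any block whose base64 is invalid or whose decoded size disagrees with its DER length header (which is what a .pem with lines removed from the middle, like the first paste in this issue, looks like), and reports whether a CA's SHA-256 fingerprint is present. The sample certificates are constructed DER-shaped blobs, not real certificates, so it runs offline; the file paths in the docstring are the ones mentioned in this thread.

```python
"""Is my private CA really in the PEM bundle Python will trust?

Added example for this issue thread, not code from hass-additional-ca.
Inside the HAOS `homeassistant` container (docker exec -ti homeassistant bash)
run it against certifi's bundle, which is the file Home Assistant's Python
actually reads, for example:

    python3 check_ca.py /config/additional_ca/HarbichCA.crt \
        "$(python3 -c 'import certifi; print(certifi.where())')"

With no arguments it runs on the constructed sample data at the bottom.
"""
import base64
import hashlib
import re
import sys

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def der_declared_length(der: bytes) -> int:
    """Length (header + content) the outer DER SEQUENCE claims, or -1.

    An X.509 certificate is a SEQUENCE (tag 0x30) with a definite length,
    so the decoded bytes of a healthy PEM block are exactly this long.
    """
    if len(der) < 2 or der[0] != 0x30:
        return -1
    first = der[1]
    if first < 0x80:                 # short form: this byte is the length
        return 2 + first
    n = first & 0x7F                 # long form: the next n bytes hold it
    if n == 0 or len(der) < 2 + n:
        return -1
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def parse_pem_bundle(text: str) -> list[tuple[str, bytes]]:
    """Return (sha256_hex, der) for every CERTIFICATE block in `text`.

    Raises ValueError when a block has invalid base64 or decodes to a
    different size than its DER header declares: that is what a truncated
    or hand-edited .pem (lines deleted from the middle) looks like.
    """
    certs = []
    for i, m in enumerate(PEM_BLOCK.finditer(text), 1):
        b64 = "".join(m.group(1).split())
        try:
            der = base64.b64decode(b64, validate=True)
        except ValueError as exc:    # binascii.Error is a ValueError
            raise ValueError(f"block {i}: invalid base64: {exc}") from exc
        declared = der_declared_length(der)
        if declared != len(der):
            raise ValueError(
                f"block {i}: DER header declares {declared} bytes, got {len(der)}"
            )
        certs.append((hashlib.sha256(der).hexdigest().upper(), der))
    if not certs:
        raise ValueError("no CERTIFICATE block found")
    return certs


def is_well_formed(pem: str) -> bool:
    """True if every block in `pem` passes parse_pem_bundle's checks."""
    try:
        parse_pem_bundle(pem)
    except ValueError:
        return False
    return True


def ca_in_bundle(ca_pem: str, bundle_pem: str) -> bool:
    """True if the single certificate in ca_pem appears verbatim in bundle_pem."""
    ca = parse_pem_bundle(ca_pem)
    if len(ca) != 1:
        raise ValueError(f"CA file must hold one certificate, found {len(ca)}")
    return ca[0][0] in {fp for fp, _ in parse_pem_bundle(bundle_pem)}


def _pem(der: bytes) -> str:
    """Wrap DER bytes in PEM armour with 64-column base64 lines."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Constructed sample data: DER-shaped blobs with correct length headers,
# NOT real certificates (260-byte long-form and 7-byte short-form SEQUENCEs).
PRIVATE_CA_DER = b"\x30\x82\x01\x00" + bytes(range(256))
OTHER_CA_DER = b"\x30\x05\x02\x03\x01\x02\x03"
PRIVATE_CA_PEM = _pem(PRIVATE_CA_DER)
BUNDLE_WITHOUT_CA = _pem(OTHER_CA_DER)
BUNDLE_WITH_CA = BUNDLE_WITHOUT_CA + PRIVATE_CA_PEM
TRUNCATED_CA_PEM = _pem(PRIVATE_CA_DER[:-3])   # 3 bytes lost, header still says 260

if __name__ == "__main__":
    if len(sys.argv) == 3:
        ca_text, bundle_text = (open(p, encoding="utf-8").read() for p in sys.argv[1:])
    else:
        ca_text, bundle_text = PRIVATE_CA_PEM, BUNDLE_WITH_CA
    present = ca_in_bundle(ca_text, bundle_text)
    print("CA present in bundle:", present)
    sys.exit(0 if present else 1)
```

Exit status 1 means the CA is missing from the bundle Python will actually use, whatever /etc/ssl/certs on the host shows. A matching fingerprint only proves the bytes were appended; a TLS connection from inside the container to the service you are trying to reach is still the end-to-end test, and the bundle has to be checked again after the homeassistant container is reset or updated, since that replaces the certifi file.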

sharbich commented 8 months ago

In the case of HAOS, this is why the Additional CA integration also adds your certificate into the Certifi CA bundle, located at /usr/local/lib/python3.12/site-packages/certifi/cacert.pem.

The directory mentioned above does not exist for me. All of your suggestions don't work either. The add-on doesn't work. I'm thinking about a supervisor installation. It just bothers me with Homeassistant that everything is so limited. Reminds me a little of Microsoft. Not open source. I'm thinking about an alternative.

Athozs commented 8 months ago

HAOS is a linux OS with Home Assistant running in a container inside. You must look into the container to check your certificates.

From the SSH prompt, run docker exec -ti homeassistant bash to go inside the container. You need protection mode disabled in the SSH Add-on config.

You may try Home Assistant Docker installation instead.

Athozs commented 8 months ago

@sharbich what service/device are you trying to reach from Home Assistant with SSL ?

sharbich commented 8 months ago

HAOS is a linux OS with Home Assistant running in a container inside. You must look into the container to check your certificates.

From SSH prompt, run docker exec -ti homeassistant bash to go inside container. You need protection mode disabled in SSH Add-on config.

You may try Home Assistant Docker installation instead.

Hello Athozs, how right you are. I wasn't in the Home Assistant container the whole time, only on the Home Assistant OS Mini operating system. Everything now works in the Home Assistant container. I forgot that everything runs in containers, also the add-ons. Greetings from Stefan Harbich

sharbich commented 8 months ago

@sharbich what service/device are you trying to reach from Home Assistant with SSL ?

Hello Athozs, because I log in to Home Assistant via my LDAP server. This is only possible in encrypted form. Greetings from Stefan Harbich

Athozs commented 8 months ago

Glad to know it's working now :)

Hello Athozs, because I log in to Home Assistant via my LDAP server. This is only possible in encrypted form. Greetings from Stefan Harbich

Very good reason 👍