Athozs / hass-additional-ca

Add private Certificate Authority or self-signed certificate into Home Assistant to access 3rd-party service with TLS/SSL.
MIT License

Custom CA does not appear to work for frigate integration #6

Closed Lucavon closed 5 months ago

Lucavon commented 5 months ago

Describe the issue

Hi, thanks for making this addon. I have a small problem with it: While it works for me on HassOS itself, the Frigate integration appears to be unable to use the CA. I have already tried restarting everything.

Describe your setup (please complete the following information):

YAML configuration extract

An extract of your YAML configuration:

default_config:

additional_ca:
  luca: luca.crt

Logs

Error fetching information from https://10.0.3.1/api/stats: Cannot connect to host 10.0.3.1:443 ssl:default [Connect call failed ('10.0.3.1', 443)]
Error fetching information from https://10.0.3.1/api/stats: Cannot connect to host 10.0.3.1:443 ssl:True [SSLCertVerificationError: (1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1000)')]

Additional context


I believe this might also be the case with the opnsense integration: urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='10.0.0.1', port=1443): Max retries exceeded with url: /api/diagnostics/interface/getArp (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate in certificate chain (_ssl.c:1000)'))

Athozs commented 5 months ago

Hello, thanks for using Additional CA integration,

It seems that you are using IP addresses instead of hostnames to reach your services (Frigate and OPNsense); the common practice is to use hostnames. How did you create your certificates?

Could you check the content of your certificate created for your Frigate service with the following command in a Shell:

openssl x509 -in frigate.crt -text -noout

And check the fields Subject: CN= and X509v3 Subject Alternative Name if any, they should contain the hostname of your Frigate instance (or IP address if using IP address).

Lucavon commented 5 months ago

Thanks for the response! Yes, I am indeed using IPs for this instead of hostnames due to DNS server issues I had. I generated the certificates using OPNsense's web GUI. I gave the IP as the common name and as an alternative name of type IP when creating it.

Here's the output of the command, with a few parts redacted:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 3 (0x3)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = DE, ST = [REDACTED], L = [REDACTED], O = Lucavon, emailAddress = [REDACTED], CN = [REDACTED]
        Validity
            Not Before: Mar 29 11:22:20 2024 GMT
            Not After : Feb 10 11:22:20 2035 GMT
        Subject: C = DE, ST = [REDACTED], L = [REDACTED], O = Lucavon, emailAddress = [REDACTED], CN = 10.0.3.1
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus: [REDACTED]
                Exponent: [REDACTED]
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                SSL Server
            Netscape Comment:
                OPNsense Generated Server Certificate
            X509v3 Subject Key Identifier:
                [REDACTED]
            X509v3 Authority Key Identifier:
                keyid:[REDACTED]
                DirName:/C=DE/ST=[REDACTED]/L=[REDACTED]/O=Lucavon/emailAddress=[REDACTED]/CN=[REDACTED]
                serial:00
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, 1.3.6.1.5.5.8.2.2
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
            X509v3 Subject Alternative Name:
                IP Address:10.0.3.1
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value: [REDACTED]

As you can see, the names are as they should be. I know that this certificate works because my own browser accepts it (after installing the CA locally). I think the issue is that for some reason, the certificate isn't available system-wide. When I SSH into my Home Assistant and run curl -v https://10.0.3.1:443, I get a certificate error. If I then do docker exec <id of homeassistant container> curl -v https://10.0.3.1:443, the certificate is accepted.

So it seems that for some reason, the additional CA is deployed in the homeassistant Docker container, but will not work anywhere else, including, it seems, the Frigate integration, since that runs on the host HassOS without a container (? not sure)
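The check Athozs suggests above (inspect Subject CN and the Subject Alternative Name for the address the integration dials) can be scripted against the same openssl x509 -text -noout output that was posted. The following is an added example, not code from the hass-additional-ca project or from either participant: it parses the text dump, applies the name-matching rule OpenSSL uses (and therefore Python's ssl module and curl, which is what an integration's HTTP client ends up calling), and flags a leaf certificate that is marked CA:TRUE or lacks the server-authentication EKU. The two certificate texts embedded for offline use are constructed for the example, modelled on the output above, and are not real certificates.

```python
"""Does this server certificate carry the name an HTTPS client will dial?

Works on the text printed by `openssl x509 -in server.crt -text -noout`.
Standard library only. Added example; not part of hass-additional-ca.
"""
import ipaddress
import re

# Constructed sample, modelled on the thread: an OPNsense-issued leaf for 10.0.3.1
# with the IP repeated as an IP-type SAN. Not a real certificate.
SAMPLE_IP_CERT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Issuer: C = DE, O = Lucavon, CN = Lucavon Private CA
        Subject: C = DE, O = Lucavon, CN = 10.0.3.1
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, 1.3.6.1.5.5.8.2.2
            X509v3 Subject Alternative Name:
                IP Address:10.0.3.1
"""

# Constructed sample: only DNS SANs, one of them a wildcard; the CN is irrelevant here.
SAMPLE_DNS_CERT = """\
Certificate:
    Data:
        Subject: CN = ignored.example
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Subject Alternative Name:
                DNS:*.lan, DNS:frigate
"""


def parse_cert_text(text):
    """Pull subject CN, SAN entries, the CA flag and the EKU list out of openssl's dump."""
    info = {"cn": None, "dns": [], "ip": [], "ca": False, "eku": []}
    lines = text.splitlines()
    for i, line in enumerate(lines):
        s = line.strip()
        nxt = lines[i + 1].strip() if i + 1 < len(lines) else ""
        if s.startswith("Subject:"):  # "Subject Public Key Info:" and "Issuer:" do not match
            m = re.search(r"\bCN\s*=\s*([^,]+)", s)
            info["cn"] = m.group(1).strip() if m else None
        elif s.startswith("X509v3 Subject Alternative Name"):
            for entry in nxt.split(","):
                kind, _, value = entry.strip().partition(":")
                if kind == "DNS":
                    info["dns"].append(value.strip())
                elif kind == "IP Address":
                    info["ip"].append(value.strip())
        elif s.startswith("X509v3 Basic Constraints"):
            info["ca"] = "CA:TRUE" in nxt
        elif s.startswith("X509v3 Extended Key Usage"):
            info["eku"] = [e.strip() for e in nxt.split(",")]
    return info


def _as_ip(s):
    try:
        return ipaddress.ip_address(s)
    except ValueError:
        return None


def _dns_match(pattern, host):
    """RFC 6125 style: case-insensitive, a single wildcard only in the left-most label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        labels = host.split(".")
        return len(labels) > 1 and ".".join(labels[1:]) == pattern[2:]
    return pattern == host


def name_matches(target, info):
    """OpenSSL's X509_check_host/X509_check_ip rule: an IP target must appear as an
    IP SAN (the CN is never consulted for IPs); a DNS target must match a DNS SAN,
    and the CN is only a fallback when the cert has no DNS SAN at all (browsers
    ignore the CN entirely)."""
    ip = _as_ip(target)
    if ip is not None:
        return any(_as_ip(c) == ip for c in info["ip"])
    candidates = info["dns"] if info["dns"] else [info["cn"] or ""]
    return any(_dns_match(c, target) for c in candidates)


def check_server_cert(target, text):
    """Reasons a client would reject this cert for `target`; empty list means the
    names and extensions are fine (chain trust is a separate question)."""
    info = parse_cert_text(text)
    problems = []
    if not name_matches(target, info):
        problems.append(f"no name matches {target!r}: CN={info['cn']!r} DNS={info['dns']} IP={info['ip']}")
    if info["ca"]:
        problems.append("leaf certificate carries CA:TRUE")
    if info["eku"] and "TLS Web Server Authentication" not in info["eku"]:
        problems.append("Extended Key Usage lacks TLS Web Server Authentication")
    return problems


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "10.0.3.1"
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_IP_CERT
    problems = check_server_cert(target, text)
    print("OK for", target) if not problems else print("\n".join(problems))
```

Feed it the real dump with openssl x509 -in frigate.crt -text -noout | python3 this_script.py 10.0.3.1 (script name assumed). A failure here would show up in a client as a hostname-mismatch error; the two errors in this thread, "unable to get local issuer certificate" and "self-signed certificate in certificate chain", instead mean the client did not find the issuing CA in the trust store it actually loaded, so for those the thing to verify is chain trust (openssl verify -CAfile luca.crt frigate.crt) and which store the client reads.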

milizhang commented 5 months ago

I am having the same issue. Things were working before, but just stopped working recently.

Athozs commented 5 months ago

@Lucavon

HAOS is actually a Linux OS running a homeassistant Docker container inside. Integrations have no control outside the container.

More details here: https://github.com/Athozs/hass-additional-ca?tab=readme-ov-file#42-haos---home-assistant-operating-system

See help for Troubleshooting: https://github.com/Athozs/hass-additional-ca?tab=readme-ov-file#82-haos---home-assistant-operating-system

Athozs commented 5 months ago

@milizhang

What operation did you do recently? Did you upgrade your Home Assistant? If so, don't forget to reboot 🙂

Lucavon commented 5 months ago

I see, thanks! So if I understand it correctly, Additional CA is not able to apply the CA to integrations running inside other containers (as part of HassOS)?

Athozs commented 5 months ago

@Lucavon

What Home Assistant integrations are running in other containers? In which containers?

Lucavon commented 5 months ago

Sorry, turns out I was wrong, it doesn't seem like Frigate is in a container. I will try to find another solution. Thanks for your time though!

milizhang commented 5 months ago

> @milizhang
>
> What operation did you do recently? Did you upgrade your Home Assistant? If so, don't forget to reboot 🙂

Yes that was my mistake - I forgot to reboot. (But doesn't the upgrade process trigger a reload/container restart?)

Athozs commented 5 months ago

@milizhang

> Yes that was my mistake - I forgot to reboot. (But doesn't the upgrade process trigger a reload/container restart?)

I think the upgrade process actually triggers a container restart, but Additional CA needs a reboot of HAOS to load the Certificate Authority again at start-up.

Athozs commented 5 months ago

@Lucavon

> Sorry, turns out I was wrong, it doesn't seem like Frigate is in a container. I will try to find another solution. Thanks for your time though!

How did you install the Frigate server? With Docker on a separate host or with a Home Assistant Add-on?

Lucavon commented 5 months ago

@Athozs I installed the Frigate integration via HACS, as described here: https://docs.frigate.video/integrations/home-assistant

The Frigate server is a docker container (managed via docker compose) on another machine.

HAOS itself runs as a VM on my TrueNAS host, as 10.0.2.2. The Frigate server is a separate machine, running under 10.0.3.1, using the self-signed certificate from the CA, with nginx as an SSL terminator, reverse-proxying the Frigate server. The SSL error is thrown by the HAOS Frigate Integration.

I suspect that the integration installed via HACS runs on the HAOS host directly.

Athozs commented 5 months ago

Home Assistant integrations are Python code loaded by Home Assistant core; in the case of HAOS, HA core runs inside the homeassistant container. If I'm correct, Home Assistant Add-ons are Docker containers running alongside the homeassistant container in HAOS, which may be confusing.

Do you have any error logs from Home Assistant Settings > System > Logs regarding your Frigate integration?
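Athozs's two points above, that integrations are Python code running inside the homeassistant container and that a HAOS reboot is what makes Additional CA load the CA again at start-up, can be verified from inside that container rather than inferred from curl on the host. The following is an added example, not code from the hass-additional-ca project or from any participant: it reports which CA bundle this Python's OpenSSL reads, compares a private CA against a bundle by SHA-256 fingerprint (the value openssl x509 -fingerprint -sha256 prints, so a renamed or re-issued CA file is not mistaken for the one in the store), and asks a live default SSL context whether a CA with a given subject CN has been loaded. The PEM blocks embedded for offline use are constructed placeholders and not real certificates; the CA file path, container name and the subject CN in the usage note are assumptions.

```python
"""Is the private CA in the trust store that Home Assistant core's Python
(and so every integration) actually uses? Standard library only.
Added example; not part of hass-additional-ca."""
import base64
import hashlib
import re
import ssl

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def _fake_pem(payload):
    """Constructed stand-in: arbitrary bytes in PEM armour so the bundle logic can run
    offline. Not a parseable X.509 certificate."""
    body = base64.b64encode(payload).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Constructed inputs for the offline demonstration.
LUCA_CA = _fake_pem(b"Lucavon private CA (constructed)")
SYSTEM_BUNDLE = _fake_pem(b"public root A (constructed)") + _fake_pem(b"public root B (constructed)")


def pem_fingerprints(pem_text):
    """SHA-256 over the DER bytes of every certificate in a PEM bundle."""
    return [hashlib.sha256(base64.b64decode("".join(m.split()))).hexdigest()
            for m in PEM_RE.findall(pem_text)]


def ca_in_bundle(ca_pem, bundle_pem):
    """True only when every certificate in ca_pem is present in bundle_pem."""
    wanted, have = pem_fingerprints(ca_pem), set(pem_fingerprints(bundle_pem))
    return bool(wanted) and all(fp in have for fp in wanted)


def default_bundle_path():
    """The CA file this Python's OpenSSL consults for ssl.create_default_context().
    Inside the homeassistant container this is a different file from the HAOS host's,
    which is why curl on the host and curl via docker exec disagree."""
    return ssl.get_default_verify_paths().cafile


def ca_subject_loaded(common_name, ctx=None):
    """Ask a live default context whether a CA with this subject CN has been loaded.
    A file updated on disk after the process started does not show up here."""
    ctx = ctx or ssl.create_default_context()
    for cert in ctx.get_ca_certs():
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName" and value == common_name:
                    return True
    return False


if __name__ == "__main__":
    import sys
    bundle = default_bundle_path()
    print("default CA bundle:", bundle)
    if len(sys.argv) > 1 and bundle:
        with open(sys.argv[1]) as ca_file, open(bundle) as bundle_file:
            print("CA present in bundle:", ca_in_bundle(ca_file.read(), bundle_file.read()))
    if len(sys.argv) > 2:
        print("CA loaded in a fresh default context:", ca_subject_loaded(sys.argv[2]))
```

Run it both ways to reproduce the host-versus-container split described above: python3 ca_in_store.py /config/luca.crt "Lucavon CA" on the HAOS host and docker exec homeassistant python3 /config/ca_in_store.py /config/luca.crt "Lucavon CA" inside the container (script name, path, container name and CN are all assumed). Because ca_subject_loaded builds a fresh context, a True from it while an integration still fails points at the running process having loaded the store before the CA was added, which is the restart-versus-reboot situation described in the thread.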

Lucavon commented 5 months ago

@Athozs I just checked the logs, but only saw the SSL error again. However, I decided to check the webserver configuration again and realized something. I only used the correct certificate for "/" (I had location = /); all the other paths used another old (invalid, for testing) self-signed certificate. So https://10.0.3.1/ worked, while https://10.0.3.1/api/... did not because they used different certificates. After fixing the webserver config, it started working again.

So, sorry about all this confusion. In the end, the additional-ca addon was working as intended, and it was just me who made a mistake. Sorry for wasting your time, and once again thank you for creating this addon!

Athozs commented 5 months ago

I'm glad it's working again :)