SynoCommunity / spksrc

Cross compilation framework to create native packages for the Synology's NAS
https://synocommunity.com

Home Assistant: SSL errors when using 'ssl_peer_certificate' HTTP option (intermediate certificate (CA)) #4319

Closed donatas-xyz closed 3 years ago

donatas-xyz commented 3 years ago

Setup

Package Name: Home Assistant Package Version: 0.118.5-10

NAS Model: DS220j NAS Architecture: rtd1296 DSM version: DSM 6.2.3-25426 Update 2

Expected behavior

  1. Home Assistant web UI should be accessible via HTTPS just like it is if no intermediate certificate is being used.
  2. SSL validators should not find any issues with the SSL installation.
  3. 'Alexa Smart Home' trigger in AWS should run connectivity tests via HTTPS successfully just as it does via HTTP.

Actual behavior

  1. Home Assistant web UI shows 'Unable to connect to Home Assistant. RETRY' message.
  2. SSL validators find no issues with the SSL installation.
  3. 'Alexa Smart Home' trigger in AWS returns '_EOF occurred in violation of protocol (ssl.c:1091)' error.

Steps to reproduce

  1. Get valid SSL certificate files for a custom domain: private key, certificate and intermediate certificate (CA bundle).
  2. Optionally test all 3 files elsewhere (e.g. Control Panel > Security > Certificate > Add).
  3. Save them somewhere on your Synology, e.g. /etc/ssl/private.
  4. Add the following lines to configuration.yaml:

http:
  server_port: 8123
  ssl_certificate: /path/to/cert.pem
  ssl_key: /path/to/private.pem

  5. Restart HA and open the web UI via HTTPS - everything should work without any issues internally and externally.
  6. Validate the SSL installation online - it should say 'The certificate is not trusted in all web browsers. You may need to install an Intermediate/chain certificate to link it to a trusted root certificate'.
  7. 'Alexa Smart Home' trigger in AWS should return '[SSL: CERTIFICATE VERIFY FAILED] certificate verify failed: unable to get local issuer certificate (ssl.c:1091)' error.
  8. Add the following line under the lines in the config above: ssl_peer_certificate: /path/to/cacert.pem
  9. Restart HA and open the web UI via HTTPS - 'Unable to connect to Home Assistant. RETRY' message is shown.
  10. 'Alexa Smart Home' trigger in AWS returns '_EOF occurred in violation of protocol (ssl.c:1091)' error.
  11. Validate the SSL installation online - it will say that this time everything is great: 'The certificate should be trusted by all major web browsers (all the correct intermediate certificates are installed)'.

Package log

No errors in HA logs.

Other logs

N/A

donatas-xyz commented 3 years ago

Was able to run AWS test successfully after using "Key = NOT_VERIFY_SSL, Value = True" variable, but that's not ideal.

donatas-xyz commented 3 years ago

I've been able to resolve this issue by using a so-called 'full chain' PEM file, which combines both certificates (cert.pem and cacert.pem) into one, like so: ssl_certificate: /path/to/full_chain.pem

My HA web UI is now working fine, SSL validators are not complaining about missing intermediate certificates anymore and AWS tests are running without disabling SSL verification.

Also Alexa is now able to link my skill with HA.

All these issues just for missing intermediate certificate...

I'm closing this ticket, but it's still unclear when I would use the ssl_peer_certificate option.
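The fix the reporter landed on is to serve a full chain: the leaf certificate first, followed by the intermediate(s) from the CA bundle, in one PEM file pointed to by ssl_certificate. The script below, an added example that is not part of this issue or of the spksrc project, builds such a full_chain.pem from the two files and checks the things that commonly go wrong when people concatenate by hand (leaf missing or listed twice, intermediate not first after the leaf, a malformed PEM block). It uses only the Python standard library; the certificate contents in it are constructed placeholders, not real certificates, and the file names are assumptions.

```python
import re
import ssl
from pathlib import Path

# One PEM certificate block, including its BEGIN/END markers.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n.*?\r?\n-----END CERTIFICATE-----",
    re.S,
)


def split_pem_certs(text: str) -> list:
    """Return every certificate block found in a PEM text, in file order."""
    return PEM_BLOCK.findall(text)


def build_full_chain(leaf_pem: str, ca_bundle_pem: str) -> str:
    """Combine a leaf certificate and its CA bundle into full-chain PEM text.

    Order matters for TLS: the server certificate must come first, then the
    intermediate(s). A root, if present in the bundle, is harmless but not
    needed by clients that already trust it.
    """
    leaves = split_pem_certs(leaf_pem)
    if len(leaves) != 1:
        raise ValueError(f"expected exactly one leaf certificate, found {len(leaves)}")
    intermediates = split_pem_certs(ca_bundle_pem)
    if not intermediates:
        raise ValueError("CA bundle contains no certificate blocks")

    # Leaf first; drop a stray copy of the leaf if the bundle already contains it.
    chain = [leaves[0]] + [c for c in intermediates if c != leaves[0]]

    # PEM_cert_to_DER_cert base64-decodes each block and raises ValueError
    # on a block that is not a well-formed PEM certificate.
    for block in chain:
        ssl.PEM_cert_to_DER_cert(block)

    return "\n".join(chain) + "\n"


def chain_order_ok(full_chain_pem: str, leaf_pem: str) -> bool:
    """True if the full chain starts with the leaf and carries at least one more cert."""
    certs = split_pem_certs(full_chain_pem)
    leaf = split_pem_certs(leaf_pem)
    return len(certs) >= 2 and len(leaf) == 1 and certs[0] == leaf[0]


def write_full_chain(leaf_path: str, ca_bundle_path: str, out_path: str) -> int:
    """Write full_chain.pem next to the inputs; returns the number of certs written."""
    leaf_pem = Path(leaf_path).read_text()
    ca_pem = Path(ca_bundle_path).read_text()
    full = build_full_chain(leaf_pem, ca_pem)
    Path(out_path).write_text(full)
    return len(split_pem_certs(full))


# Constructed sample input: the base64 bodies are placeholders, not real DER.
LEAF_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "bGVhZg==\n"
    "-----END CERTIFICATE-----\n"
)
CA_BUNDLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "aW50ZXI=\n"
    "-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\n"
    "cm9vdA==\n"
    "-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    full_chain = build_full_chain(LEAF_PEM, CA_BUNDLE_PEM)
    print(full_chain)
    print("order ok:", chain_order_ok(full_chain, LEAF_PEM))
```

With real files this is `write_full_chain("/path/to/cert.pem", "/path/to/cacert.pem", "/path/to/full_chain.pem")`, after which ssl_certificate can point at the output while ssl_key keeps pointing at the private key, exactly as in the reporter's final configuration.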