Closed soxfan1966 closed 4 years ago
Maybe it's an SSL certificate issue. You might try fixing by issuing this command:
sudo update-ca-certificates
I managed to view the jkutils pull request and it does use net.webservice getdata command as well but works, so I believe there is something else at play here. @genemars I'll try the command as I have the same issue.
The SSL certificate on the remote end expired:
pi@raspberrypi:~ $ openssl s_client -connect api.openweathermap.org:443 -showcerts
CONNECTED(00000003)
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify error:num=10:certificate has expired
notAfter=May 30 10:48:38 2020 GMT
verify return:0
---
SSL handshake has read 5373 bytes and written 415 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 8D5215A458CF027C3523CD877ED82D5D1A6611F5E70CDCAAFF1743EA7ACD0B34
Session-ID-ctx:
Master-Key: A51049F7CE3A318116C9E7ED4D7ADCA678BE12716F085D6D62ABC83303789DD062AFFE80C6F86C91A0392CFDFC8145A6
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - 20 ea 54 a5 b9 50 47 7c-73 54 bc 01 f4 ca 61 9a .T..PG|sT....a.
0010 - cc 1b 99 f1 cb 3c 55 19-11 79 ea e3 2b 49 cd 57 .....<U..y..+I.W
0020 - c6 c8 e5 5e bd 31 34 24-78 e2 01 1a 55 19 fc 39 ...^.14$x...U..9
0030 - 7b 3b 43 79 fa ed 0f 7c-f3 19 2a ad a5 09 3b bb {;Cy...|..*...;.
0040 - 1a b1 08 f5 8a 72 33 74-87 b0 c1 e0 d3 fd 6c 9f .....r3t......l.
0050 - 2d 7e 9f e0 92 c4 f9 9e-d0 60 09 0d 33 64 a6 ca -~.......`..3d..
0060 - 41 32 23 3b 93 a5 94 49-86 f4 e9 ab 9c 4a c1 bc A2#;...I.....J..
0070 - 4a 86 a7 22 bc 1c 94 54-bf 47 be 84 bb 2d d2 d9 J.."...T.G...-..
0080 - 8f 86 e7 a5 2b f2 2d f1-9f 48 4d 77 1d eb 12 36 ....+.-..HMw...6
0090 - 11 2e 97 53 27 75 bc fc-34 b9 b1 3f b7 e5 0d 4e ...S'u..4..?...N
00a0 - af 75 34 d1 bb ae 4d 39-ea 38 b9 3d 0c 9e 3f f0 .u4...M9.8.=..?.
Start Time: 1590924102
Timeout : 300 (sec)
Verify return code: 10 (certificate has expired)
---
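An added example, not part of the thread: a small parser for `openssl s_client` output that reports which certificate in the chain failed verification, where depth 0 is the server's own certificate and higher depths are CAs above it. It assumes the line format shown in the output above; the function names are hypothetical and the sample is constructed from that output.

```shell
#!/bin/sh
# Constructed sample: the verification lines from the s_client output above.
sample_output() {
cat <<'EOF'
CONNECTED(00000003)
depth=3 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify error:num=10:certificate has expired
notAfter=May 30 10:48:38 2020 GMT
verify return:0
    Verify return code: 10 (certificate has expired)
EOF
}

# Read s_client output on stdin; print depth|CN|errnum|errtext|notAfter per failure.
summarize_verify() {
    awk '
        /^depth=[0-9]+ / {
            depth = $1; sub(/^depth=/, "", depth)
            cn = $0; sub(/^.*CN = /, "", cn)
            next
        }
        /^verify error:num=/ {
            err = $0; sub(/^verify error:num=/, "", err)
            num = err; sub(/:.*/, "", num)
            text = err; sub(/^[0-9]+:/, "", text)
            pending = 1; next
        }
        pending && /^notAfter=/ {
            na = $0; sub(/^notAfter=/, "", na)
            print depth "|" cn "|" num "|" text "|" na; pending = 0; next
        }
        pending && /^verify return:/ {      # error with no date attached
            print depth "|" cn "|" num "|" text "|"; pending = 0
        }'
}

# Depth 0 is the server's own certificate; higher depths are CAs above it.
classify_failures() {
    summarize_verify | while IFS='|' read -r depth cn num text na; do
        if [ "$depth" -eq 0 ]; then who="server certificate"; else who="CA certificate"; fi
        echo "$who at depth $depth ($cn): $text${na:+, notAfter $na}"
    done
}

sample_output | classify_failures
```

On a live system the input would come from `openssl s_client -connect api.openweathermap.org:443 -showcerts </dev/null 2>&1 | classify_failures`.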
@tuicemen and @soxfan1966 I also have the same issue =)
I guess this will be automatically fixed once OpenWeatherMap renews its SSL certificate that expired on May 30 10:48:38 2020 GMT.
@genemars thanks for looking into this. I guess the jkutil open weather program doesn't use SSL, being a HG add-on program?
I emailed OpenWeatherMap asking about their SSL certificate. That may bring the expiry to their attention faster.
Thank you - I'm glad to know I wasn't losing my mind :)
OpenHAB using OW service calls is suffering similar issues. Seems a user over there has found a solution so I’m looking into this now
You could use this as a workaround but ensure you take an image of your install SD card before editing security stores. This solution comes with a health warning.
cd /etc
ls -al ca-certificates.conf
sudo cp ca-certificates.conf ca-certificates.conf.BAK
ls -al ca-certificates.conf
sudo nano ca-certificates.conf
Edit "AddTrust_External_Root.crt" to "!AddTrust_External_Root.crt"
sudo update-ca-certificates
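An added example, not from the thread: the manual edit above as a repeatable script with a guarded backup and an undo step. It assumes the entry may carry a directory prefix such as `mozilla/` and that a leading `!` marks an entry as deselected; the function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
CERT_RE='AddTrust_External_Root\.crt'

# Constructed sample in ca-certificates.conf format (one certificate path per line).
make_sample_conf() {
    printf '%s\n' '# constructed sample' \
        'mozilla/AddTrust_External_Root.crt' \
        'mozilla/DST_Root_CA_X3.crt' \
        'mozilla/USERTrust_RSA_Certification_Authority.crt' > "$1"
}

# Prefix the AddTrust entry with "!" (deselected). Returns 1 if there is nothing to change.
deselect_addtrust() {
    conf=$1
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 2; }
    grep -Eq "^([^!#].*/)?$CERT_RE\$" "$conf" || return 1
    # Keep only the first backup so a re-run cannot overwrite the original.
    [ -e "$conf.BAK" ] || cp -p "$conf" "$conf.BAK" || return 2
    tmp=$(mktemp "$conf.XXXXXX") || return 2
    if sed -E "s|^(([^!#].*/)?$CERT_RE)\$|!\\1|" "$conf" > "$tmp"; then
        cat "$tmp" > "$conf"; rc=$?      # write in place: keeps owner and mode
    else
        rc=2
    fi
    rm -f "$tmp"
    return "$rc"
}

# Undo the workaround from the saved copy.
restore_conf() {
    conf=$1
    [ -f "$conf.BAK" ] || { echo "no backup for $conf" >&2; return 2; }
    cp -p "$conf.BAK" "$conf" && rm -f "$conf.BAK"
}

# Demo on a scratch copy; on a real system pass /etc/ca-certificates.conf
# (as root) and then run: sudo update-ca-certificates
scratch=$(mktemp -d)
make_sample_conf "$scratch/ca-certificates.conf"
deselect_addtrust "$scratch/ca-certificates.conf" && cat "$scratch/ca-certificates.conf"
rm -rf "$scratch"
```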
I can confirm that this allows the OpenWeatherMap program to function again - thank you 👍
After I went thru those steps, I used the command that Gene had posted earlier today:
openssl s_client -connect api.openweathermap.org:443 -showcerts
and it returned a 0 (ok) after applying the certificate update. When OpenWeatherMap does something on their end, will there be any changes required in HG to accept the fix?
Thank you all :)
All you’ll need to do is to revert to your previous certs settings once a solution is found. In your case, assuming you took an image of your SD card, just revert to that image. Would you reference that solution I provided in your post? It looks a little confusing as to what actually worked for you.
As @mralapete hints, disabling security certificates is a hazard. OW uses an https call; simply editing the OW code to use http instead would be more advisable. In fact, if the program were to be coded to use http if an https pull failed, a future security certificate expiring wouldn't affect things with OW.
I remarked that editing security certs incorrectly can cause havoc if the editing is not carried out correctly. I clearly stated that my solution is only temporary until the offending issue is resolved. It can be clearly seen that using my solution you have a backup of your original certificates.conf file you can restore once the matter is resolved. Using http instead of https will also disable a secure connection to the OW server so all traffic is TX/RX unencrypted for all to see.
Just for clarity, the workaround I provided relates to relaxing of strict SSL connection to OpenWeather only. Every other aspect of HG functions as normal.
@soxfan1966 OpenWeatherMap just responded to my email: they've renewed their certificate, thus fixing this. So I believe you can close this issue. It is working on my end at least (no workaround needed).
Expected behavior
Call to API returns json weather info
Actual behavior
I am getting an error with the Weather Widget that started this morning - it's reported that it cannot find “sys” in a string - but after some troubleshooting, it appears that this command in the Weather program (both the “standard” and my updated version):
var weatherData = Net.WebService(webserviceurl_conditions).GetData();
is no longer returning any data, so when the rest of the program tries to parse the results it ends up with the missing sys error.
If you add this line: Program.Notify("weatherData = " + weatherData);
to the weather program right after the line above, and then under Maintenance options turn on Event History, you can see that weatherData is nil - it should be a list of data returned from the OpenWeatherMap API call.
Steps to reproduce the problem starting from a fresh install
Specifications
Additional configuration notes