home-assistant / core

Open source home automation that puts local control and privacy first.
https://www.home-assistant.io
Apache License 2.0

Netgear Integration fails due to a self certified SSL cert on the router #104559

Closed dugancom closed 5 months ago

dugancom commented 11 months ago

The problem

When attempting to set up the Netgear integration I receive a "Connection or login error: please check your configuration" error. This happens if all of the fields in the UI are filled in or if only the password is. I attempted to connect to the router myself to verify the IP and receive an `ERR_SSL_KEY_USAGE_INCOMPATIBLE` in Chrome, but not in Edge. In researching this, it appears to be an issue with the SSL cert used by Netgear on the router admin page, specifically that it is self-certified.

https://community.netgear.com/t5/Orbi-Pro-WiFi-for-Small-Business/SSL-error/m-p/2347112#M6504

To verify if this was happening I attempted to curl to my router from my HA instance and received the following error:

curl failed to verify the legitimacy of the server and therefore could not establish a secure connection to it. To learn more about this situation and how to fix it, please visit the web page mentioned above.

If I attempt to curl again but add the `--insecure` parameter, my connection is successful.

What version of Home Assistant Core has the issue?

core-2023.11.3

What was the last working version of Home Assistant Core?

No response

What type of installation are you running?

Home Assistant OS

Integration causing the issue

Netgear

Link to integration documentation on our website

https://www.home-assistant.io/integrations/netgear/

Diagnostics information

No response

Example YAML snippet

No response

Anything in the logs that might be useful for us?

No response

Additional information

No response

home-assistant[bot] commented 11 months ago

Hey there @hacf-fr, @quentame, @starkillerog, mind taking a look at this issue as it has been labeled with an integration (netgear) you are listed as a code owner for? Thanks!


Ascendor commented 10 months ago

I see the same behaviour with a Netgear GC110.

IgnacioHR commented 8 months ago

I found a way to fix this problem, but it is quite complex for non-expert users. I've warned you!

  1. Enable telnet access to the router. This can be done by opening the page https://[your router ip]/debug.htm and clicking on the telnet checkbox.
  2. Use a telnet client to root into your router. The user is 'root'; use your router password.
  3. `cd /etc/lighthttp/certs`
  4. Edit the file called `crtconfig.conf`:

```
[req]
distinguished_name  = req_distinguished_name
x509_extensions     = v3_req
prompt              = no
[req_distinguished_name]
C           = US
ST          = California
L           = San Jose
O           = Netgear
CN          = www.routerlogin.net

[v3_req]
keyUsage           = keyEncipherment, dataEncipherment, digitalSignature
extendedKeyUsage   = serverAuth
basicConstraints   = critical, CA:FALSE
subjectAltName = @alt_names

[alt_names]
DNS.1 = www.routerlogin.net
DNS.2 = routerlogin.net
DNS.3 = www.orbilogin.com
DNS.4 = orbilogin.net
DNS.5 = routerlogin.com
DNS.6 = orbilogin.com
DNS.7 = www.routerlogin.com
DNS.8 = www.orbilogin.net
```

Note: I changed keyUsage and added basicConstraints.

  5. Copy the current config: `cp server.pem server.pem.bk`
  6. Create the new config: `./https_cert.sh`
  7. Restart the http service: `/etc/init.d/lighttpd restart`
  8. Test with a new Chrome session.

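
One way to confirm that a regenerated certificate carries the keyUsage and basicConstraints values from the comment above before retesting in a browser (an added example, not part of the thread and not Home Assistant or Netgear code). `ext_value`, `audit_cert` and `make_cert` are hypothetical helper names; `make_cert` only builds throwaway self-signed certificates as constructed test input, because the thread does not show the router's original keyUsage.

```shell
#!/bin/sh
# Added example (not from the issue thread): audit the keyUsage and
# basicConstraints values that the edited crtconfig.conf sets.

# Value line printed under an extension header by `openssl x509 -text`.
ext_value() {  # $1 = PEM file, $2 = extension name as openssl prints it
    openssl x509 -in "$1" -noout -text | grep -A1 "X509v3 $2:" | tail -n 1
}

# Print one line per problem; the exit status is the number of problems.
audit_cert() {  # $1 = PEM certificate file
    problems=0
    # ECDHE suites and TLS 1.3 have the server sign the handshake, so a
    # certificate that carries keyUsage must include digitalSignature.
    case "$(ext_value "$1" 'Key Usage')" in
        ""|*"Digital Signature"*) ;;   # absent extension = unrestricted
        *) echo "keyUsage: digitalSignature missing"
           problems=$((problems + 1)) ;;
    esac
    # A server (leaf) certificate must not be usable as a CA.
    case "$(ext_value "$1" 'Basic Constraints')" in
        *CA:TRUE*) echo "basicConstraints: CA:TRUE on a server certificate"
                   problems=$((problems + 1)) ;;
    esac
    return "$problems"
}

# Constructed test input: throwaway self-signed cert with a chosen [v3_req].
make_cert() {  # $1 = keyUsage, $2 = basicConstraints, $3 = output PEM
    cat > "$3.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions    = v3_req
prompt             = no
[dn]
CN = www.routerlogin.net
[v3_req]
keyUsage         = $1
basicConstraints = $2
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$3.cnf" \
        -keyout "$3.key" -out "$3" 2>/dev/null
}

# Usage: sh audit_cert.sh server.pem
if [ $# -gt 0 ]; then audit_cert "$1"; fi
```

To check the certificate a device is actually serving rather than a file, save it first with `openssl s_client -connect <host>:443 </dev/null | openssl x509 -out served.pem` and pass `served.pem` to the script.
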
dugancom commented 8 months ago

Hey, thanks! This worked for me relative to Chrome, but the integration still doesn't load. At least not initially. Busy now, but I'll check the logs and see if it's still giving the same error and report back.

issue-triage-workflows[bot] commented 5 months ago

There hasn't been any activity on this issue recently. Due to the high number of incoming GitHub notifications, we have to clean some of the old issues, as many of them have already been resolved with the latest updates. Please make sure to update to the latest Home Assistant version and check if that solves the issue. Let us know if that works for you by adding a comment 👍 This issue has now been marked as stale and will be closed if no further activity occurs. Thank you for your contributions.