home-assistant / core

Open source home automation that puts local control and privacy first.
https://www.home-assistant.io
Apache License 2.0

HA REST integration doesn't accept SSL certificate from the Polish Atomic Agency's website #116170

Open jacek-dargiel opened 1 week ago

jacek-dargiel commented 1 week ago

The problem

I have a REST sensor that polls the Polish Atomic Agency's API to get the current radiation readings in some areas of Poland. Here's the URL I'm polling:

https://monitoring.paa.gov.pl/_api/maps/MapLayer/15d20873-f8a7-8899-5d69-960cc9ebbbb6/DetailsTable/f5af6ec4-d759-3163-344e-cbf147d28e28/Data/b974aef7-d428-4d4a-a8c0-43a3a0ae2570?dateFrom=2024-03-26T00:00:00.000Z&dateTo=2024-04-25T00:00:00.000Z

Yesterday, this sensor stopped working. HA Core logs say it's because:

[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate

I guess the website certificate might have changed, but it's a valid certificate according to my Windows/Edge browser. I haven't installed any custom certs for it to work.

What version of Home Assistant Core has the issue?

core-2024.4.4

What was the last working version of Home Assistant Core?

core-2024.4.3 ?

What type of installation are you running?

Home Assistant OS

Integration causing the issue

RESTful

Link to integration documentation on our website

https://www.home-assistant.io/integrations/rest/

Diagnostics information

No response

Example YAML snippet

```yaml
sensor:
  - platform: rest
    unique_id: "1c06e55d-323c-4b1b-84fe-0a64ff180900"
    name: Radiation in Warsaw
    resource_template: https://monitoring.paa.gov.pl/_api/maps/MapLayer/15d20873-f8a7-8899-5d69-960cc9ebbbb6/DetailsTable/f5af6ec4-d759-3163-344e-cbf147d28e28/Data/b974aef7-d428-4d4a-a8c0-43a3a0ae2570
    params:
      dateFrom: >
        {{ (now() + timedelta(days = -1)).strftime('%Y-%m-%d') }}
      dateTo: >
        {{ (now() + timedelta(days = 1)).strftime('%Y-%m-%d') }}
    scan_interval: 1800 # 30m
    unit_of_measurement: μSv/h
    value_template: '{{ (value_json | last).moc_dawki }}'
    json_attributes_path: "$.[-1:]"
    json_attributes:
      - date_start_str
      - date_end_str
    headers:
      Content-Type: application/json
```

Anything in the logs that might be useful for us?

Logger: homeassistant.components.rest.sensor
Source: components/rest/sensor.py:90
integration: RESTful (documentation, issues)
First occurred: 2:22:45 PM (3 occurrences)
Last logged: 2:22:45 PM

Error connecting https://monitoring.paa.gov.pl/_api/maps/MapLayer/15d20873-f8a7-8899-5d69-960cc9ebbbb6/DetailsTable/f5af6ec4-d759-3163-344e-cbf147d28e28/Data/b974aef7-d428-4d4a-a8c0-43a3a0ae2570 failed with [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1000)
Error connecting https://monitoring.paa.gov.pl/_api/maps/MapLayer/15d20873-f8a7-8899-5d69-960cc9ebbbb6/DetailsTable/f5af6ec4-d759-3163-344e-cbf147d28e28/Data/<redacted due to privacy> failed with [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1000)
Error connecting https://monitoring.paa.gov.pl/_api/maps/MapLayer/15d20873-f8a7-8899-5d69-960cc9ebbbb6/DetailsTable/f5af6ec4-d759-3163-344e-cbf147d28e28/Data/<redacted due to privacy> failed with [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1000)

Additional information

No response

home-assistant[bot] commented 1 week ago

rest documentation rest source

mib1185 commented 1 week ago

the message [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: indicates that the target URL does not use (anymore?) a valid ssl certificate. this should be reported to the administrator/maintainer of the target URL, or you might want to have a look at the verify_ssl parameter.

jacek-dargiel commented 1 week ago

The certificate is valid as you can see by checking the URL I've provided.

mib1185 commented 1 week ago

the root ca in the used ca-certificate bundle does not match the certificate chain of the server certificate of monitoring.paa.gov.pl

```
homeassistant:/config# apk info ca-certificates
ca-certificates-20240226-r0 description:
Common CA certificates PEM files from Mozilla

ca-certificates-20240226-r0 webpage:
https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/

ca-certificates-20240226-r0 installed size:
712 KiB

homeassistant:/config#  openssl s_client -connect monitoring.paa.gov.pl:443 -servername monitoring.paa.gov.pl -verify 3
verify depth is 3
CONNECTED(00000003)
depth=0 CN = *.paa.gov.pl
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = *.paa.gov.pl
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 CN = *.paa.gov.pl
verify return:1
---
Certificate chain
 0 s:CN = *.paa.gov.pl
   i:C = PL, O = Unizeto Technologies S.A., OU = Certum Certification Authority, CN = Certum Domain Validation CA SHA2
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Feb 13 08:37:56 2024 GMT; NotAfter: Feb 12 08:37:55 2025 GMT
---

homeassistant:/config# openssl s_client -connect monitoring.paa.gov.pl:443 -servername monitoring.paa.gov.pl -verify 3 -CAfile /etc/ssl/certs/ca-cert-Certum_Trusted_Network_CA.pem -CAfile /etc/ssl/certs/ca-cert-Certum_Trusted_Root_CA.pem -CAfile /etc/ssl/certs/ca-cert-Certum_Trusted_Network_CA_2.pem
verify depth is 3
CONNECTED(00000003)
depth=0 CN = *.paa.gov.pl
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = *.paa.gov.pl
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 CN = *.paa.gov.pl
verify return:1
---
Certificate chain
 0 s:CN = *.paa.gov.pl
   i:C = PL, O = Unizeto Technologies S.A., OU = Certum Certification Authority, CN = Certum Domain Validation CA SHA2
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Feb 13 08:37:56 2024 GMT; NotAfter: Feb 12 08:37:55 2025 GMT
---
```