Daikin suddenly failing on one endpoint with ssl context error

[ianmcginley]

The problem

Daikin integration stopped being able to talk to one of the CORA head units running firmware 1.16.0, the following is shown for this specific head unit end point in the Daikin Integration:

However my 3 other identical endpoints still work. This end point still works via the Daikin MobileController application.

Initially broke on HA 2024.6x3, upgrade to 2024.7.4 to eliminate as an issue. Still broken.

What version of Home Assistant Core has the issue?

2024.7.4

What was the last working version of Home Assistant Core?

No response

What type of installation are you running?

Home Assistant Container

Integration causing the issue

Daikin

Link to integration documentation on our website

No response

Diagnostics information

home-assistant_daikin_2024-08-04T23-13-01.439Z.log

Example YAML snippet

No response

Anything in the logs that might be useful for us?

No response

Additional information

No response

[home-assistant[bot]]

Hey there @fredrike, mind taking a look at this issue as it has been labeled with an integration (daikin) you are listed as a code owner for? Thanks!

Code owner commands

Code owners of `daikin` can trigger bot actions by commenting: - `@home-assistant close` Closes the issue. - `@home-assistant rename Awesome new title` Renames the issue. - `@home-assistant reopen` Reopen the issue. - `@home-assistant unassign daikin` Removes the current integration label and assignees on the issue, add the integration domain after the command. - `@home-assistant add-label needs-more-information` Add a label (needs-more-information, problem in dependency, problem in custom component) to the issue. - `@home-assistant remove-label needs-more-information` Remove a label (needs-more-information, problem in dependency, problem in custom component) on the issue.

_{^{(message by CodeOwnersMention)}}

---

daikin documentation daikin source _{^{(message by IssueLinks)}}

[brandon8782]

Im seeing the same behaviour, but with a different error message in the logs:

    2024-08-04 01:38:58.756 DEBUG (MainThread) [pydaikin.daikin_base] Calling: https://192.168.1.178/common/register_terminal {'key': 'XXXXXXXXXXXXXXX'}
    2024-08-04 01:38:58.769 DEBUG (MainThread) [homeassistant.components.daikin] ClientConnectionError to 192.168.1.178

The integration page was showing: SSL: UNSAFE_LEGACY_RENEGOTIATION_DISABLED

[ianmcginley]

It might be a libcurl thing?

~$ curl https://192.168.0.66/

curl: (35) error:0A000152:SSL routines::unsafe legacy renegotiation disabled

I get this on all my 1.16.0 devices (only one doesn’t work in HA though). My 2.8.0 firmware device responds differently.

[BeauGiles]

I'm getting an SSL issue/error in Home Assistant now too, after updating to Core 2024.8.0;

Failed setup, will retry: Cannot connect to host 10.0.1.253:443 ssl:default [[SSL: UNSAFE_LEGACY_RENEGOTIATION_DISABLED] unsafe legacy renegotiation disabled (_ssl.c:1000)]

curl response in verbose mode

~ % curl -v https://10.0.1.253
*   Trying 10.0.1.253:443...
* Connected to 10.0.1.253 (10.0.1.253) port 443
* ALPN: curl offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* (304) (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, unknown CA (560):
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

[BeauGiles]

Ok, downgraded back to Core 2024.7.4 - and it works fine again.

Some change in Core 2024.8 broke the integration for one of my split systems (the other three work fine, as well as a ducted unit)

[peedub]

I have one unit using the BRP072C42 wifi module (uses the API key), which is affected by this issue. I have another unit using the older BRP072A42 wifi module, which is fine (this one doesn't use the API key).

[mikey0000]

I imagine this may fix the problem?

    session = async_get_clientsession(hass, verify_ssl=False)

in daikin_api_setup

[marcbunyan]

I imagine this may fix the problem?

    session = async_get_clientsession(hass, verify_ssl=False)

in daikin_api_setup

^ where would we find this file?

[peedub]

I imagine this may fix the problem?

    session = async_get_clientsession(hass, verify_ssl=False)

in daikin_api_setup

^ where would we find this file?

https://github.com/home-assistant/core/blob/f8fa6e43094c7288fcf1cb9fe6a260d71c4f3e1b/homeassistant/components/daikin/__init__.py#L82

I think this is the line @mikey0000 was referring to.

[shadow7412]

I think so too - but that change seems to be giving me an "unknown error"... unsure if async_get_clientsession even takes that kwarg...

Though I might just be doing something wrong.

[peedub]

I think so too - but that change seems to be giving me an "unknown error"... unsure if async_get_clientsession even takes that kwarg...

Though I might just be doing something wrong.

Here's the original function, which defaults verify_ssl to True: https://github.com/home-assistant/core/blob/f8fa6e43094c7288fcf1cb9fe6a260d71c4f3e1b/homeassistant/helpers/aiohttp_client.py#L85

[mikey0000]

Was about to link that, yeah original function has verify_ssl

[shadow7412]

Yeah, I realised afterwards that it's dying during the call, and logging here;

https://github.com/home-assistant/core/blob/f8fa6e43094c7288fcf1cb9fe6a260d71c4f3e1b/homeassistant/components/daikin/__init__.py#L96

I'm trying to add a little more detail to the logs, but my HA is taking a while to wind back up...

[shadow7412]

Finally.

So, with that on I'm now getting HTTP 403 Forbidden from the device :/

[mikey0000]

Well that is at least some progress.

[cremor]

@bdraco wrote the following in https://github.com/fredrike/pydaikin/issues/3#issuecomment-2274868360

Similar fix for another lib assuming you need to turn on legacy: gwww/elkm1#69

[Khengsoon]

I won't be upgraded to the latest HA version. Daikin plugin is one of the main integration I don't want to missed out

[shadow7412]

@Khengsoon perfectly reasonable. I probably wouldn't have upgraded if I knew in advance - though I was looking forward to the reolink chime controls.

[TheDJVG]

Based on my own problems I figured that the pydaikin module is not setting the SSL Context correctly and it's (no longer?) sending the X-Daikin-uuid header causing the 403 error.

More context here: https://github.com/fredrike/pydaikin/issues/3#issuecomment-2277101760

After patching both locally I was able to restore functionality on my daikin BRP072C42

[adprom]

I am also having this exact same issue. Watchtower updated the package this morning and this issue appeared.

[Khengsoon]

Based on my own problems I figured that the pydaikin module is not setting the SSL Context correctly and it's (no longer?) sending the X-Daikin-uuid header causing the 403 error.

More context here: fredrike/pydaikin#3 (comment)

After patching both locally I was able to restore functionality on my daikin BRP072C42

Hi @TheDJVG , do you mind share where is the file located? I try to search and can't locate anywhere inside the /custom_components

[TheDJVG]

Based on my own problems I figured that the pydaikin module is not setting the SSL Context correctly and it's (no longer?) sending the X-Daikin-uuid header causing the 403 error. More context here: fredrike/pydaikin#3 (comment) After patching both locally I was able to restore functionality on my daikin BRP072C42

Hi @TheDJVG , do you mind share where is the file located? I try to search and can't locate anywhere inside the /custom_components

I've you're running the official integration pydaikin will be installed as part of the python environment. For reference this file (and line) is where I changed the ssl context (part of HA) and this file (and line) is where I added the missing headers.

Where the files are located depend also on your installation method (I personally run the container image).

(slight remark, I just made the changes to get back up and running locally, the actual fix(es) need to be more refined I believe)

[mattyway]

I've raised a PR in pydaikin with a fix: https://github.com/fredrike/pydaikin/pull/13

I got my instance of Home Assistant working by uninstalling the official pydaikin and then installing a "fixed" version from my fork on Github, like this:

pip uninstall pydaikin

pip install git+https://github.com/mattyway/pydaikin.git@e7766cfd96520b39df033451479754e4f344dc95

[Khengsoon]

Thank you very much buddy. Let me try on my backup copy

On Sat, Aug 10, 2024, 2:12 PM Matt Way @.***> wrote:

I've raised a PR in pydaikin with a fix: fredrike/pydaikin#13 https://github.com/fredrike/pydaikin/pull/13

I got my instance of Home Assistant working by uninstalling the official pydaikin and then installing a "fixed" version from my fork on Github, like this:

pip uninstall pydaikin

pip install @.***

— Reply to this email directly, view it on GitHub https://github.com/home-assistant/core/issues/123160#issuecomment-2279609279, or unsubscribe https://github.com/notifications/unsubscribe-auth/ADNUWTJ3CE7VKU6F4YIR6U3ZQWVOLAVCNFSM6AAAAABL7HMMDGVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDENZZGYYDSMRXHE . You are receiving this because you were mentioned.Message ID: @.***>

[sokanaar]

pip install git+https://github.com/mattyway/pydaikin.git@e7766cfd96520b39df033451479754e4f344dc95

works perfectly for my 5 aircons! You sir are a life saver

[fredrike]

I've pushed a new version of the underlaying library (https://github.com/fredrike/pydaikin/pull/13) and I think @mattyway is on the way to fix this on the HA side too.

pip install git+https://github.com/mattyway/pydaikin.git@e7766cfd96520b39df033451479754e4f344dc95

works perfectly for my 5 aircons! You sir are a life saver

pip install pydaikin==2.13.2 is enough now.

[ZuluPilgrim]

@fredrike do I just run the pip command from the HA terminal? I tried but got

So I am guessing I am in the wrong place. I tried to install pip too but not sure how to.

[PanJ]

Is there any workaround to install new package of pydaikin without waiting for the next release of HA?

[bestknee]

I've pushed a new version of the underlaying library (fredrike/pydaikin#13) and I think @mattyway is on the way to fix this on the HA side too.

pip install git+https://github.com/mattyway/pydaikin.git@e7766cfd96520b39df033451479754e4f344dc95

works perfectly for my 5 aircons! You sir are a life saver

pip install pydaikin==2.13.2 is enough now.

thank you for working on this

I've noticed that pydaikin reverts to 2.13.1 each time HA is restarted. Is there anything else I need to do to make this persistent?

[peedub]

This has fixed the unit that stopped working but it has caused my two older units that don't use the api key to stop working.

The following error comes up in the HA logs.

Logger: pydaikin.daikin_base
Source: components/daikin/__init__.py:88
First occurred: 7:36:58 AM (2 occurrences)
Last logged: 7:36:58 AM

Exception in TaskGroup: 'DaikinBRP069' object has no attribute 'headers'

[mike4001]

Yes, all my 4 units do not work anymore since HA 2024.8.1 update :-/

[kalpik]

Yes, all my 4 units do not work anymore since HA 2024.8.1 update :-/

Same here.

[andrepalma]

Any knews on the solution? I have to downgrade to 2024.7.4 to get the climates to work again... At documentation they say it needs to have the connection to onecta, but I have old models with local connection... I hope they will fix this.

[mikey0000]

Solution is known, fix can't be far away