Closed jckoester closed 6 years ago
+1, Same for me. https://community.home-assistant.io/t/dwd-warnapp-sensor-amtliche-warnungen-des-deutschen-wetterdienstes/22699/10?u=vdrainer
CC @runningman84
Dug a little because also my generic cameras with dwd images don't work anymore.
If I wget an image from dwd, I get the same error about certificate verify failed.
If I use wget with --no-check-certificate the image gets downloaded.
If I change the line
https://github.com/home-assistant/home-assistant/blob/976626d0ab4f40334867ebe06da53e414fab7f81/homeassistant/components/sensor/dwd_weather_warnings.py#L178
to
self._rest = RestData('GET', resource, None, None, None, False)
the component works again and I get a warning in the log
/srv/ha/lib/python3.6/site-packages/urllib3/connectionpool.py:858: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings InsecureRequestWarning)
Wondering now where the issue could be.
Just tried the wget https://www.dwd.de/DWD/warnungen/warnapp_landkreise/json/warnings.json?jsonp=loadWarnings
on my local machine.
Output:
--2018-09-02 21:16:40-- https://www.dwd.de/DWD/warnungen/warnapp_landkreise/json/warnings.json?jsonp=loadWarnings
Loaded CA certificate '/etc/ssl/certs/ca-certificates.crt'
Resolving www.dwd.de (www.dwd.de)... 141.38.3.62
Connecting to www.dwd.de (www.dwd.de)|141.38.3.62|:443... connected.
ERROR: The certificate of 'www.dwd.de' is not trusted.
ERROR: The certificate of 'www.dwd.de' hasn't got a known issuer.
Looks like wget can't validate the certificate although the browsers can. Looking at the certificate details shows it has been issued on August 31st. So it indeed seems to be the certificate.
The SSL-cert for www.dwd.de is signed by T-TeleSec GlobalRoot Class 2, which is actually in /etc/ssl/certs of my RasPi, but wget and home-assistant still show the DWD-cert as not valid. My guess is the problem is with the intermediate CA certs between T-Telesec GlobalRoot Class2 and www.dwd.de.
I've added the following certs to /etc/ssl/certs: https://www.pki.dfn.de/fileadmin/PKI/zertifikate/DFN-Verein_Certification_Authority_2.pem http://cdp.pca.dfn.de/dfn-ca-global-g2/pub/cacert/cacert.pem and did a c_rehash.
Now wget https://www.dwd.de/DWD/warnungen/warnapp_landkreise/json/warnings.json?jsonp=loadWarnings works fine, but home-assistant still fails. I guess it doesn't check against the local system CA-chain.
Edit: After adding the missing CA certs to lib/python3.5/site-packages/certifi/cacert.pem the DWD weather warnings are working!
After DWD made some modifications, everything works as before. https://community.home-assistant.io/t/dwd-warnapp-sensor-amtliche-warnungen-des-deutschen-wetterdienstes/22699/22?u=vdrainer @dasmaeh, I think this can be closed.
Home Assistant release with the issue: 77.2
Last working Home Assistant release (if known): Did work in 70 for sure. Not sure about 71.
Operating environment (Hass.io/Docker/Windows/etc.): HassOS on virtual machine
Component/platform: https://www.home-assistant.io/components/sensor.dwd_weather_warnings/
Description of problem: Sensor shows 'unavailable' as status instead of providing data.
Problem-relevant configuration.yaml entries and (fill out even if it seems unimportant):
Traceback (if applicable):
Additional information: Trying
wget https://www.dwd.de/DWD/warnungen/warnapp_landkreise/json/warnings.json?jsonp=loadWarnings
from ssh console results in a similar error. Accessing the URL in a recent browser (Firefox 61 or Chrome 68) works fine and shows the JSON string as expected. The certificate is verified successfully in both browsers. I don't know where in the hassos - home assistant stack tls certificates are handled, so this might as well be a problem of hassos. Trying different other websites using wget in home assistant / hassos did work well, so this does not seem to be a general problem with TLS encryption. Also pages using the same CA (like https://www.dfn.de) work fine on wget. The problem seems to be limited to this specific certificate.
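The failure mode discussed in this thread, reproduced offline as an added example (not code from the thread or from Home Assistant): a constructed root, intermediate and leaf are created with openssl, and the leaf is verified with only the root trusted, with the intermediate supplied next to the leaf, and with the intermediate appended to the trust bundle as was done for certifi's cacert.pem above. All subject and file names are made up, and the openssl command-line tool is assumed to be installed.

```shell
#!/bin/sh
# Added example: throw-away PKI, all subject and file names are constructed.
set -e

# Key + CSR for subject CN=$2, written to $1.key and $1.csr.
new_csr() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

# Build root -> intermediate -> leaf in directory $1.
make_chain() {
  d=$1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$d/ca.ext"
  new_csr "$d/root" "Constructed Root CA"
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
    -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
  new_csr "$d/int" "Constructed Intermediate CA"
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null
  new_csr "$d/leaf" "www.example.test"
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -CAcreateserial -days 2 -out "$d/leaf.pem" 2>/dev/null
  # Trust bundle with the intermediate appended (the client-side workaround).
  cat "$d/root.pem" "$d/int.pem" > "$d/bundle.pem"
}

# Only the root is trusted and only the leaf is presented: no path to the root.
verify_root_only() {
  openssl verify -CAfile "$1/root.pem" "$1/leaf.pem" >/dev/null 2>&1
}
# Intermediate supplied next to the leaf, as a server normally does in the handshake.
verify_full_chain() {
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/int.pem" "$1/leaf.pem" >/dev/null 2>&1
}
# Intermediate added to the client's trust bundle; verification stays enabled.
verify_patched_bundle() {
  openssl verify -CAfile "$1/bundle.pem" "$1/leaf.pem" >/dev/null 2>&1
}

report() { if "$1" "$2"; then echo "$1: OK"; else echo "$1: FAILED"; fi; }

dir=$(mktemp -d)
make_chain "$dir"
for check in verify_root_only verify_full_chain verify_patched_bundle; do
  report "$check" "$dir"
done
rm -rf "$dir"
```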