ElkM1 not connecting after upgrade to 2023.6.2

[deanryan]

The problem

The ElkM1 integration was no longer able to connect to the ElkM1 panel after upgrading to 2023.6.1. I have been watching #94198 and HA is still unable to connect to the ElkM1 panel after upgrading to 2023.6.2. I am getting the following message in the log:

Logger: elkm1_lib.connection Source: runner.py:179 First occurred: 11:35:38 AM (669 occurrences) Last logged: 12:13:49 PM Error connecting to ElkM1 ([SSL: TLSV1_ALERT_PROTOCOL_VERSION] tlsv1 alert protocol version (_ssl.c:1002)). Retrying in 60

What version of Home Assistant Core has the issue?

2023.6.2

What was the last working version of Home Assistant Core?

2023.5.4

What type of installation are you running?

Home Assistant OS

Integration causing the issue

Elk M1

Link to integration documentation on our website

https://www.home-assistant.io/integrations/elkm1

Diagnostics information

No response

Example YAML snippet

No response

Anything in the logs that might be useful for us?

Logger: elkm1_lib.connection
Source: runner.py:179
First occurred: 11:35:38 AM (669 occurrences)
Last logged: 12:13:49 PM
Error connecting to ElkM1 ([SSL: TLSV1_ALERT_PROTOCOL_VERSION] tlsv1 alert protocol version (_ssl.c:1002)). Retrying in 60

Additional information

No response

[home-assistant[bot]]

Hey there @gwww, @bdraco, mind taking a look at this issue as it has been labeled with an integration (elkm1) you are listed as a code owner for? Thanks!

Code owner commands

Code owners of `elkm1` can trigger bot actions by commenting: - `@home-assistant close` Closes the issue. - `@home-assistant rename Awesome new title` Renames the issue. - `@home-assistant reopen` Reopen the issue. - `@home-assistant unassign elkm1` Removes the current integration label and assignees on the issue, add the integration domain after the command.

_{^{(message by CodeOwnersMention)}}

---

elkm1 documentation elkm1 source _{^{(message by IssueLinks)}}

[gwww]

What version of TLS are you using? When the integration is setup it was asked for.

What version of the XEP firmware are you running?

For completeness (I don’t think it matters) what version of the ElkM1 firmware are you running?

[deanryan]

I don't remember for sure, but I think I selected TLS 1.2. In retrospect it may have been a mistake, but I took the opportunity while the integration wasn't working to upgrade the XEP firmware. I was still all the way back at XEP firmware 1.3.28 prior to installing 2023.6.1. Now I'm at:

• XEP Firmware 2.0.48
• M1 Firmware 5.3.10

[wappinghigh]

I am a relative newbie. Elk connection is crucial to my whole home operation I downgraded back to 2023.5.4 after the Elk connection crashed going to 2023.6.1 What is the TLS firmware? What is the XEP firmware? What versions do I need to be on (to check) before I upgrade to 2023.6.2 - so I know I won't lose Elk connection again after the upgrade? Is there anything else I need to check?

This is the current HA "about" Home Assistant 2023.5.4 Supervisor 2023.06.2 Operating System 10.2 Frontend 20230503.3 - latest

Thanks

[dragonsoul84]

I was on XEP firmware 2.0.40 and it broke on HA 2023.6.1. I did the curl script and got back up and running. I thought maybe bringing my XEP to the latest version might help with TSL/SSL breakage in the future so I updated the XEP to 2.0.48 and now I can't communicate again ::sigh::. I understand it may be that I am on the wrong TLS version as mentioned above. The docs say the 2.0.46 and below (which is what I was) use a lower TLS. Now that I am on >2.0.46, I should be using the higher TLS, but I don't know how to change it. Do I have to remove the ELK integration and re-add it?

[dragonsoul84]

I just went ahead and removed the integration and re-added it, reconnected just fine. I have been using the ELK integration since day 1 pretty much and there were a lot of changes in the naming schemes and such that I was avoiding redoing. About 30 minutes or so of renaming some things in my dashboard and at least it is back to normal. Now I have to go and update the naming conventions in my Node Red automations.

[wappinghigh]

Geeez.. I don't even know what XEP and TLS firmware is. Or where to check. I have hundreds of logic scripts and programming hanging off the elk integration. Sensors, entities and automation. This Elk HA integration is the backbone of my smarthome. I'm not doing any upgrade from 2023.5.4 until the developers know 100% what is going on/wrong here. I'd pay extra to have this Elk integration failsafe robust into the future... It's really that important for me. Will follow the thread with interest. thanks for all the efforts to all concerned. W

[dragonsoul84]

Geeez.. I don't even know what XEP and TLS firmware is. Or where to check. I have hundreds of logic scripts and programming hanging off the elk integration. Sensors, entities and automation. This Elk HA integration is the backbone of my smarthome. I'm not doing any upgrade from 2023.5.4 until the developers know 100% what is going on/wrong here. I'd pay extra to have this Elk integration failsafe robust into the future... It's really that important for me. Will follow the thread with interest. thanks for all the efforts to all concerned. W

Your XEP (or M1-XEP which is the ELK part #) is the ethernet module connected to your ELK alarm. Its firmware can be found using the ELK-RP software. If your ELK is that rooted into the smart home I would expect that you have the software. If not, you can go to elkproducts.com and sign up as an owner and it will let you download the software and any firmware for the hardware connected to it. If you rely on your alarm installation company for all programming related to the ELK, you should be able to contact them to find out your firmware version the M1-XEP.

TLS is a secure communication protocol for encrypting the traffic between devices, in this case between the ELK M1-XEP ethernet module and Home Assistant. TLS has different compatibilities depending on the firmware/software of a product. You cannot tell a software (Home Assistant) to make a link with a device (M1-XEP) with TLS 1.2 if that device only supports TLS 1.0. With ELK, the XEP firmware is going to determine which firmware it has - TLS 1.0 or TLS 1.2.

If the M1-XEP gets updated by the user and now requires TLS 1.2, that is not the HA integration creators responsibility. He created the integration following the practices of how TLS works and it is on us - the ones implementing the integration - to use the correct option when installing. If we update our hardware and it breaks the link, that is on us to re-install the integration to use the updated TLS version that our hardware now wants.

Now in your case, if everything was working fine before the update to 2023.6.1 broke it, then upgrading to 2023.6.2 should work just fine. The particular issue in this thread is that the OP updated his ELK control panel firmware and M1-XEP firmware (just like I did) and it broke the connection to HA because he previously had the integration setup to use TLS 1.0. He needs to redo the integration and select TLS 1.2, then his issue should be resolved.

Depending on how long ago he first set up his integration he may have all the correct naming conventions that are being used now (they have gone through some variations over the years). The zones used to be sensor.zone_001 and the lighting was light.light001 and so forth. Now they actually populate with sensor.elkm1(zone_name) and light.(light_name). I just had to update my automations and custom cards to reflect those since I had been procrastinating updating the naming schemes.

[dragonsoul84]

Well, it was working when I went to sleep, and then I wake up to it not working again. Error in logs shows

Logger: elkm1_lib.connection
Source: custom_components/elkm1/__init__.py:389
Integration: Elk-M1 Control
First occurred: 10:17:02 AM (1 occurrences)
Last logged: 10:17:02 AM

ElkM1 at elksv1_2://192.168.1.50 disconnecting

followed by

Logger: elkm1_lib.connection
Source: runner.py:179
First occurred: 10:16:42 AM (11 occurrences)
Last logged: 10:17:20 AM

Error connecting to ElkM1 ([Errno 111] Connect call failed ('192.168.1.50', 2601)). Retrying in 2 seconds
Error connecting to ElkM1 ([Errno 111] Connect call failed ('192.168.1.50', 2601)). Retrying in 4 seconds
Error connecting to ElkM1 ([Errno 111] Connect call failed ('192.168.1.50', 2601)). Retrying in 8 seconds
Error connecting to ElkM1 ([Errno 111] Connect call failed ('192.168.1.50', 2601)). Retrying in 16 seconds
Error connecting to ElkM1 ([Errno 111] Connect call failed ('192.168.1.50', 2601)). Retrying in 32 seconds

[dragonsoul84]

Turns out I still had the ELK folders under custom integrations and I also still had the entries in configuration.yaml. I commented out the settings in the config file and also deleted the custom integration folder. I rebooted HA, rebooted the XEP and rebooted my ELK M1controller. I am now able to setup via the UI again. Now my problem is what is getting loaded and what isn't. I will open a separate ticket for that.

[gwww]

@deanryan I need to know for sure what you configured in HA for the TLS level. My suspicion is that you have configured the wrong one. My suspicion is based on the fact that you upgraded from an old version of XEP to the very latest - which use different versions of TLS. See the note in the docs about TLS and XEP versions here: https://www.home-assistant.io/integrations/elkm1#elk-m1xep-version.

You can verify your version by looking at your config files. Look at the file config/.storage/core.config_entries. There should be a line something like "host": "elks://192.168.42.42". The elks part could be just that or it could be elksv1_2. I need to see the elk string before the ://.

@dragonsoul84 The problem that I suspect you are seeing is that deleting stuff from configuration.yaml does not really delete them from your system. This is not an ElkM1 integration issue, this is the way HA works. I ran into this exact problem when I was moving my stuff from being configured through the .yaml to being configured using the UI. My work around was to manually edit core.config_entries. There may be other (better) ways, but I'm unaware if there are.

[dragonsoul84]

I thought that might be the case. I wasn't sure where the info was stored so I removed the integration again and restarted HA a couple times. Then when I added the integration one last time all the zones came back. The only thing that was added through the auto-config that I didn't want was all 8 areas, but I just changed them to disabled except my main area. I love the Integration and so happy that it is evolving. Thanks for all the work. Hopefully the ssl and tls changes in the core are done for a while.

[deanryan]

Here is the configuration entry for my Elk integration:

      {
        "entry_id": "4407440ba70e727421ba43ce103cef03",
        "version": 1,
        "domain": "elkm1",
        "title": "ElkM1 2d703f",
        "data": {
          "host": "elks://192.168.0.251:2601",
          "username": "redacted",
          "password": "redacted",
          "auto_configure": true,
          "prefix": ""
        },
        "options": {},
        "pref_disable_new_entities": false,
        "pref_disable_polling": false,
        "source": "dhcp",
        "unique_id": "00:40:9d:2d:70:3f",
        "disabled_by": "user"
      },

Note that I currently have the integration disabled so that it stops retrying the connection.

[gwww]

So that won’t work with the version of the XEP firmware you’re using. You must be using TLS 1.2 (you’re using TLS 1.0). Unfortunately there’s no way to auto configure the TLS version.

The sanctioned way to fix that is to delete the integration and re-add with the correct TLS setting. The unsanctioned way is to change the elks to elksv1_2 and restarting HA.

[bdraco]

side note: I think we could probably move the abort so manual config would update the existing entry to avoid the need to manually edit the config entry

diff --git a/homeassistant/components/elkm1/config_flow.py b/homeassistant/components/elkm1/config_flow.py
index ac7fc90333..d54d24505a 100644
--- a/homeassistant/components/elkm1/config_flow.py
+++ b/homeassistant/components/elkm1/config_flow.py
@@ -239,9 +239,6 @@ class ConfigFlow(config_entries.ConfigFlow, domain=DOMAIN):
         self, user_input: dict[str, Any], importing: bool
     ) -> tuple[dict[str, str] | None, FlowResult | None]:
         """Try to connect and create the entry or error."""
-        if self._url_already_configured(_make_url_from_data(user_input)):
-            return None, self.async_abort(reason="address_already_configured")
-
         try:
             info = await validate_input(user_input, self.unique_id)
         except asyncio.TimeoutError:
@@ -252,6 +249,12 @@ class ConfigFlow(config_entries.ConfigFlow, domain=DOMAIN):
             _LOGGER.exception("Unexpected exception")
             return {"base": "unknown"}, None

+        self._abort_if_unique_id_configured(
+            updates={CONF_HOST: info[CONF_HOST], CONF_PREFIX: info[CONF_PREFIX]}
+        )
+        if self._url_already_configured(_make_url_from_data(user_input)):
+            return None, self.async_abort(reason="address_already_configured")
+
         if importing:
             return None, self.async_create_entry(title=info["title"], data=user_input)

@@ -312,7 +315,6 @@ class ConfigFlow(config_entries.ConfigFlow, domain=DOMAIN):
                 await self.async_set_unique_id(
                     dr.format_mac(device.mac_address), raise_on_progress=False
                 )
-                self._abort_if_unique_id_configured()
                 # Ignore the port from discovery since its always going to be
                 # 2601 if secure is turned on even though they may want insecure
                 user_input[CONF_ADDRESS] = device.ip_address

There would have to be some other changes as well though since other callers are expecting _url_already_configured to run before validation.

[deanryan]

Thank you! I manually updated the TLS version (after a backup), restarted HA, and re-enabled the integration. Everything seems to be working well again.

I am deeply grateful for the help and for the excellent integration!

[gwww]

@homeassistant close

[deanryan]

Updating integration to use TLS 1.2 fixed the issue.