iainbullock / tesla-http-proxy-docker

Apache License 2.0

SSL cert issues #51

Open rossdargan opened 3 months ago

rossdargan commented 3 months ago

I'm not following the standard install, so understand if you tell me to do one :-) I'm following the guide here: https://www.smartmotion.life/2024/04/23/tesla-custom-integration-with-home-assistant-on-docker/?v=6cc98ba2045f

The last step is basically adding the details to the proxy.

My home assistant is running on the ip 192.168.86.51 (with a hostname of docker-automation). The tesla proxy is running on the ip 192.168.99.20 (with a hostname of mastodon.local).

From docker-automation I can get the ssl cert of the http proxy and see this:

ross@docker-automation:/docker/homeassistant/tesla_http_proxy$ openssl s_client -showcerts -connect mastodon.local:4430 | openssl x509 -noout -dates
depth=0 CN = 'mastodon.local'
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = 'mastodon.local'
verify return:1
notBefore=Jul  2 14:56:33 2024 GMT
notAfter=Jun 30 14:56:33 2034 GMT

When I configure the plugin I can see this issue in the logs: ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Hostname mismatch, certificate is not valid for 'mastodon.local'. (_ssl.c:1000)

and on the proxy I can see this: 2024/07/02 20:18:29 http: TLS handshake error from 192.168.86.51:55148: EOF

The pem file I link to inside home assistant when adding the information for the fleet api is the selfsigned.pem file generated in your docker container - this can be seen below

ross@docker-automation:/docker/homeassistant/tesla_http_proxy$ openssl x509 -in selfsigned.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            26:b2:6b:37:f1:cf:35:53:e3:15:6b:a8:c1:39:d6:b5:72:cf:47:ab
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: CN = 'mastodon.local'
...

NOTE: /docker/homeassistant maps to /config in docker - so this file is /config/docker/tesla_http_proxy/selfsigned.pem

Is that the correct file I should be using?

I've tried setting the hostname property on the docker container for the proxy to also be mastodon.local but that hasn't fixed it.

Any ideas would really be appreciated

iainbullock commented 3 months ago

No problem helping you with a non standard install, many of us have different setups / requirements.

I've not had time to properly digest what you are saying as I have to go to work shortly.

NOTE: /docker/homeassistant maps to /config in docker - so this file is /config/docker/tesla_http_proxy/selfsigned.pem

Should this be /config/tesla_http_proxy/selfsigned.pem to align with what you entered in the HA dialog box Proxy SSL Certificate?

rossdargan commented 3 months ago

Sorry, that's just bad typing; you are correct, and it does align to that!

iainbullock commented 3 months ago

Ok. Next thing to check is DNS resolution for mastodon.local works on all relevant hosts. I see your docker host and HA hosts are on different subnets. Do they have different DNS?

What does mastodon.local resolve to when nslookup mastodon.local is run on the docker host.

Also try it inside the proxy docker container by running something like this on the host

docker exec -it id_of_proxy_container nslookup

rossdargan commented 3 months ago

That was my first thought but it does all resolve correctly. You can see the logs from the proxy showing the connection is made so it is able to resolve it.

I also used OpenSSL to see what the cert looked like from the home assistant pov and it was able to get the cert. I also used nslookup inside the home assistant container and this is what I see

docker-automation:/config# nslookup mastodon.local
Server:  192.168.86.54
Address: 192.168.86.54#53

Name:    mastodon.local
Address: 192.168.99.20

rossdargan commented 3 months ago

Oh and they share the same dns across the subnets.

iainbullock commented 3 months ago

Try doing an nslookup from inside the proxy docker container

rossdargan commented 3 months ago

hmm, that isn't working. that vlan is actually heavily restricted from accessing the vlan home assistant runs on. home assistant can call into that vlan, and established sessions will work, but the proxy can't call into home assistant. My gut says this should be fine, but I'll add an exception for now to allow it to call in the other way.

DNS doesn't work however from that vlan - instead I use public dns from there. I don't understand why the proxy would need to resolve mastodon.local though?

rossdargan commented 3 months ago

I fully opened up the vlan, and set the dns on the proxy host to match the lan. It can now nslookup mastodon.local from within the docker container and get its host ip.

This was run from inside the proxy docker container on the 192.168.99.20 host.

mastodon:/app# nslookup mastodon.local
Server:         192.168.86.54
Address:        192.168.86.54:53

Name:   mastodon.local
Address: 192.168.99.20

Non-authoritative answer:

Still having the same issue though.

iainbullock commented 3 months ago

Ok so it looks like DNS is good.

Please can you send the full logs from the proxy container from startup. Also your docker-compose.yml

Thanks!

rossdargan commented 3 months ago

Logs:

tesla_http_proxy | Configuration Options are:
tesla_http_proxy | CLIENT_ID=8a2****
tesla_http_proxy | CLIENT_SECRET=Not Shown
tesla_http_proxy | DOMAIN=tesla.dargan.uk
tesla_http_proxy | PROXY_HOST=mastodon.local
tesla_http_proxy | REGION=Europe, Middle East, Africa
tesla_http_proxy | Found existing keypair
tesla_http_proxy | Starting Tesla HTTP Proxy
tesla_http_proxy |
tesla_http_proxy | Do not listen on a network interface without adding client authentication. Unauthorized clients may
tesla_http_proxy | be used to create excessive traffic from your IP address to Tesla's servers, which Tesla may respond
tesla_http_proxy | to by rate limiting or blocking your connections.
tesla_http_proxy | 2024-07-02T20:22:53Z [debug] Creating proxy
tesla_http_proxy | 2024-07-02T20:22:53Z [info ] Listening on 0.0.0.0:443
tesla_http_proxy | 2024/07/02 20:23:33 http: TLS handshake error from 192.168.86.51:52216: EOF
tesla_http_proxy | 2024/07/03 09:40:30 http: TLS handshake error from 192.168.86.51:40658: EOF
tesla_http_proxy | 2024/07/03 10:16:48 http: TLS handshake error from 192.168.86.51:53394: EOF
tesla_http_proxy | Configuration Options are:
tesla_http_proxy | CLIENT_ID=8a27c579-6d75-45e9-80ff-9fe4c09a6677
tesla_http_proxy | CLIENT_SECRET=Not Shown
tesla_http_proxy | DOMAIN=tesla.dargan.uk
tesla_http_proxy | PROXY_HOST=mastodon.local
tesla_http_proxy | REGION=Europe, Middle East, Africa
tesla_http_proxy | Found existing keypair
tesla_http_proxy | Starting Tesla HTTP Proxy
tesla_http_proxy |
tesla_http_proxy | Do not listen on a network interface without adding client authentication. Unauthorized clients may
tesla_http_proxy | be used to create excessive traffic from your IP address to Tesla's servers, which Tesla may respond
tesla_http_proxy | to by rate limiting or blocking your connections.
tesla_http_proxy | 2024-07-03T10:18:48Z [debug] Creating proxy
tesla_http_proxy | 2024-07-03T10:18:48Z [info ] Listening on 0.0.0.0:443
tesla_http_proxy | 2024/07/03 10:21:30 http: TLS handshake error from 192.168.86.51:49012: EOF

Docker compose:

tesla_http_proxy:
  container_name: tesla_http_proxy
  hostname: mastodon.local
  restart: always
  image: iainbullock/tesla_http_proxy:latest
  environment:

iainbullock commented 3 months ago

A quick look (sorry I'm travelling)

source: /docker/tesla/tesla_http_proxy
target: /share/home-assistant

I think should be

source: /docker/homeassistant/tesla_http_proxy
target: /share/home-assistant

In docker-compose.yml

I'm using my phone so hard to properly look at it

This mapping should allow the proxy container to write the selfsigned.pem file into the folder that HA container sees as whatever you entered into the dialog Proxy SSL Certificate

iainbullock commented 3 months ago

Or locate selfsigned.pem manually inside the HA container and reference it accordingly in the dialog

rossdargan commented 3 months ago

So the docker host running tesla proxy and the docker host running home assistant are different VMs (in different vlans), so they don't share a volume. I manually copied the selfsigned.pem from the tesla_http_proxy into the folder /docker/homeassistant/tesla_http_proxy on the home assistant host so it can see that certificate.

I really appreciate the help especially given you are travelling!

iainbullock commented 3 months ago

Did it work?

rossdargan commented 3 months ago

Sorry, no it didn’t. I was just explaining what I’d done.

iainbullock commented 3 months ago

Oh dear. I'm running out of ideas. I would try using curl from within the HA container with and without the -k option to debug further

rossdargan commented 3 months ago

Not sure if this helps?!

ross@docker-automation:~$ docker exec -it home-assistant /bin/bash
docker-automation:/config# curl https://mastodon.local:4430
curl: (60) SSL certificate problem: self-signed certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
docker-automation:/config# curl https://mastodon.local:4430 -k
{"response":null,"error":"client did not provide an OAuth token","error_description":""}
docker-automation:/config#

rossdargan commented 3 months ago

I enabled debug logging on the custom component as this is the error from there:

ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Hostname mismatch, certificate is not valid for 'mastodon.local'. (_ssl.c:1000)
2024-07-04 19:39:15.482 DEBUG (MainThread) [custom_components.tesla_custom] Trusting CA: {'subject': ((('countryName', 'TR'),), (('localityName', 'Gebze - Kocaeli'),), (('organizationName', 'Turkiye Bilimsel ve Teknolojik Arastirma Kurumu - TUBITAK'),), (('organizationalUnitName', 'Kamu Sertifikasyon Merkezi - Kamu SM'),), (('commonName', 'TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1'),)), 'issuer': ((('countryName', 'TR'),), (('localityName', 'Gebze - Kocaeli'),), (('organizationName', 'Turkiye Bilimsel ve Teknolojik Arastirma Kurumu - TUBITAK'),), (('organizationalUnitName', 'Kamu Sertifikasyon Merkezi - Kamu SM'),), (('commonName', 'TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1'),)), 'version': 3, 'serialNumber': '01', 'notBefore': 'Nov 25 08:25:55 2013 GMT', 'notAfter': 'Oct 25 08:25:55 2043 GMT'}
2024-07-04 19:44:40.135 DEBUG (MainThread) [custom_components.tesla_custom] Trusting CA: {'subject': ((('countryName', 'TR'),), (('localityName', 'Gebze - Kocaeli'),), (('organizationName', 'Turkiye Bilimsel ve Teknolojik Arastirma Kurumu - TUBITAK'),), (('organizationalUnitName', 'Kamu Sertifikasyon Merkezi - Kamu SM'),), (('commonName', 'TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1'),)), 'issuer': ((('countryName', 'TR'),), (('localityName', 'Gebze - Kocaeli'),), (('organizationName', 'Turkiye Bilimsel ve Teknolojik Arastirma Kurumu - TUBITAK'),), (('organizationalUnitName', 'Kamu Sertifikasyon Merkezi - Kamu SM'),), (('commonName', 'TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1'),)), 'version': 3, 'serialNumber': '01', 'notBefore': 'Nov 25 08:25:55 2013 GMT', 'notAfter': 'Oct 25 08:25:55 2043 GMT'}

Now that feels a lot closer to the issue!

I have absolutely no idea what that cert is coming from though. Looking at the source code that log comes from here: https://github.com/alandtse/tesla/blob/d7c87318f4261709eae295f0c2cef7a3e6d131a7/custom_components/tesla_custom/__init__.py#L148

My guess is this code:

            SSL_CONTEXT.load_verify_locations(config[CONF_API_PROXY_CERT])
            _LOGGER.debug("Trusting CA: %s", SSL_CONTEXT.get_ca_certs()[-1])

should have added the proxy as the last trusted CA, but for some reason it hasn't - however what it does look like is not an issue with the proxy, and more an issue with the custom component :/

iainbullock commented 2 months ago

Sorry I don't. I'm sure you've tried already but maybe delete the container and the selfsigned.pem and start again, in case the key is wrong for some reason. Running out of ideas...

hallsbyra commented 1 month ago

Ensure the self signed cert is for mastodon.local and not 'mastodon.local'.

I carried over some settings from config.sh to docker-compose.yml and forgot to remove the single quotes around the strings. Got the exact same problem.
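The diagnosis above ties the two halves of the thread together: the `Hostname mismatch, certificate is not valid for 'mastodon.local'` error from the custom component, and a `PROXY_HOST='mastodon.local'` line whose quotes survived the move from config.sh into a docker-compose `environment:` list. The script below is an added example written for this page; it is not code from tesla-http-proxy or from the tesla_custom component. It shows how the same `KEY='value'` line yields different values under shell expansion and in a compose environment list (compose passes the text after `=` literally), then runs a simplified RFC 6125-style hostname matcher over the certificate names to show why a name that literally contains the quote characters can never match `mastodon.local`. The matcher, the `diagnose` helper and the sample inputs are constructed for this example; the certificate names themselves are the ones quoted in the thread.

```python
"""Hostname verification vs. literal quotes in a certificate name.

Added example, not code from tesla-http-proxy or the tesla_custom component.
It reproduces two things from the issue: how PROXY_HOST='mastodon.local'
in config.sh (shell) versus in a docker-compose environment list ends up
with or without the quote characters, and why a certificate whose name is
literally 'mastodon.local' (quotes included) fails hostname matching for
mastodon.local.  The matcher is a simplified RFC 6125-style check written
for this example; it is not Python's ssl module.
"""
import shlex


def shell_assignment_value(line: str) -> str:
    """Value of KEY=VALUE as a POSIX shell (e.g. config.sh) expands it.
    The shell strips the quotes, so PROXY_HOST='mastodon.local' -> mastodon.local."""
    _key, _, raw = line.strip().partition("=")
    parts = shlex.split(raw)
    return parts[0] if parts else ""


def compose_env_value(line: str) -> str:
    """Value of a docker-compose `environment:` list entry (`- KEY=VALUE`).
    Compose passes the text after '=' literally, so the quotes become part
    of the value the container (and therefore the generated cert) sees."""
    item = line.strip()
    if item.startswith("-"):
        item = item[1:].strip()
    _key, _, value = item.partition("=")
    return value


def _name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive match of one certificate name against a hostname.
    A single leftmost '*' label is allowed (e.g. *.example.local), and a
    wildcard needs at least two labels after it so '*.local' is rejected."""
    p = pattern.lower().rstrip(".")
    h = hostname.lower().rstrip(".")
    if p == h:
        return True
    p_labels, h_labels = p.split("."), h.split(".")
    if len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    return p_labels[0] == "*" and p_labels[1:] == h_labels[1:]


def hostname_matches(cert_names: list[str], hostname: str) -> bool:
    """True if any SAN dNSName / CN in cert_names covers hostname."""
    return any(_name_matches(n, hostname) for n in cert_names)


def stray_quotes(cert_names: list[str]) -> list[str]:
    """Names that begin or end with a quote character: almost always a
    configuration value that was copied with its shell quoting intact."""
    return [n for n in cert_names if n and (n[0] in "'\"" or n[-1] in "'\"")]


def diagnose(cert_names: list[str], hostname: str) -> str:
    """Short verdict in the spirit of the CERTIFICATE_VERIFY_FAILED message,
    with a hint when the only problem is quoting."""
    if hostname_matches(cert_names, hostname):
        return "ok: certificate is valid for %r" % hostname
    bad = stray_quotes(cert_names)
    if bad and hostname_matches([n.strip("'\"") for n in bad], hostname):
        return ("hostname mismatch: certificate name %r carries literal quotes; "
                "regenerate it with PROXY_HOST=%s (no quotes)" % (bad[0], hostname))
    return "hostname mismatch: certificate is not valid for %r" % hostname


if __name__ == "__main__":
    # Constructed inputs mirroring the thread: the same line in config.sh
    # and in a docker-compose environment list.
    line = "PROXY_HOST='mastodon.local'"
    print("shell   :", shell_assignment_value(line))
    print("compose :", compose_env_value("- " + line))
    # Certificate subject CN as shown by `openssl x509 -noout -subject`
    # in the issue: CN = 'mastodon.local' (quotes are part of the name).
    print(diagnose(["'mastodon.local'"], "mastodon.local"))
    print(diagnose(["mastodon.local"], "mastodon.local"))
```

To apply this to a real certificate, feed `diagnose` the names printed by `openssl x509 -in selfsigned.pem -noout -subject -ext subjectAltName`; a leading or trailing quote in any of them is the misconfiguration this thread ends on, and the fix is to regenerate the certificate with the unquoted hostname rather than to disable verification on the client.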

iainbullock commented 1 month ago

Good feedback thanks for this