starttls handshake: x509: certificate has expired or is not yet valid

[MnrGreg]

Recently start seeing TLS verification issues when using vacbot:

2019/01/27 19:45:45 login successful
2019/01/27 19:45:45 get auth code successful
2019/01/27 19:45:46 get user access token successful
2019/01/27 19:45:46 starttls handshake: x509: certificate has expired or is not yet valid

Ecovacs certificates appear to be valid.

* Server certificate:
*  subject: CN=*.ecouser.net
*  start date: Dec 24 00:00:00 2018 GMT
*  expire date: Feb 22 12:00:00 2020 GMT
*  subjectAltName: host "msg-ww.ecouser.net" matched cert's "*.ecouser.net"
*  issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=RapidSSL RSA CA 2018
*  SSL certificate verify ok.

* Server certificate:
*  subject: C=CN; L=\U82CF\U5DDE; O=\U82CF\U5DDE\U79D1\U6C83\U65AF\U673A\U5668\U4EBA\U7535\U5B50\U5546\U52A1\U6709\U9650\U516C\U53F8; OU=\U4FE1\U606F\U6280\U672F\U4E2D\U5FC3; CN=*.ecovacs.com
*  start date: Feb  6 00:00:00 2018 GMT
*  expire date: Dec 26 12:00:00 2020 GMT
*  subjectAltName: host "eco-us-api.ecovacs.com" matched cert's "*.ecovacs.com"
*  issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=GeoTrust RSA CA 2018
*  SSL certificate verify ok.

What could have changed? Is their another endpoint that vacbot connects to?

[RushHour2k5]

@MnrGreg, you may have noticed a few of my posts for the issue on your plugin and it appears to be in the XMPP portion of this script. Multiple people are reporting it with the Sucks platform as well and there were fixes released for it to resolve this issue temporarily, however it doesn't allow the information or commands to be transmitted securely. I cannot figure out what to modify in this GoLang script for XMPP to resolve the problem. I have gone as far as updating the cert information in the crypto.go file but it errors out after that or still present the same error. Any ideas from the information included at https://github.com/wpietri/sucks/issues/62 on how to resolve the issues with the XMPP file? It appears in Python people were removing the pyasn1 and pyasn1-modules portions from Python to fix it but don't know how to do that in this GoLang script.

[skburgart]

Hey thanks @MnrGreg for reporting this issue, and @pilot76103 for the deeper insight. It turns out the issue is the XMPP connection. It's getting upgraded to TLS via STARTTLS, but fails the cert check. #4 will fix the issue, but uses insecure connections by default (which I'm not a fan of). Looking for feedback on how we can maybe make it more secure 😄

[RushHour2k5]

@skburgart, thank you. Please let us know when the code is released and I'll re-compile @MnrGreg's Deebot.go file to make it an executable. Regarding the fix for secure connections it appears everything referenced in the issue at https://github.com/wpietri/sucks/issues/62 states the root cause could be related to the configuration of the Ecovacs servers. Being that the original certificate expired on 01/20/2019 and may have been resigned at some point they never reconfigured the Jabber server to see the new certificate within the setup. Not sure if we can make it more secure other than to ask the system to attempt STARTTLS but ignore the certificate error if it fails. This way when the STARTTLS is able to re-verify the certificate again at some point down the road it will just automatically work again.

[skburgart]

Alright, for simplicity we'll go with insecure connections for now just to get things working. If/when Ecovacs updates their certs (🙏) we can revert. The fix is in.

[RushHour2k5]

@skburgart thank you very much! Unfortunately I won't be home from work until about 8:00PM EST. I'll try to remotely recompile but it might be a pain.

[RushHour2k5]

@skburgart compiled and running without errors however I am not getting Status messages. I'm using @MnrGreg's code that compiles your's into an executable. I believe it calls the same information that your's uses within the JSON. What do you use for the DeviceID? Below is an example of my configuration.

{ "email": "e-mail address", "password_hash": "MD5 Hash of Password", "device_id": "DEEBOT OZMO 930's S/N", "country": "us", "continent": "na", "lang": "en", "app_code": "i_eco_e", "app_version": "1.3.5", "channel": "c_googleplay", "device_type": "1", "timezone": "GMT-5", "realm": "ecouser.net" }

[skburgart]

I haven't run this code on my own bot in a while, but I believe device_id refers to the device making the API calls. For example, if you were using the android app it would be the MD5 hash of the device ID of your phone.

To get things working, I don't think it matters what device ID you send, just as long as it's an MD5 hash.

[RushHour2k5]

@skburgart thanks. Unfortunately I don't believe it's working. Just the 3 lines for login similar to below and then no response. If I wanted to bypass @MnrGreg's plugin which file of yours would I use with "go build" or even "go run"? I'm using the Ecovacs DEEBOT OZMO 930 for reference.

2019/01/27 19:45:45 login successful 2019/01/27 19:45:45 get auth code successful 2019/01/27 19:45:46 get user access token successful

[skburgart]

I can't say how @MnrGreg's app is supposed to interact, but I've confirmed with my bot that the library appears to be working now. I used the example program in the README.md with this as my config:

{
  "email": "skburgart@gmail.com",
  "password_hash": "md5_of_my_password",
  "device_id": "random_md5",
  "country": "us",
  "continent": "na",
  "lang": "en",
  "app_code": "i_eco_e",
  "app_version": "1.3.5",
  "channel": "c_googleplay",
  "device_type": "1",
  "timezone": "GMT-5",
  "realm": "ecouser.net"
}

[RushHour2k5]

@skburgart glad to hear your library is running. How do I run your library and where to I place the config file? Also, what bot do you have? Wondering if the plug doesn't support commands for the OZMO 930.

[skburgart]

You'd need to make a program that consumes the library. For example, you could could create a new project with a main.go in:

$GOPATH/src/myprojects/test-gobot/main.go

The contents of main.go would be the example program in README.md. You would also need the config in the same director as main.go e.g.

$GOPATH/src/myprojects/test-gobot/vacbot.json

Then when you're in that directory, make sure all the dependencies are downloaded using go get ./... Finally, you can run the code directly with go run main.go.

The bot I'm using is ECOVACS DEEBOT N79S

[RushHour2k5]

@skburgart I think that's the problem. Your plugin may be developed around the sucks master fork where as for my bot being the OZMO 930 I would need the D901 fork of sucks. https://github.com/bmartin5692/sucks/blob/D901/protocol.md Appears there is a change of Ecovacs IOT devices versus non-IOT devices. The N79S falls under non-IOT. I suppose unless a whole new fork is made of yours to convert the Sucks D901 fork to GoLang and then get @MnrGreg to call a new D901 fork of your plugin I won't be able to accomplish what I'm looking to do. Looks like I'll need to find a way to port the Sucks D901 fork over to at least work with Homebridge. Thank you for your assistance, it is very much appreciated and at least your plugin should work for those who have had previous issues once the cert expired.

[skburgart]

Ah that must be it. Hope you can eventually get it working!