synesthesiam / hassio-addons

My Hass.IO add-ons

Starting rhasspy from hass.io won't use SSL settings #6

Closed gvs55 closed 4 years ago

gvs55 commented 4 years ago

Running the latest hass.io with rhasspy installed as an addon. It starts and runs fine over http, but no matter what I try it won't use the ssl cert provided in the configuration. I see ssl=none in the first line of the log. The certificate is in the ssl folder and is used by Home Assistant itself, which does work. It's not a self-signed cert.

Thanks for your help

config: { "user_dir": "/share/rhasspy/profiles", "profile": "en", "ssl": true, "certfile": "cert.pem", "keyfile": "key.pem" }

log:

DEBUG:main:Namespace(host='0.0.0.0', log_level='DEBUG', port=12101, profile='en', set=[], ssl=None, system_profiles='/usr/share/rhasspy/profiles', user_profiles='/share/rhasspy/profiles')
DEBUG:RhasspyCore:Loaded profile from /share/rhasspy/profiles/en/profile.json
DEBUG:RhasspyCore:Profile files will be written to /share/rhasspy/profiles/en
DEBUG:root:Loading default profile settings from /usr/share/rhasspy/profiles/defaults.json

....

spencer-scott commented 4 years ago

I can second this issue. I can reach it fine over http, just not https.

synesthesiam commented 4 years ago

Fix for this will be in 2.4.20.1

litinoveweedle commented 4 years ago

I can confirm, that now hassio add-on 2.4.20.2 is trying to load cert files. But it doesn't succeed, at least for ~standard hassio addon cert location, which is at /ssl/.

I have both 'server.crt' and 'server.key' present in the /ssl directory and they are used by other addons without issue (like for example node-red: https://github.com/hassio-addons/addon-node-red/blob/master/node-red/rootfs/etc/nginx/servers/direct-ssl.disabled)

At which path does Rhasspy expect certs to be located? If it is not /ssl, would it be possible to change it to this more common path used by other addons?

DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): XXXXXXXXXXXXXX:8123
DEBUG:DialogueManager:decoder started
DEBUG:DialogueManager:speech started
DEBUG:DialogueManager:recognizer started
DEBUG:DialogueManager:speech_trainer started
DEBUG:DialogueManager:word_pronouncer started
DEBUG:DialogueManager:intent_trainer started
DEBUG:DialogueManager:recorder started
DEBUG:DialogueManager:wake started
DEBUG:DialogueManager:command started
DEBUG:urllib3.connectionpool:https:XXXXXXXXXXXXXXXXXX:8123 "GET /api/ HTTP/1.1" 200 29
DEBUG:DialogueManager:handler started
DEBUG:DialogueManager:Actors loaded
DEBUG:DialogueManager:loading -> ready
DEBUG:InboxActor: -> stopped
INFO:main:Started
DEBUG:main:Using SSL with certfile, keyfile = ['server.crt', 'server.key']
DEBUG:main:Starting web server at https://0.0.0.0:12101
Running on https://0.0.0.0:12101 (CTRL + C to quit)
[2020-04-21 00:11:34,168] ASGI Framework Lifespan error, continuing without Lifespan support
WARNING:quart.serving:ASGI Framework Lifespan error, continuing without Lifespan support
Traceback (most recent call last):
  File "app.py", line 1348, in
    app.run(host=args.host, port=args.port, certfile=certfile, keyfile=keyfile)
  File "/usr/share/rhasspy/.venv/lib/python3.7/site-packages/quart/app.py", line 1346, in run
    run_single(self, config, loop=loop) # type: ignore
  File "/usr/share/rhasspy/.venv/lib/python3.7/site-packages/hypercorn/asyncio/run.py", line 126, in run_single
    loop.run_until_complete(worker_serve(app, config))
  File "/usr/lib/python3.7/asyncio/base_events.py", line 579, in run_until_complete
    return future.result()
  File "/usr/share/rhasspy/.venv/lib/python3.7/site-packages/hypercorn/asyncio/run.py", line 141, in worker_serve
    ssl_context = config.create_ssl_context()
  File "/usr/share/rhasspy/.venv/lib/python3.7/site-packages/hypercorn/config.py", line 160, in create_ssl_context
    context.load_cert_chain(certfile=self.certfile, keyfile=self.keyfile)
FileNotFoundError: [Errno 2] No such file or directory

litinoveweedle commented 4 years ago

I checked how to use hassio certificates in SSL in standard path and there are two things to be done:

  1. Add "ssl" directory to "map" in the hassio-addons/rhasspy/config.json:
    "map": [
    "share:rw",
    "ssl"
    ],

    This will at least allow it to work when changing the Rhasspy hassio addon cert configuration to:

    /ssl/key
    /ssl/cert
  2. To allow using hassio certificates without a path (i.e. same as other hassio addons), a change in rhasspy/docker/run.sh is needed:
    if [[ "${ssl}" == 'true' ]]; then
        certfile="$(jq --raw-output '.certfile' "${CONFIG_PATH}")"
        keyfile="$(jq --raw-output '.keyfile' "${CONFIG_PATH}")"
        RHASSPY_ARGS+=('--ssl' /ssl/"${certfile}" /ssl/"${keyfile}")
    fi

As this part of run.sh is in use only for the hassio addon Docker, it will have no impact on the standalone Rhasspy Docker.

Please let me know if you will accept a pull request as above, or if you are OK to implement this (as it seems to be a simple change). Thank you.
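An added example, not part of the comment above and not the add-on's own run.sh: a pre-flight check for the `--ssl` arguments that accepts only a bare file name, resolves it inside the mapped certificate directory, and stops with a clear message before the web server starts instead of failing later in `load_cert_chain`. The function names `resolve_tls_file` and `build_ssl_args` are hypothetical, the directory is passed as an argument in place of `/ssl`, and `null` is rejected because that is what `jq --raw-output` prints for a missing key.

```shell
#!/bin/sh
# Added example, not the add-on's run.sh. The DIR argument is an assumption
# standing in for the /ssl mapping discussed in the thread.

# resolve_tls_file DIR NAME
# Prints DIR/NAME if NAME is a bare file name that exists and is readable.
# Exit status: 2 = name rejected, 3 = file missing or unreadable.
resolve_tls_file() (
    dir=$1
    name=$2
    case $name in
        ''|null|.|..|*/*)
            echo "tls: '$name' must be a bare file name inside $dir" >&2
            exit 2 ;;
    esac
    path=$dir/$name
    if [ ! -f "$path" ] || [ ! -r "$path" ]; then
        echo "tls: $path not found or unreadable (is \"ssl\" in the add-on map?)" >&2
        exit 3
    fi
    printf '%s\n' "$path"
)

# build_ssl_args DIR CERTFILE KEYFILE
# Prints "--ssl CERT KEY" with resolved paths, or fails with the status above.
build_ssl_args() (
    cert=$(resolve_tls_file "$1" "$2") || exit $?
    key=$(resolve_tls_file "$1" "$3") || exit $?
    printf '%s %s %s\n' --ssl "$cert" "$key"
)

# Constructed demo: a temporary directory plays the role of /ssl.
demo_dir=$(mktemp -d)
: > "$demo_dir/server.crt"; : > "$demo_dir/server.key"
build_ssl_args "$demo_dir" server.crt server.key
build_ssl_args "$demo_dir" ../share/x.pem server.key || echo "rejected (exit $?)"
rm -rf "$demo_dir"
```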

synesthesiam commented 4 years ago

I've got a fix in the pipeline now, per your suggestion. Thanks! It will behave like other add-ons, not requiring a full path.

litinoveweedle commented 4 years ago

Thank you very much, I can confirm, that ssl now works in the way of other hassio addons:

INFO:__main__:Started
DEBUG:__main__:Using SSL with certfile, keyfile = ['/ssl/server.crt', '/ssl/server.key']
DEBUG:__main__:Starting web server at https://0.0.0.0:12101
WARNING:quart.serving:ASGI Framework Lifespan error, continuing without Lifespan support
Running on https://0.0.0.0:12101 (CTRL + C to quit)
[2020-04-25 18:22:13,380] ASGI Framework Lifespan error, continuing without Lifespan support

There seems to be one last thing missing: to add correct handling for the "OPEN WEB UI" link from the Rhasspy hassio addon page. It seems to be hardcoded to http (actually no protocol is specified and http is default)

I took a look again into node-red hassio addon and they use following approach in config.json:

"webui": "[PROTO:ssl]://[HOST]:[PORT:80]",

Hassio addon docs say:

_webui | string | A URL for web interface of this add-on. Like http://[HOST]:[PORT:2839]/dashboard, the port needs the internal port, which will be replaced with the effective port. It is also possible to bind the proto part to a config options with: [PROTO:option_name]://[HOST]:[PORT:2839]/dashboard and he lookup if they is True and going to https._

As Rhasspy config options for https is "ssl" as well I suppose this change in the config.json shall be enough:

"webui": "[PROTO:ssl]://[HOST]:[PORT:12101]/"

I tried to test it locally, but it seems that local changes to config.json are not taken into account??? Very honestly this is my first hassio addon troubleshooting, so I am also sorry for this lengthy approach. Thank you for your patience. :-)

litinoveweedle commented 4 years ago

Errrrr one more thing, it seems that Rhasspy in the 2.4.20.3 addon is compiled with DEBUG on? I see a lot of DEBUG level messages in the log:

DEBUG:hpack.hpack:Decoded 74, consumed 1 bytes
DEBUG:hpack.hpack:Decoded (b'sec-websocket-extensions', b'permessage-deflate'), consumed 1
DEBUG:hpack.hpack:Decoded 73, consumed 1 bytes
DEBUG:hpack.hpack:Decoded (b'cookie', b'TASMO_SESSION=1htmkjl2luisbudqk8h8vjbaql'), consumed 1
DEBUG:hpack.hpack:Decoded 72, consumed 1 bytes
DEBUG:hpack.hpack:Decoded (b'cookie', b'portainer.LOGIN_STATE_UUID=2dbc0f50-983b-4a4f-a6ca-986416712f91'), consumed 1
....

synesthesiam commented 4 years ago

Please try again with the rhasspy25 add-on (same Hass.IO add-on repo) and see if this works better.

litinoveweedle commented 4 years ago

Hello, I can confirm that SSL including link works fine in Rhasspy25 addon. Thank you.

Romkabouter commented 4 years ago

@synesthesiam this one can be closed