tijsverkoyen / HomeAssistant-FusionSolar

Integrate FusionSolar into your Home Assistant.
MIT License

V2.6 Kiosk mode no data is shown #104

Closed Joepiler11 closed 11 months ago

Joepiler11 commented 11 months ago

Hi Tijs,

Fellow Belgian here ;)

As I'm still waiting for my installer to wrap his head around creating an API user, I decided to go ahead and set it up with the KIOSK method.

This is my first time working with HomeAssistant, so it's a fresh install on VMware ESXi 8; literally the only thing I've done to it is install HACS and your repository. Your work is pretty intuitive and I had no problem setting up the kiosk; however, I'm not getting any data from it (even though the kiosk URL works just fine in a web browser).

Any ideas?


Joepiler11 commented 11 months ago

On closer inspection the error seems to be SSL related as it is in https://github.com/tijsverkoyen/HomeAssistant-FusionSolar/issues/103

This error originated from a custom integration.

Logger: custom_components.fusion_solar.sensor
Source: helpers/update_coordinator.py:262
Integration: Fusion Solar (documentation, issues)
First occurred: 5:00:00 PM (1 occurrences)
Last logged: 5:00:00 PM

Error requesting FusionSolarKiosk data: HTTPSConnectionPool(host='region05eu5.fusionsolar.huawei.com', port=443): Max retries exceeded with url: /rest/pvms/web/kiosk/v1/station-kiosk-file?kk=NjOyGILu8PMwJa4hAHC37cPuLiBzGCc7 (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1002)')))

Joepiler11 commented 11 months ago

A quick inspection of /etc/ssl/certs does in fact reveal the globalsign root CA certificate valid until 2028:

image

Joepiler11 commented 11 months ago

Doing more research:

The SSL certificate for the region05eu5.fusionsolar.huawei.com website is the following: GlobalSign_RSA_OV_SSL_CA_2018


Which SHOULD be signed by: GlobalSign_RootCA-_R3


So the chain goes as:

GlobalSign_RootCA-_R3 <--- Root CA
GlobalSign_RSA_OV_SSL_CA_2018 <--- website

Inspection of the /etc/ssl/certs/ca-certificates.crt file reveals that the Root CA is in fact installed; however, running:

openssl s_client -connect region05eu5.fusionsolar.huawei.com:443

gives me the errors:

verify error:num=20:unable to get local issuer certificate
verify error:num=21:unable to verify the first certificate

Now when I manually add the website SSL cert to the /etc/ssl/certs/ca-certificates.crt file, the command works:

openssl s_client -connect region05eu5.fusionsolar.huawei.com:443

However, that does not translate to a successful connection in the hoas web interface

AND WHAT'S MORE when i restart homeassistant to try to get it to take effect all my changes are reset :(

Hopefully someone with better knowledge of how Home Assistant handles its SSL certs will come along here?

tijsverkoyen commented 11 months ago

I don't know that much about SSL but could it be that you are running Home Assistant on an outdated (host-)system?

Joepiler11 commented 11 months ago

> I don't know that much about SSL but could it be that you are running Home Assistant on an outdated (host-)system?

I'm a support engineer aspiring to become a system engineer, so I know just enough to get me in trouble :p

Hmm, the Home Assistant itself is only a day old; I got the VMware vmdk file from the Home Assistant website. I can replicate the behavior on a completely up to date Windows 10 VM running on the same host machine. HOWEVER, another up to date Windows 10 instance running on bare metal can access the site just fine.

so... there could be some merit in your suggestion!

The Host is an ESXi 8 machine, I will look into this and report back

tijsverkoyen commented 11 months ago

Probably the image on the home assistant is using an older version of some SSL library.

Joepiler11 commented 11 months ago

Might be a moment before I find the time to dig into the host machine as I'm currently at work and I don't like to f*** around with the host remotely.

Here's what GPT has to say:

`Yes, the behavior you are observing could potentially be influenced by the host hypervisor in a virtualized environment. Hypervisors are responsible for managing and allocating resources to virtual machines (VMs), and they can have an impact on various aspects of VM behavior, including networking and SSL/TLS certificate verification.

Here are a few ways in which the host hypervisor might affect SSL resolution in guest VMs:

Time Synchronization: SSL/TLS certificates are time-sensitive, and if there is a significant time discrepancy between the host and the guest VMs, it can lead to SSL verification issues. Hypervisors often provide time synchronization services to guest VMs, and any misconfiguration or issues in this synchronization process can lead to certificate validation errors.

Networking Configuration: Hypervisors manage the networking infrastructure for virtual machines. If there are misconfigurations or limitations in the network setup, such as firewall rules, NAT (Network Address Translation) settings, or DNS resolution, it could result in SSL/TLS connection errors.

Root CA Trust: While the root CA certificate you provided should be trusted by default, there might be situations where the trust chain is not being established properly due to configuration issues on the hypervisor or the VMs. It's worth double-checking the trust store and SSL settings on both the host and the VMs.

Virtualized Hardware: Virtualized hardware can sometimes introduce quirks or limitations that affect the behavior of SSL/TLS connections. Although this is less common, it's possible that certain SSL-related operations might be impacted by virtualized hardware.

Interference: Hypervisor-level security features, such as intrusion detection or network monitoring, could potentially interfere with SSL connections if they are not properly configured.

Since you mentioned that the issue is reproducible on both Windows and Linux guest VMs running on the same host, it's more likely that the issue is related to host-level configurations or settings that affect the behavior of the VMs. I would recommend reviewing the time synchronization, network settings, and security configurations on the host hypervisor as well as the guest VMs to ensure they are properly aligned with your requirements. Additionally, verifying the trust stores and SSL configurations on both the host and the VMs could help pinpoint the cause of the SSL errors you are experiencing.`

tijsverkoyen commented 11 months ago

Ok, thx for your effort!

So this is not related to this integration but to the virtualisation of the host-system, or the image used to run Home Assistant. Probably better to report it there?

bugoff commented 11 months ago

The problem you have is because Huawei isn't including the intermediate certificate on their chain. I don't think you can fix this locally.

https://www.ssllabs.com/ssltest/analyze.html?d=region05eu5.fusionsolar.huawei.com&hideResults=on

Joepiler11 commented 11 months ago

> The problem you have is because Huawei isn't including the intermediate certificate on their chain. I don't think you can fix this locally.
>
> https://www.ssllabs.com/ssltest/analyze.html?d=region05eu5.fusionsolar.huawei.com&hideResults=on

Yes, after letting it sink in for a while I came to the same conclusion; the ssl lab link just drove the point home. (Great resource, thanks for that)

Options:

- Find a way to permanently add the intermediary certificate to the trusted store of my Home Assistant

  I've figured out that placing a .crt in /usr/local/share/ca-certificates and then running update-ca-certificates will do just that, but I have yet to get the web UI to actually pick it up, and it does not persist with a reboot.

- Get Huawei to fix their certificate

- Try to get the intermediary into a future release of Home Assistant
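The failure discussed in this thread (root CA present in the trust store, intermediate not sent by the server) and the local workaround of adding the intermediate to the trust store, reproduced offline as an added example that is not part of the original thread. The certificate names, file names and function names are constructed placeholders, and it assumes the `openssl` command-line tool is installed.

```shell
#!/bin/sh
# Constructed PKI: "Example Root" -> "Example Intermediate" -> "kiosk.example.test".
# Every name and file here is a placeholder generated locally; no server is contacted.

mk_chain() {  # $1 = work dir; leaves root.pem, int.pem and leaf.pem there
  cd "$1" || return 1
  printf '[req]\ndistinguished_name=dn\n[dn]\nCN=placeholder\n' > req.cnf
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext
  for n in root int leaf; do
    openssl genrsa -out "$n.key" 2048 2>/dev/null || return 1
  done
  csr() { openssl req -new -config req.cnf -key "$1.key" -subj "/CN=$2" -out "$1.csr"; }
  csr root "Example Root" && csr int "Example Intermediate" &&
    csr leaf "kiosk.example.test" || return 1
  # Root signs itself, root signs the intermediate, the intermediate signs the leaf.
  openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext \
    -days 30 -out root.pem 2>/dev/null &&
  openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -extfile ca.ext -days 30 -out int.pem 2>/dev/null &&
  openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
    -days 30 -out leaf.pem 2>/dev/null
}

# Case 1: the client trusts the root, the server presents only the leaf.
verify_leaf_only() { openssl verify -CAfile root.pem leaf.pem 2>&1; }

# Case 2: the server also presents the intermediate (a complete chain).
verify_with_chain() { openssl verify -CAfile root.pem -untrusted int.pem leaf.pem 2>&1; }

# Case 3: the intermediate is added to the client's own trust bundle instead.
verify_local_bundle() {
  cat root.pem int.pem > bundle.pem
  openssl verify -CAfile bundle.pem leaf.pem 2>&1
}

work=$(mktemp -d) && mk_chain "$work" || exit 1
echo "leaf only:      $(verify_leaf_only | grep -E 'error [0-9]+|OK')"
echo "with chain:     $(verify_with_chain | grep -E 'error [0-9]+|OK')"
echo "local bundle:   $(verify_local_bundle | grep -E 'error [0-9]+|OK')"
```

Case 1 fails with the same error 20 ("unable to get local issuer certificate") that `openssl s_client` reported above, even though the root is trusted; cases 2 and 3 both verify.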

tijsverkoyen commented 11 months ago

Thx @bugoff and @Joepiler11 for your efforts.

I have sent an email to eu_inverter_support@huawei.com to report this issue. Feel free to do the same. I will close this issue as the root cause is the same as reported in https://github.com/tijsverkoyen/HomeAssistant-FusionSolar/issues/103

Joepiler11 commented 11 months ago

Email sent, fingers crossed

Joepiler11 commented 10 months ago

I've finally received an answer from Huawei support and it just shows they don't really grasp the issue :)

Solution Description

[Problem Description]

[Problem Analysis]

[Root Cause]

[Solution]We figure out that this problem came out because the customer connect with our domain name by Home assistant OS.

That is not our supported scenes to be used.

Please recommend the customer that use Chrome or Edge browser and FusionSolar App to experience our products.

tijsverkoyen commented 10 months ago

From what I can see the issue is fixed: https://www.ssllabs.com/ssltest/analyze.html?d=region05eu5.fusionsolar.huawei.com&hideResults=on&latest