athozs / hass-additional-ca
Add private Certificate Authority or self-signed certificate into Home Assistant to access 3rd-party service with TLS/SSL.
License: MIT License
Hey @Athozs,
thanks for developing this integration!
I've got the following issue:
Do you have an idea/fix for this? Thanks in advance!
My Setup:
Describe the issue
Since update to HAOS 12.3 and/or 2024.6, I got those warnings in logs after HA start up:
Detected blocking call to open inside the event loop by custom integration 'additional_ca' at custom_components/
Describe your setup (please complete the following information):
YAML configuration extract
additional_ca:
  my_awesome_ca: ca-cert.crt
environment_variable:
  REQUESTS_CA_BUNDLE: /etc/ssl/certs/ca.crt
Logs
Enregistreur: homeassistant.util.loop
Source: util/loop.py:84
S'est produit pour la première fois: 00:03:40 (7 occurrences)
Dernier enregistrement: 00:03:40
Detected blocking call to open inside the event loop by custom integration 'additional_ca' at custom_components/additional_ca/__init__.py, line 149: shutil.copyfile(certifi_bundle_path, certifi_backup) (offender: /usr/local/lib/python3.12/shutil.py, line 260: with open(src, 'rb') as fsrc:), please create a bug report at https://github.com/Athozs/hass-additional-ca/issues Traceback (most recent call last): File "<frozen runpy>", line 198, in _run_module_as_main File "<frozen runpy>", line 88, in _run_code File "/usr/src/homeassistant/homeassistant/__main__.py", line 223, in <module> sys.exit(main()) File "/usr/src/homeassistant/homeassistant/__main__.py", line 209, in main exit_code = runner.run(runtime_conf) File "/usr/src/homeassistant/homeassistant/runner.py", line 190, in run return loop.run_until_complete(setup_and_run_hass(runtime_config)) File "/usr/local/lib/python3.12/asyncio/base_events.py", line 672, in run_until_complete self.run_forever() File "/usr/local/lib/python3.12/asyncio/base_events.py", line 639, in run_forever self._run_once() File "/usr/local/lib/python3.12/asyncio/base_events.py", line 1988, in _run_once handle._run() File "/usr/local/lib/python3.12/asyncio/events.py", line 88, in _run self._context.run(self._callback, *self._args) File "/usr/src/homeassistant/homeassistant/setup.py", line 165, in async_setup_component result = await _async_setup_component(hass, domain, config) File "/usr/src/homeassistant/homeassistant/setup.py", line 402, in _async_setup_component result = await task File "/config/custom_components/additional_ca/__init__.py", line 53, in async_setup await update_certifi_certificates(hass, config) File "/config/custom_components/additional_ca/__init__.py", line 149, in update_certifi_certificates shutil.copyfile(certifi_bundle_path, certifi_backup)
Detected blocking call to open inside the event loop by custom integration 'additional_ca' at custom_components/additional_ca/__init__.py, line 149: shutil.copyfile(certifi_bundle_path, certifi_backup) (offender: /usr/local/lib/python3.12/shutil.py, line 262: with open(dst, 'wb') as fdst:), please create a bug report at https://github.com/Athozs/hass-additional-ca/issues Traceback (most recent call last): File "<frozen runpy>", line 198, in _run_module_as_main File "<frozen runpy>", line 88, in _run_code File "/usr/src/homeassistant/homeassistant/__main__.py", line 223, in <module> sys.exit(main()) File "/usr/src/homeassistant/homeassistant/__main__.py", line 209, in main exit_code = runner.run(runtime_conf) File "/usr/src/homeassistant/homeassistant/runner.py", line 190, in run return loop.run_until_complete(setup_and_run_hass(runtime_config)) File "/usr/local/lib/python3.12/asyncio/base_events.py", line 672, in run_until_complete self.run_forever() File "/usr/local/lib/python3.12/asyncio/base_events.py", line 639, in run_forever self._run_once() File "/usr/local/lib/python3.12/asyncio/base_events.py", line 1988, in _run_once handle._run() File "/usr/local/lib/python3.12/asyncio/events.py", line 88, in _run self._context.run(self._callback, *self._args) File "/usr/src/homeassistant/homeassistant/setup.py", line 165, in async_setup_component result = await _async_setup_component(hass, domain, config) File "/usr/src/homeassistant/homeassistant/setup.py", line 402, in _async_setup_component result = await task File "/config/custom_components/additional_ca/__init__.py", line 53, in async_setup await update_certifi_certificates(hass, config) File "/config/custom_components/additional_ca/__init__.py", line 149, in update_certifi_certificates shutil.copyfile(certifi_bundle_path, certifi_backup)
Detected blocking call to open inside the event loop by custom integration 'additional_ca' at custom_components/additional_ca/__init__.py, line 154: with open(certifi_bundle_path, "r") as f: (offender: /config/custom_components/additional_ca/__init__.py, line 154: with open(certifi_bundle_path, "r") as f:), please create a bug report at https://github.com/Athozs/hass-additional-ca/issues Traceback (most recent call last): File "<frozen runpy>", line 198, in _run_module_as_main File "<frozen runpy>", line 88, in _run_code File "/usr/src/homeassistant/homeassistant/__main__.py", line 223, in <module> sys.exit(main()) File "/usr/src/homeassistant/homeassistant/__main__.py", line 209, in main exit_code = runner.run(runtime_conf) File "/usr/src/homeassistant/homeassistant/runner.py", line 190, in run return loop.run_until_complete(setup_and_run_hass(runtime_config)) File "/usr/local/lib/python3.12/asyncio/base_events.py", line 672, in run_until_complete self.run_forever() File "/usr/local/lib/python3.12/asyncio/base_events.py", line 639, in run_forever self._run_once() File "/usr/local/lib/python3.12/asyncio/base_events.py", line 1988, in _run_once handle._run() File "/usr/local/lib/python3.12/asyncio/events.py", line 88, in _run self._context.run(self._callback, *self._args) File "/usr/src/homeassistant/homeassistant/setup.py", line 165, in async_setup_component result = await _async_setup_component(hass, domain, config) File "/usr/src/homeassistant/homeassistant/setup.py", line 402, in _async_setup_component result = await task File "/config/custom_components/additional_ca/__init__.py", line 53, in async_setup await update_certifi_certificates(hass, config) File "/config/custom_components/additional_ca/__init__.py", line 154, in update_certifi_certificates with open(certifi_bundle_path, "r") as f:
Detected blocking call to open inside the event loop by custom integration 'additional_ca' at custom_components/additional_ca/__init__.py, line 168: with open(additional_ca_fullpath, "r") as f: (offender: /config/custom_components/additional_ca/__init__.py, line 168: with open(additional_ca_fullpath, "r") as f:), please create a bug report at https://github.com/Athozs/hass-additional-ca/issues Traceback (most recent call last): File "<frozen runpy>", line 198, in _run_module_as_main File "<frozen runpy>", line 88, in _run_code File "/usr/src/homeassistant/homeassistant/__main__.py", line 223, in <module> sys.exit(main()) File "/usr/src/homeassistant/homeassistant/__main__.py", line 209, in main exit_code = runner.run(runtime_conf) File "/usr/src/homeassistant/homeassistant/runner.py", line 190, in run return loop.run_until_complete(setup_and_run_hass(runtime_config)) File "/usr/local/lib/python3.12/asyncio/base_events.py", line 672, in run_until_complete self.run_forever() File "/usr/local/lib/python3.12/asyncio/base_events.py", line 639, in run_forever self._run_once() File "/usr/local/lib/python3.12/asyncio/base_events.py", line 1988, in _run_once handle._run() File "/usr/local/lib/python3.12/asyncio/events.py", line 88, in _run self._context.run(self._callback, *self._args) File "/usr/src/homeassistant/homeassistant/setup.py", line 165, in async_setup_component result = await _async_setup_component(hass, domain, config) File "/usr/src/homeassistant/homeassistant/setup.py", line 402, in _async_setup_component result = await task File "/config/custom_components/additional_ca/__init__.py", line 53, in async_setup await update_certifi_certificates(hass, config) File "/config/custom_components/additional_ca/__init__.py", line 168, in update_certifi_certificates with open(additional_ca_fullpath, "r") as f:
Detected blocking call to open inside the event loop by custom integration 'additional_ca' at custom_components/additional_ca/__init__.py, line 179: with open(certifi_bundle_path, "a") as cafile: (offender: /config/custom_components/additional_ca/__init__.py, line 179: with open(certifi_bundle_path, "a") as cafile:), please create a bug report at https://github.com/Athozs/hass-additional-ca/issues Traceback (most recent call last): File "<frozen runpy>", line 198, in _run_module_as_main File "<frozen runpy>", line 88, in _run_code File "/usr/src/homeassistant/homeassistant/__main__.py", line 223, in <module> sys.exit(main()) File "/usr/src/homeassistant/homeassistant/__main__.py", line 209, in main exit_code = runner.run(runtime_conf) File "/usr/src/homeassistant/homeassistant/runner.py", line 190, in run return loop.run_until_complete(setup_and_run_hass(runtime_config)) File "/usr/local/lib/python3.12/asyncio/base_events.py", line 672, in run_until_complete self.run_forever() File "/usr/local/lib/python3.12/asyncio/base_events.py", line 639, in run_forever self._run_once() File "/usr/local/lib/python3.12/asyncio/base_events.py", line 1988, in _run_once handle._run() File "/usr/local/lib/python3.12/asyncio/events.py", line 88, in _run self._context.run(self._callback, *self._args) File "/usr/src/homeassistant/homeassistant/setup.py", line 165, in async_setup_component result = await _async_setup_component(hass, domain, config) File "/usr/src/homeassistant/homeassistant/setup.py", line 402, in _async_setup_component result = await task File "/config/custom_components/additional_ca/__init__.py", line 53, in async_setup await update_certifi_certificates(hass, config) File "/config/custom_components/additional_ca/__init__.py", line 179, in update_certifi_certificates with open(certifi_bundle_path, "a") as cafile:
Additional context
Warnings appear after HA has started, everything works after that.
Hello,
The add-on does not add self-signed CA certificates. I have installed Home Assistant OS version 11.5 on a Mini PC. Here are my configurations:
...
cat /config/configuration.yaml
default_config:
additional_ca:
  Test: /config/additional_ca/HarbichCA.pem # a cert file
tts:
  - platform: google_translate
frontend:
  themes: !include_dir_merge_named themes
automation: !include automations.yaml
script: !include scripts.yaml
scene: !include scenes.yaml
http:
  ip_ban_enabled: true
  login_attempts_threshold: 3
  server_port: 8123
  use_x_forwarded_for: true
  trusted_proxies:
    - 127.0.0.1
    - 192.168.0.0/16
    - ::1
...
...
ls -la /config/additional_ca
total 16
drwxr-xr-x 2 root root 4096 Feb 17 00:27 .
drwxr-xr-x 13 root root 4096 Feb 17 12:57 ..
-rw-r--r-- 1 root root 1342 Feb 17 00:19 HarbichCA.crt
-rw-r--r-- 1 root root 1342 Feb 17 00:27 HarbichCA.pem
...
...
cat /config/additional_ca/HarbichCA.pem
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
...
...
ls -la /config/custom_components/additional_ca
total 36
drwxr-xr-x 3 root root 4096 Feb 17 12:44 .
drwxr-xr-x 4 root root 4096 Feb 17 12:43 ..
-rw-r--r-- 1 root root 5520 Feb 17 12:43 __init__.py
drwxr-xr-x 2 root root 4096 Feb 17 12:44 __pycache__
-rw-r--r-- 1 root root 204 Feb 17 12:43 const.py
-rw-r--r-- 1 root root 337 Feb 17 12:43 manifest.json
-rw-r--r-- 1 root root 462 Feb 17 12:43 storage.py
-rw-r--r-- 1 root root 2076 Feb 17 12:43 utils.py
...
...
cat /config/home-assistant.log
2024-02-17 12:57:18.554 WARNING (SyncWorker_3) [homeassistant.loader] We found a custom integration hacs which has not been tested by Home Assistant. This component might cause stability problems, be sure to disable it if you experience issues with Home Assistant
2024-02-17 12:57:18.555 WARNING (SyncWorker_3) [homeassistant.loader] We found a custom integration additional_ca which has not been tested by Home Assistant. This component might cause stability problems, be sure to disable it if you experience issues with Home Assistant
...
Why isn't my HarbichCA.pem certificate added?
Greetings from Stefan Harbich
Describe the issue
Hi, thanks for making this addon. I have a small problem with it: While it works for me on HassOS itself, the Frigate integration appears to be unable to use the CA. I have already tried restarting everything.
Describe your setup (please complete the following information):
YAML configuration extract
An extract of your YAML configuration:
default_config:
additional_ca:
  luca: luca.crt
Logs
Error fetching information from https://10.0.3.1/api/stats: Cannot connect to host 10.0.3.1:443 ssl:default [Connect call failed ('10.0.3.1', 443)]
Error fetching information from https://10.0.3.1/api/stats: Cannot connect to host 10.0.3.1:443 ssl:True [SSLCertVerificationError: (1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1000)')]
Additional context
Add any other context about the problem here.
I believe this might also be the case with the opnsense integration: urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='10.0.0.1', port=1443): Max retries exceeded with url: /api/diagnostics/interface/getArp (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate in certificate chain (_ssl.c:1000)'))
While working on enabling TLS for the Frigate integration, I came across this error:
[custom_components.frigate.api] Error fetching information from https://redacted.dns.name:5000/api/stats: Cannot connect to host redacted.dns.name:5000 ssl:True [SSLCertVerificationError: (1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1002)')]
According to the comment below from the file /usr/src/homeassistant/homeassistant/util/ssl.py in the Docker container homeassistant:
# Reuse environment variable definition from requests, since it's already a
# requirement. If the environment variable has no value, fall back to using
# certs from certifi package.
I found that when the CA certificate is also put into the CAFile provided by certifi, which is in my case /usr/local/lib/python3.11/site-packages/certifi/cacert.pem, TLS is working like a breeze.
Probably a better solution to the above hard-wired path would be running the following command:
homeassistant:/config# python3 -m certifi
/usr/local/lib/python3.11/site-packages/certifi/cacert.pem
I did not know the Python module certifi provides its own implementation of a truststore which completely ignores /etc/ssl/certs.
And this is how most ssl.contexts seem to be created (according to the code in util/ssl.py).
Would be cool if you could extend this HACS Integration accordingly.
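The two technical points raised in these issues, appending a private CA to the certifi bundle and keeping the file I/O that does so off the asyncio event loop, are combined in this added example, which is not the integration's own code. The names `pem_blocks`, `append_ca`, `async_append_ca` and `demo`, the file names and the sample PEM data are all constructed for illustration; in Home Assistant the bundle path would come from `certifi.where()` and the executor call would be `hass.async_add_executor_job`.

```python
import asyncio
import base64
import shutil
import ssl
import tempfile
from pathlib import Path

BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"

def pem_blocks(text: str):
    """Yield every PEM certificate block found in text."""
    start = text.find(BEGIN)
    while start != -1:
        end = text.find(END, start)
        if end == -1:
            return
        yield text[start:end + len(END)]
        start = text.find(BEGIN, end)

def append_ca(bundle: Path, ca_file: Path) -> bool:
    """Blocking: append certificates missing from bundle; True if it changed."""
    new = list(pem_blocks(ca_file.read_text()))
    if not new:
        raise ValueError(f"{ca_file} contains no PEM certificate")
    # Compare decoded bytes so whitespace differences cannot cause duplicates.
    known = {ssl.PEM_cert_to_DER_cert(b) for b in pem_blocks(bundle.read_text())}
    missing = [b for b in new if ssl.PEM_cert_to_DER_cert(b) not in known]
    if not missing:
        return False
    backup = bundle.with_name(bundle.name + ".bak")
    if not backup.exists():
        shutil.copyfile(bundle, backup)  # keep the untouched bundle once
    with bundle.open("a") as fh:
        fh.write("\n" + "\n".join(missing) + "\n")
    return True

async def async_append_ca(bundle: Path, ca_file: Path) -> bool:
    # All file I/O runs in a worker thread, so the event loop never blocks.
    loop = asyncio.get_running_loop()
    return await loop.run_in_executor(None, append_ca, bundle, ca_file)

def demo():
    def fake_pem(body: bytes) -> str:  # constructed: PEM framing, not a real cert
        return f"{BEGIN}\n{base64.b64encode(body).decode()}\n{END}\n"
    with tempfile.TemporaryDirectory() as tmp:
        bundle, ca = Path(tmp, "cacert.pem"), Path(tmp, "my_ca.pem")
        bundle.write_text(fake_pem(b"public-root"))
        ca.write_text(fake_pem(b"private-ca"))
        runs = [asyncio.run(async_append_ca(bundle, ca)) for _ in range(2)]
        return runs, len(list(pem_blocks(bundle.read_text())))
```

Every client that loads the certifi bundle trusts whatever is appended to it, so only a CA certificate you control belongs there. The second run returns False because the certificate is already present, which keeps repeated start-ups from growing the bundle.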