
Comments (9)

satnerd commented on August 19, 2024

@Athozs
I came across this long thread: aiohttp ignoring SSL_CERT_DIR and or SSL_CERT_FILE environment vars. Results in [SSL: CERTIFICATE_VERIFY_FAILED]. At the end of this comment, the fix was adding the certificate to the system truststore. In this thread it is also mentioned that some Python maintainers are reluctant to add the ENV variable approach for security concerns.

There are a number of libraries (requests, ssl, aiohttp, ...) and each allows for a variety of approaches to define which truststore to use. Each homeassistant integration is free to choose its libraries.

I (and others) are unaware of a method allowing HASS OS based homeassistant installations to add environment variables to the homeassistant container.

In the end, I think there is no way around updating all truststores or replacing certifi truststore with a softlink to /etc/ssl/certs/ca-certificates.crt.

What I like about hass-additional-ca is that it is automating this once and for all. So after the homeassistant container is updated, the fixes are re-applied.

from hass-additional-ca.

Athozs commented on August 19, 2024

Hello @satnerd
Could you try to set the environment variable REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt?
As described here: https://github.com/Athozs/hass-additional-ca#5-requests_ca_bundle-environment-variable


Athozs commented on August 19, 2024

@satnerd
I guess you're using frigate-hass-integration?
If so, I can see frigate-hass-integration is using aiohttp as a Python requirement.
I had a similar issue for my own custom CA with the RESTful Command integration; I opened an issue at the Home Assistant Core project: home-assistant/core#94164


satnerd commented on August 19, 2024

Hi @Athozs

I set up my homeassistant following the guide How to Install and Configure KVM on Debian 11 Bullseye Linux.
This type of installation loads Home Assistant OS into a VM. It comes with Supervisor. The same approach is used for RPi.

My installation has no docker-compose.yaml to which I could add REQUESTS_CA_BUNDLE. This is the only way I know how to add an environment variable in a persistent way.1)
Please elaborate a bit how to do this.

I ran 'docker exec -ti homeassistant /bin/bash' and added my root certificate to /usr/local/lib/python3.11/site-packages/certifi/cacert.pem using vi.
It works. And it will stop working when the homeassistant container is updated or I pull the image again.

And yes, I am on the frigate integration.
I am hesitant to bother the frigate developer, because Python libraries like ssl and aiohttp keep this abstracted from the frigate project.

I tried to find out more on my Home Assistant OS installation. It uses containerd:

# systemctl status containerd.service|grep "$(docker ps --no-trunc --filter name=homeassistant --format='{{ .ID }}')"
             └─757407 /usr/bin/containerd-shim-runc-v2 -namespace moby -id fa0a71d856db49980da62de2f5e1768daf1b4c75fab31359dd96305c06b1b2ba -address /run/containerd/containerd.sock

According to "Docker daemon (not containers) can't read environment variables", variables can be set in /etc/systemd/system/docker.service.d/env.conf.

I tried. Unfortunately, /etc/ is in the root partition, which is mounted read-only. Back to 1).


Athozs commented on August 19, 2024

@satnerd
It sounds like you're getting to an interesting point, because I could not find on the internet a reliable way to permanently set an environment variable in Home Assistant OS (some kind of hack may be possible, I guess).

But, if your integration is using aiohttp under the hood (which seems to be the case for frigate-hass-integration), it may be useless to set the REQUESTS_CA_BUNDLE env var, because, as you mentioned in your first message, there is an SSL context coded inside Home Assistant Core.

If I understand correctly, frigate-hass-integration will inherit from the Hass Core aiohttp client, but the Hass Core aiohttp client cannot see the custom CA, I don't know why (home-assistant/core#94164).

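The two points the thread circles around (which consumer honours which environment variable, and how to trust an extra CA without editing certifi's cacert.pem) as an added example; this is not code from the thread or from hass-additional-ca, and the helper names, the consumer table and the sample environment are constructed here:

```python
import os
import ssl

# Constructed table: which environment variables each trust-store consumer honours.
# aiohttp deliberately has no entry: it reads no env var of its own and verifies
# against whatever SSLContext it is handed, so REQUESTS_CA_BUNDLE cannot reach an
# aiohttp client whose context Home Assistant Core builds itself, as the thread describes.
CA_ENV_BY_CONSUMER = {
    "openssl/ssl": ("SSL_CERT_FILE", "SSL_CERT_DIR"),
    "requests": ("REQUESTS_CA_BUNDLE", "CURL_CA_BUNDLE"),
}


def effective_ca_sources(env, exists=os.path.exists):
    """For each consumer, report the first override variable set in `env` (first match
    wins, mirroring how requests prefers REQUESTS_CA_BUNDLE over CURL_CA_BUNDLE) and
    whether the path it names is present. `exists` is injectable for offline testing."""
    report = {}
    for consumer, variables in CA_ENV_BY_CONSUMER.items():
        chosen = next(((v, env[v]) for v in variables if env.get(v)), None)
        if chosen is None:
            report[consumer] = {"variable": None, "path": None, "exists": None}
        else:
            var, path = chosen
            report[consumer] = {"variable": var, "path": path, "exists": exists(path)}
    return report


def build_verify_context(extra_ca_pem=None):
    """Hypothetical helper: a verification context that trusts certifi's bundle (when
    installed) plus an additional CA given as PEM text. Loading both into one context
    avoids editing certifi's cacert.pem, so the addition survives an image update."""
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH)
    try:
        import certifi
        ctx.load_verify_locations(cafile=certifi.where())
    except ImportError:
        pass  # OpenSSL default paths remain, which honour SSL_CERT_FILE / SSL_CERT_DIR
    if extra_ca_pem:
        ctx.load_verify_locations(cadata=extra_ca_pem)
    return ctx


if __name__ == "__main__":
    # Diagnostic: show which CA overrides are in effect for the current process.
    for consumer, info in effective_ca_sources(os.environ).items():
        print(f"{consumer:12} {info}")
```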

Athozs commented on August 19, 2024

I completely agree with your last message.
May I close this issue, or do you have any suggestion? :)


satnerd commented on August 19, 2024

Well, the issue is unresolved.
If I find some time, I might pull the repo and change the code.

  • replace the truststore provided by certifi with a link to /etc/ssl/certs/ca-certificates.crt


Athozs commented on August 19, 2024

I understand your concern. Here is why I did not modify certifi:

Certifi does not support any addition/removal or other modification of the CA trust store content. This project is intended to provide a reliable and highly portable root of trust to python deployments. Look to upstream projects for methods to use alternate trust.


satnerd commented on August 19, 2024

OK, I guess it is best to close this issue then.

