
Comments (15)

sharbich avatar sharbich commented on July 19, 2024 1

HAOS is a linux OS with Home Assistant running in a container inside. You must look into the container to check your certificates.
From SSH prompt, run docker exec -ti homeassistant bash to go inside container. You need protection mode disabled in SSH Add-on config.
You may try Home Assistant Docker installation instead.

Hello Athozs,
how right you are. I wasn't in the Homeassistant container the whole time. Only on the Home Assistant OS Mini operating system. Everything now works in the Homeassistant container. I forgot that everything runs in containers. Also the add-ons.
Greetings from Stefan Harbich

from hass-additional-ca.

sharbich avatar sharbich commented on July 19, 2024 1

@sharbich what service/device are you trying to reach from Home Assistant with SSL ?

Hello Athozs,
because I log in to Homeassistant via my LDAP server. This is only possible in encrypted form.
Greetings from Stefan Harbich

from hass-additional-ca.

Athozs avatar Athozs commented on July 19, 2024

Hello @sharbich

If you look at the logs, I think they should tell you that the path to your certificate wasn't found.

Could you try something like the following config, specify the relative path to the certificate instead of absolute path, like this:

default_config:
additional_ca:
  Test: HarbichCA.pem
# ...
# here is the rest of your config

from hass-additional-ca.

sharbich avatar sharbich commented on July 19, 2024

from hass-additional-ca.

sharbich avatar sharbich commented on July 19, 2024

Hello Athozs,
I have the following questions:
How do I turn on debug logging?
How is integrity started?
Could it be a rights issue?
Is it a bug in the Python script?
Thank you in advance for your support.

from hass-additional-ca.

Athozs avatar Athozs commented on July 19, 2024

Hi sharbich,

How do I turn on debug logging?

Add the following in configuration.yaml:

logger:
  default: info

How is integrity started?

See section How does Additional CA work under the hood ? in docs

Could it be a rights issue?

I don't think so, in my HAOS test VM I have

➜  additional_ca ll
total 4K     
-rw-r--r--    1 root     root        1.1K Jan 29 12:02 ca.crt

Is it a bug in the Python script?

I don't know yet.
If possible, could you copy-paste logs mentioning additional_ca ?
What is your use-case ?
Why do you have both a HarbichCA.pem and a HarbichCA.crt files ?
Why only adding HarbichCA.pem to your CA store ? Why not HarbichCA.crt ?
Your HarbichCA.pem has an empty line, seems unusual.

Could you check your certificate validity with the following command line:

openssl x509 -in config/additional_ca/HarbichCA.pem -text -noout 

from hass-additional-ca.

sharbich avatar sharbich commented on July 19, 2024

Add the following in configuration.yaml:

logger:
  default: info

I have set the logging to debug and don't get any display when starting the device. So I can't see if your add-on is working properly. Why not? Does the add-on not work?

I don't think so, in my HAOS test VM I have

➜  additional_ca ll
total 4K     
-rw-r--r--    1 root     root        1.1K Jan 29 12:02 ca.crt

That's how it looks to me too.

I don't know yet. If possible, could you copy-paste logs mentioning additional_ca ? What is your use-case ? Why do you have both a HarbichCA.pem and a HarbichCA.crt files ? Why only adding HarbichCA.pem to your CA store ? Why not HarbichCA.crt ? Your HarbichCA.pem has an empty line, seems unusual.

I deleted two extra columns in the certificate (data protection).
I only tried HarbichCA.crt. Without success. How does the add-on work when Homeassistant starts? Which process starts the Python scripts in the "/config/custom_components/additional_ca/" directory? How can I check this?

Greetings from Stefan Harbich

from hass-additional-ca.

sharbich avatar sharbich commented on July 19, 2024

Hello Athozs,
I copy the file HarbichCA.crt to the folder "/usr/local/share/ca-certificates/" and run the command "update-ca-certificates"; the self-signed certificate is added. This means that your script no longer works.

from hass-additional-ca.

Athozs avatar Athozs commented on July 19, 2024

Hello,

It's an integration, not only a script, it is run by Home Assistant itself.

Could you try the following

  • Use only one cert, must be the same in path and in config (HarbichCA.crt)
  • stop and remove your homeassistant container
  • Reboot HAOS

Then provide the logs here, I cannot help without logs.
Please describe your use case with details.

from hass-additional-ca.

sharbich avatar sharbich commented on July 19, 2024

Hello Athozs,
I have installed Home Assistant OS 11.5, Home Assistant Core 2024.2.2 on a Mini PC. The file “HarbichCA.crt” is located in the “/config/additional_ca” folder. Here is the logging information from the file "/config/home-assistant.log". I see in the log that "additional_ca" was started successfully and a file called "HarbichCA.crt" was found.
cat /config/home-assistant.log | grep additional
2024-02-18 23:41:48.248 WARNING (SyncWorker_2) [homeassistant.loader] We found a custom integration additional_ca which has not been tested by Home Assistant. This component might cause stability problems, be sure to disable it if you experience issues with Home Assistant
2024-02-18 23:41:50.690 INFO (MainThread) [homeassistant.bootstrap] Setting up stage 2: {'blueprint', 'onboarding', 'auth', 'tts', 'trace', 'logbook', 'stream', 'diagnostics', 'input_select', 'device_automation', 'additional_ca', 'analytics', 'shopping_list', 'person', 'zone', 'lovelace', 'ffmpeg', 'scene', 'repairs', 'mobile_app', 'default_config', 'hardware', 'system_health', 'script', 'media_source', 'counter', 'history', 'input_boolean', 'input_button', 'assist_pipeline', 'file_upload', 'input_text', 'map', 'radio_browser', 'conversation', 'stt', 'openweathermap', 'automation', 'sun', 'homeassistant_alerts', 'config', 'image_upload', 'input_datetime', 'search', 'wake_word', 'timer', 'tag', 'input_number', 'google_translate', 'persistent_notification', 'hacs', 'my', 'schedule', 'energy', 'application_credentials', 'met'}
2024-02-18 23:41:51.158 INFO (MainThread) [homeassistant.setup] Setting up additional_ca
2024-02-18 23:41:51.580 INFO (MainThread) [custom_components.additional_ca] Ready.
2024-02-18 23:41:51.638 INFO (MainThread) [custom_components.additional_ca] Test (HarbichCA.crt) -> loaded.
2024-02-18 23:41:51.638 INFO (MainThread) [custom_components.additional_ca] Installation type = Home Assistant OS
2024-02-18 23:41:51.639 INFO (MainThread) [homeassistant.setup] Setup of domain additional_ca took 0.5 seconds
2024-02-18 23:56:52.130 INFO (MainThread) [homeassistant.components.analytics] Submitted analytics to Home Assistant servers. Information submitted includes {'uuid': 'dc2f8891f23a4071a22e88839d3fd529', 'version': '2024.2.2', 'installation_type': 'Home Assistant OS', 'supervisor': {'healthy': True, 'supported': True, 'arch': 'amd64'}, 'operating_system': {'board': 'generic-x86-64', 'version': '11.5'}, 'certificate': False, 'integrations': ['shopping_list', 'person', 'http', 'default_config', 'script', 'radio_browser', 'openweathermap', 'google_translate', 'met', 'logger', 'tts', 'scene', 'bluetooth', 'automation', 'sun', 'frontend', 'hassio'], 'custom_integrations': [{'domain': 'additional_ca', 'version': <AwesomeVersion SemVer '0.0.0'>}, {'domain': 'hacs', 'version': <AwesomeVersion SemVer '1.34.0'>}], 'addons': [{'slug': 'a0d7b954_ssh', 'protected': True, 'version': '17.1.0', 'auto_update': True}, {'slug': 'core_configurator', 'protected': True, 'version': '5.8.0', 'auto_update': True}], 'energy': {'configured': False}, 'recorder': {'engine': 'sqlite', 'version': <AwesomeVersion SimpleVer '3.44.2'>}, 'state_count': 46, 'automation_count': 0, 'integration_count': 17, 'addon_count': 2, 'user_count': 3}
This file was not copied to the /usr/local/share/ca-certificates directory. It is also not present in the “/etc/ssl/certs” directory. If I do everything manually I see the file in the "/etc/ssl/certs" directory like this:
cat /etc/ssl/certs/ca-cert-HarbichCA.pem
Can you tell me how Homeassistant starts the add-on internally?

from hass-additional-ca.

Athozs avatar Athozs commented on July 19, 2024

Can you tell me how Homeassistant starts the add-on internally?

Home Assistant looks for integrations in config/custom_components directory and loads them automatically, according to the domain key additional_ca in configuration.yaml for this integration.

In case of HAOS, using update-ca-certificates is not enough because you cannot permanently set the environment variable REQUESTS_CA_BUNDLE.

In case of HAOS, this is why Additional CA integration also adds your certificate into Certifi CA bundle, located at /usr/local/lib/python3.12/site-packages/certifi/cacert.pem.

You may need to reset the Certifi CA bundle.

I updated the docs, could you follow the troubleshooting guide for HAOS at https://github.com/Athozs/hass-additional-ca?tab=readme-ov-file#82-haos---home-assistant-operating-system in order to reset the homeassistant container inside HAOS.

from hass-additional-ca.
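
Added example (not part of the thread and not the integration's own code): one way to confirm, from inside the homeassistant container, that a private CA really is in a given trust bundle such as the Certifi cacert.pem mentioned above. It compares certificates by the SHA-256 of their decoded bytes, so a blank line or different line wrapping in the .pem/.crt file does not cause a false "missing"; the function names and the sample PEM blocks (placeholder bytes, not real X.509) are constructed for illustration.

```python
import base64
import hashlib
import re
import sys

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def cert_fingerprints(pem_text):
    # Hash the decoded bytes of every PEM block; whitespace, blank lines and
    # CRLF endings inside the block are ignored, so two copies always match.
    return {
        hashlib.sha256(base64.b64decode("".join(body.split()))).hexdigest()
        for body in PEM_RE.findall(pem_text)
    }

def missing_from_bundle(ca_pem_text, bundle_pem_text):
    """Fingerprints of the CA file's certificates that the bundle lacks."""
    wanted = cert_fingerprints(ca_pem_text)
    if not wanted:
        raise ValueError("no PEM certificate found in CA file")
    return wanted - cert_fingerprints(bundle_pem_text)

def check_files(ca_path, bundle_paths):
    """Per bundle: True = CA present, False = absent, None = file not found."""
    with open(ca_path, encoding="utf-8", errors="replace") as fh:
        ca_text = fh.read()
    status = {}
    for path in bundle_paths:
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                status[path] = not missing_from_bundle(ca_text, fh.read())
        except FileNotFoundError:
            status[path] = None
    return status

def make_pem(payload, width):
    """Build a constructed PEM block (placeholder bytes, not a real X.509 cert)."""
    b64 = base64.b64encode(payload).decode()
    rows = [b64[i:i + width] for i in range(0, len(b64), width)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(rows) + "\n-----END CERTIFICATE-----\n"

# Constructed sample: the bundle holds the same "CA" re-wrapped, with a blank line.
SAMPLE_CA = make_pem(b"constructed private CA " * 8, 64)
SAMPLE_BUNDLE = (make_pem(b"constructed public root " * 8, 64) + "\n"
                 + make_pem(b"constructed private CA " * 8, 32).replace("\n", "\n\n", 1))

if __name__ == "__main__":
    if len(sys.argv) > 2:  # usage: <ca file> <bundle> [<bundle> ...]
        print(check_files(sys.argv[1], sys.argv[2:]))
    else:
        print("sample CA in sample bundle:", not missing_from_bundle(SAMPLE_CA, SAMPLE_BUNDLE))
```

Run it inside the container with the CA file from /config/additional_ca as the first argument and the bundle paths to check after it; a result of None means that bundle path does not exist in the environment you are looking at.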

sharbich avatar sharbich commented on July 19, 2024

In case of HAOS, this is why Additional CA integration also adds your certificate into Certifi CA bundle, located at /usr/local/lib/python3.12/site-packages/certifi/cacert.pem.

The directory mentioned above does not exist for me. All of your suggestions don't work either. The add-on doesn't work. I'm thinking about a supervisor installation. It just bothers me with Homeassistant that everything is so limited. Reminds me a little of Microsoft. Not open source. I'm thinking about an alternative.

from hass-additional-ca.

Athozs avatar Athozs commented on July 19, 2024

HAOS is a linux OS with Home Assistant running in a container inside. You must look into the container to check your certificates.

From SSH prompt, run docker exec -ti homeassistant bash to go inside container. You need protection mode disabled in SSH Add-on config.

You may try Home Assistant Docker installation instead.

from hass-additional-ca.

Athozs avatar Athozs commented on July 19, 2024

@sharbich what service/device are you trying to reach from Home Assistant with SSL ?

from hass-additional-ca.

Athozs avatar Athozs commented on July 19, 2024

Glad to know it's working now :)

Hello Athozs, because I log in to Homeassistant via my LDAP server. This is only possible in encrypted form. Greetings from Stefan Harbich

Very good reason 👍

from hass-additional-ca.
