
Comments (15)

Athozs avatar Athozs commented on August 19, 2024 1

I'm glad it's working again :)

from hass-additional-ca.

Athozs avatar Athozs commented on August 19, 2024

Hello, thanks for using Additional CA integration,

It seems that you are using an IP address instead of a hostname to reach your services (Frigate and OPNsense). The common usage is to use hostnames; how did you create your certificates?

Could you check the content of your certificate created for your Frigate service with the following command in a Shell:

openssl x509 -in frigate.crt -text -noout

And check the fields "Subject: CN=" and "X509v3 Subject Alternative Name" (if any); they should contain the hostname of your Frigate instance (or its IP address if you are using an IP address).


Lucavon avatar Lucavon commented on August 19, 2024

Thanks for the response! Yes, I am indeed using IPs for this instead of hostnames due to DNS server issues I had. I generated the certificates using OPNsense's web GUI. I gave the IP as the common name and as an alternative name of type IP when creating it.

Here's the output of the command, with a few parts redacted:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 3 (0x3)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = DE, ST = [REDACTED], L = [REDACTED], O = Lucavon, emailAddress = [REDACTED], CN = [REDACTED]
        Validity
            Not Before: Mar 29 11:22:20 2024 GMT
            Not After : Feb 10 11:22:20 2035 GMT
        Subject: C = DE, ST = [REDACTED], L = [REDACTED], O = Lucavon, emailAddress = [REDACTED], CN = 10.0.3.1
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus: [REDACTED]
                Exponent: [REDACTED]
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                SSL Server
            Netscape Comment:
                OPNsense Generated Server Certificate
            X509v3 Subject Key Identifier:
                [REDACTED]
            X509v3 Authority Key Identifier:
                keyid:[REDACTED]
                DirName:/C=DE/ST=[REDACTED]/L=[REDACTED]/O=Lucavon/emailAddress=[REDACTED]/CN=[REDACTED]
                serial:00
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, 1.3.6.1.5.5.8.2.2
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
            X509v3 Subject Alternative Name:
                IP Address:10.0.3.1
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value: [REDACTED]

As you can see, the names are as they should be. I know that this certificate works because my own browser accepts it (after installing the CA locally). I think the issue is that for some reason, the certificate isn't available system-wide. When I SSH into my HomeAssistant, and run curl -v https://10.0.3.1:443, I get a certificate error. If I then do docker exec <id of homeassistant container> curl -v https://10.0.3.1:443, the certificate is accepted.

So it seems that, for some reason, the additional CA is deployed in the homeassistant docker container, but will not work anywhere else, including, it seems, the Frigate integration, since that runs on the host HassOS without a container (? not sure)

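The question in the two posts above is whether the certificate's CN and Subject Alternative Name cover the address the client actually connects to. The following is an added example written for this thread (my own code, not part of the hass-additional-ca project): it parses the fields of an `openssl x509 -text -noout` dump and applies the matching rule TLS clients use. An IP literal such as 10.0.3.1 is matched only against "IP Address" SAN entries (the CN is not consulted for IPs), while a hostname is matched against "DNS" SAN entries, with the CN used only when the certificate carries no DNS SAN entries at all. The sample dump is constructed from the redacted output posted above; the CN-only counter-example is also constructed.

```python
"""Check whether an X.509 server certificate covers the name or IP a client
connects to, starting from an `openssl x509 -in cert.crt -text -noout` dump.

Added example for this thread, not code from the hass-additional-ca project.
It applies the RFC 6125 style matching rule that TLS clients use:
  - an IP literal is matched only against "IP Address" SAN entries,
  - a hostname is matched against "DNS" SAN entries (leftmost-label
    wildcards allowed), and the Subject CN is consulted only when the
    certificate carries no DNS SAN entries at all.
"""
import ipaddress
import re

# Constructed sample: the redacted dump posted in the thread, cut down to
# the fields this check reads (Subject and Subject Alternative Name).
SAMPLE_OPENSSL_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Subject: C = DE, ST = [REDACTED], L = [REDACTED], O = Lucavon, emailAddress = [REDACTED], CN = 10.0.3.1
        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, 1.3.6.1.5.5.8.2.2
            X509v3 Subject Alternative Name:
                IP Address:10.0.3.1
"""

# Constructed counter-example: the same CN, but no SAN extension at all.
CN_ONLY_TEXT = """\
Certificate:
    Data:
        Subject: O = Lucavon, CN = 10.0.3.1
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
"""


def parse_names(openssl_text):
    """Return (common_name, dns_sans, ip_sans) parsed from an openssl text dump."""
    cn, dns, ips = None, [], []
    lines = openssl_text.splitlines()
    for i, line in enumerate(lines):
        stripped = line.strip()
        if stripped.startswith("Subject:"):
            match = re.search(r"\bCN\s*=\s*([^,]+)", stripped)
            if match:
                cn = match.group(1).strip()
        elif stripped.startswith("X509v3 Subject Alternative Name") and i + 1 < len(lines):
            # openssl prints the entries on the next line, comma separated.
            for entry in lines[i + 1].split(","):
                kind, _, value = entry.strip().partition(":")
                if kind == "DNS":
                    dns.append(value.strip().lower())
                elif kind == "IP Address":
                    ips.append(value.strip())
    return cn, dns, ips


def dns_name_matches(pattern, host):
    """Match a dNSName pattern against a host; '*' may only be the whole leftmost label."""
    if pattern.startswith("*."):
        head, sep, rest = host.partition(".")
        return bool(head) and sep == "." and rest == pattern[2:]
    return pattern == host


def _same_ip(text, ip):
    try:
        return ipaddress.ip_address(text) == ip
    except ValueError:
        return False


def cert_covers(openssl_text, target):
    """Return (ok, reason): will a client connecting to `target` accept these names?"""
    cn, dns, ips = parse_names(openssl_text)
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None

    if ip is not None:
        # IP literals: only iPAddress SAN entries count; the CN is never a fallback.
        if any(_same_ip(entry, ip) for entry in ips):
            return True, f"IP {ip} is listed in the SAN"
        hint = f" (CN = {cn} alone is not enough)" if cn == str(ip) else ""
        return False, f"no iPAddress SAN entry for {ip}{hint}"

    host = target.lower().rstrip(".")
    if dns:
        if any(dns_name_matches(p, host) for p in dns):
            return True, f"host {host} matches a dNSName SAN entry"
        return False, f"no dNSName SAN entry matches {host}"
    # Legacy fallback: the CN is used only when the cert has no DNS SANs at all.
    if cn and dns_name_matches(cn.lower(), host):
        return True, f"host {host} matches CN only (no SAN; strict clients reject this)"
    return False, f"neither SAN nor CN matches {host}"


if __name__ == "__main__":
    for text, target in ((SAMPLE_OPENSSL_TEXT, "10.0.3.1"),
                         (SAMPLE_OPENSSL_TEXT, "frigate.local"),
                         (CN_ONLY_TEXT, "10.0.3.1")):
        print(target, cert_covers(text, target))
```

Run it with the dump from `openssl x509 -in frigate.crt -text -noout` pasted into SAMPLE_OPENSSL_TEXT and the address from your Frigate URL as the target; the posted certificate passes for 10.0.3.1 because of its "IP Address:10.0.3.1" SAN entry, while the CN-only variant fails even though the CN is the same IP.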

milizhang avatar milizhang commented on August 19, 2024

I am having the same issue. Things were working before, but just stopped working recently.


Athozs avatar Athozs commented on August 19, 2024

@Lucavon

HAOS is actually a Linux OS running a homeassistant Docker container inside. Integrations have no control outside the container.

More details here: https://github.com/Athozs/hass-additional-ca?tab=readme-ov-file#42-haos---home-assistant-operating-system

See help for Troubleshooting: https://github.com/Athozs/hass-additional-ca?tab=readme-ov-file#82-haos---home-assistant-operating-system


Athozs avatar Athozs commented on August 19, 2024

@milizhang

What operation did you do recently? Did you upgrade your Home Assistant? If so, don't forget to reboot 🙂


Lucavon avatar Lucavon commented on August 19, 2024

I see, thanks! So if I understand it correctly, Additional CA is not able to apply the CA to integrations running inside other containers (as part of HassOS)?


Athozs avatar Athozs commented on August 19, 2024

@Lucavon

What Home Assistant integrations are running in other containers? In which containers?


Lucavon avatar Lucavon commented on August 19, 2024

Sorry, turns out I was wrong, it doesn't seem like Frigate is in a container. I will try to find another solution. Thanks for your time though!


milizhang avatar milizhang commented on August 19, 2024

@milizhang

What operation did you do recently? Did you upgrade your Home Assistant? If so, don't forget to reboot 🙂

Yes, that was my mistake - I forgot to reboot. (But doesn't the upgrade process trigger a reload/container restart?)


Athozs avatar Athozs commented on August 19, 2024

@milizhang

Yes, that was my mistake - I forgot to reboot. (But doesn't the upgrade process trigger a reload/container restart?)

I think the upgrade process actually triggers a container restart, but Additional CA needs a reboot of HAOS to load the Certificate Authority again at start-up.


Athozs avatar Athozs commented on August 19, 2024

@Lucavon

Sorry, turns out I was wrong, it doesn't seem like Frigate is in a container. I will try to find another solution. Thanks for your time though!

How did you install the Frigate server? With docker on a separate host or with a Home Assistant Addon?


Lucavon avatar Lucavon commented on August 19, 2024

@Athozs I installed the Frigate integration via HACS, as described here: https://docs.frigate.video/integrations/home-assistant

The Frigate server is a docker container (managed via docker compose) on another machine.

HAOS itself runs as a VM on my TrueNAS host, as 10.0.2.2. The Frigate server is a separate machine, running under 10.0.3.1, using the self-signed certificate from the CA, with nginx as an SSL terminator, reverse-proxying the Frigate server. The SSL error is thrown by the HAOS Frigate Integration.

I suspect that the integration installed via HACS runs on the HAOS host directly.


Athozs avatar Athozs commented on August 19, 2024

Home Assistant integrations are Python code loaded by Home Assistant core; in the case of HAOS, HA core is running inside the homeassistant container.
If I'm correct, Home Assistant Addons are docker containers running alongside the homeassistant container in HAOS, which may be confusing.

Do you have any error logs from Home Assistant Settings > System > Logs regarding your Frigate integration?


Lucavon avatar Lucavon commented on August 19, 2024

@Athozs I just checked the logs, but only saw the SSL error again. However, I decided to check the webserver configuration again and realized something. I only used the correct certificate for "/" (I had location = /); all the other paths used another old (invalid, for testing) self-signed certificate. So https://10.0.3.1/ worked, while https://10.0.3.1/api/... did not because they used different certificates. After fixing the webserver config, it started working again.

So, sorry about all this confusion. In the end, the additional-ca addon was working as intended, and it was just me who made a mistake. Sorry for wasting your time, and once again thank you for creating this addon!

