private ca stopped working with update HAOS 14.0 #13

Open
Dede1441 opened this issue Dec 10, 2024 · 9 comments

Comments

@Dede1441

Describe the issue

I added a private CA a while ago and everything was working fine. I updated from the GUI to the latest HAOS and the CA isn't trusted anymore; integrations using HTTPS like AdGuard or the Frigate proxy stopped working.

I tried to uninstall the additional_ca integration, and also the Frigate proxy integration, without success.

Describe your setup (please complete the following information):

  • Installation type: HAOS
  • HAOS version (if applicable): 14.0
  • Home Assistant core version: 2024.12.1
  • Additional CA integration version: 0.2.4
  • Kind of certificate you use: private root ca

YAML configuration extract

default_config:
...
additional_ca:
  my_private_ca: CA_VPN.crt
...

Logs

Supervisor logs:

2024-12-10 17:07:07.091 INFO (MainThread) [custom_components.additional_ca] my_private_ca (CA_VPN.crt) -> loaded.
2024-12-10 17:07:07.091 INFO (MainThread) [custom_components.additional_ca] Installation type = Home Assistant OS
2024-12-10 17:07:07.102 INFO (MainThread) [custom_components.additional_ca] Certifi bundle CA ready.
2024-12-10 17:07:07.124 INFO (MainThread) [custom_components.additional_ca] my_private_ca (CA_VPN.crt) -> loaded into Certifi CA bundle.
2024-12-10 17:07:07.124 INFO (MainThread) [homeassistant.setup] Setup of domain additional_ca took 0.29 seconds

Logs from the Frigate integration:

Error fetching information from https://frigateale.onehome.lan:543/api/stats: Cannot connect to host frigateale.onehome.lan:543 ssl:True [SSLCertVerificationError: (1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Basic Constraints of CA cert not marked critical (_ssl.c:1020)')]

Debug from the HA CLI:
[screenshot]

Debug from another desktop in the same subnet, with the private CA:
[screenshot]

CA validity:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=vpn.team-lcbs.eu, C=FR, ST=Basse Normandie, L=Mouen, O=HomeUsers, OU=HomeUsers
        Validity
            Not Before: Jul  5 08:33:06 2020 GMT
            Not After : Jul  3 08:33:06 2030 GMT

Frigate nginx server certificate validity:

   v:NotBefore: Jul 24 10:40:48 2024 GMT; NotAfter: Jun  7 10:40:48 2035 GMT

Clock properly set up on HAOS.

Additional context

  • What service/device are you trying to reach from Home Assistant with TLS/SSL ?

Adguard and Frigate server, Frigate behind nginx.

I have a second running instance of Home Assistant, not updated, still working with this CA on another AdGuard/Frigate server, using the same kind of certificates.
Latest known version working:

Core 2024.11.3
Supervisor 2024.11.4
Operating System 13.2
User interface 20241106.2

@Athozs
Owner

Athozs commented Dec 12, 2024

Hello @Dede1441,
logs from HAOS say that your CA is correctly loaded.

Logs from your Frigate integration say that your CA is missing Basic Constraints marked as critical, see the RFC here: https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9

Depending on your previous actions,

  • you may need to issue again a certificate from your root CA and replace it on your Frigate server
  • you may need to add basicConstraints=critical,CA:true in your ca.conf (configuration file to generate a root CA with openssl) and generate again your root CA, then issue again server certificates for Frigate and Adguard from that new root CA.

Hope that helps.

@Athozs
Owner

Athozs commented Dec 12, 2024

Just got the same problem when testing with HAOS 14:

2024-12-12 12:20:25.942 ERROR (MainThread) [homeassistant.components.rest_command] Error fetching data: Cannot connect to host xxxxxxxxxxxxx ssl:True [SSLCertVerificationError: (1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Basic Constraints of CA cert not marked critical (_ssl.c:1020)')]
2024-12-12 12:20:25.943 ERROR (MainThread) [homeassistant.helpers.script.websocket_api_script] websocket_api script: Error executing script. Error for call_service at pos 1: Client error occurred when calling resource "https://xxxxxxxxxxxxx"
2024-12-12 12:20:25.943 ERROR (MainThread) [homeassistant.components.websocket_api.http.connection] [140482085501200] Error handling message: Client error occurred when calling resource "https://xxxxxxxxxxxxx" (home_assistant_error) bde from 10.19.0.2 (Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:133.0) Gecko/20100101 Firefox/133.0)

Going to investigate on my side too.

@Dede1441
Author

Dede1441 commented Dec 12, 2024

Hi,
Thank you for this information.

Here is the output about the CA Basic Constraints:
[screenshot]

And the one from the Frigate server certificate:

[screenshot]

If I understand your feedback correctly, the CA cert should have a line with "critical" somewhere?

This seems related: home assistant core repo issue - cert missing critical basic constraint, but ironically solved with the additional_ca integration.

Thank you, I will wait for your feedback.

@pc-bastler

Hi, on my installation additional_CA also stopped working:

Core 2024.12.2
Supervisor 2024.11.4
Operating System 14.0
Frontend 20241127.7

Unfortunately I cannot find any logs for the add-in. I also cannot remember exactly when the add-in stopped working.

@Athozs
Owner

Athozs commented Dec 14, 2024

At first look I'd say the SSL context loaded in Home Assistant has changed; to confirm, I'll do more investigation next week: I have to test with a clean install of Home Assistant core on a Linux OS without the hass-additional-ca integration.

@Athozs
Owner

Athozs commented Dec 18, 2024

Issue opened at home-assistant/core#133506 to get some help from HA team.

@pc-bastler

Any news on this issue? - It's still persistent with 2015.1.0

Logger: homeassistant.components.cert_expiry.coordinator
Quelle: components/cert_expiry/coordinator.py:48
Integration: Zertifikatsablauf (Dokumentation, Probleme)
Erstmals aufgetreten: 4. Januar 2025 um 23:59:42 (8 Vorkommnisse)
Zuletzt protokolliert: 4. Januar 2025 um 23:59:43

Certificate validation error: unifi.pxxxx.de [Missing Authority Key Identifier]
Certificate validation error: octoprint.pxxxxx.de [Missing Authority Key Identifier]
Certificate validation error: nas01.pxxxxxx.de [Missing Authority Key Identifier]
Certificate validation error: ha.pxxxxxxxx.de [Missing Authority Key Identifier]

@Athozs
Owner

Athozs commented Jan 6, 2025

Hello @pc-bastler ,

I can confirm it's still persistent with version 2025.1.0,

I'm unable to fix anything at the moment because the issue exists even without using the hass-additional-ca integration.

Issue still open on home-assistant core side, waiting for support from HA team.

@Athozs
Owner

Athozs commented Jan 9, 2025

Well, that comment: home-assistant/core#133506 (comment) confirms my first thought: our CAs now must have 'Basic Constraints' marked as critical to be used from Python 3.13 and HASS 2024.12 onward.

I have to recreate/update my own CA too, so I'll try to make a "how-to" by the end of January.
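Putting the Dec 12 advice (`basicConstraints=critical,CA:true` in the openssl CA config) and this conclusion together, here is an added example; it is not part of this issue thread or of the hass-additional-ca project. It generates a root CA whose Basic Constraints extension is marked critical, issues a server certificate from it, and checks the result with openssl, placing a non-compliant CA (`CA:true` without `critical`, as older how-tos produced) next to it for comparison. It also adds Subject and Authority Key Identifier extensions, which the Jan 4 `cert_expiry` log above complains about when missing. The `Demo Root CA` subject, the `frigate.example.lan` hostname, the temporary directory layout and the helper names are assumptions of the example.

```shell
#!/bin/sh
# Added example, not code from this issue or from hass-additional-ca.
# Builds a root CA whose Basic Constraints extension is marked critical
# (RFC 5280 section 4.2.1.9), issues a server certificate from it and
# verifies the chain. Subject names, the hostname frigate.example.lan
# and the working directory are assumptions made for this demo.

# Generate a self-signed root CA in directory $1 with Basic Constraints $2,
# e.g. "critical,CA:true" (compliant) or "CA:true" (not marked critical).
make_root_ca() {
    dir=$1
    cat > "$dir/ca.conf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = $2
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 \
        -config "$dir/ca.conf" -subj "/CN=Demo Root CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
}

# Issue a server certificate for hostname $2, signed by the CA in directory $1.
issue_server_cert() {
    dir=$1; host=$2
    printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$dir/req.conf"
    cat > "$dir/server.ext" <<EOF
basicConstraints = critical,CA:false
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/req.conf" \
        -subj "/CN=$host" -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 825 -extfile "$dir/server.ext" \
        -out "$dir/server.pem" 2>/dev/null
}

# Print "critical" if the CA certificate $1 has Basic Constraints marked
# critical (what Python 3.13 / Home Assistant 2024.12+ require), else "not-critical".
ca_basic_constraints() {
    if openssl x509 -in "$1" -noout -text | grep -q 'Basic Constraints: critical'; then
        echo critical
    else
        echo not-critical
    fi
}

# Print "OK" if server.pem in directory $1 chains to ca.pem in the same
# directory, "FAIL" otherwise. Extra arguments (e.g. -x509_strict) are
# passed to openssl verify.
verify_chain() {
    dir=$1; shift
    if openssl verify "$@" -CAfile "$dir/ca.pem" "$dir/server.pem" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

# Demo: a compliant CA next to a non-compliant one.
demo() {
    work=$(mktemp -d)
    mkdir "$work/good" "$work/bad"
    make_root_ca "$work/good" "critical,CA:true"
    make_root_ca "$work/bad"  "CA:true"
    issue_server_cert "$work/good" frigate.example.lan
    issue_server_cert "$work/bad"  frigate.example.lan
    for ca in good bad; do
        echo "$ca CA: Basic Constraints $(ca_basic_constraints "$work/$ca/ca.pem")," \
             "verify: $(verify_chain "$work/$ca")," \
             "verify -x509_strict: $(verify_chain "$work/$ca" -x509_strict)"
    done
    rm -rf "$work"
}

demo
```

Plain `openssl verify` accepts both chains, which is why such a CA went unnoticed for years; the rejection comes from strict X.509 checking, which OpenSSL 3 exposes as `-x509_strict` (the "bad" chain fails there with the same `Basic Constraints of CA cert not marked critical` reason as in the HA logs) and which Python 3.13 enables by default. Running `ca_basic_constraints` against an existing `CA_VPN.crt` tells you whether it needs regenerating before the server certificates are reissued.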
