Host not reachable in Home Assistant 2022.07.0

[deviantintegral]

Describe the bug

After upgrading, the thermostat is unavailable and the following is logged:

Logger: custom_components.lennoxs30
Source: custom_components/lennoxs30/init.py:326
Integration: Lennox S30/E30 (documentation, issues)
First occurred: 6:42:08 PM (1 occurrences)
Last logged: 6:42:08 PM

async_setup unexpected error login Client Connector Error - failed due host not reachable url [https://thermostat.lan/Endpoints/homeassistant/Connect]

To Reproduce
Steps to reproduce the behavior:

• Upgrade to Home Assistant 2022.07.1
• See the above error in the logs

Expected behavior

The integration starts

Version

• Home Assistant: 2022.07.01
• This Integration: 0.2.7 and 0.2.9

**Integration Configuration **

• Cloud or Local Connection: Local
• Inverter or Sensor Diagnostics Enabled: No

Additional context

I'm running HAOS which influences DNS resolution. I was able to reach the thermostat both from the OS and inside the homeassistant container, so I don't think this is a more general issue.

I downgraded back to 2022.06 to fix this (thanks zfs!), but I can upgrade to test dependingon my family's schedule.

[digihed]

I’m having the same problem after updating to 2022.07.0. I’m running ha core in a Proxmox LXC.

[PeteRager]

Looks like a problem. I’ll upgrade my test system to 2022.07.0 and see if I can repro it.

[PeteRager]

It's indeed broken on 2022.07.0. Looks like they upgraded to python 3.10. Not sure of the solve yet.

[HyperActiveJ]

Several custom interpretations are broken, including my own. Might want to check some other repositories and see what their doing about it.

[dresslerc]

Same issue here.

[PeteRager]

Several custom interpretations are broken, including my own. Might want to check some other repositories and see what their doing about it.

Thanks. I am on the hunt, let me know if you find anything. Getting a 2022.7.0 dev environment setup.

[PeteRager]

Looks like the root cause is the default TLS version in python 3.10 is not compatible with the TLS version on the Lennox Thermostat.

2022-07-07 09:07:03 DEBUG (MainThread) [asyncio] <asyncio.sslproto.SSLProtocol object at 0x7f7d2750fdc0>: SSL handshake failed
Traceback (most recent call last):
  File "/home/pete/.pyenv/versions/3.10.0/lib/python3.10/asyncio/sslproto.py", line 631, in _on_handshake_complete
    raise handshake_exc
  File "/home/pete/.pyenv/versions/3.10.0/lib/python3.10/asyncio/sslproto.py", line 188, in feed_ssldata
    self._sslobj.do_handshake()
  File "/home/pete/.pyenv/versions/3.10.0/lib/python3.10/ssl.py", line 974, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:997)
2022-07-07 09:07:03 DEBUG (MainThread) [asyncio] <asyncio.sslproto.SSLProtocol object at 0x7f7d2750fdc0>: SSL error in data received
Traceback (most recent call last):
  File "/home/pete/.pyenv/versions/3.10.0/lib/python3.10/asyncio/sslproto.py", line 528, in data_received
    ssldata, appdata = self._sslpipe.feed_ssldata(data)
  File "/home/pete/.pyenv/versions/3.10.0/lib/python3.10/asyncio/sslproto.py", line 188, in feed_ssldata
    self._sslobj.do_handshake()
  File "/home/pete/.pyenv/versions/3.10.0/lib/python3.10/ssl.py", line 974, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:997)

Next step is to figure out how to change ths.

[HyperActiveJ]

Presuming ssl is still used for the thermostats comms to the cloud, it seems like more reason to block internet access and switch to local only.

If the built in library doesn't have an override flag then might need to switch to a 3dd part ssl library. Unlike the other device I have I don't see a means to upgrade the thermostat or other wise enable tls.

[PeteRager]

I've tried a variety of combinations setting the SSL content. without much luck. Line 235 of s30api_async.py

            context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
            context.options = ssl.OP_NO_SSLv3 | ssl.OP_NO_TICKET
            context.check_hostname = False
            context.verify_mode = ssl.CERT_NONE
            self.ssl = context
            self.initialize_urls_local()

[PeteRager]

This is the cipher setup we need

SSL connection using TLSv1.2 / AES256-GCM-SHA384

[coagentpai]

I couldn't figure out how to get to the API code in HA to test with the time I had. But I am hoping this is moving in the right direction.

context.set_ciphers('DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384')

If that doesn't work context.set_ciphers('ALL:@SECLEVEL=1') is more permissive but shouldn't be needed.

[PeteRager]

after a long and painful morning i have a fix! It'll take a day or so to test.

            context = ssl.create_default_context()
            context.set_ciphers("DEFAULT")
            context.check_hostname = False
            context.verify_mode = ssl.CERT_NONE
            self.ssl = context
            self.initialize_urls_local()

[PeteRager]

I've patched the API. If you are on 2022.7.0, you can try the patch by editing the custom_components/lennoxs30/manifest.json file. Bump the API version from 0.1.11 to 0.1.12. It takes a minute or so for HA to download the new API on startup.

    "requirements": ["lennoxs30api==0.1.12"],

I'll work on getting a new release of the integration put together.

[PeteRager]

I couldn't figure out how to get to the API code in HA to test with the time I had. But I am hoping this is moving in the right direction.

context.set_ciphers('DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384')

If that doesn't work context.set_ciphers('ALL:@SECLEVEL=1') is more permissive but shouldn't be needed.

Excellent and thank you!

I did create a patch with ALL, I will test with the more restrictive approach.

[PeteRager]

Link to api pull request for review.

PeteRager/lennoxs30api#45

[Tovrin]

Running 4 RLC-520A with latest firmware. None are working.

[PeteRager]

This issue should now be resolved in this release, that was just published now.

https://github.com/PeteRager/lennoxs30/releases/tag/0.2.10

[Tovrin]

What's the average delay before it appears in HACS?

[PeteRager]

What's the average delay before it appears in HACS?

Good question. Should be available now. Can you refresh HACS?

[PeteRager]

Closing this as should be fixed, reopen or create new if problems persist.