v2.0.1 Setup error: certificate verify failed: unable to get local issuer certificate

[gadgetchnnel]

Describe the bug

After updating to version 2.0.1, setup is failing with the error certificate verify failed: unable to get local issuer certificate

Downgrading to 1.4.1 fixes it.

Full error log:

2019-09-01 15:24:57 ERROR (MainThread) [homeassistant.core] Error doing job: SSL handshake failed on verifying the certificate
Traceback (most recent call last):
  File "/usr/local/lib/python3.7/asyncio/sslproto.py", line 625, in _on_handshake_complete
    raise handshake_exc
  File "/usr/local/lib/python3.7/asyncio/sslproto.py", line 189, in feed_ssldata
    self._sslobj.do_handshake()
  File "/usr/local/lib/python3.7/ssl.py", line 763, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1056)
2019-09-01 15:24:57 ERROR (MainThread) [homeassistant.core] Error doing job: SSL error in data received
Traceback (most recent call last):
  File "/usr/local/lib/python3.7/asyncio/sslproto.py", line 526, in data_received
    ssldata, appdata = self._sslpipe.feed_ssldata(data)
  File "/usr/local/lib/python3.7/asyncio/sslproto.py", line 189, in feed_ssldata
    self._sslobj.do_handshake()
  File "/usr/local/lib/python3.7/ssl.py", line 763, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1056)
2019-09-01 15:24:57 ERROR (MainThread) [homeassistant.setup] Error during setup of component alexa_media
Traceback (most recent call last):
  File "/srv/homeassistant/lib/python3.7/site-packages/aiohttp/connector.py", line 924, in _wrap_create_connection
    await self._loop.create_connection(*args, **kwargs))
  File "/usr/local/lib/python3.7/asyncio/base_events.py", line 986, in create_connection
    ssl_handshake_timeout=ssl_handshake_timeout)
  File "/usr/local/lib/python3.7/asyncio/base_events.py", line 1014, in _create_connection_transport
    await waiter
  File "/usr/local/lib/python3.7/asyncio/sslproto.py", line 526, in data_received
    ssldata, appdata = self._sslpipe.feed_ssldata(data)
  File "/usr/local/lib/python3.7/asyncio/sslproto.py", line 189, in feed_ssldata
    self._sslobj.do_handshake()
  File "/usr/local/lib/python3.7/ssl.py", line 763, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1056)

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "/srv/homeassistant/lib/python3.7/site-packages/homeassistant/setup.py", line 168, in _async_setup_component
    hass, processed_config
  File "/home/homeassistant/.homeassistant/custom_components/alexa_media/__init__.py", line 120, in async_setup
    await login.login_with_cookie()
  File "/srv/homeassistant/lib/python3.7/site-packages/alexapy/alexalogin.py", line 121, in login_with_cookie
    await self.login(cookies=self._cookies)
  File "/srv/homeassistant/lib/python3.7/site-packages/alexapy/alexalogin.py", line 240, in login
    if (cookies is not None and await self.test_loggedin(cookies)):
  File "/srv/homeassistant/lib/python3.7/site-packages/alexapy/alexalogin.py", line 195, in test_loggedin
    cookies=self._cookies
  File "/srv/homeassistant/lib/python3.7/site-packages/aiohttp/client.py", line 476, in _request
    timeout=real_timeout
  File "/srv/homeassistant/lib/python3.7/site-packages/aiohttp/connector.py", line 522, in connect
    proto = await self._create_connection(req, traces, timeout)
  File "/srv/homeassistant/lib/python3.7/site-packages/aiohttp/connector.py", line 854, in _create_connection
    req, traces, timeout)
  File "/srv/homeassistant/lib/python3.7/site-packages/aiohttp/connector.py", line 992, in _create_direct_connection
    raise last_exc
  File "/srv/homeassistant/lib/python3.7/site-packages/aiohttp/connector.py", line 974, in _create_direct_connection
    req=req, client_error=client_error)
  File "/srv/homeassistant/lib/python3.7/site-packages/aiohttp/connector.py", line 927, in _wrap_create_connection
    req.connection_key, exc) from exc
aiohttp.client_exceptions.ClientConnectorCertificateError: Cannot connect to host alexa.amazon.co.uk:443 ssl:True [SSLCertVerificationError: (1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1056)')]

To Reproduce
Steps to reproduce the behavior:

Update to version 2.0.1

Expected behavior
A clear and concise description of what you expected to happen.

Component setup successfully.

Screenshots
If applicable, add screenshots to help explain your problem.

System details

• Home-assistant (version): 0.98.1
• Hassio (Yes/No): No
• alexa_media (version from const.py or HA startup): 2.0.1
• alexapy (version from pip show alexapy or HA startup): 1.0.1

Additional context
Add any other context about the problem here.

Configuration:

alexa_media:
  accounts:
    - email: !secret alexa_email
      password: !secret alexa_password
      url: amazon.co.uk

[alandtse]

Are you on a Mac? Does this link help?

[gadgetchnnel]

Home Assistant is running on a Raspberry Pi 3 B+ in a virtual environment in Raspbian Stretch (with Python 3.7 installed from source).
This works fine with version 1.4.1 of the component, but not with 2.0.1.

[alandtse]

Ok. The difference between 2.0 and 1.4 is we actually now require that the SSL certificate is valid. In 1.4, we ignored any problems verifying SSL. From a security perspective, we probably won't go back to the 1.4 behavior since by ignoring that check, someone could proxy between you and Amazon.

I'm not sure it's a component error. Can you make sure your Raspbian has updated ca-certs?
sudo apt-get update && sudo apt-get install -y --reinstall ca-certificates

[gadgetchnnel]

@alandtse It seems that ca-certificates wasn't even installed. After installing it (and running sudo update-ca-certificates to be on the safe side) version 2.0.1 appears to be working (at least it's started up, I'm not actually at home so I can't fully check it).

[alandtse]

This is caused by the fact that aiohttp doesn't ship with certs and relies on the python install to have its own certs. HA actually installs certifi so we can probably use that despite the fact it's not recommended by aiohttp.

[alandtse]

For the adventurous, alexapy fix staged.

[nickbits1024]

Are you on a Mac? Does this link help?

Hey just wanted to say thanks for that comment. I just updated to the latest HA, python, alexa_media and OSX (Monterey) and have been struggling with that error for the last 3 hours. That link saved me!!! Command was slightly different from the link since I am on 3.9 now (/Applications/Python\ 3.9/Install\ Certificates.command) but I got the gist. Thanks again!!!