Error setting up platform Luci [SSL: CERTIFICATE_VERIFY_FAILED] #1258

Closed
rschapman opened this issue Feb 14, 2016 · 6 comments

@rschapman

The self-signed ssl cert used for logging into luci openwrt appears to be causing trouble with using the luci presence detection.

16-02-14 11:32:07 homeassistant.components.device_tracker: Error setting up platform luci
Traceback (most recent call last):
  File "/usr/local/lib/python3.4/dist-packages/requests/packages/urllib3/connectionpool.py", line 559, in urlopen
    body=body, headers=headers)
  File "/usr/local/lib/python3.4/dist-packages/requests/packages/urllib3/connectionpool.py", line 345, in _make_request
    self._validate_conn(conn)
  File "/usr/local/lib/python3.4/dist-packages/requests/packages/urllib3/connectionpool.py", line 784, in _validate_conn
    conn.connect()
  File "/usr/local/lib/python3.4/dist-packages/requests/packages/urllib3/connection.py", line 252, in connect
    ssl_version=resolved_ssl_version)
  File "/usr/local/lib/python3.4/dist-packages/requests/packages/urllib3/util/ssl_.py", line 305, in ssl_wrap_socket
    return context.wrap_socket(sock, server_hostname=server_hostname)
  File "/usr/lib/python3.4/ssl.py", line 364, in wrap_socket
    _context=self)
  File "/usr/lib/python3.4/ssl.py", line 577, in __init__
    self.do_handshake()
  File "/usr/lib/python3.4/ssl.py", line 804, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:600)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.4/dist-packages/requests/adapters.py", line 376, in send
    timeout=timeout
  File "/usr/local/lib/python3.4/dist-packages/requests/packages/urllib3/connectionpool.py", line 588, in urlopen
    raise SSLError(e)
requests.packages.urllib3.exceptions.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:600)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.4/dist-packages/homeassistant/components/device_tracker/__init__.py", line 124, in setup_platform
    scanner = platform.get_scanner(hass, {DOMAIN: p_config})
  File "/usr/local/lib/python3.4/dist-packages/homeassistant/components/device_tracker/luci.py", line 35, in get_scanner
    scanner = LuciDeviceScanner(config[DOMAIN])
  File "/usr/local/lib/python3.4/dist-packages/homeassistant/components/device_tracker/luci.py", line 65, in __init__
    self.token = _get_token(host, username, password)
  File "/usr/local/lib/python3.4/dist-packages/homeassistant/components/device_tracker/luci.py", line 161, in _get_token
    return _req_json_rpc(url, 'login', username, password)
  File "/usr/local/lib/python3.4/dist-packages/homeassistant/components/device_tracker/luci.py", line 132, in _req_json_rpc
    res = requests.post(url, data=data, timeout=5, **kwargs)
  File "/usr/local/lib/python3.4/dist-packages/requests/api.py", line 107, in post
    return request('post', url, data=data, json=json, **kwargs)
  File "/usr/local/lib/python3.4/dist-packages/requests/api.py", line 53, in request
    return session.request(method=method, url=url, **kwargs)
  File "/usr/local/lib/python3.4/dist-packages/requests/sessions.py", line 468, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/local/lib/python3.4/dist-packages/requests/sessions.py", line 597, in send
    history = [resp for resp in gen] if allow_redirects else []
  File "/usr/local/lib/python3.4/dist-packages/requests/sessions.py", line 597, in <listcomp>
    history = [resp for resp in gen] if allow_redirects else []
  File "/usr/local/lib/python3.4/dist-packages/requests/sessions.py", line 195, in resolve_redirects
    **adapter_kwargs
  File "/usr/local/lib/python3.4/dist-packages/requests/sessions.py", line 576, in send
    r = adapter.send(request, **kwargs)
  File "/usr/local/lib/python3.4/dist-packages/requests/adapters.py", line 447, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:600)
@JshWright
Contributor

There would be two possible solutions here:

  1. Get a real cert (this is trivial with Let's Encrypt, though pushing the new cert every three months might be a pain to automate)
  2. Add a config option to disable cert verification for this component.

I would lean strongly towards the first option.

@rschapman
Author

I would totally do that for an external facing setup. But for this case where it's a hobby level project in my house I'm not that concerned. It's not to say I'm not concerned with security but the effort vs payoff without more automation isn't there. Maybe Openwrt or Lede will make that easier but for the time being I was just hoping to be able to work around it.

@balloob
Member

balloob commented Jun 7, 2016

I would suggest copying the platform to the custom components folder and adding verify=False to the requests call.

On Mon, Jun 6, 2016, 15:57 Rob Chapman notifications@github.com wrote:

I would totally do that for an external facing setup. But for this case
where it's a hobby level project in my house I'm not that concerned. It's
not to say I'm not concerned with security but the effort vs payoff without
more automation isn't there. Maybe Openwrt or Lede will make that easier
but for the time being I was just hoping to be able to work around it.



@JshWright
Contributor

JshWright commented Jun 7, 2016

What's the point of using TLS at all then? If someone has compromised your network to the point that they can snoop on that traffic, then they can man-in-the-middle the traffic just as easily.

An untrusted self-signed cert provides absolutely 0 protection.

If you're set on using a self-signed cert, you should add it to your local trust store (which will also fix your verification issue).

@javefang

javefang commented Oct 9, 2016

I had the same problem with a custom root certificate when running this on a Raspberry Pi. Here is how I fixed it:

1. Copy your CA cert (make sure the file extension is .crt) to /usr/share/ca-certificates/
2. $ sudo update-ca-certificates (make sure you see "1 added" in the output)
3. Set the environment variable REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt when you start Home Assistant.

The "requests" library used for making HTTPS requests to openwrt seems to bundle its own CA bundle by default and this should override the behavior.
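
A check that could follow the steps above, as an added example that is not part of javefang's comment or the Home Assistant code: it confirms that the bundle named by REQUESTS_CA_BUNDLE actually contains the router's certificate by comparing SHA-256 fingerprints. The function names, status strings and sample certificates are hypothetical and constructed for illustration.

```python
import base64
import hashlib
import os
import re
import tempfile

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def pem_fingerprints(pem_text):
    """SHA-256 fingerprint of each certificate found in a PEM file or bundle."""
    return [hashlib.sha256(base64.b64decode("".join(body.split()))).hexdigest()
            for body in PEM_BLOCK.findall(pem_text)]


def read_text(path):
    with open(path, encoding="utf-8", errors="replace") as fh:
        return fh.read()


def check_bundle(router_cert_path, environ=os.environ):
    """Is the router's certificate in the bundle REQUESTS_CA_BUNDLE names?"""
    bundle_path = environ.get("REQUESTS_CA_BUNDLE")
    if not bundle_path:
        return "unset"            # step 3 was skipped or not exported
    if not os.path.isfile(bundle_path):
        return "missing"          # variable points at a non-existent file
    wanted = pem_fingerprints(read_text(router_cert_path))
    trusted = set(pem_fingerprints(read_text(bundle_path)))
    if not wanted:
        return "no-cert"          # router file holds no PEM certificate
    return "trusted" if set(wanted) <= trusted else "not-in-bundle"


def constructed_pem(payload):
    # Constructed stand-in: PEM armour around arbitrary bytes, not real X.509.
    b64 = base64.b64encode(payload).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "\n-----END CERTIFICATE-----\n"


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        router, bundle = os.path.join(tmp, "router.crt"), os.path.join(tmp, "bundle.crt")
        with open(router, "w") as fh:
            fh.write(constructed_pem(b"router"))
        with open(bundle, "w") as fh:
            fh.write(constructed_pem(b"some-other-ca"))
        env = {"REQUESTS_CA_BUNDLE": bundle}
        before = check_bundle(router, env)
        with open(bundle, "a") as fh:   # what update-ca-certificates would append
            fh.write(constructed_pem(b"router"))
        return before, check_bundle(router, env), check_bundle(router, {})
```

Run against the real files, `check_bundle("/path/to/router.crt")` returning anything other than "trusted" means the client would still fail verification.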

@fabaff fabaff mentioned this issue Nov 11, 2016
@dale3h
Member

dale3h commented Mar 13, 2017

Closing this issue because valid workarounds have been provided.

@dale3h dale3h closed this as completed Mar 13, 2017
@home-assistant home-assistant locked and limited conversation to collaborators Jul 17, 2017