Philips Hue SSL Handshake issue

[keydon]

• I confirm that this is an issue rather than a question.

Bug report

I cannot add my hue lights to my hyperion instance.
When starting the philips hue wizard, it finds my brige, but doesnt find a user. So far so good.
When click create new user and clientKey it times out.

in the logs I see this:

[WEBSOCKET] (DEBUG) (JsonAPI.cpp:1582:handleLedDeviceCommand()) message: [{"command":"leddevice","ledDeviceType":"philipshue","params":{"host":"Hue Bridge - A532A7._hue._tcp.local","port":443},"subcommand":"addAuthorization","tan":354}]
[LEDDEVICE] (DEBUG) (LedDevicePhilipsHue.cpp:1376:addAuthorization()) params: [{"host":"Hue Bridge - A532A7._hue._tcp.local","port":443}]
[LEDDEVICE] (INFO) Add authorized user for philipshue, hostname (Hue Bridge - A532A7._hue._tcp.local)
[LEDDEVICE] (INFO) Resolved service [Hue Bridge - A532A7._hue._tcp.local] to mDNS hostname [001788a532a7.local.], service port [443]
[LEDDEVICE] (INFO) Resolved hostname (Hue Bridge - A532A7._hue._tcp.local) to IP-address (192.168.178.22)
[LEDDEVICE] (DEBUG) (ProviderRestApi.cpp:273:executeOperation()) GET took 14ms, HTTP 200: [http://192.168.178.22/api/config] []
[LEDDEVICE] (DEBUG) (LedDevicePhilipsHue.cpp:743:isApiEntertainmentReady()) API version [1.67.0] is Entertainment API ready
[LEDDEVICE] (DEBUG) (LedDevicePhilipsHue.cpp:754:isAPIv2Ready()) Firmware version [1967054020] is API v2 ready
[LEDDEVICE] (ERROR) 'Trust on first use' - Certificate received does not match pinned certificate
[LEDDEVICE] (DEBUG) (ProviderRestApi.cpp:553:onSslErrors()) SSL Error occured: [9] The certificate is self-signed, and untrusted 
[LEDDEVICE] (DEBUG) (ProviderRestApi.cpp:273:executeOperation()) POST took 100ms, HTTP 0: [https://192.168.178.22/api] [{"devicetype":"hyperion#kodi","generateclientkey":true}]
[LEDDEVICE] (WARNING) philipshue generation of authorization/client key failed with error: 'SSL handshake failed'

This reminds me of a similar issue I found #1760

But removing and reinstalling hyperion multiple times did not help.
No idea where hyperion saves/pinnes the certificates on libereelec 12.

a find / -name '*.pem' did not yield something I want to delete.

/etc/pki/tls/cacert.pem
/etc/ssl/cacert.pem
/etc/ssl/cert.pem
/run/libreelec/cacert.pem
/storage/.config/cacert.pem
/storage/.kodi/addons/script.module.certifi/lib/certifi/cacert.pem
/usr/lib/ssl/cert.pem
/usr/share/kodi/system/certs/cacert.pem

I also tried to create the files, I assumed should have been created by hyperions cert pinning:

/storage/.hyperion/certificates/001788fffea532a7.pem
/storage/.local/share/Hyperion/certificates/001788fffea532a7.pem

with the contents of openssl s_client -showcerts -connect 192.168.178.22:443 </dev/null 2>/dev/null | openssl x509 -outform PEM
but this did not work either.

I thought I could work around this issue by just trusting the hue-cert by adding to it to the truststore libreelec, but hyperion seems to ignore it. (I did it like here https://wiki.libreelec.tv/configuration/ssl-tls-certificates)
at least curl is happy and trusting the hue-cert now when I do

$ curl -v https://001788fffea532a7/api/nouser/config
...
* SSL connection using TLSv1.2 / ECDHE-ECDSA-AES128-GCM-SHA256 / secp256r1 / id-ecPublicKey
* ALPN: server accepted h2
* Server certificate:
*  subject: C=NL; O=Philips Hue; CN=001788fffea532a7
*  start date: Jan  1 00:00:00 2017 GMT
*  expire date: Jan  1 00:00:00 2038 GMT
*  common name: 001788fffea532a7 (matched)
*  issuer: C=NL; O=Philips Hue; CN=001788fffea532a7
*  SSL certificate verify ok.
*   Certificate level 0: Public key type EC/prime256v1 (256/128 Bits/secBits), signed using ecdsa-with-SHA256
* using HTTP/2
...

Steps to reproduce

I had already a working setup. but I updated from librelec 11 to 12.
But since hyperion did not start after the upgrade, I assumed it might have been because of an architecture switch from arm64 to aarch64 in librelec 12. So I reinstalled hyperion (curl -sSL https://releases.hyperion-project.org/install | bash -s -- --remove & curl -sSL https://releases.hyperion-project.org/install | bash), just to realize that the configs did not survive and sadly my last backup did contain only my actual ambilight configs, but not my hue setup.

What is expected?

Steps how to unpinn the stuck certificate, or disable ssl-verification or trust the current hue certificate.

What is actually happening?

Cannot setup my hue lights :(

System

Hyperion Server:
- Build:             (HEAD detached at 2.0.16) (Paulchen-Panther-cb85d2d/a93d79b-1705568419)
- Build time:        Jan 18 2024 09:31:28
- Git Remote:        https://github.com/hyperion-project/hyperion.ng
- Version:           2.0.16
- UI Lang:           en (BrowserLang: de-DE)
- UI Access:         expert
- Avail Screen Cap.: dispmanx,framebuffer,qt
- Avail Video  Cap.: v4l2
- Avail Audio  Cap.: audio
- Avail Services:    boblight,cec,effectengine,forwarder,flatbuffer,protobuffer,mDNS,SSDP,borderdetection
- Config path:       /storage/.hyperion
- Database:          read/write
- Mode:              Non-GUI

Hyperion Server OS:
- Distribution:      LibreELEC (official): 12.0.1
- Architecture:      arm64
- CPU Type:          Raspberry Pi 4 Model B Rev 1.2
- CPU Revision:      c03112
- Kernel:            linux (6.6.45 (WS: 64))
- Root/Admin:        true
- Qt Version:        5.11.3
- Python Version:    3.7.3
- Browser:           Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36

thanks for this great project and all your work :)

[Lord-Grey]

@keydon Thanks for sharing your finding. I understand your frustration.
The reason of this behaviour is that the home directory for the hyperion service user is defined as "root".
That results in a path that is not valid to be created and the certificate can not be stored for pinning or validated later.
The outcome is always a certificate validation failure for for Hue Bridges still running with a self-signed certificate.

Workaround until a fix including more log lines is available:

cd /storage/.config/system.d/

edit hyperion@.service, e.g. nano hyperion@.service
add Environment=HOME=/storage

So it looks like

[Unit]
Description=Hyperion ambient light systemd service for user %i
Documentation=https://docs.hyperion-project.org
Requisite=network.target
Wants=network-online.target
After=network-online.target
After=systemd-resolved.service

[Service]
Environment=HOME=/storage
Environment=DISPLAY=:0.0
ExecStart=/storage/hyperion/bin/hyperiond --userdata /storage/.hyperion --service
WorkingDirectory=/storage/hyperion/bin
User=%i
TimeoutStopSec=5
KillMode=mixed
Restart=on-failure
RestartSec=10

[Install]
WantedBy=multi-user.target

Execute:

systemctl daemon-reload
systemctl restart hyperion@root

After Hue user creation, you should fin the certificate here:
ls -la /storage/.local/share/Hyperion/certificates

I will check, how to update the easy install script to make this correct after install....

[Lord-Grey]

@keydon I updated the easy install script. see update
Would be great, if you could do an uninstall and install.
After that the service should work correctly. The configuration will not be deleted.

Plus, I improved logging for certificate details, see PR #1812 :

Good case

2024-12-08T20:11:35.685 |__| LEDDEVICE         : <DEBUG> ProviderRestApi.cpp:479:matchesPinnedCertificate() | Directory used for pinned certificates: /home/thomas/.local/share/hyperiond/certificates
2024-12-08T20:11:35.686 |__| LEDDEVICE         : <DEBUG> ProviderRestApi.cpp:497:matchesPinnedCertificate() | First used certificate "000c29fffe9f8c9b.pem" loaded successfully
2024-12-08T20:11:35.686 |__| LEDDEVICE         : <DEBUG> ProviderRestApi.cpp:552:onSslErrors() | 'Trust on first use' - Certificate received matches pinned certificate

Directory string pinned certificates cannot be created:

2024-12-08T20:07:53.194 |__| LEDDEVICE         : <DEBUG> ProviderRestApi.cpp:479:matchesPinnedCertificate() | Directory used for pinned certificates: /root/certificates
2024-12-08T20:07:53.194 |__| LEDDEVICE         : <ERROR> Failed to create directory "/root/certificates" to store pinned certificates. 'Trust on first use' is rejected.
2024-12-08T20:07:53.194 |__| LEDDEVICE         : <ERROR> 'Trust on first use' - Certificate received does not match pinned certificate
2024-12-08T20:07:53.194 |__| LEDDEVICE         : <DEBUG> ProviderRestApi.cpp:571:onSslErrors() | SSL Error occured: [9] The certificate is self-signed, and untrusted 

[keydon]

oh wow, thanks for the quick response and updates. will check them out when I get home and report back here.
thank you!

[keydon]

certificate errors are gone after reinstall 👍
still cannot get the hue wizard to work, but maybe I will open a dedicated issue for that ;O

thank you