Cert_expiry work?

I just added cert_expiry and a couple of my sites but after reboot lots of log errors:

2020-01-25 11:47:53 ERROR (MainThread) [homeassistant.core] Error doing job: Task exception was never retrieved
Traceback (most recent call last):
  File "/usr/src/homeassistant/homeassistant/data_entry_flow.py", line 109, in async_init
    result = await self._async_handle_step(flow, flow.init_step, data)
  File "/usr/src/homeassistant/homeassistant/data_entry_flow.py", line 172, in _async_handle_step
    result: Dict = await getattr(flow, method)(user_input)
  File "/usr/src/homeassistant/homeassistant/components/cert_expiry/config_flow.py", line 116, in async_step_import
    return await self.async_step_user(user_input)
  File "/usr/src/homeassistant/homeassistant/components/cert_expiry/config_flow.py", line 79, in async_step_user
    if await self._test_connection(user_input):
  File "/usr/src/homeassistant/homeassistant/components/cert_expiry/config_flow.py", line 50, in _test_connection
    get_cert, host, user_input.get(CONF_PORT, DEFAULT_PORT)
  File "/usr/local/lib/python3.7/concurrent/futures/thread.py", line 57, in run
    result = self.fn(*self.args, **self.kwargs)
  File "/usr/src/homeassistant/homeassistant/components/cert_expiry/helper.py", line 12, in get_cert
    with socket.create_connection(address, timeout=TIMEOUT) as sock:
  File "/usr/local/lib/python3.7/socket.py", line 728, in create_connection
    raise err
  File "/usr/local/lib/python3.7/socket.py", line 716, in create_connection
    sock.connect(sa)
ConnectionRefusedError: [Errno 111] Connection refused
2020-01-25 11:47:53 ERROR (MainThread) [homeassistant.core] Error doing job: Task exception was never retrieved
Traceback (most recent call last):
  File "/usr/src/homeassistant/homeassistant/components/cert_expiry/config_flow.py", line 50, in _test_connection
    get_cert, host, user_input.get(CONF_PORT, DEFAULT_PORT)
  File "/usr/local/lib/python3.7/concurrent/futures/thread.py", line 57, in run
    result = self.fn(*self.args, **self.kwargs)
  File "/usr/src/homeassistant/homeassistant/components/cert_expiry/helper.py", line 13, in get_cert
    with ctx.wrap_socket(sock, server_hostname=address[0]) as ssock:
  File "/usr/local/lib/python3.7/ssl.py", line 423, in wrap_socket
    session=session
  File "/usr/local/lib/python3.7/ssl.py", line 870, in _create
    self.do_handshake()
  File "/usr/local/lib/python3.7/ssl.py", line 1139, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1076)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/src/homeassistant/homeassistant/data_entry_flow.py", line 109, in async_init
    result = await self._async_handle_step(flow, flow.init_step, data)
  File "/usr/src/homeassistant/homeassistant/data_entry_flow.py", line 172, in _async_handle_step
    result: Dict = await getattr(flow, method)(user_input)
  File "/usr/src/homeassistant/homeassistant/components/cert_expiry/config_flow.py", line 116, in async_step_import
    return await self.async_step_user(user_input)
  File "/usr/src/homeassistant/homeassistant/components/cert_expiry/config_flow.py", line 79, in async_step_user
    if await self._test_connection(user_input):
  File "/usr/src/homeassistant/homeassistant/components/cert_expiry/config_flow.py", line 60, in _test_connection
    if "doesn't match" in err.args[0]:

Don’t really want to share my URLs so not sure it’s value add, but my sensor_ssl.yaml file:

- platform: cert_expiry
  name: Smart Home Cert
  host: <address for HA>
  port: 8123

- platform: cert_expiry
  name: Home Server Cert
  host: <address for a remote access server>
  port: 443

For both of the above it’s just the server address, no https or anything.

And note these are GoDaddy certs not like DuckDNS or whatever.

This is mine:

- platform: cert_expiry
  host: xxx.yyy.com
  port: 443
  name: "SSL cert expiry"

It’s working, no exceptions in the logs. For the host you are putting in the FQDN right?

Yep and mine is basically the same.

There’s actually been a certificate expiry integration available for some time… I’m on 0.104.3 but it’s been an integration for a while now.

Maybe comment out the manual config and add the integration

Same here. I see it. Question though. Does this support one host or do you keep adding it?

I just added a second one…


Brilliant. So I got at least my HA server added. My other server is erroring. Kind of odd as they are both exposed to the internet. Only difference is HA is on 8123 and, because of some Alexa integration, I have a reverse proxy going on between my homeserver and HA on different URLs, but if you go to the URL directly it comes up, so no clue what’s happening with that one.

Basically giving me in the logs:

ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1076)

your cert will never be on 8123… should be 443… even if you use a reverse proxy it won’t be validating on 8123.

SSL doesn’t have to be on 443. It can be on whatever port you bind it to.

The 8123 one works fine and shows the number of days. It’s the server running on 443 that it can’t validate. Says refused below, but anyone can get to the page without issue. It’s just a dummy page but is still SSL. You just have to append /remote to the end of it to pull up the login page.

2020-01-25 21:04:21 ERROR (MainThread) [homeassistant.helpers.entity] Update for sensor.home_assistant_certificate fails
Traceback (most recent call last):
  File "/usr/src/homeassistant/homeassistant/helpers/entity.py", line 279, in async_update_ha_state
    await self.async_device_update()
  File "/usr/src/homeassistant/homeassistant/helpers/entity.py", line 461, in async_device_update
    await self.hass.async_add_executor_job(self.update)
  File "/usr/local/lib/python3.7/concurrent/futures/thread.py", line 57, in run
    result = self.fn(*self.args, **self.kwargs)
  File "/usr/src/homeassistant/homeassistant/components/cert_expiry/sensor.py", line 122, in update
    cert = get_cert(self.server_name, self.server_port)
  File "/usr/src/homeassistant/homeassistant/components/cert_expiry/helper.py", line 12, in get_cert
    with socket.create_connection(address, timeout=TIMEOUT) as sock:
  File "/usr/local/lib/python3.7/socket.py", line 728, in create_connection
    raise err
  File "/usr/local/lib/python3.7/socket.py", line 716, in create_connection
    sock.connect(sa)
ConnectionRefusedError: [Errno 111] Connection refused
2020-01-25 21:05:28 ERROR (MainThread) [aiohttp.server] Error handling request
Traceback (most recent call last):
  File "/usr/src/homeassistant/homeassistant/components/cert_expiry/config_flow.py", line 50, in _test_connection
    get_cert, host, user_input.get(CONF_PORT, DEFAULT_PORT)
  File "/usr/local/lib/python3.7/concurrent/futures/thread.py", line 57, in run
    result = self.fn(*self.args, **self.kwargs)
  File "/usr/src/homeassistant/homeassistant/components/cert_expiry/helper.py", line 13, in get_cert
    with ctx.wrap_socket(sock, server_hostname=address[0]) as ssock:
  File "/usr/local/lib/python3.7/ssl.py", line 423, in wrap_socket
    session=session
  File "/usr/local/lib/python3.7/ssl.py", line 870, in _create
    self.do_handshake()
  File "/usr/local/lib/python3.7/ssl.py", line 1139, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1076)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.7/site-packages/aiohttp/web_protocol.py", line 418, in start
    resp = await task
  File "/usr/local/lib/python3.7/site-packages/aiohttp/web_app.py", line 458, in _handle
    resp = await handler(request)
  File "/usr/local/lib/python3.7/site-packages/aiohttp/web_middlewares.py", line 119, in impl
    return await handler(request)
  File "/usr/src/homeassistant/homeassistant/components/http/real_ip.py", line 39, in real_ip_middleware
    return await handler(request)
  File "/usr/src/homeassistant/homeassistant/components/http/ban.py", line 72, in ban_middleware
    return await handler(request)
  File "/usr/src/homeassistant/homeassistant/components/http/auth.py", line 135, in auth_middleware
    return await handler(request)
  File "/usr/src/homeassistant/homeassistant/components/http/view.py", line 123, in handle
    result = await result
  File "/usr/src/homeassistant/homeassistant/components/config/config_entries.py", line 160, in post
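To reproduce what the integration's helper does outside Home Assistant and tell the two errors in the logs above apart (connection refused versus a chain that does not verify), here is an added example; it is not Home Assistant's code, and the TIMEOUT value and diagnosis wording are my own choices:

```python
"""Standalone check mirroring what cert_expiry's helper does
(socket.create_connection, then ctx.wrap_socket with server_hostname),
with the errors seen in this thread classified explicitly."""
import socket
import ssl
import sys
import time

TIMEOUT = 10  # seconds; assumed value, not the integration's constant

DIAGNOSES = [  # substring of the error text -> likely cause
    ("Connection refused", "refused: nothing listens on that host:port (wrong port, or not forwarded)"),
    ("timed out", "timeout: host unreachable or filtered"),
    ("unable to get local issuer certificate",
     "chain problem: server omits its intermediate cert, or issuer not in the local trust store"),
    ("doesn't match", "hostname mismatch: cert not valid for the name you connected to"),
    ("Hostname mismatch", "hostname mismatch: cert not valid for the name you connected to"),
    ("certificate has expired", "expired: cert is past its notAfter date"),
]

def diagnose_message(text):
    """Classify an error string such as the log lines pasted in this thread."""
    for needle, cause in DIAGNOSES:
        if needle in text:
            return cause
    return "other"

def fetch_not_after(host, port=443):
    """Handshake the same way the helper does and return the cert's notAfter."""
    ctx = ssl.create_default_context()  # verifies chain AND hostname, as the integration does
    with socket.create_connection((host, port), timeout=TIMEOUT) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as ssock:
            return ssock.getpeercert()["notAfter"]

def days_remaining(not_after, now_ts=None):
    """Whole days until expiry from a notAfter string like 'Jan 25 11:47:53 2021 GMT'."""
    expires = ssl.cert_time_to_seconds(not_after)  # GMT string -> epoch seconds
    now = time.time() if now_ts is None else now_ts
    return int((expires - now) // 86400)

def check(host, port=443):
    """Return (days_remaining, None) on success or (None, diagnosis) on failure."""
    try:
        return days_remaining(fetch_not_after(host, port)), None
    except OSError as exc:  # ssl.SSLError and socket.timeout are OSError subclasses
        return None, diagnose_message(str(exc))

if __name__ == "__main__":
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    days, problem = check(host, port)
    print(f"{host}:{port} -> {days} days" if problem is None else f"{host}:{port} -> {problem}")
```

Browsers often fetch a missing intermediate via the certificate's AIA URL, so a site that shows a padlock in the browser can still fail this check with "unable to get local issuer certificate"; serving the full chain (leaf plus intermediates) from the server is what makes it verify here.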

is port 443 opened/forwarded?

Yeah… I don’t use port 443 for certs either… The port I do use is forwarded to home assistant server…

Yeah I tried HA on 443 which I also have setup and that passed so apparently my Windows Home Server is rejecting requests or something. I tried hitting it from several site checkers and they all give rejected. It’s odd as I literally can go to the page and it just has some basic text on it, I can click on the lock on the nav bar and see the cert.

Though maybe I should just give this up. I rebooted and my other cert is no longer showing and erroring refused and showing Unknown on the sensor now. Obviously used to work in order to be added in the first place and showed the right number of days. Seeming more annoying than it’s worth since GoDaddy emails me before it’s going to expire anyway.

Do you renew the cert manually? I have my domain at Namecheap and I use their API with DNS validation for renewing the certs automatically in Caddy. The cert sensor still displays the days correctly anyway. Are you running HA on a Windows Server? Not sure how Windows would block it.

No, on Linux, Ubuntu. What I think is happening is it’s not loading on startup or right away or something. I feel this way because when I added the sensor initially it was there, but on reboot it came up unknown. I read others talking about something similar where an integration or platform didn’t load so things wouldn’t show until 24 hours later when it updated again.

OK, so it can come up unknown until it refreshes and gets the state… I think that’s normal. It might, post 0.104, use the last state due to changes, but it’s been quite a while since I’ve seen unknown on startup…

Well, not actually. I was mentioning other users talking about other entities doing this, so “maybe” this would eventually do the same. But I don’t like the errors in my logs so I removed it, unfortunately.