Command Line Sensor broke in 2024.7, How do I fix?

Sensors created in configuration.yaml are still broken in 2024.7.2.

It broke in 2024.7.0

Here is what I have in configuration.yaml

command_line:
  - sensor:
      unique_id: xcel_meter_power
      name: "Smart Electric Meter Power"
      #command: "OPENSSL_CONF=/config/xcelcerts/myown/openssl.cnf /usr/bin/curl --ciphers ECDHE-ECDSA-AES128-CCM8 --insecure --url https://10.0.0.226:8081/upt/1/mr/1/r --cert /config/xcelcerts/myown/cert.pem --key /config/xcelcerts/myown/key.pem 2>&1 | grep -o '<value>.*</value>' | grep -Eo '[0-9]+'"
      command: "export OPENSSL_CONF=/config/xcelcerts/myown/openssl.cnf /usr/bin/curl --ciphers ECDHE-ECDSA-AES128-CCM8 --insecure --url https://10.0.0.226:8081/upt/1/mr/1/r --cert /config/xcelcerts/myown/cert.pem --key /config/xcelcerts/myown/key.pem 2>&1 | grep -o '<value>.*</value>' | grep -Eo '([+-]?[0-9]+)'"
      unit_of_measurement: "W"
      device_class: "power"
      scan_interval: 5
      command_timeout: 5

  - sensor:
      unique_id: xcel_meter_consumption
      name: "Smart Electric Meter Consumption"
      command: "OPENSSL_CONF=/config/xcelcerts/myown/openssl.cnf /usr/bin/curl --ciphers ECDHE-ECDSA-AES128-CCM8 --insecure --url https://10.0.0.226:8081/upt/1/mr/3/r --cert /config/xcelcerts/myown/cert.pem --key /config/xcelcerts/myown/key.pem 2>&1 | grep -o '<value>.*</value>' | grep -Eo '[0-9]+'"
      unit_of_measurement: "kWh"
      value_template: "{{ value | multiply(0.001) | round(3)}}"
      device_class: "energy"
      state_class: "total_increasing"
      #scan_interval: 86400
      scan_interval: 5
      command_timeout: 5

  - sensor:
      unique_id: xcel_meter_productiion
      name: "Smart Electric Meter Production"
      command: "OPENSSL_CONF=/config/xcelcerts/myown/openssl.cnf /usr/bin/curl --ciphers ECDHE-ECDSA-AES128-CCM8 --insecure --url https://10.0.0.226:8081/upt/1/mr/2/r --cert /config/xcelcerts/myown/cert.pem --key /config/xcelcerts/myown/key.pem 2>&1 | grep -o '<value>.*</value>' | grep -Eo '[0-9]+'"
      unit_of_measurement: "kWh"
      value_template: "{{ value | multiply(0.001) | round(3)}}"
      device_class: "energy"
      state_class: "total_increasing"
      #scan_interval: 86400
      scan_interval: 5
      command_timeout: 5

I can poll the xcel power meter manually with the following command from a terminal window in 2024.7.2, but at restart, the sensors are not created by configuration.yaml command_line commands.

Here are the logs:

Logger: homeassistant.components.command_line.utils
Source: components/command_line/utils.py:56
integration: Command Line (documentation, issues)
First occurred: 12:15:12 PM (789 occurrences)
Last logged: 12:37:32 PM

Command failed (with return code 1): OPENSSL_CONF=/config/xcelcerts/myown/openssl.cnf /usr/bin/curl --ciphers ECDHE-ECDSA-AES128-CCM8 --insecure --url https://10.0.0.226:8081/upt/1/mr/1/r --cert /config/xcelcerts/myown/cert.pem --key /config/xcelcerts/myown/key.pem 2>&1 | grep -o '<value>.*</value>' | grep -Eo '([+-]?[0-9]+)'
Command failed (with return code 1): OPENSSL_CONF=/config/xcelcerts/myown/openssl.cnf /usr/bin/curl --ciphers ECDHE-ECDSA-AES128-CCM8 --insecure --url https://10.0.0.226:8081/upt/1/mr/2/r --cert /config/xcelcerts/myown/cert.pem --key /config/xcelcerts/myown/key.pem 2>&1 | grep -o '<value>.*</value>' | grep -Eo '[0-9]+'
Command failed (with return code 1): OPENSSL_CONF=/config/xcelcerts/myown/openssl.cnf /usr/bin/curl --ciphers ECDHE-ECDSA-AES128-CCM8 --insecure --url https://10.0.0.226:8081/upt/1/mr/3/r --cert /config/xcelcerts/myown/cert.pem --key /config/xcelcerts/myown/key.pem 2>&1 | grep -o '<value>.*</value>' | grep -Eo '[0-9]+'

I can execute the command_line command manually from a terminal window and the command works.

[core-ssh config]$ ./comman.txt
<Reading
     xmlns="urn:ieee:std:2030.5:ns"
     href="/upt/1/mr/3/r">
    <qualityFlags>01</qualityFlags>
    <timePeriod>
        <duration>1</duration>
        <start>1720636845</start>
    </timePeriod>
    <value>20758668</value>
</Reading>
[core-ssh config]$ cat comman.txt
OPENSSL_CONF=/config/xcelcerts/myown/openssl.cnf /usr/bin/curl --ciphers ECDHE-ECDSA-AES128-CCM8 --insecure --url https://10.0.0.226:8081/upt/1/mr/3/r --cert /config/xcelcerts/myown/cert.pem --key /config/xcelcerts/myown/key.pem
[core-ssh config]$

I don’t know if this helps or not, but when I try to execute with a command_line command manually, I get an error.

That’s why I had to create the txt file and execute it with ./comman.txt

It’s probably unrelated.

Welcome to the Home Assistant command line.

System information
  IPv4 addresses for wlan0: 
  IPv4 addresses for end0:  10.0.0.10/24
  IPv6 addresses for end0:  2601:282:1900:3a50::a169/128, 2601:282:1900:3a50:76d2:a882:3bbc:4458/64, fe80::fe8e:cb19:c3ea:fe7d/64

  OS Version:               Home Assistant OS 12.3
  Home Assistant Core:      2024.7.2

  Home Assistant URL:       http://homeassistant.local:8123
  Observer URL:             http://homeassistant.local:4357
➜  ~ cd config     
➜  config ls
a                         cookies.txt               home-assistant.log.fault  known_devices.yaml        tts
automations.yaml          custom_components         home-assistant_v2.db      photos                    www
blueprints                deps                      home-assistant_v2.db-shm  scenes.yaml               xcelcerts
comman.txt                home-assistant.log        home-assistant_v2.db-wal  scripts.yaml              zigbee.db
configuration.yaml        home-assistant.log.1      index.html                secrets.yaml
➜  config cat coman.txt 
cat: can't open 'coman.txt': No such file or directory
➜  config cat comman.txt
OPENSSL_CONF=/config/xcelcerts/myown/openssl.cnf /usr/bin/curl --ciphers ECDHE-ECDSA-AES128-CCM8 --insecure --url https://10.0.0.226:8081/upt/1/mr/3/r --cert /config/xcelcerts/myown/cert.pem --key /config/xcelcerts/myown/key.pem
➜  config OPENSSL_CONF=/config/xcelcerts/myown/openssl.cnf /usr/bin/curl --ciphers ECDHE-ECDSA-AES128-CCM8 --insecure --url https://10.0.0.226:8081/upt/1/mr/3/r --cert /config/xcelcerts/myown/cert.pem --key /config/xcelcerts/myown/key.pem
curl: (35) OpenSSL/3.3.0: error:0A000410:SSL routines::ssl/tls alert handshake failure
➜  config 
1 Like


Hey, I’m having the same issue. When reading through all of the change logs for 2024.7 I noticed that cryptography was bumped to 42.0.8 which updates OpenSSL from version 3.2.1 to 3.2.2. I have other command line sensors that still work, but it seems that the update did something to impact how a command line sensor using OpenSSL curl command works.

I think it’s an OpenSSL issue mostly because I have broken up my usual command to remove the pipe to grep parts (so isolating the curl command) and the error shifts from code 1 to code 35. Just like the above, it only doesn’t work through the command line sensor in the configuration.yaml, but the command still works fine when executing via terminal.

My above info isn’t a solution, but I’m hoping that someone smarter than me might be able to use that info. Many other folks in a topic dedicated to the Xcel energy reading (Xcel Energy ITron Gen 5 Riva) are also reporting this issue.


Edit 1
I also found another person running into issues with OpenSSL in the new update (Climate_IP - ClimateDevice for IP based units (not only Samsung AC) - #246 by CrackPT). Different call, but still an OpenSSL error. Sorry if this is unrelated.

1 Like
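
The exit-code shift described in the post above (1 with the grep pipe, 35 without it), as an added example that is not part of the original thread: a shell pipeline reports the status of its last command, so the trailing grep's "no match" status 1 hides curl's 35. `fake_curl_fail` and `fake_curl_ok` are constructed stand-ins for the real curl call, and `piped_status`, `read_value` and `read_value_unsigned` are hypothetical helper names.

```shell
#!/bin/sh
# Constructed stand-ins for the curl call in the sensor (no network needed).
# fake_curl_fail reproduces the error text and exit code 35 quoted in the thread.
fake_curl_fail() {
  echo 'curl: (35) OpenSSL/3.3.0: error:0A000410:SSL routines::ssl/tls alert handshake failure' >&2
  return 35
}

# fake_curl_ok prints a Reading shaped like the one shown for /upt/1/mr/1/r.
fake_curl_ok() {
  printf '%s\n' '<Reading' '     xmlns="urn:ieee:std:2030.5:ns"' \
    '     href="/upt/1/mr/1/r">' '    <qualityFlags>01</qualityFlags>' \
    '    <value>-6038</value>' '</Reading>'
}

# The sensor's pipeline shape: fetch 2>&1 | grep | grep.
# Prints the status the caller sees, which is the last grep's status.
piped_status() {
  if "$@" 2>&1 | grep -o '<value>.*</value>' | grep -Eo '[+-]?[0-9]+' >/dev/null; then
    echo 0
  else
    echo $?
  fi
}

# Hypothetical staged variant: run the fetch first, return ITS exit code on
# failure (stderr is left untouched), and only then extract the signed value.
read_value() {
  if body=$("$@"); then
    :
  else
    return $?
  fi
  printf '%s\n' "$body" | grep -o '<value>.*</value>' | grep -Eo '[+-]?[0-9]+'
}

# The unsigned pattern used by the consumption and production sensors,
# for comparison: it drops the minus sign of a negative reading.
read_value_unsigned() {
  "$@" | grep -o '<value>.*</value>' | grep -Eo '[0-9]+'
}

# Demo run on the constructed inputs.
echo "pipeline status on handshake failure: $(piped_status fake_curl_fail)"
read_value fake_curl_fail 2>/dev/null || echo "staged status on handshake failure: $?"
echo "signed value:   $(read_value fake_curl_ok)"
echo "unsigned value: $(read_value_unsigned fake_curl_ok)"
```
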

Here is a trace of the curl command from terminal window.

I’ll put the --trace in the command_line.

[core-ssh config]$ cat curlTrace.txt
OPENSSL_CONF=/config/xcelcerts/myown/openssl.cnf /usr/bin/curl --ciphers ECDHE-ECDSA-AES128-CCM8  --trace troubleshoot \
--insecure --url https://10.0.0.226:8081/upt/1/mr/1/r --cert /config/xcelcerts/myown/cert.pem --key /config/xcelcerts/myown/key.pem

[core-ssh config]$ vi curlTrace.txt
[core-ssh config]$ ./curlTrace.txt
<Reading
     xmlns="urn:ieee:std:2030.5:ns"
     href="/upt/1/mr/1/r">
    <qualityFlags>01</qualityFlags>
    <timePeriod>
        <duration>1</duration>
        <start>1720723030</start>
    </timePeriod>
    <value>-6038</value>
</Reading>

cat troubleshoot

== Info:   Trying 10.0.0.226:8081...
== Info: Connected to 10.0.0.226 (10.0.0.226) port 8081
== Info: ALPN: curl offers h2,http/1.1
== Info: Cipher selection: ECDHE-ECDSA-AES128-CCM8
== Info: TLSv1.3 (OUT), TLS handshake, Client hello (1):
== Info: TLSv1.3 (IN), TLS handshake, Server hello (2):
== Info: TLSv1.2 (IN), TLS handshake, Certificate (11):
== Info: TLSv1.2 (IN), TLS handshake, Server key exchange (12):
== Info: TLSv1.2 (IN), TLS handshake, Request CERT (13):
== Info: TLSv1.2 (IN), TLS handshake, Server finished (14):
== Info: TLSv1.2 (OUT), TLS handshake, Certificate (11):
== Info: TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
== Info: TLSv1.2 (OUT), TLS handshake, CERT verify (15):
== Info: TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
== Info: TLSv1.2 (OUT), TLS handshake, Finished (20):
== Info: TLSv1.2 (IN), TLS handshake, Finished (20):
== Info: SSL connection using TLSv1.2 / ECDHE-ECDSA-AES128-CCM8 / prime256v1 / id-ecPublicKey
== Info: ALPN: server did not agree on a protocol. Uses default.
== Info: Server certificate:
== Info:  subject: [NONE]
== Info:  start date: Feb  8 18:46:17 2022 GMT
== Info:  expire date: Dec 31 23:59:00 9999 GMT
== Info:  issuer: C=US; O=Itron; CN=IEEE 2030.5 MICA; serialNumber=7
== Info:  SSL certificate verify result: self-signed certificate in certificate chain (19), continuing anyway.
== Info:   Certificate level 0: Public key type EC/prime256v1 (256/128 Bits/secBits), signed using ecdsa-with-SHA256
== Info:   Certificate level 1: Public key type EC/prime256v1 (256/128 Bits/secBits), signed using ecdsa-with-SHA256
== Info:   Certificate level 2: Public key type EC/prime256v1 (256/128 Bits/secBits), signed using ecdsa-with-SHA256
== Info:   Certificate level 3: Public key type EC/prime256v1 (256/128 Bits/secBits), signed using ecdsa-with-SHA256
== Info: using HTTP/1.x
== Info: Connection #0 to host 10.0.0.226 left intact

This is what I got from the --trace in configuration.yaml command_line

OpenSSL/3.3.1: error:0A000410:SSL routines::ssl/tls alert handshake failure

But I’ve googled this error for days and can’t find a solution.

I can’t find the openssl error catalogue.

It’s the same error I get when I SSH into the system with PuTTY and also from the web SSH terminal from Advanced SSH & Web Terminal.

Maybe it’s an SSH problem???

[core-ssh config]$ cd /
[core-ssh /]$ find . -name troubleshoot -print
./homeassistant/troubleshoot
[core-ssh /]$ cat /homeassistant/troubleshoot
== Info:   Trying 10.0.0.226:8081...
== Info: Connected to 10.0.0.226 (10.0.0.226) port 8081
== Info: ALPN: curl offers h2,http/1.1
== Info: Cipher selection: ECDHE-ECDSA-AES128-CCM8
=> Send SSL data, 5 bytes (0x5)
0000: 16 03 01 02 00                                  .....
== Info: TLSv1.3 (OUT), TLS handshake, Client hello (1):
=> Send SSL data, 512 bytes (0x200)
0000: 01 00 01 fc 03 03 22 16 df 7a 66 20 68 80 77 38 ......"..zf h.w8
0010: b4 2e 21 3e 6f 82 c2 9e ee d0 89 74 d9 de e3 a9 ..!>o......t....
0020: 4f 1b 2f fd d7 f1 20 61 0e 4c 3e 63 d3 b2 18 54 O./... a.L>c...T
0030: d2 1c 4b 90 dd d1 dd 25 7c c0 37 ab b4 18 89 7e ..K....%|.7....~
0040: 36 fa be 80 32 d5 77 00 08 13 02 13 03 13 01 00 6...2.w.........
0050: ff 01 00 01 ab 00 0b 00 04 03 00 01 02 00 0a 00 ................
0060: 16 00 14 00 1d 00 17 00 1e 00 19 00 18 01 00 01 ................
0070: 01 01 02 01 03 01 04 00 10 00 0e 00 0c 02 68 32 ..............h2
0080: 08 68 74 74 70 2f 31 2e 31 00 16 00 00 00 17 00 .http/1.1.......
0090: 00 00 31 00 00 00 0d 00 30 00 2e 04 03 05 03 06 ..1.....0.......
00a0: 03 08 07 08 08 08 1a 08 1b 08 1c 08 09 08 0a 08 ................
00b0: 0b 08 04 08 05 08 06 04 01 05 01 06 01 03 03 03 ................
00c0: 01 03 02 04 02 05 02 06 02 00 2b 00 05 04 03 04 ..........+.....
00d0: 03 03 00 2d 00 02 01 01 00 33 00 26 00 24 00 1d ...-.....3.&.$..
00e0: 00 20 fe 4b ee 8e dd b6 ee 27 f0 9f cc 8f a3 a6 . .K.....'......
00f0: b9 cb 5e 51 28 6b 7a 3f b7 9a 5a b2 66 f9 e1 03 ..^Q(kz?..Z.f...
0100: 08 43 00 15 00 fa 00 00 00 00 00 00 00 00 00 00 .C..............
0110: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0120: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0130: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0140: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0150: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0160: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0170: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0190: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
01a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
01b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
01c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
01d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
01e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
01f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
<= Recv SSL data, 5 bytes (0x5)
0000: 15 03 03 00 02                                  .....
== Info: TLSv1.3 (IN), TLS alert, handshake failure (552):
<= Recv SSL data, 2 bytes (0x2)
0000: 02 28                                           .(
== Info: OpenSSL/3.3.1: error:0A000410:SSL routines::ssl/tls alert handshake failure
== Info: Closing connection
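
The failing trace above already records why the meter refused the handshake: the ClientHello that curl sent lists only TLS 1.3 suites plus the renegotiation SCSV, so the requested CCM8 suite never went on the wire. This is an added example, not part of the original posts; it parses the first 83 bytes of that ClientHello and the 2-byte alert, both copied from the trace, and the suite names and code points are taken from the IANA TLS registry.

```python
import struct

# First 83 bytes of the 512-byte ClientHello, copied from the failing trace above.
CLIENT_HELLO_PREFIX = bytes.fromhex(
    "010001fc03032216df7a662068807738"
    "b42e213e6f82c29eeed08974d9dee3a9"
    "4f1b2ffdd7f120610e4c3e63d3b21854"
    "d21c4b90ddd1dd257cc037abb418897e"
    "36fabe8032d577000813021303130100"
    "ff0100"
)
ALERT_BODY = bytes.fromhex("0228")  # the 2-byte record the meter sent back

# IANA TLS cipher suite code points relevant to this thread.
SUITES = {
    0x1301: "TLS_AES_128_GCM_SHA256",
    0x1302: "TLS_AES_256_GCM_SHA384",
    0x1303: "TLS_CHACHA20_POLY1305_SHA256",
    0x00FF: "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
    0xC0AE: "TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8",  # OpenSSL: ECDHE-ECDSA-AES128-CCM8
}
REQUESTED = 0xC0AE


def offered_suites(hello: bytes) -> list[int]:
    """Return the cipher suite code points listed in a ClientHello handshake message."""
    if len(hello) < 39 or hello[0] != 0x01:
        raise ValueError("not a ClientHello")
    pos = 4 + 2 + 32                      # handshake header, legacy_version, random
    pos += 1 + hello[pos]                 # session_id length byte + session_id
    (n,) = struct.unpack_from(">H", hello, pos)
    pos += 2
    if n % 2 or pos + n > len(hello):
        raise ValueError("truncated or malformed cipher_suites vector")
    return [c for (c,) in struct.iter_unpack(">H", hello[pos:pos + n])]


def decode_alert(body: bytes) -> tuple[str, int]:
    """Split a TLS alert into (level, description code)."""
    if len(body) != 2:
        raise ValueError("alert body must be 2 bytes")
    return {1: "warning", 2: "fatal"}.get(body[0], "unknown"), body[1]


if __name__ == "__main__":
    for code in offered_suites(CLIENT_HELLO_PREFIX):
        print(f"0x{code:04X} {SUITES.get(code, 'unknown')}")
    print("requested CCM8 suite offered:", REQUESTED in offered_suites(CLIENT_HELLO_PREFIX))
    print("alert:", decode_alert(ALERT_BODY))  # description 40 = handshake_failure
```

The "(552)" that curl prints next to the alert is the two alert bytes read as one number, 0x0228: level 2 (fatal), description 40 (handshake_failure).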

Everyone is on the right track here. The new OpenSSL version that was recently bumped seems to have removed a lot of ciphers from availability. The one required in this setup is “ECDHE-ECDSA-AES128-CCM8”. You can ask openssl to list those that are available like in my image. You’ll want to notice that this is a TLS 1.2 cipher. If you force curl to only use 1.2 (vs. negotiating down after the first server call, which normally tries the highest first… TLS 1.3), and specify the cipher “ECDHE-ECDSA-AES128-CCM8”, it will point blank tell you “nope… it ain’t there”.

Thanks for the info! My quick follow-on question would be why does entering this same command in the terminal still work?

I’ll have to do some digging on why I was originally using that cipher, but it might have come from the documentation for the energy meter.

Thanks again for the info!

It’s a separate container.

1 Like

Thanks Nic,

I specified a --tlsv1.2 in the curl and that didn’t help, probably because, as you say, it was removed in the version of OpenSSL.

Is there a way to find a cipher that works?

I also tried changing the cipher to TLS_AES_128_GCM_SHA256, and that didn’t work.

I checked to see if the cipher was created in the certificate. It isn’t.

I don’t know much about OpenSSL.

This is how the certificate was created:

openssl req -x509 -nodes -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -keyout key.pem -out cert.pem -sha256 -days 1094 -subj '/CN=MeterReaderHanClient' -addext "certificatePolicies = critical,1.3.6.1.4.1.40732.2.2" -addext "keyUsage = critical,digitalSignature"

 ➜  homeassistant OPENSSL_CONF=/config/xcelcerts/myown/openssl.cnf /usr/bin/curl curl \
--tlsv1.2 --ciphers ECDHE-ECDSA-AES128-CCM8 --trace troubleshoot --insecure \
--url https://10.0.0.226:8081/upt/1/mr/1/r --cert /config/xcelcerts/myown/cert.pem --key /config/xcelcerts/myown/key.pem
curl: (6) Could not resolve host: curl
curl: (35) OpenSSL/3.3.0: error:0A000410:SSL routines::ssl/tls alert handshake failure
➜  homeassistant OPENSSL_CONF=/config/xcelcerts/myown/openssl.cnf /usr/bin/curl curl \
--tlsv1.2 --ciphers TLS_AES_128_GCM_SHA256 --trace troubleshoot --insecure \
--url https://10.0.0.226:8081/upt/1/mr/1/r --cert /config/xcelcerts/myown/cert.pem --key /config/xcelcerts/myown/key.pem
curl: (6) Could not resolve host: curl
curl: (59) failed setting cipher list: TLS_AES_128_GCM_SHA256

OK! I fixed it. (FYI to @wptracy) We can update the bug report saying any actions are unnecessary now. Basically, I figured out the new OpenSSL at 3.3.0 changed a few things. The cipher required for Xcel meters got put in a lower security class. Want to find out? Plug this into your SSH session on HA.

bash -c 'DEFAULT_SECLEVEL="$(openssl ciphers -s -v ALL | wc -l)"  # cipher count at the default level
    for ((i=0;i<=5;i++)); do 
        # Count the ciphers still enabled at security level i
        EVAL_SECLEVEL="$(openssl ciphers -s -v ALL:@SECLEVEL=${i} | wc -l)"
        echo -n "Security Level ${i} : Available Ciphers = ${EVAL_SECLEVEL}"
        # Flag the first level whose count matches the default count
        [[ ${SEMA} != "TRUE" ]] && [[ ${EVAL_SECLEVEL} -eq ${DEFAULT_SECLEVEL} ]] \
            && echo " (DEFAULT_LEVEL) " \
            && SEMA="TRUE" \
            || echo
        # Report every level at which the cipher used in the curl command is enabled
        openssl ciphers -s -v ALL:@SECLEVEL=${i} | grep -q "ECDHE-ECDSA-AES128-CCM8" \
            && echo "  >> REQUIRED CIPHER FOUND IN LEVEL ${i}"
    done
'

To make the change required, do the following in your openssl.cnf that is referenced during the curl command. No other changes are required to the curl command or sensor.

openssl_conf = openssl_init

[openssl_init]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
Options = UnsafeLegacyServerConnect
CipherString = DEFAULT@SECLEVEL=0

So, in my case the cnf file was being referenced like this… (/config/HelperScripts/Xcel-openssl.cnf)

OPENSSL_CONF=/config/HelperScripts/Xcel-openssl.cnf /usr/bin/curl --ciphers ECDHE-ECDSA-AES128-CCM8 --insecure -v --url https://XXX.XXX.XXX.XXX:8081/upt/1/mr/3/r --cert /config/HelperScripts/Xcel-Cert.pem --key /config/HelperScripts/Xcel-Key.pem
4 Likes

^ This… The container that runs the script is different. It has a different (higher) version of OpenSSL/cURL installed.

1 Like

@Nic3Quick

You are a genius, Thanks!!!

It worked.

1 Like

Nic, thanks for your help. That one line in the openssl.cnf file did the trick for me. I will pass your post along to anyone else I find!

1 Like

If anyone stumbles upon this, I’ll drop a useful bit I created a while back for diagnosing things in HA (containerized). I wrote a little shell script that you can source and get a few new functions. The one that is useful here is “FX_LoginContainer”. Makes it easy to get into the shell of a container.

4 Likes

Thanks @Nic3Quick

1 Like

Thank you for digging in and solving this! Fixed my Xcel problem too, and I’m back online with 2024.7.2.

2 Likes

@Nic3Quick

How do you execute this script?

Downloads # ./HAHelper.sh
Downloads # sh HAHelper.sh
HAHelper.sh: line 132: syntax error: unexpected “(” (expecting “}”)
Downloads # ./HAHelper.sh FX_GetSelection
Downloads # bash HAHelper.sh
Downloads # ls -l
total 12
-rwxr-xr-x 1 root root 10616 Jul 12 05:12 HAHelper.sh
Downloads #

It’s a bash sourced environment script. I’ll put up a README for it, but here is a bootstrapper for you @wptracy. Just paste this into the command line of the login shell. It will ensure BASH is actually present and used (per /etc/passwd) so the sourcing of the env can be done (this was the error you saw). It will source the env each time you log in thereafter. Type “FX” at the prompt with a few tabs to see what functions are made available.

    ! grep -q "HAHelper_Bootstrapper" "${MOTD:=/etc/profile.d/show_motd.sh}" 2>/dev/null \
        && apk add bash \
        && sed -i 's|^\(root:.*:/bin/\)sh$|\1bash|' /etc/passwd \
        && echo -e '\nsource <([ ! -f '"${HAHELPER:=/etc/profile.d/HAHelper.sh}"' ] \
            && curl -s https://raw.githubusercontent.com/NicFragale/HA-NetFoundry/main/HAHelper.sh -o '"${HAHELPER}"' \
            && cat '"${HAHELPER}"' \
            || cat '"${HAHELPER}"') # HAHelper_Bootstrapper
        ' >> "${MOTD}" \
        && echo ">SUCCESS - LOGOUT AND LOGIN AGAIN<" \
        || echo ">ERROR<"
1 Like

Thanks Nic

-bash: docker: command not found

root@core-ssh ~/config/Downloads> FX_
FX_ColorText               FX_GetResponse
FX_ContainerMod            FX_GetSelection
FX_GetContainerNetworking  FX_GetYorN
FX_GetContainers           FX_LoginContainer
root@core-ssh ~/config/Downloads> FX_GetContainers
-bash: docker: command not found
root@core-ssh ~/config/Downloads> docker
-bash: docker: command not found
(127) root@core-ssh ~/config/Downloads> ha docker

The docker command provides command-line tools to control the host docker that
Home Assistant is running on. It allows you to do things like use private OCI registries.

Usage:
  ha docker [command]

Aliases:
  docker, do

Examples:

  ha docker info
  ha docker registries

Available Commands:
  info        Shows information about the host docker backend
  registries  Manage private OCI docker registry

Flags:
  -h, --help   help for docker

Global Flags:
      --api-token string   Home Assistant Supervisor API token
      --config string      Optional config file (default is $HOME/.homeassistant.yaml)
      --endpoint string    Endpoint for Home Assistant Supervisor (default is 'supervisor')
      --log-level string   Log level (defaults to Warn)
      --no-progress        Disable the progress spinner
      --raw-json           Output raw JSON from the API

Use "ha docker [command] --help" for more information about a command.
root@core-ssh ~/config/Downloads


root@core-ssh ~/config/Downloads> FX_Get
FX_GetContainerNetworking  FX_GetSelection
FX_GetContainers           FX_GetYorN
FX_GetResponse
root@core-ssh ~/config/Downloads> FX_GetContainerNetworking
-bash: docker: command not found
[INFO      ] Which container?
1) QUIT
2) ALL
#? > 2
root@core-ssh ~/config/Downloads> env
SHELL=/bin/bash
CHARSET=UTF-8
PWD=/root/config/Downloads
LOGNAME=root
TZ=America/Denver
HOME=/root
LANG=C.UTF-8
SSH_CONNECTION=10.0.0.55 56762 172.30.33.1 22
TERM=xterm
USER=root
SUPERVISOR_TOKEN=61346d9e64a50a38c6d8c4f9c8c086b323414b0dc9071d116993b708ae1705a43b52dbff585d4e53a062b41e94c2a4ce114b450c937fd376
SHLVL=1
PAGER=less
PS1=$(RC=$?; if [[ ${RC} == 0 ]]; then echo "\[\e[1;92;40m\]\u@\h \w>"; else echo "(${RC}) \[\e[1;91;40m\]\u@\h \w>"; fi)\[\e[0;0m\]
SSH_CLIENT=10.0.0.55 56762 22
LC_COLLATE=C
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
MAIL=/var/mail/root
SSH_TTY=/dev/pts/0

1 Like