Enable use of self-signed certificates with urllib3

As a work-around, I have created an add-on that updates the HA certificate stores with specified self-signed certificates.

It is not generic at this point; the certificates are included as part of the add-on, but it should be possible to use a block of text from the configuration tab instead of a file included in the add-on. Note that the docker and bash commands can just be run from within the homeassistant container to achieve this without the add-on. But here is the add-on script:

#!/usr/bin/env bash
# Skip if the marker file from a previous run already exists in the container.
if docker exec homeassistant ls /usr/local/share/ca-certificates | grep -q self-signed-certs.pem; then
	echo "Home Assistant already has certificates added, skipping"
else
	echo "Adding self-signed certificates to Home Assistant"
	# Pull certifi's bundle out of the container, append our certs, push it back.
	# NOTE: the python3.8 path is hard-coded and changes with the HA Python version.
	docker cp homeassistant:/usr/local/lib/python3.8/site-packages/certifi/cacert.pem /var/certs
	cat /app/self-signed-certs.crt >> /var/certs
	docker cp /var/certs homeassistant:/usr/local/lib/python3.8/site-packages/certifi/cacert.pem
	echo "Self-signed certificates added to Home Assistant certifi"

	# Also register them with the system store so curl and OpenSSL trust them.
	docker cp /app/self-signed-certs.crt homeassistant:/usr/local/share/ca-certificates/self-signed-certs.pem
	docker exec homeassistant update-ca-certificates
	echo "Self-signed certificates added to Home Assistant ca-certificates"

	echo "NOTE: manually restart Home Assistant!"
fi

# Remove the temporary merged bundle if it was created.
[ -f /var/certs ] && {
	echo "Cleaning up"
	rm -f /var/certs
}

echo "Done"

The certificates are added to both certifi and the ca-certificates bundles so both python and curl are satisfied. I’ve tested both curl https: connections and zoneminder with verify_ssl: true.

It would be nice if something like this is incorporated into HA, because the use model for the above is:

  1. Update home assistant. Zoneminder won’t work (because I have verify_ssl: true in my config)
  2. Run the add-on (or manually update certificates)
  3. Restart home assistant

Updating the certificate store prior to starting HA for the first time after an update would save the extra restart. If this issue sticks around I’ll likely update the add-on to automatically detect the python version (so “python3.8” isn’t hard-coded in the add-on).
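As an added example (not the poster's add-on), the same certifi merge done without the hard-coded python3.8 path and without duplicating certs on repeated runs: the bundle location is asked from certifi inside the container, and each PEM block is appended only if its body is not already in the bundle. The container name "homeassistant", the docker commands and the cert file path are assumed to match the post.

```bash
#!/usr/bin/env bash
# Added example, not the original add-on. Assumes the container is named
# "homeassistant" and the self-signed certs live in one PEM file on the host.
set -eu

# Ask the container's own Python where certifi keeps cacert.pem (no version guess).
certifi_bundle_path() {
  docker exec "$1" python3 -c 'import certifi; print(certifi.where())'
}

# Print one line per certificate in a PEM file: its base64 body, newlines removed.
cert_bodies() {
  awk '/^-----BEGIN CERTIFICATE-----/ { body = ""; inside = 1; next }
       /^-----END CERTIFICATE-----/   { print body; inside = 0; next }
       inside { body = body $0 }' "$1"
}

# Append every certificate in $2 that is not already in bundle $1.
# Prints the number of certificates added, so running it twice is harmless.
append_missing_certs() {
  local bundle="$1" certs="$2" added=0 existing body
  existing="$(cert_bodies "$bundle")"
  while IFS= read -r body; do
    [ -n "$body" ] || continue
    if printf '%s\n' "$existing" | grep -qxF -- "$body"; then
      continue                      # identical cert already in the bundle
    fi
    {
      printf -- '-----BEGIN CERTIFICATE-----\n'
      printf '%s\n' "$body" | fold -w 64
      printf -- '-----END CERTIFICATE-----\n'
    } >> "$bundle"
    added=$((added + 1))
  done <<EOF
$(cert_bodies "$certs")
EOF
  echo "$added"
}

# Full flow against the container: copy the bundle out, merge, copy it back.
update_container_bundle() {
  local container="$1" certs="$2" path tmp n
  path="$(certifi_bundle_path "$container")"
  tmp="$(mktemp)"
  docker cp "$container:$path" "$tmp"
  n="$(append_missing_certs "$tmp" "$certs")"
  if [ "$n" -gt 0 ]; then docker cp "$tmp" "$container:$path"; fi
  rm -f "$tmp"
  echo "added $n certificate(s) to $path"
}
```

Run it as `update_container_bundle homeassistant /app/self-signed-certs.crt`; the ca-certificates step from the post is still needed separately for curl.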
