Endless InsecureRequestWarning errors with UniFi


#1

I’m wondering if anyone here has encountered anything like this as I’m running out of ideas to resolve the issue below.
My logfiles are being spammed roughly every 12 seconds with the message:

Nov 06 18:24:43 hass hass[19909]: /srv/homeassistant/lib/python3.6/site-packages/urllib3/connectionpool.py:858: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
Nov 06 18:24:43 hass hass[19909]: InsecureRequestWarning)

I have tried setting the logger default to warning, error, fatal, and critical. With logger set to critical the only messages I’m seeing are these errors. I’ve attempted to nail down just these errors with the following configuration.yaml settings:

logger:
  default: error
  logs:
    requests.packages.urllib3.connectionpool: critical
    py.warnings: critical
    homeassistant.components.device_tracker: critical

That doesn’t work either.

The error text leads to a link which suggests pip install certifi as a solution, which I’ve confirmed is available in my deployed venv.

For the unifi component I’ve set verify_ssl: false. My UniFi installation is utilizing self-signed certs from a local CA, so I’ve added my CA’s .crt to /usr/share/ca-certificates/extra and ran sudo dpkg-reconfigure ca-certificates to import the CA. Testing access to the URL from the cli via wget https://unifi.domain.net:8443 returns a successful certificate check.

The only solution I’ve found to stop it is to completely disable the UniFi component. There appears to be a bug report for this issue from 6 months ago that suggests the issue is now fixed, but I’ve only seen this starting in the last few weeks (had to delete old logs as I ran out of disk because of this issue, so I don’t have an exact start date).

My system is running Ubuntu 17.04, hass 0.57.2, python 3.6.1, and UniFi 5.6.20 Stable


#2

I can’t really help with your specific problem, but I may be able to help in another way.

Are you just trying to track wireless devices and if so just devices connected to one Unifi AP?


#4

I’m using UniFi to track 3 cell phones. I have 3 APs deployed to cover my footprint.


#5

https://github.com/home-assistant/home-assistant/pull/10097 adds support for directly connecting to Unifi APs. I only have one and I am not sure if it can support multiple APs, but might be able to update it to allow this.


#6

I’d be willing to give it a shot if it works with multiple APs. Any idea how I might configure it to do so?


#7

So I don’t know how Home Assistant handles multiple instances of the same platform. The config is as follows.

device_tracker:
  - platform: unifi_direct
    host: 192.168.5.2
    username: USERNAME
    password: PASSWORD

It might be possible to do the following

device_tracker:
  - platform: unifi_direct
    host: 192.168.5.2
    username: USERNAME
    password: PASSWORD
  - platform: unifi_direct
    host: 192.168.5.3
    username: USERNAME
    password: PASSWORD
  - platform: unifi_direct
    host: 192.168.5.4
    username: USERNAME
    password: PASSWORD

To test this you need to create the following folder:
PATH_TO_YOUR_HA_CONFIG/custom_components/device_tracker/

And then dump this file https://github.com/w1ll1am23/home-assistant/blob/df34139f5aca1d26455723d4c52147f13538f665/homeassistant/components/device_tracker/unifi_direct.py into that folder and restart.

If that doesn’t work I will need to make some updates to support multiple APs so you could do something like

device_tracker:
  - platform: unifi_direct
    hosts:
      - host: 192.168.5.2
        username: USERNAME
        password: PASSWORD
      - host: 192.168.5.3
        username: USERNAME
        password: PASSWORD
      - host: 192.168.5.3
        username: USERNAME
        password: PASSWORD

#8

Unifi component checks for valid https cert. If none exist you get this error if ssl set to false

EDIT
By valid I mean not Self Signed and from CA like letsencrypt


#9

I’m not sure I understand, can you explain a bit? I have verify_ssl: false set in the UniFi configuration. This system is not exposed to the internet making LetsEncrypt a problem. I have a local CA which I use to issue certificates, which I’ve deployed to this system and which can be successfully verified (chained from UniFi to my CA) with openssl s_client -connect unifi.<mydomain>.net:9443

With some further research it appears that Python virtualenvs might not be pulling the list of CAs from the system.


#10

I somewhat misspoke.

Yes. It does not check cert because you set ssl_verify =false.

When you choose ssl_verify =false it gives error to say, “hey, you are doing something less secure than recommended and we want you to know this. You may ignore this message but do so at your own risk”.

If ssl_verify=true and using ssl cert signed by CA, this error will disappear. I did not test or verify but this is expected function and error cause as I understand it.

EDIT
You are logging into what is likely critical network security piece. You are providing credentials to unverified (could be spoofed but not likely) server. Verify_ssl=false is kind of a leap of faith.


#11

Sorry I misread part where you say you have own CA local.

In this case ssl_verify=true should be set I would believe. If not error will always appear


#12

That actually worked! I’m not sure why disabling verification would cause this degree of log spew, but enabling verification does now seem to be able to pick up my UniFi system’s cert and chain it to my CA (or if not, it’s stopped complaining about it). Either way my logs are back to their normal state, so thanks!

edit: ugh spoke too soon - that got rid of the errors by just not working at all, presumably as it’s failing the SSL check on account of not having any CAs defined.


#13

For reference, here is a live view of the log as this happens (until I reboot Hass or I run out of disk space again).


#14

After searching for what seems like forever, a definitive answer can be had.

Setting an ENV var
PYTHONWARNINGS="ignore:Unverified HTTPS request"
either at a system level, or at the execution level of hass, or injected into the docker run will quiet these down


#15

I’m getting these errors too (running the unifi controller integration). Any idea how you inject that into a docker run?


#16

I eventually resolved the issue by utilizing LetsEncrypt certs on the unifi host. Now it has auto-renewing certs which are trusted by all (most?) clients and the result has been an end to the months of log spew it was previously creating.


#17

@davericher

I’m running Home Assistant and Unifi Controller in docker containers on a Synology DSM-918+.
Your answer was the only solution after reaching the end of the internet … :slight_smile:
Now the log is not spammed with Unifi messages, I don’t know if we just covered up the rust with fresh paint, but it sure did stop those messages from spamming the logs every 10 seconds.

Now I only have to deal with random but frequent “Timer got out of sync. Resetting” messages.

BIG Thank You.


#18

Tried that but still get them :frowning:

al/lib/python3.6/site-packages/urllib3/connectionpool.py:847: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings


#19

Trying it with docker-compose and setting PYTHONWARNINGS="ignore:Unverified HTTPS request" isn’t working for me. I entered the container and can see it set looking at export and set, but I still get that warning :frowning:


#20

[email protected]:~/.homeassistant/deps/lib/python3.6/site-packages/pyunifi# nano controller.py

add these lines just below last import

import urllib3
urllib3.disable_warnings()

and delete these lines

if ssl_verify is False:
    warnings.simplefilter("default", category=requests.packages.
                          urllib3.exceptions.InsecureRequestWarning)

[email protected]:~/.homeassistant/deps/lib/python3.6/site-packages/pyunifi# rm -R __pycache__

this is from my notes …I do this and it gets rid of those errors


#21

Then restart
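
Why the environment variable from post #14 can fail while the edit from post #20 works, shown with Python's standard `warnings` module. This is an added example, not code from the thread or from pyunifi; `InsecureRequestWarning` and `disable_standin` are local stand-ins for the urllib3 names, and `rerun_each_poll` models a client that repeats its filter setup on every poll, which is an assumption the thread does not confirm.

```python
import re
import warnings


class InsecureRequestWarning(Warning):
    """Stand-in for urllib3's warning class so the example runs offline."""


MESSAGE = "Unverified HTTPS request is being made."


def env_ignore():
    # Equivalent of PYTHONWARNINGS="ignore:Unverified HTTPS request":
    # action "ignore", message matched literally from the start of the text.
    warnings.filterwarnings("ignore", message=re.escape("Unverified HTTPS request"))


def library_default():
    # The lines post #20 deletes. simplefilter() inserts at the front of the
    # filter list, so this rule is consulted before the environment's rule.
    warnings.simplefilter("default", category=InsecureRequestWarning)


def disable_standin():
    # Stand-in for urllib3.disable_warnings(): an "ignore" rule at the front.
    warnings.simplefilter("ignore", category=InsecureRequestWarning)


def count_emitted(steps, polls=3, rerun_each_poll=None):
    """Apply filter-changing steps in order, then emit the warning `polls`
    times from one call site and return how many reached the log."""
    with warnings.catch_warnings(record=True) as log:
        warnings.resetwarnings()  # start from an empty filter list
        for step in steps:
            step()
        for _ in range(polls):
            if rerun_each_poll:
                rerun_each_poll()  # a filter change clears the "already shown" registry
            warnings.warn(MESSAGE, InsecureRequestWarning)
        return len(log)


if __name__ == "__main__":
    print("env var only:              ", count_emitted([env_ignore]))
    print("env var + library rule:    ", count_emitted([env_ignore, library_default]))
    print("library rule every poll:   ", count_emitted([env_ignore], rerun_each_poll=library_default))
    print("disable, then library rule:", count_emitted([disable_standin, library_default]))
    print("library rule removed:      ", count_emitted([disable_standin]))
```

These filters only decide what reaches the log; whether the controller's certificate is checked is still governed by verify_ssl and the CA bundle the Python client reads.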