Hi, I have a Supervised-based install on Ubuntu 20.04 LTS. The box sits on a LAN with an Untangle firewall that is doing SSL-based inspection of github.com (among other domains). Because of this, I cannot update my Homeassistant/HACs install and see errors in the logs like:
2020-07-04 09:51:54 INFO (MainThread) [backoff] Backing off call_api(...) for 5.4s (aiohttp.client_exceptions.ClientConnectorCertificateError: Cannot connect to host api.github.com:443 ssl:True [SSLCertVerificationError: (1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1076)')])
2020-07-04 09:52:00 ERROR (MainThread) [backoff] Giving up call_api(...) after 5 tries (aiohttp.client_exceptions.ClientConnectorCertificateError: Cannot connect to host api.github.com:443 ssl:True [SSLCertVerificationError: (1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1076)')])
2020-07-04 09:52:00 CRITICAL (MainThread) [hacs] [Cannot connect to host api.github.com:443 ssl:True [SSLCertVerificationError: (1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1076)')]] - Could not load HACS!
I am able to fix this at the host level (for everything but Python) via adding the firewall’s certificate to /usr/local/share/ca-certificates/, and I can even fix this at the host-level for Python with an environment variable (see ssl - Python Requests - How to use system ca-certificates (debian/ubuntu)? - Stack Overflow), however, is there any way to supply this certificate to home assistant, or force off SSL verification for these updates? I tried passing -e REQUESTS_CA_BUNDLE=/data/ssl/my-cert-package.crt to the docker run command in /usr/sbin/hassio-supervisor, and throwing the certs into /usr/share/hassio/ssl/my-cert-package.crt, but still no go.
The obvious fix here is to turn off SSL inspection for this host, at least for github.com, but I was just curious if it was possible to add a custom cert to allow for an SSL-inspecting/MITM firewall.
Robby