Home Assistant Voice PE SSL issues

Hi-
I'm trying to set up my Home Assistant Voice PE (NC-VK-9727) running firmware 25.10.0. I am running Home Assistant version 2025.10.0 in a Docker container on Linux. I have my HASS install set up with SSL, using a Let’s Encrypt cert. My cert is valid, not expired and I see the lock when connecting to the HASS frontend.

When I send a command to the VA, it accepts it, the pipeline runs, but when it tries to reply back I see the following in the logs (using the esphome tool):

[22:27:05][D][media_player:090]:   Media URL: https://redacted.redacted.com:8123/api/tts_proxy/tI0798PNR9OL9XYxIs3JiA.flac
[22:27:05][D][media_player:096]:  Announcement: yes
[22:27:05][D][speaker_media_player:406]: State changed to ANNOUNCING
[22:27:05][D][voice_assistant:623]: Event Type: 2
[22:27:05][D][voice_assistant:763]: Assist Pipeline ended
[22:27:06][E][speaker_media_player.pipeline:112]: Media reader encountered an error: ESP_ERR_HTTP_CONNECT
[22:27:06][E][speaker_media_player:326]: The announcement pipeline's file reader encountered an error.
[22:27:06][D][esp-idf:000][ann_read]: E (3838174) esp-x509-crt-bundle: Failed to verify certificate
[22:27:06][D][esp-idf:000][ann_read]: E (3838174) esp-tls-mbedtls: mbedtls_ssl_handshake returned -0x3000
[22:27:06][D][esp-idf:000][ann_read]: E (3838175) esp-tls: Failed to open new connection
[22:27:06][D][esp-idf:000][ann_read]: E (3838175) transport_base: Failed to open a new connection
[22:27:06][D][esp-idf:000][ann_read]: E (3838176) HTTP_CLIENT: Connection failed, sock < 0
[22:27:06][E][audio_reader:120][ann_read]: Failed to open URL
[22:27:06][E][speaker_media_player.pipeline:112]: Media reader encountered an error: ESP_ERR_HTTP_CONNECT
[22:27:06][E][speaker_media_player:326]: The announcement pipeline's file reader encountered an error.
[22:27:06][D][esp-idf:000][ann_read]: E (3838486) esp-x509-crt-bundle: Failed to verify certificate
[22:27:06][D][esp-idf:000][ann_read]: E (3838487) esp-tls-mbedtls: mbedtls_ssl_handshake returned -0x3000
[22:27:06][D][esp-idf:000][ann_read]: E (3838487) esp-tls: Failed to open new connection
[22:27:06][D][esp-idf:000][ann_read]: E (3838487) transport_base: Failed to open a new connection
[22:27:06][D][esp-idf:000][ann_read]: E (3838488) HTTP_CLIENT: Connection failed, sock < 0
[22:27:06][E][audio_reader:120][ann_read]: Failed to open URL
[22:27:06][E][speaker_media_player.pipeline:112]: Media reader encountered an error: ESP_ERR_HTTP_CONNECT
[22:27:06][E][speaker_media_player:326]: The announcement pipeline's file reader encountered an error.
[22:27:06][D][esp-idf:000][ann_read]: E (3838734) esp-x509-crt-bundle: Failed to verify certificate
[22:27:06][D][esp-idf:000][ann_read]: E (3838734) esp-tls-mbedtls: mbedtls_ssl_handshake returned -0x3000
[22:27:06][D][esp-idf:000][ann_read]: E (3838735) esp-tls: Failed to open new connection
[22:27:06][D][esp-idf:000][ann_read]: E (3838735) transport_base: Failed to open a new connection
[22:27:06][D][esp-idf:000][ann_read]: E (3838735) HTTP_CLIENT: Connection failed, sock < 0
[22:27:06][E][audio_reader:120][ann_read]: Failed to open URL
[22:27:06][D][speaker_media_player:406]: State changed to IDLE
[22:27:06][D][voice_assistant:350]: Announcement finished playing
[22:27:06][D][voice_assistant:477]: State changed from STREAMING_RESPONSE to RESPONSE_FINISHED
[22:27:06][D][voice_assistant:484]: Desired state set to RESPONSE_FINISHED
[22:27:06][D][voice_assistant:477]: State changed from RESPONSE_FINISHED to IDLE
[22:27:06][D][voice_assistant:484]: Desired state set to IDLE

http config in configuration.yml:

http:
  cors_allowed_origins:
    - https://google.com
    - https://home-assistant.io
  ssl_certificate: /config/cert/live/redacted.redacted.com/cert.pem
  ssl_key: /config/cert/live/redacted.redacted.com/privkey.pem

After a bunch of googling, I have found a few posts of people having the same issue as me, specifically “mbedtls_ssl_handshake returned -0x3000”. Some of the posts say that the device does not work with recent versions of TLS, but the versions that they mention working are very old with huge security concerns.
Many of the docs also talk about “taking control” or using an “esp builder tool”, but I can’t find any documentation that explains what this is or how to do it. I can’t disable SSL but I'm lost at this point.
Any help would be great, thanks in advance!


This is the flaw in your troubleshooting logic. Your computer browser can correctly trace the Let’s Encrypt certificate all the way to its root CA, but that only applies to that computer. It has no relation to the Voice PE and its ability to trace the certificate to a root CA.

All devices that perform certificate-based encryption have a root CA store that is managed “out of band”, that is to say not through the browsing process. If a root CA is missing, then the process fails. This is a main reason that browsers on unsupported operating systems stop working: the root CA store is no longer maintained and the certificates constantly age out and are updated (they do have a long life, however, usually 10 years or more).

It’s likely “esp-x509-crt-bundle: Failed to verify certificate” is an indication a certificate in your path is not found. The only way to fix this is to reflash the device with an updated certificate bundle.

https://docs.espressif.com/projects/esp-idf/en/stable/esp32/api-reference/protocols/esp_crt_bundle.html

You can view the certificate chain in your browser by clicking the lock and looking at the details:

In the case of the Let’s Encrypt certificate I have, ISRG Root X1 must exist on the ESP.

It’s hard to say what went wrong without opening an issue with ESPHome. In my case, the root was issued in 2015 so it should be in the bundle, but the error seems to indicate yours isn’t.
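An added example, not part of any post in this thread: a client with a fixed root bundle can only build a path from the certificates the server sends plus its own roots, so it is worth checking what the file named in `ssl_certificate` actually contains. This goes slightly beyond the reply above by also covering intermediates; in certbot's layout `cert.pem` holds only the leaf and `fullchain.pem` holds the leaf plus intermediates. The PKI below is constructed test data, and `issue`, `build_test_pki` and `chain_ok` are hypothetical helper names.

```shell
#!/bin/sh
# Added example: constructed throwaway PKI, hypothetical function names.

# issue <dir> <name> <issuer> <ext-section> <CN>: key + CSR, signed by <issuer>.
issue() {
  openssl req -new -config "$1/ext.cnf" -newkey rsa:2048 -nodes -subj "/CN=$5" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/$2.csr" -CA "$1/$3.pem" -CAkey "$1/$3.key" \
    -CAcreateserial -extfile "$1/ext.cnf" -extensions "$4" -days 1 \
    -out "$1/$2.pem" 2>/dev/null
}

# build_test_pki <dir>: root -> intermediate -> leaf, all test values.
build_test_pki() {
  cat > "$1/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca
[dn]
commonName = Common Name
[ca]
basicConstraints = critical,CA:TRUE
[leaf]
basicConstraints = CA:FALSE
EOF
  openssl req -x509 -config "$1/ext.cnf" -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Test Root" -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null &&
  issue "$1" int root ca "Test Intermediate" &&
  issue "$1" leaf int leaf "ha.example.test"
}

# chain_ok <root.pem> <served.pem>: the first certificate in <served.pem> is the
# leaf; the rest are offered as untrusted intermediates, as in a TLS handshake.
chain_ok() {
  openssl verify -CAfile "$1" -untrusted "$2" "$2" >/dev/null 2>&1
}

demo() {
  d=$(mktemp -d) && build_test_pki "$d" || return 1
  cp "$d/leaf.pem" "$d/cert.pem"                       # leaf only
  cat "$d/leaf.pem" "$d/int.pem" > "$d/fullchain.pem"  # leaf + intermediate
  for f in cert.pem fullchain.pem; do
    if chain_ok "$d/root.pem" "$d/$f"; then echo "$f: path to root found"
    else echo "$f: no path to root"; fi
  done
  rm -rf "$d"
}
demo
```

Against a real deployment, `chain_ok` takes a copy of the expected root (ISRG Root X1 in the reply above) and the file configured as `ssl_certificate`.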

Makes sense, thanks for the explanation.
Are there any docs available on how to build and flash custom images so I can try to build an image with a more up to date root ca package?

Personally, I wouldn’t assume that’s the problem. I would open an issue with the ESPHome folks. You can recompile your device to ignore SSL errors but that will involve ESPHome Builder. You implied earlier that that might be beyond your comfort level.

I’ve got the same problem.
Have you found a solution? I’ve easily spent 20 hours on this problem and I’m about ready to go back to Alexa…