Home assistant Voice PE TLS certificate verification failed

Hello.

I have purchased HA Voice Preview edition and added the device to HASSIO core 2024.12.5. Some features work but TTS/responses do not.

When I select “set up voice assistant” in integrations > ESPHome

After a while I see the following:

“The voice assistant is unable to connect to Home Assistant
To play audio, the voice assistant device has to connect to Home Assistant to fetch the files. Our test shows that the device is unable to reach the Home Assistant server.”

After some troubleshooting and not getting very far I decided to “Take control” using “ESPHome builder”.

After compiling and installing, I see the following in the logs.

[23:45:15][D][esp-idf:000][ann_read]: E (2819428) esp-x509-crt-bundle: Failed to verify certificate

[23:45:15][D][esp-idf:000][ann_read]: E (2819431) esp-tls-mbedtls: mbedtls_ssl_handshake returned -0x3000

[23:45:15][D][esp-idf:000][ann_read]: E (2819432) esp-tls: Failed to open new connection

[23:45:15][D][esp-idf:000][ann_read]: E (2819433) transport_base: Failed to open a new connection

[23:45:15][D][esp-idf:000][ann_read]: E (2819434) HTTP_CLIENT: Connection failed, sock < 0

[23:45:15][E][nabu_media_player.pipeline:171]: Media reader encountered an error: ESP_ERR_HTTP_CONNECT
[23:45:15][E][nabu_media_player:305]: The announcement pipeline's file reader encountered an error.

It seems perhaps the “unable to connect to home assistant to play voice” error may be due to a certificate error?

Is there a way to get round this problem? Perhaps an ignore SSL error configuration entry or ideally add the appropriate root CA to the bundle? If that is the cause?

Commands such as “turn the light on” or off do work, just responses to things like “what time is it?” There’s no audio from TTS.

Your input is very much appreciated.

2 Likes

I have the same problem :frowning:

I suspect this may have something to do with it. My local network field points to an old location (a DNS redirect I had set up at one time, 2rememberyou.me) that is invalid and no longer exists. Problem is that I can't edit it, and there is nothing in my config that should be restricting me from doing so as the message suggests. I may be way off the mark here, but if you press the ‘Help Me’ button when the error comes up it brings you to this page and the section that is talking about that box: Troubleshooting Assist - Home Assistant. Please help.

Edit: Found a solution.

Instructions for Resolving the “Voice Assistant Cannot Connect to Home Assistant” Issue

If you’re encountering the error “The voice assistant is unable to connect to Home Assistant” or facing issues where the Local Network URL in Home Assistant settings is incorrect, grayed out, or pointing to an outdated or unreachable URL, follow these steps to resolve the issue.


Symptoms:

  1. The voice assistant understands commands but does not play Text-to-Speech (TTS) responses.
  2. The Local Network URL under Settings > System > Network is incorrect, outdated, or locked from editing.
  3. Errors in the Home Assistant logs, such as the voice assistant being unable to fetch audio files.

Step-by-Step Fix:

1. Access Your Home Assistant Files

You will need SSH or direct access to the Home Assistant file system. If you don’t already have SSH enabled:

  • Install the SSH & Web Terminal add-on from Home Assistant Add-On Store.
  • Enable SSH and connect to your Home Assistant instance.

2. Search for the Problematic URL

Run the following command to locate where the incorrect URL is stored:

grep -ri "your-problematic-url" /config/.storage

Replace your-problematic-url with the outdated or incorrect URL (e.g., 2rememberyou.me).

The command should return the file path where the URL is stored, typically in:

/config/.storage/core.config

3. Edit the Configuration File

Once you’ve identified the file, open it for editing:

nano /config/.storage/core.config

In this file, look for a section similar to:

"internal_url": "https://your-problematic-url",

4. Update or Nullify the URL

Change the internal_url value to null or update it to your correct local IP address.

For example:

  • To clear the value:

"internal_url": null,

  • Or, to set your correct local URL:

"internal_url": "http://192.168.1.227:8123",

5. Save the Changes

  1. Press CTRL + O to save the file.
  2. Press Enter to confirm the file name.
  3. Press CTRL + X to exit.

6. Restart Home Assistant

Restart Home Assistant to apply the changes:

ha core restart

7. Verify and Fix Local Network URL

  • Go to Settings > System > Network.
  • Check the Local Network URL field. It should now display the correct local URL (e.g., http://192.168.1.227:8123) and be editable.

If it still shows the old URL, enter the correct URL and save the changes.


Notes:

  • The internal_url setting in /config/.storage/core.config overrides the Local Network URL in the UI. Deleting or nullifying it allows Home Assistant to recalculate the correct URL automatically.
  • This fix applies to Home Assistant setups where an incorrect or outdated internal URL is blocking TTS or other network-dependent functionalities.

This was the solution for me. Hopefully it works for you as well.

Edit 2: Man, this device is SO nice. Local Piper and Whisper v3 Turbo running on a rack mount 4090.

@2rememberyou thank you for your input

I opened a new issue on GitHub after I “Took control” in ESPHome builder and saw an issue with TLS certificate verification.

See here:

I have used a workaround to set “verify_ssl: false” in the configuration file in ESPHome Builder.

Not ideal, but with my setup it’s the quickest way to get a fully working HA Voice PE device. The “Setup voice assistant” wizard now works from the integration. Now I need to get better hardware for local LLM. Hope this helps anyone that can’t get TTS responses working.

Thanks.

My problem was that the internal URL was https: and not http:. After the change it worked. :smiley:
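As an added example (not part of any post in this thread and not Home Assistant code), here is a small Python check for the two causes reported above: a stale hostname stored in internal_url, and an https internal URL whose certificate the device has to verify. The function name, the sample file contents and the assumed file layout (settings under a top-level "data" object) are assumptions.

```python
import ipaddress
import json
from urllib.parse import urlsplit

# Constructed sample of /config/.storage/core.config. Assumed layout:
# the settings live under a top-level "data" object.
SAMPLE_CORE_CONFIG = """
{
  "version": 1,
  "key": "core.config",
  "data": {
    "external_url": null,
    "internal_url": "https://2rememberyou.me"
  }
}
"""


def audit_internal_url(core_config_text):
    """Return a list of findings about the stored internal_url."""
    data = json.loads(core_config_text).get("data", {})
    url = data.get("internal_url")
    if url is None:
        return ["internal_url is null: Home Assistant works out the local URL itself"]
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return [f"internal_url {url!r} is not a usable http(s) URL"]
    findings = []
    if parts.scheme == "https":
        # This is the case behind "Failed to verify certificate" in the log.
        findings.append("https: the device must verify this certificate "
                        "against its built-in CA bundle")
    try:
        addr = ipaddress.ip_address(parts.hostname)
    except ValueError:
        # Not an IP literal, so the device depends on name resolution.
        findings.append(f"hostname {parts.hostname!r}: must still resolve "
                        "to Home Assistant on the local network")
    else:
        if not addr.is_private:
            findings.append(f"{addr} is not a private address: "
                            "check that this really is the local URL")
    return findings


if __name__ == "__main__":
    for finding in audit_internal_url(SAMPLE_CORE_CONFIG):
        print("-", finding)
```

On a real system, pass the contents of /config/.storage/core.config to audit_internal_url instead of the constructed sample.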

It would be great if someone from Home Assistant could take a look at this thread. I did find a workaround to use HA Cloud, but it requires recompiling the firmware with specific options to set the mbedtls module to TLS 1.2 only.

Having to change the Internet endpoint to leverage HA Cloud TTS is a poor workaround and I wanted to get to the bottom of this.

This is currently broken in the shipping firmware of the Voice PE IMO. People also shouldn’t have to disable SSL/TLS to get Voice PE to work as the hardware can fully support it.

If someone could test my fix on their end that’s having the same problem I think we can better drive this to resolution. Thanks!

Edit - the final verified workaround is here:

So if I understand correctly this issue is due to the fact that HAVPE is refusing to connect locally to my server and does not support TLS? What kind of product does not support TLS in 2025?

2 Likes

It’s not the fact that it’s refusing. It’s the fact that the way the VPE works with the firmware that’s shipped by HA is that it cannot connect to TLS 1.3 reliably (and in most cases at all). Nobody from Nabu Casa really seems to care about this issue. If you look at the tickets there’s a massive thread on the workaround as well as another on the incorrect operation of the VPE (it goes to the Internet incorrectly when a user has HA Cloud).

At this point in time if you’re a buyer, open a ticket. Complain about it. It’s broken out of the box. If you do have it working, it’s likely not obeying local connectivity first and instead routing all of your HA voice commands through HA Cloud as a proxy (if you’re a user of their service). It’s absolutely bonkers to me that people have spent the time showcasing how broken this is, tested workarounds and yet Nabu Casa is just flat out ignoring this.

Don’t buy a VPE until this is fixed! Ask to return yours, maybe? People are using these in very insecure ways out of the box and folks who do have it working are routing local voice commands off of their network unknowingly in a lot of cases.

Continue to reference these two issues:

For those getting the error:

mbedtls_ssl_handshake returned -0x3000

Here is a write-up I did, along with a resolution that worked for me.