Let Home Assistant trust a personal certificate authority

Wow, that looks promising, thanks a lot! I’ll definitely give it a try as soon as I find the time!

Presumably it’s even more helpful to kurisutian, since he can’t simply turn off verify_ssl like I can as it seems :sweat_smile:
And luckily, a MITM attack via my RaspberryMatic in my home network is rather unlikely - at least I hope that it is… :smiley:

Cool!

For the automation piece what I have in mind is:

  • sensor to check if https site loads with curl -skIX
  • sensor to check if https site loads with curl -sIX

Should only the last one fail, we need to inject the certs with a shell_command.

And this ideally fixes sensors as well upon the next check. Exceptions would be integrations that kick when initialized and put on an error path when they fail. Worst case: needs a restart.

Yeah, needs some time but nothing significant I imagine.

1 Like

Hi! I need help on how to copy the CA file in step 4. I'm completely lost on where I am when seeing the homeassistant /bin/bash. I also cannot paste/edit via a terminal text editor like nano or vim in there. I'm sorry for my silly question. Thanks anyway.

Edit:
Problem solved, how to resolve:

  1. In the /etc/ssl/certs directory: Get .pem certificate file from web using wget. ($ wget https://ca.example.com/ca.cert.pem)
  2. Get hash, and create symbolic link ($ ln -sf pathtoca.cert.pem pathtosymlinkwithhash)
  3. Create backup of ca-certificates.crt: $ cp ca-certificates.crt ca-certificates.crt.backup
  4. Join the certificate: $ cat ca-certificates.crt.backup ca.cert.pem > ca-certificates.crt

Done

2 Likes

Manual updates for this are tedious if you try to stay up-to-date with HA Core. I have a thread with a feature request here.

Discuss and more importantly, vote!

I’ve got some nastyhack proto code here that automates this process.
With the included binary sensor used, it constantly checks for losing trust, and re-injects as appropriate; this basically “smooths” you through core updates.

The important bit is that you’ll need to run this inside Core (homeassistant docker container).

While I’m sure there must be easier ways around this, I’ve chosen to live with this until a proper solution emerges.
Let me know if this works for you.

mb

1 Like

Here is my workaround:

Copy your ca files in your favorite directory. For me it is ~/config/my_ssl. Here I can upload my files through the file editor addon.

Connect to the HA core via the SSH addon, copy the files via "docker cp" and update the system CA files via "docker exec":

for f in $(ls ~/config/my_ssl); do docker cp ~/config/my_ssl/$f homeassistant:/usr/local/share/ca-certificates/; done
docker exec -it homeassistant sh -c "update-ca-certificates"

Yes, you have to do this after every core container update :frowning: .

my_ssl contains the ca certificates:

➜  ~ ll ~/config/my_ssl
total 24K
-rw-r--r--    1 root     root        3.5K Feb  5 14:04 Client.CA.crt
-rw-r--r--    1 root     root        3.5K Feb  5 14:04 DMZ.CA.crt
-rw-r--r--    1 root     root        3.5K Feb  5 14:04 Hausautomation.CA.crt
-rw-r--r--    1 root     root        3.5K Feb  5 14:04 Intra.CA.crt
-rw-r--r--    1 root     root        3.5K Feb  5 14:04 Mgmt.CA.crt
-rw-r--r--    1 root     root        3.5K Feb  5 14:03 Root.CA.crt

With this I can use the checkbox "Check TLS connection" in the homematic integration.

1 Like

Here is a "solution" that allows you to survive Home Assistant upgrades, and to avoid any SSH as long as you already have HACS installed.

I made this today to test if this would solve issue with the fullykiosk integration using https.
It didn’t …

Create a python script available as a service

Install pyscript

https://hacs-pyscript.readthedocs.io/en/latest/installation.html

Enable allow_all_imports

In config/integrations, click on the configure button on the pyscript integration and check Allow All Imports

Import the script

Using whatever method you use to add or change files on your Home Assistant instance, add the following script in your config folder under pyscript/add_custom_ca.py

# ==================================================================================================
#  pyscript/add_custom_ca.py
# ==================================================================================================

# --------------------------------------------------------------------------------------------------
# Add the .pem from the provided path to certifi catalogue
# --------------------------------------------------------------------------------------------------
# from https://community.home-assistant.io/t/let-home-assistant-trust-a-personal-certificate-authority/184917/22?u=vaarlion

import certifi
from os import path as os_path


@service
def add_custom_ca(pem_path):
    """yaml
    name: Add Custom ca
    description: Add the .pem from the provided path to certifi catalogue.
    fields:
      pem_path:
        name: Pem file(s) path
        description: a path or a list of paths to .pem file(s)
        example: ["/ssl/custom_ca.pem", "/config/www/ssl/extra_ca.pem"]
        selector:
          text:
    """

    inputPath = pem_path
    listPath = []
    if inputPath is None:
        log.warning("===== pem_path is required if you want to add something.")
    else:
        # Accept a single path or a list of paths; keep only existing files.
        # File-system checks run in the executor so the event loop is not blocked.
        if (
            isinstance(inputPath, str)
            and inputPath
            and task.executor(os_path.isfile, inputPath)
        ):
            listPath.append(inputPath)

        elif isinstance(inputPath, list) and inputPath:
            for path in inputPath:
                if isinstance(path, str) and task.executor(os_path.isfile, path):
                    listPath.append(path)
                else:
                    log.info(
                        "===== ignoring '{}' as it's not a path to an existing file".format(
                            path
                        )
                    )
        else:
            log.warning(
                "===== pem_path is required to be a path or a list of paths to existing files"
            )

        # certifi's bundle is the catalogue that requests-based integrations verify against
        cafile = certifi.where()

        for pem in listPath:
            __append_fileA_to_fileB(pem, cafile)


@pyscript_executor
def __append_fileA_to_fileB(fileA, fileB):
    """Append fileA to fileB unless its bytes are already present (so repeated calls are harmless)."""
    with open(fileA, "rb") as infile:
        customca = infile.read()
    with open(fileB, "rb") as outfile:
        cachain = outfile.read()
    if customca not in cachain:
        with open(fileB, "ab") as outfile:
            # keep PEM blocks on their own lines, whatever the files ended with
            if cachain and not cachain.endswith(b"\n"):
                outfile.write(b"\n")
            outfile.write(customca)
            if not customca.endswith(b"\n"):
                outfile.write(b"\n")

Then call the service pyscript.reload

Upload your .pem file

Using the same way you've uploaded the script, upload your CA certificate in .pem format wherever you want. I recommend /ssl/. You can add as many as you want.

Automate it

Testing the service

Try to run the service and make sure there is no error in the log.
In developer-tools/service, run something like

service: pyscript.add_custom_ca
data:
  pem_path: /ssl/mycert.pem

or

service: pyscript.add_custom_ca
data:
  pem_path:
    - /ssl/mycert.pem
    - /config/some_other_cert.pem

With your own file, obviously.
Now check to see if this solves your issue. It may not, as not every automation uses that certificate catalogue, and others have some hard-coded port or protocol.

If it does, then we need to have it survive an upgrade.

Create an automation

Now just make an automation that runs that service as soon as Home Assistant starts :slight_smile:

alias: "Add custom cert on boot"
description: ""
trigger:
  - platform: homeassistant
    event: start
condition: []
action:
  - service: pyscript.add_custom_ca
    data:
      pem_path: /ssl/MainCA.pem
mode: single

No worry, the python script makes sure the cert isn't already present before adding it, so you won't append it 500 times before the next release.

2 Likes
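An added example (not code from this thread, from pyscript or from Home Assistant) that generalises the append step both workarounds above rely on: the `cat ca-certificates.crt.backup ca.cert.pem > ca-certificates.crt` step of the earlier post and the substring check in `__append_fileA_to_fileB`. Instead of matching raw PEM text, it de-duplicates by the SHA-256 fingerprint of each certificate's DER encoding, so a CA that was re-wrapped, converted to CRLF or prefixed with a comment is still recognised as already trusted; it also repairs a bundle with no final newline and replaces the bundle atomically so a concurrent reader never sees a half-written file. All paths, function names and the demo "certificates" are constructed for the example: the demo certificates are base64 of arbitrary bytes, not real X.509, which is enough because nothing here parses ASN.1.

```python
"""Idempotent injection of a private CA into a PEM bundle, keyed on certificate fingerprint.

Example code added to this thread; not from the posts above, pyscript or Home Assistant.
"""
import base64
import hashlib
import os
import re
import shutil
import ssl
import tempfile
from pathlib import Path

# One PEM certificate block; the body may be wrapped at any width or use CRLF line endings.
_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(?P<body>.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)


def pem_blocks(text: str) -> list[str]:
    """Return every certificate in *text*, re-serialised in canonical PEM form."""
    blocks = []
    for match in _PEM_BLOCK.finditer(text):
        body = re.sub(r"\s+", "", match.group("body"))  # strip wrapping and line endings
        der = base64.b64decode(body, validate=True)  # a corrupt block raises instead of being skipped
        blocks.append(ssl.DER_cert_to_PEM_cert(der))  # 64-column lines, trailing newline
    return blocks


def fingerprint(pem: str) -> str:
    """SHA-256 over the DER encoding: the identity used for de-duplication."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()


def bundle_fingerprints(bundle: Path) -> set[str]:
    """Fingerprints of every certificate currently in the bundle (empty if it does not exist)."""
    if not bundle.exists():
        return set()
    return {fingerprint(pem) for pem in pem_blocks(bundle.read_text())}


def ensure_ca_in_bundle(ca_file: Path, bundle: Path) -> list[str]:
    """Append the certificates from ca_file that are missing from bundle.

    Returns the fingerprints that were added; an empty list means the bundle already
    trusted everything in ca_file, the "still trusted" state a sensor that re-injects
    after a core update would watch for.
    """
    present = bundle_fingerprints(bundle)
    missing = [pem for pem in pem_blocks(ca_file.read_text()) if fingerprint(pem) not in present]
    if not missing:
        return []
    existing = bundle.read_text() if bundle.exists() else ""
    if existing and not existing.endswith("\n"):
        existing += "\n"  # otherwise the old END line and our BEGIN line would share a line
    # Write a sibling temp file and rename it over the bundle: readers see old or new, never half.
    tmp = bundle.with_name(bundle.name + ".tmp")
    tmp.write_text(existing + "".join(missing))
    if bundle.exists():
        shutil.copymode(bundle, tmp)
    os.replace(tmp, bundle)
    return [fingerprint(pem) for pem in missing]


def demo_pem(label: bytes) -> str:
    """Constructed stand-in for a CA certificate: base64 of arbitrary bytes, NOT real X.509."""
    return ssl.DER_cert_to_PEM_cert(label * 4)


def demo() -> dict:
    """Run the scenario in a temp dir and return what happened."""
    cert_a, cert_b = demo_pem(b"constructed-CA-A"), demo_pem(b"constructed-CA-B")
    workdir = Path(tempfile.mkdtemp(prefix="ca-bundle-demo-"))
    bundle = workdir / "ca-certificates.crt"
    bundle.write_text(cert_a.rstrip("\n"))  # hand-edited bundle: has A already, no final newline
    ca_file = workdir / "my_ca.pem"
    # A again, re-wrapped with CRLF and a comment line (same CA, different bytes), plus B
    ca_file.write_text("# my private CA\r\n" + cert_a.replace("\n", "\r\n") + cert_b)
    first = ensure_ca_in_bundle(ca_file, bundle)
    second = ensure_ca_in_bundle(ca_file, bundle)  # must be a no-op
    return {
        "cert_a": cert_a,
        "cert_b": cert_b,
        "first_run_added": first,
        "second_run_added": second,
        "bundle_text": bundle.read_text(),
        "bundle_fingerprints": bundle_fingerprints(bundle),
    }


if __name__ == "__main__":
    result = demo()
    print("added on first run :", result["first_run_added"])
    print("added on second run:", result["second_run_added"])
```

In Home Assistant the `bundle` argument would be `certifi.where()` (as the pyscript above uses) or `/etc/ssl/certs/ca-certificates.crt`; the functions only touch files, so they can be called from a pyscript service through `task.executor` in the same way.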

I don’t know if there is another way to do it, but this one works flawlessly. Thank you!!

My only concern is whether the automation will run before or after it tries to load the integration that needs to verify the certificate.
I will have to wait for the next update to check. In any case, the failure would only occur on the first boot after updating.

1 Like

Hello,
I've coded a custom integration to add a custom private CA (Certificate Authority) to Home Assistant.
The main purpose is to avoid adding CAs again manually even if the Docker container is recreated.
Give it a try: GitHub - Athozs/hass-additional-ca: Add custom CA (Certificate Authority) to Home Assistant.

2 Likes

Howdy @frenck, hope you are well.
This is the 6th solution for something HASS was believed to not need. Any chance we can revisit support for self-signed CA support for HA?

:beers:

4 Likes

I have a fairly easy way of doing this that will survive upgrades/restarts, using Docker. The Home Assistant Docker image already has the ca-certificates package installed, so it's just a matter of getting your CA cert into /usr/local/share/ca-certificates/ and running update-ca-certificates. To automate this, I simply mount the following script into /etc/cont-init.d:

#!/bin/sh -e
cp /config/ssl/ca.crt /usr/local/share/ca-certificates/
update-ca-certificates

NOTE: this assumes your CA cert is mounted at /config/ssl/ca.crt. Adjust according to your environment.

My setup looks something like this:
docker-compose.yaml:

services:
  homeassistant:
    # this section redacted
    volumes:
      - /opt/hassio/data/config:/config
      - /opt/hassio/data/ssl:/config/ssl
      - /opt/hassio/data/init:/etc/cont-init.d

My ca.crt (private root CA) is located in /opt/hassio/data/ssl/ca.crt.

My S6 init script:
/opt/hassio/data/init/01_install_ca:

#!/bin/sh -e
cp /config/ssl/ca.crt /usr/local/share/ca-certificates/
update-ca-certificates

Now when you start up the container, you should see the following in your log output:

[cont-init.d] executing container initialization scripts...
[cont-init.d] 01_install_ca: executing... 
WARNING: ca-certificates.crt does not contain exactly one certificate or CRL: skipping
[cont-init.d] 01_install_ca: exited 0.
[cont-init.d] done.

1 Like

It’s unfortunate this add-on is necessary, but thanks so much for writing it! I’m attempting to use it with smtp notify, but it doesn’t seem to use my CA certs, even though they are being installed in ca-certificates.crt by the add-on. openssl s_client successfully verifies my signed cert from within the homeassistant docker container. I think it’s not working because homeassistant.util.ssl client_context() depends on REQUESTS_CA_BUNDLE. Where does this environment variable need to be set when running haos?

Hey,
I could not find on the internet a reliable way to permanently set an environment variable in Home Assistant OS (some kind of hack may be possible, I guess).

Yes, I’ve asked on here and in a few different channels on the ha discord and no one seems to know how to set environment variables when using haos. I’m starting to think it might not be possible, and that my only option would be to redeploy and run on docker containers w/o supervisor or haos. This would be more overhead to manage, and kind of a pain to be honest, but I would then be able to pass environment variables via docker compose. Sure wish there was a better way. Thanks again.

Hello,
I just coded a new integration to add environment variables to HAOS: GitHub - Athozs/hass-environment-variable: Add Environment Variable to Home Assistant.
It’s not available in HACS yet, you’ll have to install it as a custom HACS repo, or manually without HACS.
Hope it will help.

Hello, I tried out your new addon but unfortunately I was not able to get it to work. I set REQUESTS_CA_BUNDLE as in your example but it doesn’t seem to be available to the smtp notify component. When this didn’t work, I made another custom component to test environment_variable. It simply iterates through the os.environ dict and prints out all the key/value pairs to the log. After several restarts of home assistant it appears to be random as to whether my custom environment variable will be present in the logs or not. I think this has to do with the order in which the components are loaded. I think if environment_variable is loaded before my evtest module I see my variable, otherwise I don’t. My current theory is that since smtp notify is a built-in component, maybe it’s loaded before all the custom components? If this is true, that might explain why smtp notify still doesn’t work, even after many restarts of ha. If it’s loaded before custom components, then maybe it doesn’t have the chance to learn from the environment_variable addon?

Hey,
Sorry for the late reply,
You’re right, it depends on the startup order of integrations.
You may need to reload your integration after Home Assistant has completely started to take environment variables into account.

@Vaarlion , I just wanted to jump on here and thank you for posting this solution, as it worked wonders for me. In my case, I have homeassistant connecting to my nextcloud instance to import calendars, but since it was backed by my custom CA, HA wouldn’t talk to it. HA most certainly needs an ability to import custom CA’s so this kind of work isn’t necessary, but in the meantime, this’ll do! +1 internet points to you :slight_smile:

1 Like

Hi,

Yesterday I created a new version 0.2.0 of the Additional CA integration for Home Assistant, with full support for HAOS and Docker.

Add a private CA, the easy way:

  • Install HACS
  • Install Additional CA integration via HACS or manually without HACS, full docs in link above
  • Copy private CA to config folder:

mkdir -p config/additional_ca
cp my_ca.crt config/additional_ca/

# configuration.yaml
---
default_config:
additional_ca:
  my_ca_1: my_ca.crt
  my_ca_2: ca_foo.pem
# ...

  • Export environment variable for Docker:

# compose.yml
version: '3'
services:
  homeassistant:
    # ...
    environment:
      - REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt

  • All done!

2 Likes

I followed the instructions to install through HACS (running in HAOS), but it didn’t seem to solve the issues I’m having.

For example, the CalDav and Jellyfin integrations still throw insecure cert warnings, even though I can see that your addon created the cert in /usr/local/share/ca-certificates in the homeassistant container. I can also curl my services from within the homeassistant container without any issue.

For addons such as Advanced SSH, I understand why curl from there doesn't work, seeing that it's a container of its own, which didn't get the CA file.

But what doesn’t make sense, is why the core integrations aren’t using the updated CA store from the homeassistant container, which includes my CA.

Logger: py.warnings
Source: components/jellyfin/client_wrapper.py:67
First occurred: 10:21:51 AM (2 occurrences)
Last logged: 10:21:51 AM
/usr/local/lib/python3.11/site-packages/urllib3/connectionpool.py:1061: InsecureRequestWarning: Unverified HTTPS request is being made to host 'jellyfin.[redacted]'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/1.26.x/advanced-usage.html#ssl-warnings warnings.warn(

---

Logger: py.warnings
Source: components/caldav/api.py:16
First occurred: 10:15:46 AM (6 occurrences)
Last logged: 10:15:46 AM
/usr/local/lib/python3.11/site-packages/urllib3/connectionpool.py:1061: InsecureRequestWarning: Unverified HTTPS request is being made to host 'cal.[redacted]'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/1.26.x/advanced-usage.html#ssl-warnings warnings.warn(