Rest API Authentication with SSL

I submitted a variation of this in another post but it was probably too narrow in scope to garner any solution responses, so I’m hoping to find an answer with this one.

How does one authenticate REST against an external API that uses the public SSL certificate that I provided the API owner?

I see that there is a verify_SSL option in the REST documentation, but no info on how to incorporate or reference my fullchain.pem file on the HA side of things.

I also ran across a feature request for something similar - is this not possible?

So, do I understand this correctly that the API uses certificate-based authentication for access control, i.e. you provide a client certificate to the API service? If so, then unfortunately this type of authentication is not supported by the rest integration.

The verify_ssl parameter can be used to turn off the verification of the certificate provided by the server and you usually only want to do this if you are in control of that server and used self-signed certificates.

Thanks for responding, exxamalte.

Yes. The API provider (Smart Meter Texas) required me to provide them with a static IP and a public cert that they supposedly applied on their side. I already had the static IP, and so got an inexpensive cert from Comodo.

Looks like they also support a SOAP API, and a “FTPS” folder/retrieve method that I can explore, but I’m not holding out any hope.

The SMT API is handled entirely by an offshore group, and language barriers aside, they have been very difficult to work with. And while they have an API document, working through the actual cert process was pretty terrible.

They finally notified me that everything was in place and was ready to test. I got a bunch of screen shots and a poorly written outline for using Postman, but I’m not quite sure if I am to use that to test, or where it fits into the whole scenario. Postman was never mentioned anywhere along the way… The screenshots were of an apparently outdated version, and so many of the menus shown do not match the current software so it’s difficult to even follow along.

It appears that I’ve wasted my money and time, then… They have an “unofficial” API that someone created an HA integration for, but it routinely breaks, as it did for everyone again in early November - apparently by design to force folks to move to the IP/SSL method.

So, the application of certs within HA is strictly for securing one’s platform, as when wishing to access it externally, or is the limitation with REST within HA?

I was hoping that with all the interest in monitoring one’s electric consumption that someone, somewhere would have already crossed this bridge with SMT.

-DBB1

Postman is a browser-based tool to test or debug an API or other web-based services. You can use that for some initial testing to get the payload or HTTP headers right.

These are two completely different use-cases. To secure your HA instance for external access you use certificates to encrypt data in transit. And the http component also supports defining a client certificate (e.g. provided by your web browser or mobile app) to authenticate against your HA instance.

In your API use-case here, your HA instance needs to authenticate against the external API service, and apparently they support certificate-based authentication - as opposed to, for example, providing username and password. The rest integration does support username/password-based authentication, but not certificate-based authentication. Not impossible to implement, just hasn’t been done yet.

Understood Re: the different use case, but I was wondering whether HA supported the use of more than one cert at a time, whether to secure and encrypt data as in your scenario, or to secure a particular component (my API aside).

The SMT access also uses name/password in conjunction with the SSL. I have a login to their portal where my use data exists - maybe it’s time to explore web scraping, or seeing if there is some sort of clamp to add to my breaker box that I could more easily integrate with.

If you are referring to the ssl_peer_certificate configuration option (HTTP - Home Assistant) then my understanding is that you can specify 1 certificate and all clients connecting to your HA instance must present the corresponding certificate to authenticate.
This cannot be used with any other integration.
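
The client-certificate authentication discussed in this thread can be exercised outside the rest integration with a standalone Python script. This is an added example, not code from the thread or from Home Assistant. The URL, file paths, credentials, payload and the use of HTTP Basic for the name/password are assumptions, and the private key matching the registered certificate is required alongside fullchain.pem.

```python
import base64
import json
import ssl
import urllib.request

# Assumptions (not from the thread): URL, paths, credentials and payload are
# placeholders for whatever the API provider documents.
API_URL = "https://api.example.invalid/usage"
CLIENT_CHAIN = "/ssl/fullchain.pem"  # certificate registered with the provider
CLIENT_KEY = "/ssl/privkey.pem"      # matching private key, never shared


def make_context(chain_path=None, key_path=None):
    """TLS context that verifies the server and, when paths are given,
    presents a client certificate during the handshake."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED plus hostname check
    if chain_path is not None:
        # Raises OSError/ssl.SSLError if a file is missing or the key does
        # not match the certificate, before any network traffic is sent.
        ctx.load_cert_chain(certfile=chain_path, keyfile=key_path)
    return ctx


def build_request(url, username, password, payload):
    """POST request carrying Basic credentials (assumed scheme) and JSON."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return urllib.request.Request(
        url,
        data=json.dumps(payload).encode(),
        headers={
            "Authorization": f"Basic {token}",
            "Content-Type": "application/json",
        },
        method="POST",
    )


def fetch(url, username, password, payload, chain_path, key_path):
    """Send the request over mutual TLS and return the decoded JSON body."""
    ctx = make_context(chain_path, key_path)
    req = build_request(url, username, password, payload)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.loads(resp.read().decode())


if __name__ == "__main__":
    print(fetch(API_URL, "portal-user", "portal-password", {"example": True},
                CLIENT_CHAIN, CLIENT_KEY))
```

Server verification stays enabled here; presenting a client certificate is independent of the verify_ssl setting, which only controls whether the server's certificate is checked.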