Self-signed SSL certificate on Home Assistant Operating System

Hi guys,

first of all, I tried hard to find some solution myself, but failed to find any relevant one for my case. Sorry if I missed it somewhere.

So my problem is:
SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate

My situation:
Home Assistant running as HA operating system on latest version
There is a local running DNS server in my network
I’ve created a local CA to issue self-signed certificates for my services in house
I’ve added those certificates to my devices (mobiles, PCs, HomePod, Home Assistant)
I’m using a lot of Google TTS announcements in my HA, which stopped working due to the Python error mentioned above.

From what I can tell, the problem seems to be the following: in HA, I’ve added certificates into config/certs and set them in configuration.yaml in order to make HA accessible through HTTPS only. This works perfectly, including my companion apps on all mobiles (iOS & Android).

However, once I run any announcement through the TTS service, it fails with the following log:

File "/usr/local/lib/python3.10/site-packages/pyatv/protocols/raop/audio_source.py", line 375, in open
    raise ProtocolError(source.error_message) from ex
pyatv.exceptions.ProtocolError: HTTPSConnectionPool(host='homeassistant.bttr.lan', port=443): Max retries exceeded with url: /api/tts_proxy/4dea4d440b343d26cf16a5b1f90d0b4931fee228_cs_-_google_translate.mp3 (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:997)')))

I presume the problem is that HA itself has SSL set up properly, but the SSL certificate is not trusted at the HA OS level, and, thanks to the HA CLI, I have no idea how to import it there as well.

Any ideas please?

Would this be the problem with Google devices rejecting the self-signed certificate?

Google cast devices

The Google cast devices (Google Home, Chromecast, etc.) present the following problems:

Unfortunately, it’s not only Google Cast devices that are not working. The same goes for the Apple HomePod, which has this certificate imported and trusted. Maybe I’m wrong, but from that log I strongly believe that the problem is actually in the Python script not seeing this self-signed certificate in HA OS, as I have no idea how to put it there.

BTW even a local mp3 file cannot be streamed to any of my devices. However, online radio or DLNA content can be streamed without any issue.

I know that Google TTS will not work on self host SSL.

====================
If you are using an SSL (e.g., https://yourhost.example.org/...) then you must use the hostname in the certificate (e.g., external_url: https://yourhost.example.org). You cannot use an IP address since the certificate won’t be valid for the IP address, and the cast device will refuse the connection.

That’s what I did. But as mentioned, unfortunately it’s not a problem only with Google TTS, as even a local file stored in HA is a problem to play now.

Your issue is that a self-signed certificate will never be trusted by third-party vendors, like Google, because they will never trust your CA.

That means Google will never be able to connect to your devices using your self-signed certificate.

You should use a reverse proxy, like the nginx proxy manager addon. It will generate a signed certificate with Let’s Encrypt, so you won’t have these self-signed issues.

Hi Veratec - can I ask how you were able to add your Root CA certificate to the HA OS trusted certificate store? I was able to add my Root CA certificate, but it does not persist across system reboots. It does persist across HA restarts though, but that is not good enough for my use case. Just curious how you got around that? I have my Root CA certificate installed on all my personal devices for other things in my home (freenas, icinga monitoring, etc), but just can’t get the HA OS to add it persistently.

Any insight you can give would be great.

I forgot to mention, I am running HA Operating System install type on a Raspberry Pi 3B, Alpine Linux.

Thanks - Todd
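
Added example for this thread (not posted by any participant and not Home Assistant or pyatv code): a check of which CA bundle a Python HTTPS client verifies against, and whether a local root CA is in it, which is the condition behind "unable to get local issuer certificate". It assumes the failing client is the requests library left at its default verify setting; the function names are hypothetical.

```python
import os
import re
import ssl

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def effective_bundle(env=None):
    """Return (source, path) of the CA bundle requests would verify against.

    Follows requests' precedence when verify is left at its default:
    REQUESTS_CA_BUNDLE, then CURL_CA_BUNDLE, then certifi's bundled file.
    The OS trust store is not consulted in any of these cases.
    """
    env = os.environ if env is None else env
    for var in ("REQUESTS_CA_BUNDLE", "CURL_CA_BUNDLE"):
        if env.get(var):
            return var, env[var]
    try:
        import certifi  # installed alongside requests
        return "certifi", certifi.where()
    except ImportError:
        # Fallback for this script only: what the plain ssl module would use.
        return "openssl-default", ssl.get_default_verify_paths().cafile


def der_certs(pem_text):
    """Decode every PEM certificate block in pem_text to DER bytes."""
    return {ssl.PEM_cert_to_DER_cert(b) for b in PEM_BLOCK.findall(pem_text)}


def bundle_trusts(ca_pem, bundle_pem):
    """True if every certificate in ca_pem appears byte-for-byte in bundle_pem."""
    wanted = der_certs(ca_pem)
    return bool(wanted) and wanted <= der_certs(bundle_pem)


if __name__ == "__main__":
    import sys
    source, path = effective_bundle()
    print(f"bundle in use: {path} (from {source})")
    if len(sys.argv) > 1 and path:  # argv[1]: path to the local root CA PEM
        with open(sys.argv[1]) as ca, open(path) as bundle:
            ok = bundle_trusts(ca.read(), bundle.read())
        print("local CA present in bundle" if ok else
              "local CA missing: expect 'unable to get local issuer certificate'")
```

Run it inside the same container or environment as the failing Python process, since each one can carry its own bundle.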