SSL certificate failure

Woke up to yet another failed integration – this time Emporia Vue.



Logger: urllib3.connection
Source: /usr/local/lib/python3.11/site-packages/urllib3/connection.py:547
First occurred: February 6, 2024 at 7:27:54 PM (1063 occurrences)
Last logged: 5:15:59 AM

* Certificate did not match expected hostname: cognito-idp.us-east-1.amazonaws.com. Certificate: {'subject': ((('commonName', 'optimusprime.elbo.ai'),),), 'issuer': ((('countryName', 'US'),), (('organizationName', 'Amazon'),), (('commonName', 'Amazon RSA 2048 M01'),)), 'version': 3, 'serialNumber': '082FA5E4F3E49323A21D435EC0C3C12E', 'notBefore': 'Sep 27 00:00:00 2023 GMT', 'notAfter': 'Oct 26 23:59:59 2024 GMT', 'subjectAltName': (('DNS', 'optimusprime.elbo.ai'),), 'OCSP': ('http://ocsp.r2m01.amazontrust.com',), 'caIssuers': ('http://crt.r2m01.amazontrust.com/r2m01.cer',), 'crlDistributionPoints': ('http://crl.r2m01.amazontrust.com/r2m01.crl',)}
* Certificate did not match expected hostname: cognito-idp.us-east-1.amazonaws.com. Certificate: {'subject': ((('commonName', '*.us-east-1.es.amazonaws.com'),),), 'issuer': ((('countryName', 'US'),), (('organizationName', 'Amazon'),), (('commonName', 'Amazon RSA 2048 M01'),)), 'version': 3, 'serialNumber': '05706CA5BFEA90C24BAE6732A0863CEE', 'notBefore': 'Apr 6 00:00:00 2023 GMT', 'notAfter': 'Apr 21 23:59:59 2024 GMT', 'subjectAltName': (('DNS', '*.us-east-1.es.amazonaws.com'),), 'OCSP': ('http://ocsp.r2m01.amazontrust.com',), 'caIssuers': ('http://crt.r2m01.amazontrust.com/r2m01.cer',), 'crlDistributionPoints': ('http://crl.r2m01.amazontrust.com/r2m01.crl',)}
* Certificate did not match expected hostname: cognito-idp.us-east-1.amazonaws.com. Certificate: {'subject': ((('commonName', '*.duclo.ai'),),), 'issuer': ((('countryName', 'GB'),), (('stateOrProvinceName', 'Greater Manchester'),), (('localityName', 'Salford'),), (('organizationName', 'Sectigo Limited'),), (('commonName', 'Sectigo RSA Domain Validation Secure Server CA'),)), 'version': 3, 'serialNumber': '68CE5E9A79C137D2D8805F55BE100B0C', 'notBefore': 'Feb 24 00:00:00 2023 GMT', 'notAfter': 'Mar 26 23:59:59 2024 GMT', 'subjectAltName': (('DNS', '*.duclo.ai'), ('DNS', 'duclo.ai')), 'OCSP': ('http://ocsp.sectigo.com',), 'caIssuers': ('http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt',)}


It seems several times per week something fails in HA.

I’m running Proxmox 8.1.3 with HA 2023.12.3 (had to downgrade because the 2024.x versions failed other integrations).

Trying to go down any troubleshooting path that could make sense, I checked the system time. HA is set to the correct time zone and the VM is using Chrony to get the correct time.

Anyone have any suggestions on what I can try?

Thank you.

The unsupported Emporia Vue integration installed via HACS, here?

Keep in mind all of the integrations, and especially the ones installed via HACS, are written by people in their free time, and community maintained. If you are having multiple things fail per week I would highly recommend reducing the complexity of your setup. The alternative is to learn to write software and contribute to the integrations by adding robust error handling with clear, easy to understand error messages, and improving automated test coverage so issues are caught earlier.

In this case I’m not seeing how this would be easily tested or “fixed” since it’s a failure of the Python standard library to validate an SSL certificate for a service in AWS. The “solution” would be to check to see where there was an issue with AWS Cognito (an identity/auth service) at that time. That would be my guess, it happens (and has nothing to do with HA, the integration, or Emporia). It likely fixed itself all on its own.

You could possibly add a parameter to the integration to disable the validation of SSL certs, but that is likely overkill for something that might happen once every few years and will resolve on its own in an hour, and not particularly desired anyway.
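An added triage example (not part of the thread, the integration, or urllib3): it parses warnings shaped like the ones quoted in the first post and separates a hostname mismatch from a validity-date or clock problem. The log text is trimmed from the thread's own lines, and treating the first-occurrence time as UTC is an assumption.

```python
import ast
import re
import ssl
from datetime import datetime, timezone

# Constructed sample: the three warnings from the thread, trimmed to the
# fields used below (subjectAltName and validity dates are the thread's own).
LOG = """\
Certificate did not match expected hostname: cognito-idp.us-east-1.amazonaws.com. Certificate: {'notBefore': 'Sep 27 00:00:00 2023 GMT', 'notAfter': 'Oct 26 23:59:59 2024 GMT', 'subjectAltName': (('DNS', 'optimusprime.elbo.ai'),)}
Certificate did not match expected hostname: cognito-idp.us-east-1.amazonaws.com. Certificate: {'notBefore': 'Apr 6 00:00:00 2023 GMT', 'notAfter': 'Apr 21 23:59:59 2024 GMT', 'subjectAltName': (('DNS', '*.us-east-1.es.amazonaws.com'),)}
Certificate did not match expected hostname: cognito-idp.us-east-1.amazonaws.com. Certificate: {'notBefore': 'Feb 24 00:00:00 2023 GMT', 'notAfter': 'Mar 26 23:59:59 2024 GMT', 'subjectAltName': (('DNS', '*.duclo.ai'), ('DNS', 'duclo.ai'))}
"""
# First occurrence reported in the thread; treating it as UTC is an assumption.
SEEN_AT = datetime(2024, 2, 6, 19, 27, 54, tzinfo=timezone.utc).timestamp()
WARNING = re.compile(r"expected hostname: (\S+)\. Certificate: (\{.*\})")

def san_matches(pattern, host):
    """Exact match, or '*' as the whole left-most label standing for one label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    return p[1:] == h[1:] and (p[0] == "*" or p[0] == h[0])

def triage(log, seen_at):
    """Return one finding per warning: names offered, name match, date validity."""
    findings = []
    for host, raw in WARNING.findall(log):
        cert = ast.literal_eval(raw)  # literal_eval accepts only Python literals
        names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
        start = ssl.cert_time_to_seconds(cert["notBefore"])
        end = ssl.cert_time_to_seconds(cert["notAfter"])
        findings.append({
            "host": host,
            "names": names,
            "name_ok": any(san_matches(n, host) for n in names),
            "in_validity": start <= seen_at <= end,
        })
    return findings

if __name__ == "__main__":
    for finding in triage(LOG, SEEN_AT):
        print(finding)
```

For the three warnings above, every certificate is inside its validity dates at the logged time and none of the offered names covers the expected hostname, so the rejection is a name mismatch and not a clock or expiry problem.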