ssl.CertificateError: hostname doesn't match

Hi all,

I’ve been trying to set up presence detection using a private MQTT server and Home Assistant. What I did was install an MQTT server (mosquitto), make some certificates using their own provided generate-cert.sh script, and copy the .crt file to, for example, my mobile. After that, my mobile is able to connect successfully to the broker.

However, when I try to set up Home Assistant, I get an ssl.CertificateError. I run both the broker and Home Assistant on the same server, and (probably dangerously) both as root.

ERROR:homeassistant.bootstrap:Error during setup of component mqtt
Traceback (most recent call last):
  File "/usr/local/lib/python3.4/dist-packages/homeassistant/bootstrap.py", line 105, in _setup_component
    if not component.setup(hass, config):
  File "/usr/local/lib/python3.4/dist-packages/homeassistant/components/mqtt/__init__.py", line 125, in setup
    password, certificate, protocol)
  File "/usr/local/lib/python3.4/dist-packages/homeassistant/components/mqtt/__init__.py", line 211, in __init__
    self._mqttc.connect(broker, port, keepalive)
  File "/root/.homeassistant/lib/paho/mqtt/client.py", line 612, in connect
    return self.reconnect()
  File "/root/.homeassistant/lib/paho/mqtt/client.py", line 753, in reconnect
    ssl.match_hostname(self._ssl.getpeercert(), self._host)
  File "/usr/lib/python3.4/ssl.py", line 288, in match_hostname
    % (hostname, dnsnames[0]))
ssl.CertificateError: hostname '192.168.1.95' doesn't match 'localhost'

mqtt:
  broker: 192.168.1.95
  port: 8883
  keepalive: 60
  username: "redacted"
  password: "redacted"
  certificate: /etc/mosquitto/certs/ca.crt

I presume it has to do with a python-enabled check in the code, as I really don’t see where I can match these hostnames in generating the certificates.

Anyone able to help me with this?

You could give it a try with a new certificate that is issued for ‘localhost’ instead of ‘192.168.1.95’.

Same problem here.

Is there any chance to switch this check off?
As I use CAcert certificates, it is not possible to add “localhost” or 127.0.0.1 to the certificate. Btw, same with Let’s Encrypt.

Best regards,
Hendrik

I spent a lot of time trying to reissue the certificates correctly, but could never do so. My “solution” was to disable the domain check. Obviously this lowers security.

The check occurs in /usr/lib/python3.4/ssl.py

if len(dnsnames) > 1:
    raise CertificateError("hostname %r "
        "doesn't match either of %s"
        % (hostname, ', '.join(map(repr, dnsnames))))

You can comment out the if statement or just have it do nothing.

if len(dnsnames) > 1:
    # raise CertificateError("hostname %r "
    #     "doesn't match either of %s"
    #     % (hostname, ', '.join(map(repr, dnsnames))))
    donothing = ""
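
An added example, not part of any post in this thread: a simplified model of the hostname check from the traceback (exact matching only, no wildcards), run over constructed certificate dicts in the shape `getpeercert()` returns. It shows which `broker:` values a certificate accepts, so the setting or the certificate can be corrected while the check stays enabled; `mqtt.example.lan` and both sample certificates are assumptions.

```python
import ipaddress

# Constructed sample: the broker certificate implied by the traceback
# (commonName "localhost", no subjectAltName extension).
BROKER_CERT = {"subject": ((("commonName", "localhost"),),)}

# Constructed sample: a reissued certificate that lists every name and
# address clients dial. "mqtt.example.lan" is a hypothetical LAN name.
REISSUED_CERT = {
    "subject": ((("commonName", "mqtt.example.lan"),),),
    "subjectAltName": (
        ("DNS", "mqtt.example.lan"), ("DNS", "localhost"),
        ("IP Address", "192.168.1.95"), ("IP Address", "127.0.0.1"),
    ),
}

def accepted_names(cert):
    """Split a getpeercert()-style dict into the DNS names and IPs it covers."""
    san = cert.get("subjectAltName", ())
    dns = [v.lower() for k, v in san if k == "DNS"]
    ips = [ipaddress.ip_address(v) for k, v in san if k == "IP Address"]
    if not dns and not ips:
        # No subjectAltName at all: fall back to the subject commonName.
        dns = [v.lower() for rdn in cert.get("subject", ())
               for k, v in rdn if k == "commonName"]
    return dns, ips

def hostname_matches(cert, host):
    """True if `host` (the configured broker value) is covered by the cert."""
    dns, ips = accepted_names(cert)
    try:
        # An IP literal is only matched against "IP Address" SAN entries.
        return ipaddress.ip_address(host) in ips
    except ValueError:
        return host.lower() in dns  # exact match; wildcards not modelled

def check_broker(cert, host):
    """Return 'ok' or a diagnostic listing what the certificate accepts."""
    if hostname_matches(cert, host):
        return "ok"
    dns, ips = accepted_names(cert)
    return "mismatch: %r not in %s" % (host, dns + [str(i) for i in ips])

if __name__ == "__main__":
    for cert in (BROKER_CERT, REISSUED_CERT):
        for host in ("192.168.1.95", "localhost"):
            print(host, "->", check_broker(cert, host))
```

With the certificate from the traceback, only `localhost` passes; with subjectAltName entries for the address and name in use, `192.168.1.95` passes without touching ssl.py.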