While trying to get the Zoneminder component to work, I’ve now spent some time setting up a proper CA for my network. That didn’t work out so well, so I switched to a self-signed certificate, which is now used by the Zoneminder-apache (different machine). I have added it to the trusted ones on my Raspbian, and openssl s_client -connect zmmachine.my.net:443 works as expected.
However, HASS, running in the virtualenv created by the all-in-one installer, still fails to verify the certificate. From googling around I found out that if requests (the module used for communication in this case) is used within a virtualenv, it doesn’t use the system’s database of trusted certs. Instead there seems to be a bundled trust-chain that comes with requests. See this question at Stack Overflow for details: http://stackoverflow.com/questions/34931378/certificate-verification-when-using-virtual-enviroments
It’s obvious what the problem is. But what is a solution? I suppose others could run into such problems as well. At least the users running in virtualenvs using their own CA or self-signed certificates.
The most generic option I would see is to provide an option within configuration.yaml to set a path to trusted certs, which every component using requests would then use. But that’s just a quick thought off the top of my head.
So, yeah, how are others handling this?
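
One way to keep verification enabled in the situation described above, as an added example that is not part of the original post or of Home Assistant's code: build a private bundle from the bundle requests ships with plus your own CA or self-signed certificate, then point requests at it. The function names and file paths are hypothetical; `certifi.where()`, the `REQUESTS_CA_BUNDLE` environment variable and the `verify=` argument are the real requests/certifi hooks.

```python
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*([A-Za-z0-9+/=\s]+?)\s*-----END CERTIFICATE-----"
)

def cert_bodies(pem_text):
    """Return the base64 body of every certificate block, whitespace removed."""
    return ["".join(body.split()) for body in PEM_RE.findall(pem_text)]

def merge_bundles(base_pem, extra_pem):
    """Base bundle plus every certificate from extra_pem it does not already hold."""
    merged = []
    for body in cert_bodies(base_pem) + cert_bodies(extra_pem):
        if body not in merged:  # skip duplicates so re-running stays idempotent
            merged.append(body)
    blocks = []
    for body in merged:
        lines = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
        blocks.append("-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % lines)
    return "".join(blocks)

def default_bundle_path():
    """Path of the bundle requests uses by default, or None without certifi."""
    try:
        import certifi  # installed alongside requests inside the virtualenv
        return certifi.where()
    except ImportError:
        return None

def write_private_bundle(extra_pem, out_path, base_path=None):
    """Write base bundle + own certificate(s) to out_path; return the cert count."""
    if not cert_bodies(extra_pem):
        raise ValueError("no PEM certificate found in extra_pem")
    base_path = base_path or default_bundle_path()
    base_pem = ""
    if base_path:
        with open(base_path, encoding="ascii", errors="ignore") as fh:
            base_pem = fh.read()
    bundle = merge_bundles(base_pem, extra_pem)
    with open(out_path, "w", encoding="ascii") as fh:
        fh.write(bundle)
    return len(cert_bodies(bundle))

# Usage (paths are assumptions): write_private_bundle(open("my-ca.pem").read(),
# "/home/hass/ca-bundle.pem"), then start the process with
# REQUESTS_CA_BUNDLE=/home/hass/ca-bundle.pem, or pass
# verify="/home/hass/ca-bundle.pem" to requests.get() in your own code.
```

The merged file has to be rebuilt after the requests/certifi package in the virtualenv is upgraded, since the bundled public roots change between releases.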