Signify seems to have started using self-signed certificates for `https://otau.m…eethue.com`.
Unsure if this is a bug on their end or a new configuration they have adopted going forward.
Either way, currently OTA updates using images hosted on that URL will fail:
```
debug 2023-12-29 05:55:33: Received MQTT message on 'zigbee2mqtt/bridge/request/device/ota_update/update' with data '{"id":"Bedroom Lamp","transaction":"r82z7-1"}'
info 2023-12-29 05:55:33: Updating 'Bedroom Lamp' to latest firmware
debug 2023-12-29 05:55:33: Received Zigbee message from 'Bedroom Lamp', type 'readResponse', cluster 'genBasic', data '{"dateCode":"20230606","swBuildId":"1.108.5"}' from endpoint 11 with groupID 0
info 2023-12-29 05:55:33: MQTT publish: topic 'zigbee2mqtt/Bedroom Lamp', payload '{"brightness":254,"color":{"h":32,"hue":32,"s":81,"saturation":81,"x":0.4574,"y":0.41},"color_mode":"color_temp","color_temp":366,"color_temp_startup":65535,"last_seen":"2023-12-29T10:55:33.511Z","linkquality":144,"power_on_behavior":"previous","state":"OFF","update":{"installed_version":16786946,"latest_version":16786948,"state":"available"},"update_available":null}'
debug 2023-12-29 05:55:33: Updating to latest '0x0017880103adfb62' (LCT016)
debug 2023-12-29 05:55:33: Using endpoint '11'
debug 2023-12-29 05:55:33: Received Zigbee message from 'Bedroom Lamp', type 'commandQueryNextImageRequest', cluster 'genOta', data '{"fieldControl":0,"fileVersion":16786946,"imageType":268,"manufacturerCode":4107}' from endpoint 11 with groupID 0
info 2023-12-29 05:55:33: MQTT publish: topic 'zigbee2mqtt/Bedroom Lamp', payload '{"brightness":254,"color":{"h":32,"hue":32,"s":81,"saturation":81,"x":0.4574,"y":0.41},"color_mode":"color_temp","color_temp":366,"color_temp_startup":65535,"last_seen":"2023-12-29T10:55:33.739Z","linkquality":144,"power_on_behavior":"previous","state":"OFF","update":{"installed_version":16786946,"latest_version":16786948,"state":"available"},"update_available":null}'
debug 2023-12-29 05:55:33: Got OTA request '{"fieldControl":0,"manufacturerCode":4107,"imageType":268,"fileVersion":16786946}'
debug 2023-12-29 05:55:33: ZigbeeOTA: downloaded main index
debug 2023-12-29 05:55:33: getNewImage for '0x0017880103adfb62', meta {"fileVersion":16786948,"fileSize":267324,"url":"https://otau.meethue.com/storage/ZGB_100B_010C/3a5dab1a-faf6-47a8-9c9a-34f34eec029f/100B-010C-01002604-ConfLight-Lamps_0012.zigbee","sha512":"e9371e1599b193730f5358cdc64671e93042de1ddf669a970c4e9ce76363bea0b7198838fa4584271b3f1586e4d92565a2cc28a90143889576bab6576ef0e2ce"}
debug 2023-12-29 05:55:33: ZigbeeOTA: downloading firmware image from https://otau.meethue.com/storage/ZGB_100B_010C/3a5dab1a-faf6-47a8-9c9a-34f34eec029f/100B-010C-01002604-ConfLight-Lamps_0012.zigbee
debug 2023-12-29 05:55:34: Update of 'Bedroom Lamp' failed (Error: self signed certificate in certificate chain)
info 2023-12-29 05:55:34: MQTT publish: topic 'zigbee2mqtt/Bedroom Lamp', payload '{"brightness":254,"color":{"h":32,"hue":32,"s":81,"saturation":81,"x":0.4574,"y":0.41},"color_mode":"color_temp","color_temp":366,"color_temp_startup":65535,"last_seen":"2023-12-29T10:55:33.739Z","linkquality":144,"power_on_behavior":"previous","state":"OFF","update":{"installed_version":16786946,"latest_version":16786948,"state":"available"},"update_available":null}'
info 2023-12-29 05:55:34: MQTT publish: topic 'zigbee2mqtt/bridge/response/device/ota_update/update', payload '{"data":{"id":"Bedroom Lamp"},"error":"Update of 'Bedroom Lamp' failed (self signed certificate in certificate chain)","status":"error","transaction":"r82z7-1"}'
error 2023-12-29 05:55:34: Update of 'Bedroom Lamp' failed (self signed certificate in certificate chain)
debug 2023-12-29 05:55:34: Error: self signed certificate in certificate chain
at Function.AxiosError.from (/app/node_modules/axios/lib/core/AxiosError.js:89:14)
at RedirectableRequest.handleRequestError (/app/node_modules/axios/lib/adapters/http.js:606:25)
at RedirectableRequest.emit (node:events:513:28)
at ClientRequest.eventHandlers.<computed> (/app/node_modules/follow-redirects/index.js:14:24)
at ClientRequest.emit (node:events:513:28)
at TLSSocket.socketErrorListener (node:_http_client:494:9)
at TLSSocket.emit (node:events:513:28)
at emitErrorNT (node:internal/streams/destroy:157:8)
at emitErrorCloseNT (node:internal/streams/destroy:122:3)
at processTicksAndRejections (node:internal/process/task_queues:83:21)
```
<details>
<summary>Certificate Chain</summary>

```
❯ openssl s_client -showcerts -connect otau.meethue.com:443
CONNECTED(00000003)
depth=2 C = NL, O = Philips Hue, CN = root
verify error:num=19:self-signed certificate in certificate chain
verify return:1
depth=2 C = NL, O = Philips Hue, CN = root
verify return:1
depth=1 C = NL, O = Philips Hue, CN = intermediate
verify return:1
depth=0 C = NL, O = Philips Hue, CN = otau.meethue.com
verify return:1
---
Certificate chain
0 s:C = NL, O = Philips Hue, CN = otau.meethue.com
i:C = NL, O = Philips Hue, CN = intermediate
a:PKEY: id-ecPublicKey, 256 (bit); sigalg: ecdsa-with-SHA256
v:NotBefore: Dec 28 08:19:26 2023 GMT; NotAfter: Dec 27 08:19:26 2024 GMT
1 s:C = NL, O = Philips Hue, CN = intermediate
i:C = NL, O = Philips Hue, CN = root
a:PKEY: id-ecPublicKey, 256 (bit); sigalg: ecdsa-with-SHA256
v:NotBefore: Sep 21 09:35:35 2021 GMT; NotAfter: Nov 10 09:35:35 2026 GMT
2 s:C = NL, O = Philips Hue, CN = root
i:C = NL, O = Philips Hue, CN = root
a:PKEY: id-ecPublicKey, 256 (bit); sigalg: ecdsa-with-SHA256
v:NotBefore: Aug 25 07:59:43 2016 GMT; NotAfter: Jan 5 07:59:43 2068 GMT
-----BEGIN CERTIFICATE-----
MIIBwDCCAWagAwIBAgIJAJtrMkoTxs+WMAoGCCqGSM49BAMCMDIxCzAJBgNVBAYT
Ak5MMRQwEgYDVQQKDAtQaGlsaXBzIEh1ZTENMAsGA1UEAwwEcm9vdDAgFw0xNjA4
MjUwNzU5NDNaGA8yMDY4MDEwNTA3NTk0M1owMjELMAkGA1UEBhMCTkwxFDASBgNV
BAoMC1BoaWxpcHMgSHVlMQ0wCwYDVQQDDARyb290MFkwEwYHKoZIzj0CAQYIKoZI
zj0DAQcDQgAEENC1JOl6BxJrwCb+YK655zlM57VKFSi5OHDsmlCaF/EfTGGgU08/
JUtkCyMlHUUoYBZyzCBKXqRKkrT512evEKNjMGEwHQYDVR0OBBYEFAlkFYACVzir
qTr++cWia8AKH/fOMB8GA1UdIwQYMBaAFAlkFYACVzirqTr++cWia8AKH/fOMA8G
A1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgGGMAoGCCqGSM49BAMCA0gAMEUC
IQDcGfyXaUl5hjr5YE8m2piXhMcDzHTNbO1RvGgz4r9IswIgFTTw/R85KyfIiW+E
clwJRVSsq8EApeFREenCkRM0EIk=
-----END CERTIFICATE-----
---
Server certificate
subject=C = NL, O = Philips Hue, CN = otau.meethue.com
issuer=C = NL, O = Philips Hue, CN = intermediate
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1795 bytes and written 400 bytes
Verification error: self-signed certificate in certificate chain
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 256 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 19 (self-signed certificate in certificate chain)
---
```
</details>
Related: https://github.com/Koenkk/zigbee2mqtt/issues/20429
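
Added example, not code from zigbee2mqtt or from this report: one way a Node.js client can handle a private CA like the one in the chain above is to trust that root for `otau.meethue.com` only, leaving certificate verification enabled. `describeRoot` and `agentFor` are hypothetical names; the PEM is the depth-2 certificate copied from the openssl output in this post.

```javascript
// Added example; not zigbee2mqtt code. Requires Node.js >= 15.9.
const crypto = require('node:crypto');
const https = require('node:https');

const PINNED_HOST = 'otau.meethue.com';

// Depth-2 certificate (CN = root) copied from the openssl output in this post.
const HUE_ROOT_PEM = `-----BEGIN CERTIFICATE-----
MIIBwDCCAWagAwIBAgIJAJtrMkoTxs+WMAoGCCqGSM49BAMCMDIxCzAJBgNVBAYT
Ak5MMRQwEgYDVQQKDAtQaGlsaXBzIEh1ZTENMAsGA1UEAwwEcm9vdDAgFw0xNjA4
MjUwNzU5NDNaGA8yMDY4MDEwNTA3NTk0M1owMjELMAkGA1UEBhMCTkwxFDASBgNV
BAoMC1BoaWxpcHMgSHVlMQ0wCwYDVQQDDARyb290MFkwEwYHKoZIzj0CAQYIKoZI
zj0DAQcDQgAEENC1JOl6BxJrwCb+YK655zlM57VKFSi5OHDsmlCaF/EfTGGgU08/
JUtkCyMlHUUoYBZyzCBKXqRKkrT512evEKNjMGEwHQYDVR0OBBYEFAlkFYACVzir
qTr++cWia8AKH/fOMB8GA1UdIwQYMBaAFAlkFYACVzirqTr++cWia8AKH/fOMA8G
A1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgGGMAoGCCqGSM49BAMCA0gAMEUC
IQDcGfyXaUl5hjr5YE8m2piXhMcDzHTNbO1RvGgz4r9IswIgFTTw/R85KyfIiW+E
clwJRVSsq8EApeFREenCkRM0EIk=
-----END CERTIFICATE-----`;

// Inspect the candidate trust anchor before pinning it.
function describeRoot(pem) {
  const cert = new crypto.X509Certificate(pem);
  return {
    subject: cert.subject.replace(/\n/g, ', '),
    selfIssued: cert.subject === cert.issuer, // issuer equals subject
    selfSigned: cert.verify(cert.publicKey),  // signature checks under its own key
    isCa: cert.ca,                            // basicConstraints CA:TRUE
    sha256: cert.fingerprint256,              // compare out of band before trusting
    notAfter: cert.validTo,
  };
}

// Hypothetical helper: an agent that trusts ONLY this root, and only for the
// OTA host. Any other URL returns undefined so the caller keeps Node's
// default trust store. Verification stays on; `rejectUnauthorized: false`
// would instead accept any certificate presented on the path.
function agentFor(url) {
  const { protocol, hostname } = new URL(url);
  if (protocol !== 'https:' || hostname !== PINNED_HOST) return undefined;
  return new https.Agent({ ca: [HUE_ROOT_PEM], rejectUnauthorized: true });
}

console.log(describeRoot(HUE_ROOT_PEM));
```

The returned agent can be passed per request as axios's `httpsAgent` option. The `sha512` from the OTA index should still be checked against the downloaded image.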