"Verify TLS" in Homematic (IP) Local fails

Dear all,

I am new to Homematic and just bought the HmIP-RFUSB stick. The RaspberryMatic installation went well. I chose the Express option for security settings and accordingly, authentication is required. I enabled the

  • Homematic XML-RPC API
  • Remote Homematic-Script API

and opened ports 42010 and 443 in the RaspberryMatic firewall.

So I installed Homematic (IP) Local. During setup, I enabled TLS and also chose “Verify TLS” (I think this is the verify_tls parameter). Now setup fails when I ask for the verification, but succeeds when I do not tick the verification option (still enabling TLS).

Is this normal? Do I have to change other settings in RaspberryMatic? I tried to play around with the HTTPS option, but it makes no difference.

And - most important - am I right so far, not opening unnecessary ports or APIs?

This is the log:

2024-04-21 20:13:07.557 ERROR (MainThread) [hahomematic.client.xml_rpc] SSLError on temporary_instance-HmIP-RF: (1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate (_ssl.c:1000)')
2024-04-21 20:13:07.557 WARNING (MainThread) [hahomematic.central] SSLError on temporary_instance-HmIP-RF: (1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate (_ssl.c:1000)')
2024-04-21 20:14:39.222 ERROR (MainThread) [hahomematic.client.json_rpc] GET_ALL_SYSTEM_VARIABLES failed: ClientConnectorError [(ConnectionKey(host='de838cd8-raspberrymatic', port=443, is_ssl=True, ssl=<ssl.SSLContext object at 0x7f80be8aa650>, proxy=None, proxy_auth=None, proxy_headers_hash=xxxx), ConnectionRefusedError(111, "Connect call failed ('172.30.33.2', 443)"))] 
2024-04-21 20:14:39.229 ERROR (MainThread) [hahomematic.client.json_rpc] GET_ALL_PROGRAMS failed: ClientConnectorError [(ConnectionKey(host='de838cd8-raspberrymatic', port=443, is_ssl=True, ssl=<ssl.SSLContext object at 0x7f80be8aa650>, proxy=None, proxy_auth=None, proxy_headers_hash=xxxx), ConnectionRefusedError(111, "Connect call failed ('172.30.33.2', 443)"))] 
2024-04-21 20:14:39.671 ERROR (MainThread) [hahomematic.client.xml_rpc] OSError on RaspberryMatic (lokal)-HmIP-RF: (111, 'Connection refused')
2024-04-21 20:14:39.671 WARNING (MainThread) [hahomematic.client] PROXY_DE_INIT failed: NoConnection [OSError on RaspberryMatic (lokal)-HmIP-RF: (111, 'Connection refused')] Unable to de-initialize proxy for RaspberryMatic (lokal)-HmIP-RF
2024-04-21 20:14:39.677 ERROR (MainThread) [hahomematic.client.json_rpc] GET_ALL_DEVICE_DATA for HmIP-RF failed: ClientConnectorError [(ConnectionKey(host='de838cd8-raspberrymatic', port=443, is_ssl=True, ssl=<ssl.SSLContext object at 0x7f80be8aa650>, proxy=None, proxy_auth=None, proxy_headers_hash=xxx), ConnectionRefusedError(111, "Connect call failed ('172.30.33.2', 443)"))] 
2024-04-21 20:15:05.492 ERROR (MainThread) [hahomematic.client.json_rpc] GET_ALL_SYSTEM_VARIABLES failed: ClientException [POST method 'Session.login' failed: service not available] 
2024-04-21 20:15:05.827 ERROR (MainThread) [hahomematic.client.json_rpc] GET_ALL_PROGRAMS failed: ClientException [POST method 'Session.login' failed: service not available] 
2024-04-21 20:16:02.338 WARNING (MainThread) [homeassistant.components.waze_travel_time.sensor] Error on retrieving data: <html>
<head><title>503 Service Temporarily Unavailable</title></head>
<body>
<center><h1>503 Service Temporarily Unavailable</h1></center>
<hr><center>nginx</center>
</body>
</html>

2024-04-21 20:16:03.002 ERROR (MainThread) [hahomematic.client.xml_rpc] SSLError on temporary_instance-HmIP-RF: (1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate (_ssl.c:1000)')
2024-04-21 20:16:03.002 WARNING (MainThread) [hahomematic.central] SSLError on temporary_instance-HmIP-RF: (1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate (_ssl.c:1000)')
2024-04-21 20:16:27.272 ERROR (MainThread) [hahomematic.client.xml_rpc] SSLError on temporary_instance-HmIP-RF: (1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate (_ssl.c:1000)')
2024-04-21 20:16:27.272 WARNING (MainThread) [hahomematic.central] SSLError on temporary_instance-HmIP-RF: (1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate (_ssl.c:1000)')
2024-04-21 20:17:41.895 WARNING (MainThread) [hahomematic.client] PROXY_DE_INIT failed: NoConnection [SSLError on RaspberryMatic (lokal)-HmIP-RF: (8, 'EOF occurred in violation of protocol (_ssl.c:2406)')] Unable to de-initialize proxy for RaspberryMatic (lokal)-HmIP-RF

It says something about certificates - do I have to create something?

This is normal. The default self-signed certificate from your CCU cannot be verified by HA. Just disable verify tls and you are done.

@SukramJ Thank you! Does this mean TLS itself should be deactivated, or is just the check not working?

The check is working as expected.
TLS can be used, if you like it.
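
Added example, not part of the thread or of the hahomematic project: a small triage script that separates the certificate-trust failures in a log like the one above from the connection-refused and service-unavailable entries, which are reachability problems rather than TLS verification problems. The sample lines are constructed from the entry types shown in the thread, and the category names and function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample, shortened from the kinds of entries shown in the thread's log.
SAMPLE_LOG = """\
2024-04-21 20:13:07.557 ERROR (MainThread) [hahomematic.client.xml_rpc] SSLError on temporary_instance-HmIP-RF: (1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate (_ssl.c:1000)')
2024-04-21 20:14:39.671 ERROR (MainThread) [hahomematic.client.xml_rpc] OSError on RaspberryMatic (lokal)-HmIP-RF: (111, 'Connection refused')
2024-04-21 20:15:05.492 ERROR (MainThread) [hahomematic.client.json_rpc] GET_ALL_SYSTEM_VARIABLES failed: ClientException [POST method 'Session.login' failed: service not available]
2024-04-21 20:17:41.895 WARNING (MainThread) [hahomematic.client] PROXY_DE_INIT failed: NoConnection [SSLError on RaspberryMatic (lokal)-HmIP-RF: (8, 'EOF occurred in violation of protocol (_ssl.c:2406)')]
2024-04-21 20:16:02.338 WARNING (MainThread) [homeassistant.components.waze_travel_time.sensor] Error on retrieving data: <html>
"""

# Home Assistant log line: timestamp, level, (thread), [logger], message.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) (?P<level>[A-Z]+) "
    r"\((?P<thread>[^)]*)\) \[(?P<logger>[^\]]+)\] (?P<msg>.*)$"
)

# Ordered rules: the first match wins, so the specific trust failure is
# checked before the generic SSLError bucket.
RULES = [
    ("cert_untrusted", re.compile(r"CERTIFICATE_VERIFY_FAILED")),
    ("connection_refused", re.compile(r"Connection refused|ConnectionRefusedError")),
    ("service_unavailable", re.compile(r"service not available")),
    ("tls_other", re.compile(r"SSLError")),
]


def classify(msg):
    """Return the hypothetical category name for one log message."""
    for name, pattern in RULES:
        if pattern.search(msg):
            return name
    return "other"


def triage(text, logger_prefix="hahomematic"):
    """Count failure categories for loggers starting with logger_prefix."""
    counts = Counter()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m["logger"].startswith(logger_prefix):
            continue  # continuation lines (e.g. HTML bodies) and other integrations
        counts[classify(m["msg"])] += 1
    return counts


if __name__ == "__main__":
    print(dict(triage(SAMPLE_LOG)))
```
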