
Strategies to avoid double reboot

Open IgnacioHR opened this issue 7 months ago • 8 comments

Hi, this is not an issue as such. I have been using this integration for about two years and am very happy with it. This is just a discussion to evaluate alternatives to the only issue with this integration: the necessity to reboot HA twice every time there is an update (more often than I would like).

Could an automation do the work? i.e., detect the state of several certificates issued by a local CA, and if all of them fail and the time since the last reboot is less than X, then reboot HA. But the strategy sounds fragile to me, so I wanted to hear about more robust alternatives before trying to implement it (as a programmer, I think I could give it a try later if there is interest in this).

Best Ignacio

IgnacioHR avatar Apr 28 '25 08:04 IgnacioHR

Hello, thanks for the feedback. I have the same behavior on my HA and was wondering if I was the only one. It's worth studying; I'll have a look in the coming weeks.

Athozs avatar Apr 28 '25 10:04 Athozs

Hi. Well, here is what happens in Home Assistant:

An SSL context is loaded from the filesystem at Home Assistant bootstrap, including the original CA trust store, before the Additional CA integration and the others are loaded; then the integrations are loaded and use that context to perform requests to third-party services.

When the Additional CA integration adds a new custom CA to the CA trust store, there is no simple way to reload the SSL context that will be used afterward by the other integrations. This is why we currently have to restart HA twice.

I don't know yet if there is a workaround for that behavior.

Athozs avatar May 03 '25 11:05 Athozs

Hi,

Thank you for your review of the process.

If I understand the documentation correctly, what Additional CA does is configure the context so that the next time Python creates a context, the new certificates will be included along with the original certificates from the base. This is the root reason we need to restart twice every time we install an update.

Question: does the code check before configuring the context loading? If it does, it might be possible to schedule a restart inside the if statement, and that should fire only once, because after the next restart the context is configured and the if clause would return false.

IgnacioHR avatar May 07 '25 08:05 IgnacioHR

Hello. To be more precise, the Additional CA integration doesn't modify the SSL context of Home Assistant; the Additional CA integration updates the CA trust store inside the Docker container, and then Home Assistant creates its Python SSL context based on the system CA trust store.

Question: does the code check before configuring the context loading?

Which code? The code of Additional CA or the code of Home Assistant core?

It might be possible to schedule a restart

Can you be more specific?

Athozs avatar May 13 '25 15:05 Athozs

Hello,

Hello. To be more precise, the Additional CA integration doesn't modify the SSL context of Home Assistant; the Additional CA integration updates the CA trust store inside the Docker container, and then Home Assistant creates its Python SSL context based on the system CA trust store.

Yes, I understand the process. This is the root reason we need to perform a double reboot: the second context is the one that includes the additional CAs.

Question: does the code check before configuring the context loading? Which code? The code of Additional CA or the code of Home Assistant core?

Additional CA code. I'm referring to the process of "...updating the CA trust store inside the Docker container".

The question is: is it always updated, or only updated when it is not yet configured to load the additional CAs into the context?

It might be possible to schedule a restart

Can you be more specific?

Let me write some pseudo code:

if context is NOT including Additional CAs then
   - Update the CA trust store inside the Docker container
   - Schedule a reboot after loading is finished
end if

Hope it is clear. Regards

IgnacioHR avatar May 13 '25 19:05 IgnacioHR

The question is: is it always updated, or only updated when it is not yet configured to load the additional CAs into the context?

  • In the case of Home Assistant installed with Docker: the code of the hass-additional-ca integration updates the CA trust store inside the Docker container at each startup of Home Assistant, so the "update" command is always run. If the custom CA is already present, that is fine, because the update-ca-certificates command line handles it.
  • In the case of Home Assistant installed with HAOS: same as with Docker, plus the code of the hass-additional-ca integration updates the Certifi CA bundle only if the CA is not yet present (the Certifi CA bundle is actually a text file).

Your idea would be to check whether the Python SSL context of HA already contains the custom CA, and if not, then a restart is required. Tell me if I misunderstand :)

  • Schedule a reboot after loading is finished

How does this sound to you: sending a notification to the user saying that a restart is required, instead of directly rebooting HA? Some users may not like to see their HA rebooting without being notified.

Athozs avatar May 15 '25 10:05 Athozs
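As an added illustration of the two steps discussed in this thread (the trust-store update above, which runs at every startup and therefore has to be idempotent, and the later "is the custom CA present in the SSL context?" check whose issuer-common-name matching caused the false positives reported further down), here is a small Python example. It is not code from hass-additional-ca; the function names and the bundle layout are my own, the PEM blocks are constructed placeholders (base64 of arbitrary bytes, not real certificates), and the SSL context is simulated as a list of DER blobs, which is the shape `SSLContext.get_ca_certs(binary_form=True)` returns in a real Home Assistant process. The presence check keys on the SHA-256 fingerprint of the DER encoding, so a CA whose issuer has no Common Name is handled the same as any other.

```python
"""Added example (not code from hass-additional-ca): idempotent CA bundle update
and a fingerprint-based presence check against an already-created SSL context.
Function names and sample data are assumptions made for this illustration."""
import base64
import hashlib
import re
import ssl
from typing import Iterable

# Matches every CERTIFICATE block in a PEM text, tolerating odd whitespace.
_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.DOTALL
)


def pem_to_der_list(pem_text: str) -> list:
    """Decode each CERTIFICATE block of a PEM text (a certifi-style bundle or a
    single CA file) into its DER bytes."""
    return [base64.b64decode("".join(body.split())) for body in _PEM_BLOCK.findall(pem_text)]


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER encoding: the certificate's identity regardless of
    PEM formatting, and independent of whether the issuer has a Common Name."""
    return hashlib.sha256(der).hexdigest()


def add_ca_to_bundle(bundle_text: str, ca_pem: str):
    """Append the CA(s) in ca_pem to a text bundle unless already present.
    Returns (new_bundle_text, changed); a second run is a no-op, which is what
    an integration that runs at every HA startup needs."""
    wanted = pem_to_der_list(ca_pem)
    if not wanted:
        raise ValueError("no CERTIFICATE block found in ca_pem")
    present = {fingerprint(d) for d in pem_to_der_list(bundle_text)}
    missing = [d for d in wanted if fingerprint(d) not in present]
    if not missing:
        return bundle_text, False
    out = bundle_text
    if out and not out.endswith("\n"):
        out += "\n"
    for der in missing:
        out += ssl.DER_cert_to_PEM_cert(der)  # stdlib re-wraps DER into canonical PEM
    return out, True


def missing_from_context(loaded_der: Iterable[bytes], ca_pem: str) -> list:
    """Fingerprints of the CAs in ca_pem that the running SSL context does not
    know. In Home Assistant, loaded_der would be
    ssl_context.get_ca_certs(binary_form=True); here it is simulated."""
    loaded = {fingerprint(d) for d in loaded_der}
    return [fingerprint(d) for d in pem_to_der_list(ca_pem) if fingerprint(d) not in loaded]


# Constructed placeholders: arbitrary bytes wrapped as PEM, NOT real certificates.
SYSTEM_CA_DER = b"constructed placeholder: a system root CA"
CUSTOM_CA_DER = b"constructed placeholder: the local custom CA"
CUSTOM_CA_PEM = ssl.DER_cert_to_PEM_cert(CUSTOM_CA_DER)
# Same CA re-wrapped onto one line with odd spacing (what a copy-paste may produce).
CUSTOM_CA_PEM_REWRAPPED = " ".join(CUSTOM_CA_PEM.split())


def demo() -> dict:
    """Walk through the double-restart situation: the context was created at
    bootstrap from the old bundle, then the integration updates the bundle."""
    bundle_at_bootstrap = "# constructed certifi-style bundle\n" + ssl.DER_cert_to_PEM_cert(SYSTEM_CA_DER)
    context_cas_at_bootstrap = pem_to_der_list(bundle_at_bootstrap)  # what HA loaded
    bundle_v1, changed_first = add_ca_to_bundle(bundle_at_bootstrap, CUSTOM_CA_PEM)
    bundle_v2, changed_again = add_ca_to_bundle(bundle_v1, CUSTOM_CA_PEM_REWRAPPED)
    return {
        "changed_first": changed_first,          # True: CA appended once
        "changed_again": changed_again,          # False: rerun is a no-op
        "bundle_stable": bundle_v1 == bundle_v2,
        "ca_count": len(pem_to_der_list(bundle_v2)),
        # Context built before the update still lacks the CA: a restart is needed.
        "missing_now": missing_from_context(context_cas_at_bootstrap, CUSTOM_CA_PEM),
        # Context built after a restart from the updated bundle: nothing missing.
        "missing_after_restart": missing_from_context(pem_to_der_list(bundle_v2), CUSTOM_CA_PEM),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In a real integration the two pieces map onto the two moments in the thread: `add_ca_to_bundle` is the step that runs on every startup and must not grow the bundle on repeated runs, and `missing_from_context` is the check that decides whether to raise the "restart required" notification, fed with the DER list of the context Home Assistant created at bootstrap.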

Hi,

Thank you for the response and the time spent looking at the code.

Your idea would be to check whether the Python SSL context of HA already contains the custom CA, and if not, then a restart is required. Tell me if I misunderstand :)

Your understanding is totally right!

How does this sound to you: sending a notification to the user saying that a restart is required, instead of directly rebooting HA? Some users may not like to see their HA rebooting without being notified.

Sending a notification to the user works too and is less disruptive. It is also true that when an HA update modifies the database ("migration"), HA does not allow the user to reboot HA until the process finishes, so if you want to do it super clean, the user notification should come after the database migration process has finished.

If you agree, I'm happy to close the issue, as I think I've already finished providing my suggestion to you.

IgnacioHR avatar May 16 '25 09:05 IgnacioHR

We can keep it open; I'll use it to work on this in the coming weeks.

Athozs avatar May 16 '25 12:05 Athozs

New release 0.3.0 of the Additional CA integration is available, with a notification to restart Home Assistant if the custom CA is missing from the SSL context.

Athozs avatar May 28 '25 09:05 Athozs

Hi, I came here after upgrading to 0.3.0; now every time I restart HA I get:

Image

Three restarts after dismissing the message, and it always re-appears. I'm running HAOS, and the CA certificate is fine; I checked it again in case it had expired or something.

Taomyn avatar May 28 '25 12:05 Taomyn

Ah sorry, I know why you get the message. I'm going to fix that now.

Athozs avatar May 28 '25 13:05 Athozs

Should be fixed with release 0.3.1

Athozs avatar May 28 '25 14:05 Athozs

0.3.1 and I can't get rid of the notification. Edit: forgot to mention the certificate is loaded properly; everything works.

leonardpitzu avatar May 28 '25 15:05 leonardpitzu

0.3.1 and I can't get rid of the notification. Edit: forgot to mention the certificate is loaded properly; everything works.

Yeah, same for me still

Taomyn avatar May 28 '25 16:05 Taomyn

Release 0.3.2 available: fix the SSL context check when the Issuer Common Name is not provided. Could you open a new issue if something does not work? Thanks :)

Athozs avatar May 29 '25 12:05 Athozs

Release 0.3.2 available: fix the SSL context check when the Issuer Common Name is not provided. Could you open a new issue if something does not work? Thanks :)

So far so good for me, thanks

Taomyn avatar May 29 '25 12:05 Taomyn

Hi, I came here after upgrading to 0.3.2; now every time I restart HA I get:

This error originated from a custom integration.

Logger: custom_components.additional_ca.utils
Source: custom_components/additional_ca/utils.py:94
integration: Additional CA (documentation, issues)
First occurred: 9:24:50 PM (1 occurrence)
Last logged: 9:24:50 PM

CA 'hon_cert.crt' with issuer common name 'RapidSSL TLS RSA CA G1' is missing in SSL Context. Home Assistant needs to be restarted.

matomatusov avatar May 31 '25 21:05 matomatusov

Hello,

See https://github.com/Athozs/hass-additional-ca/issues/19#issuecomment-2922610770 :)

Athozs avatar Jun 01 '25 08:06 Athozs

0.3.2 works well for me. Thank you for all the work done!

IgnacioHR avatar Jun 01 '25 09:06 IgnacioHR