
Hue sync box 8k CERTIFICATE_VERIFY_FAILED

Open bishengliu7 opened this issue 1 year ago • 6 comments

Describe the bug

Hi there, I'm setting up the new 8k sync box. I used to own an old version sync box and it can be set up easily with no issue. But this time I just cannot add the integration for the new sync box. Not sure if it was some compatibility issue or not. Any help is appreciated!

Logging

I turned on debug logging for hue sync box like other issue requests and I found this error (my sync box IP was 192.168.31.183):

aiohttp.client_exceptions.ClientConnectorCertificateError: Cannot connect to host 192.168.31.183:443 ssl:True [SSLCertVerificationError: (1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1000)')]
2024-09-19 09:37:49.411 DEBUG (MainThread) [custom_components.huesyncbox.config_flow] async_step_link, ConnectionInfo(host='192.168.31.183', unique_id='C4299600EBDA', access_token=None, registration_id=None, port=443, path='/api')
2024-09-19 09:37:49.411 DEBUG (MainThread) [custom_components.huesyncbox.config_flow] async_step_link, asyncio.async_show_progress_done registered=False
2024-09-19 09:37:49.420 DEBUG (MainThread) [custom_components.huesyncbox.config_flow] async_step_abort, None

I tried verifying it in the terminal on Mac

 openssl s_client -connect 192.168.31.183:443 -servername 192.168.31.183 -showcerts
Connecting to 192.168.31.183
CONNECTED(00000003)
depth=0 C=NL, O=Philips Hue, CN=C4299600EBDA, OU=HSB2
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C=NL, O=Philips Hue, CN=C4299600EBDA, OU=HSB2
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 C=NL, O=Philips Hue, CN=C4299600EBDA, OU=HSB2
verify return:1
---
Certificate chain
 0 s:C=NL, O=Philips Hue, CN=C4299600EBDA, OU=HSB2
   i:C=NL, O=Philips Hue, CN=root-hsb
   a:PKEY: id-ecPublicKey, 256 (bit); sigalg: ecdsa-with-SHA256
   v:NotBefore: Oct 29 01:44:39 2022 GMT; NotAfter: Dec 31 23:59:59 9999 GMT
-----BEGIN CERTIFICATE-----
MIICLjCCAdSgAwIBAgIHAMQplgDr2jAKBggqhkjOPQQDAjA2MQswCQYDVQQGEwJO
TDEUMBIGA1UECgwLUGhpbGlwcyBIdWUxETAPBgNVBAMMCHJvb3QtaHNiMCIYDzIw

Environment

Provide details about the versions you are using, which helps to reproduce and find the issue quicker.

  • Home Assistant Core version: 2024.9.0
  • Home Assistant operating environment (OS/Container/Supervised/Core): Core
  • Huesyncbox integration version: 2.2.4
  • Last working version (if known): nope since I'm setting up a new sync box

bishengliu7 avatar Sep 19 '24 01:09 bishengliu7

I know this will not help you very much, but I thought I should mention that I have just installed this successfully with the new 8K Sync Box.

Since it is a relatively new device that might be good to share because not everyone can test it. I experienced zero issues and all sensors and switches seem to be working fine.

If I can help to verify anything then let me know.

SebastiaanKlippert avatar Sep 20 '24 17:09 SebastiaanKlippert

I'm also using it with the new 8K Sync Box. So I'm not sure the issue is related to this new version.

piitaya avatar Sep 21 '24 10:09 piitaya

It works fine with my 8K Sync Box and I have had reports from others that it works fine, so it seems to be something specific to this setup. I have no idea what could cause a 4K box to work on the same setup, there is nothing in the code that differentiates 4K from 8K box.

I also thought I already answered this, but it was the same issue in aiohuesyncbox repo. Let's keep the discussion here since more people are likely to find it and provide input.

You mentioned you verified on your Mac, could you verify also from the machine where Home Assistant is installed?

To check, please use the command below with the attached hsb_cacert.pem.txt file. The command is taken straight from the Hue developer documentation so it should work. The expected response is {"code": 2, "message": "Invalid Token"} because we did not fill in the token, but it has passed certificate checks at that point.

curl --cacert ~/hsb_cacert.pem.txt -H "Authorization: Bearer <token>" -X GET https://C4299600EBDA/api/v1 --resolve "C4299600EBDA:443:192.168.31.183"

hsb_cacert.pem.txt

mvdwetering avatar Sep 21 '24 11:09 mvdwetering

Thanks for the reply and sorry that I missed the message!

I did the following hack to work around it, and then it works.

diff --git a/aiohuesyncbox/huesyncbox.py b/aiohuesyncbox/huesyncbox.py
index 4782032..b14cece 100644
--- a/aiohuesyncbox/huesyncbox.py
+++ b/aiohuesyncbox/huesyncbox.py
@@ -177,7 +177,7 @@ class HueSyncBox:
                 headers["Authorization"] = f"Bearer {self._access_token}"

             async with self._clientsession.request(
-                method, url, json=data, headers=headers, server_hostname=self._id
+                method, url, json=data, headers=headers, server_hostname=self._id, ssl=False
             ) as resp:
                 logger.debug("%s, %s" % (resp.status, await resp.text("utf-8")))
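
Review bot: ssl=False on the self._clientsession.request(...) call switches off certificate verification for every request, including those carrying the Authorization: Bearer header built just above, so the access token would go to whatever host answers on that address. Suggest leaving this line as it was and making verification succeed instead, by passing an SSL context that trusts the sync box root CA while keeping server_hostname=self._id; with ssl=False that server_hostname value is no longer checked against the certificate.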


I also tried your command from my HA environment and I did get

(homeassistant) ➜  homeassistant curl --cacert ~/Downloads/hsb_cacert.pem.txt -H "Authorization: Bearer <token>" -X GET https://C4299600EBDA/api/v1 --resolve "C4299600EBDA:443:192.168.31.183"
{"code": 2, "message": "Invalid Token"}%

bishengliu7 avatar Oct 04 '24 10:10 bishengliu7

Yeah, adding ssl=False just disables all the checks, so that will avoid the issue. However, that is not something I want to add as a workaround.

Since the curl command works I am not really sure what to try next.

You mentioned you have a core installation. Maybe it is something in the OS environment? I mean a core install by itself should be fine since I develop on a core install on Ubuntu 22.04.

Could you tell a bit more about the OS/environment you are running?

mvdwetering avatar Oct 06 '24 11:10 mvdwetering
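
An added example, not from the thread or from aiohuesyncbox: it reproduces the "unable to get local issuer certificate" failure with a constructed throwaway root and leaf (CN set to the device ID), then shows verification passing once the root is supplied and the expected name is the device ID rather than the IP. The demo-root CA, the file names and the function names are assumptions made for the illustration.

```shell
#!/usr/bin/env bash
# Added example: constructed, throwaway certificates (not the real Hue CA).
DEVICE_ID="C4299600EBDA"   # device ID from the thread, used as the leaf CN

make_chain() {   # $1 = scratch directory
  local d="$1"
  cat > "$d/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = demo-root
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
  # Private root CA, standing in for the vendor root that signs device certs.
  openssl ecparam -name prime256v1 -genkey -noout -out "$d/root.key" || return 1
  openssl req -x509 -new -key "$d/root.key" -config "$d/demo.cnf" -sha256 \
    -days 2 -out "$d/root.pem" || return 1
  # Leaf whose only name is the device ID, as in the s_client output.
  openssl ecparam -name prime256v1 -genkey -noout -out "$d/leaf.key" || return 1
  openssl req -new -key "$d/leaf.key" -config "$d/demo.cnf" \
    -subj "/CN=$DEVICE_ID" -out "$d/leaf.csr" || return 1
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -sha256 -days 2 -out "$d/leaf.pem" 2>/dev/null
}

# Default trust store only: the client was never given the private root.
verify_default_store() { openssl verify "$1/leaf.pem" 2>&1; }

# Private root supplied and expected name checked: the analogue of
# curl --cacert ... --resolve, and of server_hostname=<device id>.
verify_with_root() {   # $1 = scratch directory, $2 = name the client expects
  openssl verify -CAfile "$1/root.pem" -verify_hostname "$2" "$1/leaf.pem" 2>&1
}

demo() {
  local d; d=$(mktemp -d) || return 1
  make_chain "$d" || return 1
  echo "[default store]";     verify_default_store "$d"
  echo "[root + device ID]";  verify_with_root "$d" "$DEVICE_ID"
  echo "[root + IP as name]"; verify_with_root "$d" "192.168.31.183"
  rm -rf "$d"
}
demo
```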

Sorry for the late reply. I have tried HA container and HA core on my Mac mini M2, Sonoma 14.6.1, but both setups failed and I had to turn off ssl to hack around it.

bishengliu7 avatar Apr 20 '25 12:04 bishengliu7