8000 Certificate Expiry integration does not recognise short Let's Encrypt certificate · Issue #137578 · home-assistant/core · GitHub
Certificate Expiry integration does not recognise short Let's Encrypt certificate #137578
@vrtareg

Description

The problem

I have 2 hosts in my home which have only a LE-created certificate, but because of their limitations I only used one part of the certificate instead of the full chain.

This is causing the Certificate Expiry integration to fail to check them.

I have a script to check certificates and used the following code to work around that:

import socket
import ssl
from datetime import datetime, timezone

import certifi
from OpenSSL import crypto

def get_certificate_expiry(hostname, ssl_port, timeout, verify=True):
    try:
        context = ssl.create_default_context()
        # Restrict the cipher list (single TLS 1.2 suite)
        context.set_ciphers("AES256-GCM-SHA384")
        # Use the certifi bundle as the trust store
        context.load_verify_locations(certifi.where())

        if not verify:
            context.check_hostname = False
            context.verify_mode = ssl.CERT_NONE

        with socket.create_connection((hostname, ssl_port), timeout=timeout) as sock:
            with context.wrap_socket(sock, server_hostname=hostname) as ssock:
                # Binary form is needed: getpeercert() returns {} when the peer is not verified
                cert = ssock.getpeercert(binary_form=True)
                x509 = crypto.load_certificate(crypto.FILETYPE_ASN1, cert)
                expiry_date = datetime.strptime(x509.get_notAfter().decode("ascii"), "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
                return expiry_date
    except ssl.SSLCertVerificationError as e:
        if verify:
            print(f"SSL Certificate verification error for {hostname}: {e}")
            print("Retrying without certificate verification...")
            return get_certificate_expiry(hostname, ssl_port, timeout, verify=False)
        else:
            raise
    except Exception as e:
        print(f"Error connecting to {hostname}: {e}")
        return None  # Return None if the connection fails

I am wondering if it would be possible to enhance Certificate Expiry to use context.load_verify_locations(certifi.where()), as it looks like certifi has the LE root and chain certificates included, which solves the LE certificate issues.

I am trying to look at the code but am not sure that it works in a similar way.

What version of Home Assistant Core has the issue?

core-2025.2.0

What was the last working version of Home Assistant Core?

No response

What type of installation are you running?

Home Assistant Core

Integration causing the issue

No response

Link to integration documentation on our website

No response

Diagnostics information

No response

Example YAML snippet

Anything in the logs that might be useful for us?

2025-02-06 16:45:17.739 ERROR (MainThread) [homeassistant.components.cert_expiry.coordinator] Certificate validation error: truenas-ilo.vrtareg.me [unable to get local issuer certificate]

Additional information

No response
