TLS Errors when Konnected firmware calls Home Assistant

So I have the device-discovery etc. part working, and ESPlorer shows Konnected trying to send updates when my sensors change - but the updates aren't "received" by HomeAssistant. My HA setup is TLS-enabled (using the DuckDNS addon). Doing a packet capture in the docker container running HA, and filtering for the IP of the first Konnected device, I can see the TCP connection establish, and the SSL connection proceeds as expected:

=> Client Hello
<= Server Hello
<= Certificate, Server Key Exchange, Server Hello Done

And then, Konnected/NodeMCU's TLS implementation returns the following 'Decrypt Error' on the wire 

Secure Sockets Layer TLSv1.2 
Record Layer: Alert (Level: Fatal, Description: Decrypt Error) 
Content Type: Alert (21) 
Version: TLS 1.2 (0x0303) 
Length: 2 
Alert Message Level: Fatal (2) 
Description: Decrypt Error (51) 

I can obviously connect to HA using TLS from multiple browsers, and from the Linux 'openssl' command-line client. The relevant logs from the NodeMCU device are: 

HTTP client: Disconnected with error: 46 
HTTP client: Connection timeout 
Heap:33472 HTTP Call: -1 state 1 pin 2 
E:M 528 
HTTP client: Disconnected with error: 46 
HTTP client: Connection timeout 
Heap:33288 HTTP Call: -1 state 0 pin 2
E:M 528
HTTP client: Disconnected with error: 46
HTTP client: Connection timeout
Heap:33288 HTTP Call: -1 state 1 pin 2

Any hints as to where to go next - I do know some Lua, but I couldn't see if the Konnected scripts had any way to interrupt the boot process.
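To make the capture above easier to read without Wireshark, here is a small added example (my own code, not from the Konnected project or the original poster) that parses raw TLS records, decodes an alert such as the fatal decrypt_error (51) shown above, lists the handshake messages in the server's flight, and reports whether the largest record would fit in a given client receive buffer. The sample byte stream is constructed (the certificate body is filler, not a real DER certificate), and the buffer check assumes that a small embedded TLS client must hold one complete record in memory; the actual failure mode of any particular firmware is not established by this script.

```python
import struct

CONTENT_TYPES = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
ALERT_LEVELS = {1: "Warning", 2: "Fatal"}
ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate", 48: "unknown_ca",
    50: "decode_error", 51: "decrypt_error", 70: "protocol_version",
    80: "internal_error", 112: "unrecognized_name",
}
HANDSHAKE_TYPES = {1: "ClientHello", 2: "ServerHello", 11: "Certificate",
                   12: "ServerKeyExchange", 14: "ServerHelloDone",
                   16: "ClientKeyExchange", 20: "Finished"}


def parse_records(data: bytes) -> list:
    """Split a byte stream into TLS records as (content_type, version, payload) tuples.
    Record header: 1 byte type, 2 bytes version, 2 bytes payload length (big-endian)."""
    records, pos = [], 0
    while pos + 5 <= len(data):
        ctype, version, length = struct.unpack("!BHH", data[pos:pos + 5])
        payload = data[pos + 5:pos + 5 + length]
        if len(payload) != length:
            raise ValueError("truncated record at offset %d" % pos)
        records.append((ctype, version, payload))
        pos += 5 + length
    if pos != len(data):
        raise ValueError("trailing bytes after last record")
    return records


def describe_alert(payload: bytes) -> str:
    """Alert payload is 1 byte level + 1 byte description, e.g. b'\\x02\\x33' -> Fatal decrypt_error."""
    level, desc = payload[0], payload[1]
    return "%s %s (%d)" % (ALERT_LEVELS.get(level, "level %d" % level),
                           ALERT_DESCRIPTIONS.get(desc, "alert %d" % desc), desc)


def handshake_messages(payload: bytes) -> list:
    """Return (type_name, body_length) for each handshake message inside one record.
    Header: 1 byte message type + 3 byte body length. Fragmentation across records is rejected."""
    msgs, pos = [], 0
    while pos + 4 <= len(payload):
        mtype = payload[pos]
        mlen = int.from_bytes(payload[pos + 1:pos + 4], "big")
        body = payload[pos + 4:pos + 4 + mlen]
        if len(body) != mlen:
            raise ValueError("handshake message fragmented across records")
        msgs.append((HANDSHAKE_TYPES.get(mtype, "type %d" % mtype), mlen))
        pos += 4 + mlen
    return msgs


def summarize(data: bytes, buffer_size: int) -> dict:
    """Describe every record and flag whether the largest one exceeds buffer_size bytes."""
    out = {"records": [], "handshake": [], "alerts": [], "largest_record": 0}
    for ctype, version, payload in parse_records(data):
        name = CONTENT_TYPES.get(ctype, "type %d" % ctype)
        out["records"].append("%s v%04x len=%d" % (name, version, len(payload)))
        out["largest_record"] = max(out["largest_record"], len(payload))
        if ctype == 21:
            out["alerts"].append(describe_alert(payload))
        elif ctype == 22:
            out["handshake"].extend(handshake_messages(payload))
    # Assumption: the client must buffer a whole record, so anything larger is a risk.
    out["fits_buffer"] = out["largest_record"] <= buffer_size
    return out


# --- constructed sample stream: the server's flight followed by the client's alert ---
def _tls_record(ctype, payload, version=0x0303):
    return struct.pack("!BHH", ctype, version, len(payload)) + payload


def _handshake_msg(mtype, body):
    return bytes([mtype]) + len(body).to_bytes(3, "big") + body

# Filler certificate body (3000 bytes, not real DER), a 200-byte ServerKeyExchange and an empty
# ServerHelloDone, matching the message sequence seen in the capture above.
SERVER_FLIGHT = _tls_record(22, _handshake_msg(11, b"\x00" * 3000)
                            + _handshake_msg(12, b"\x00" * 200)
                            + _handshake_msg(14, b""))
CLIENT_ALERT = _tls_record(21, bytes([2, 51]))  # Fatal (2), decrypt_error (51)
SAMPLE_STREAM = SERVER_FLIGHT + CLIENT_ALERT

if __name__ == "__main__":
    for limit in (4096, 2048):  # hypothetical client buffer sizes
        print(limit, summarize(SAMPLE_STREAM, limit))
```

Running it against a real capture means feeding the TCP payload bytes (both directions concatenated in order) to `summarize`; a handshake record far larger than the device's TLS buffer is the first thing to look at when a constrained client aborts right after the server's certificate flight.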

  • @HassCr - you posted the wrong thread link. I think you meant this one

  • I'm looking into this now. It's probably something related to the ciphers used by Let's Encrypt. If that's the case, then it should be solvable with a firmware update.

  • Thanks Nate, I have posted the https information from Google Chrome in the home assistant forum thread. Let me know if you want me to test anything.
  • Does anyone want to share their DuckDNS/LetsEncrypt hostname with me so I can test against a real-world setup?

  • Hey Nate, I have set up a test server and sent you a pm on the home assistant forums with the server info.
  • Good news, folks. I think I've got this working. Please help me test by re-flashing your device firmware and filesystem from the 2.2.1 release candidate binaries on this branch: https://github.com/konnected-io/konnected-security/tree/homeassistant-fixes/firmware

    It turned out to just need some tweaks to the SSL_BUFFER_SIZE. Details in this pull request if you're interested:
    https://github.com/konnected-io/konnected-security/pull/63

  • I've flashed my two devices... and got some minor improvements, but it's patchy and not really useful. For example, sometimes it correctly detects, but doesn't then register when the state changes back again. Other times it does. Sometimes it starts up with the correct state, sometimes it doesn't.

    I can see all the zones on HA.... but they just aren't accurate.

    My setup:

    hass.io on a RaspPiB3, using duckdns and letsencrypt.

  • Thanks everyone for your feedback on this and continued help debugging.

    I've updated the firmware again; this one is labeled 2.2.1.beta1 and has a few more improvements that may help with this issue:

    https://github.com/konnected-io/konnected-security/tree/beta/firmware

    Also, Hass 0.72 beta should now be available. Please update, and add the api_host option to point to the local network IP and port of Hass on your Raspberry Pi (include https). Example:

    konnected:
     access_token: REPLACE_ME_WITH_A_RANDOM_STRING
     api_host: https://192.168.86.201:8123
     devices:
       - id: 8bcd53
         binary_sensors:
         - zone: 1
           type: door

    Please let me know how this works out for you. I don't think it's perfect yet, but should be an improvement. I'm still working on a few other things for a 2.2.2 release.


  • Just checking back in to see if anyone has tried this and has any feedback. I'm about to release the 2.2.1 firmware/software update today.

    I also just published a new article regarding Hass.io and SSL/TLS setups: https://help.konnected.io/support/solutions/articles/32000023964-using-konnected-with-hass-io-and-ssl-tls

  • I flashed my NodeMCU board with the 2.2.1 firmware and filesystem. Do we still need to put the api_host under the Konnected? If so, I'm running into an issue validating my configuration file:


      "Invalid config for [konnected]: [api_host] is an invalid option for [konnected]. Check: konnected->konnected->api_host. (See /config/configuration.yaml, line 98). Please check the docs at https://home-assistant.io/components/konnected/"


    Also off topic, but will I hurt my Konnected board if I flash the NodeMCU while still connected to the Konnected board?

  • I get this error when I try to add the api_host:


    Invalid config for [konnected]: [api_host] is an invalid option for [konnected]. Check: konnected->konnected->api_host. (See /config/configuration.yaml, line 98). Please check the docs at https://home-assistant.io/components/konnected/

  • I switched mine to using a reverse proxy soon after starting this thread and spending that evening debugging - it seems like the best approach for the ESP8266 hardware. It has been working awesomely since - and I don't fancy switching back.

    On your article - typo "publicly facking" :)

  • I saw "publicly facking" as well and thought it was a new term I had to google later. 

  • @MDinh The api_host option will be available in Hass 0.72. You can get it from the dev channel now, but I think it's scheduled to release tomorrow. Also it should be ok to flash the board while connected, but honestly I don't know if I tried it.

    @Malcom what are you using for your reverse proxy? One of the add-ons mentioned or something else? Any tips I should add to the article?

    Thanks for pointing out the typo.
