TLS Errors when Konnected firmware calls Home Assistant

So I have the device-discovery etc. part working, and ESPlorer shows Konnected trying to send updates when my sensors change - but the updates aren't "received" by HomeAssistant. My HA setup is TLS-enabled (using the DuckDNS addon). Doing a packet capture in the docker-container running HA, and filtering for the IP of the first Konnected device, I can see the TCP connection establish, and the SSL connection proceeds as expected:

=> Client Hello
<= Server Hello
<= Certificate, Server Key Exchange, Server Hello Done

And then, Konnected/NodeMCU's TLS implementation returns the following 'Decrypt Error' on the wire:

Secure Sockets Layer TLSv1.2 
Record Layer: Alert (Level: Fatal, Description: Decrypt Error) 
Content Type: Alert (21) 
Version: TLS 1.2 (0x0303) 
Length: 2 
Alert Message Level: Fatal (2) 
Description: Decrypt Error (51) 

I can obviously connect to HA using TLS from multiple browsers, and from the Linux 'openssl' command-line client. The relevant logs from the NodeMCU device are: 

HTTP client: Disconnected with error: 46 
HTTP client: Connection timeout 
Heap:33472 HTTP Call: -1 state 1 pin 2 
E:M 528 
HTTP client: Disconnected with error: 46 
HTTP client: Connection timeout 
Heap:33288 HTTP Call: -1 state 0 pin 2
E:M 528
HTTP client: Disconnected with error: 46
HTTP client: Connection timeout
Heap:33288 HTTP Call: -1 state 1 pin 2

Any hints as to where to go next? I do know some Lua, but I couldn't see if the Konnected scripts had any way to interrupt the boot process.
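The alert seen in the capture can be decoded straight from the raw record bytes. This is an added example, not code from the original post or the Konnected project; the sample bytes are constructed from the dissector fields quoted above and the function names are hypothetical.

```python
import struct

# Constructed sample: the 7 bytes implied by the dissector output in the post
# (content type 21, version 0x0303, length 2, level 2, description 51).
SAMPLE_ALERT = bytes.fromhex("15030300020233")

ALERT_LEVELS = {1: "warning", 2: "fatal"}
# Subset of the RFC 5246 section 7.2 alert descriptions seen around handshakes.
ALERT_DESCRIPTIONS = {
    0: "close_notify", 20: "bad_record_mac", 40: "handshake_failure",
    42: "bad_certificate", 45: "certificate_expired", 46: "certificate_unknown",
    48: "unknown_ca", 50: "decode_error", 51: "decrypt_error",
    70: "protocol_version", 80: "internal_error",
}


def iter_tls_records(stream: bytes):
    """Yield (content_type, version, payload) for each complete TLS record.

    Raises ValueError on a truncated record so a partial capture is not
    silently misread.
    """
    offset = 0
    while offset < len(stream):
        if len(stream) - offset < 5:
            raise ValueError("truncated record header at offset %d" % offset)
        ctype, version, length = struct.unpack_from("!BHH", stream, offset)
        payload = stream[offset + 5: offset + 5 + length]
        if len(payload) != length:
            raise ValueError("truncated record payload at offset %d" % offset)
        yield ctype, version, payload
        offset += 5 + length


def find_plaintext_alerts(stream: bytes):
    """Return [(level, description)] for unencrypted alert records in the stream."""
    alerts = []
    for ctype, _version, payload in iter_tls_records(stream):
        # Before ChangeCipherSpec an alert body is exactly 2 bytes: level, description.
        if ctype == 21 and len(payload) == 2:
            level, desc = payload
            alerts.append((ALERT_LEVELS.get(level, "unknown(%d)" % level),
                           ALERT_DESCRIPTIONS.get(desc, "unknown(%d)" % desc)))
    return alerts
```

RFC 5246 defines decrypt_error as a failed handshake cryptographic operation, such as being unable to verify a signature or validate a Finished message.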

  • @MDinh could you post a screenshot of your device status page? I'd like to see what API endpoint the device has stored. It's just http://<your-device-ip>:<device-port> which can be found in the logs when Hass boots up.

  • Are you referring to the overview? 

  • @NateClark If it makes it easier I could message you my duckdns and password so you can look at whatever you need to. Nothing is hooked into my alarm system yet.

  • No, the Konnected device itself serves up a little status page if you visit its IP address in your browser. The only tricky part is that you have to find out the port number (it's randomized ... for security by obscurity) via discovery. Hass will discover it when it boots up and the address should show in the discovery logs. Looks like this:

    What I would like to see to debug your problem is the API Endpoint that Konnected has stored. This should be pointing to your Hass local IP if configured correctly.

  • Still looking for my discovery log in my HASSIO setup. I did find this error in my home-assistant.log:


    ssl.SSLError: [SSL: HTTP_REQUEST] http request (_ssl.c:777)

    2018-06-25 20:42:35 ERROR (MainThread) [homeassistant.core] Error doing job: <uvloop.loop.SSLProtocol object at 0x738d1530>: SSL error errno:1 reason: HTTP_REQUEST

    Traceback (most recent call last):

      File "uvloop/sslproto.pyx", line 496, in uvloop.loop.SSLProtocol.data_received

      File "uvloop/sslproto.pyx", line 204, in uvloop.loop._SSLPipe.feed_ssldata

      File "uvloop/sslproto.pyx", line 171, in uvloop.loop._SSLPipe.feed_ssldata

      File "/usr/lib/python3.6/ssl.py", line 689, in do_handshake


    but I don't know if that has anything to do with it. 

  • Another easy way to find the port is by running netdisco:

  • Let me see if I can add netdisco because I got this when I tried to type that command:

    netdisco.png
    (5.08 KB)
  • pip3 install netdisco came back with this error:


    Command "/usr/bin/python3.6 -u -c "import setuptools, tokenize;__file__='/tmp/pip-build-nbueczhz/netifaces/setup.py';f=getattr(tokenize, 'open', open)(__file__);code=f.read().replace('\r\n', '\n');f.close();exec(compile(code, __file__, 'exec'))" install --record /tmp/pip-7ln6xd4v-record/install-record.txt --single-version-externally-managed --compile" failed with error code 1 in /tmp/pip-build-nbueczhz/netifaces/


  • Today I got Caddy added on and have been following this guide I found, which has got me pretty far with the reverse proxy, but I'm stuck with my Caddyfile part. The example he gives doesn't work. I've edited it with all my info, I believe, but still get an error trying to start up Caddy. However, when I emptied it, it does start up, but of course not attached to things.


    https://dew-itwebservices.com.au/setting-home-assistant-up-for-secure-access-over-the-internet/


    I guess what I am asking is if anyone has an example of their redacted caddyfile I could use?

  •  Hi... It's my caddy file you are having a problem with. It works fine for me. It does not go in /config/ it needs to go in /share/caddy/ and the file name is Caddyfile - I think it's all case sensitive...

  •  I am glad to read this article.
