After home assistant decided to update the firmware on my home assistant voice, it lost connection to home assistant. I have tried factory resetting the home assistant voice but it will not properly connect to home assistant anymore, and goes between the twinkling blue light ring and a solid white ring. I have gotten rather used to having this around and use it a lot so not having it is quite disheartening, any help would be appreciated!
#After home assistant has automatically updated my home assistant voice's firmware, Possibly broken.
try plugging the VPE to pc and doing a manual reinstall of the firmware and wifi config by following these instructions which make use of this tool
I attempted the instructions through this and the device is unable to connect to the serial port, as if it is not even picking up the device is connecting to my PC, I am on fedora 41 and have tried both firefox and brave browser, and still not getting the device to connect.
firefox is not compatible with serial port connection stuff. i dont know about brave.
I have only done it with chrome on windows tbh
Brave works fine. Using it for serial connections for almost a year.
The same thing has happened to me today. Have tried reinstalling an earlier version of the firmware but no luck. Logs show the VPE connecting to the WiFi and then disconnecting a few seconds later and then just endlessly looping the same steps
Okay I have managed to resolve my issue. I had a look through my router logs and noticed it was my router that was constantly disconnecting the Voice Assistant. I resolved this by disabling Roaming Assistant on my router (ASUS RT-AX82U).
Hello,
I can't get my HAVPE working. It initially connected to my HA when I first got it but then HA did an f/w update. Now I can't factory reset, I don't get the white ring, it shows in ESPHome as "online" in HA but nothing works. What does seem to work is when I retrieve the logs from the device through the USB cable. I get back info but that's it.
Anyone have this same issue?
what do you mean by shows as online in esphome? do you mean that you adopted (took control) of it into the builder tool?
if so, then what firmware modifications did you make?
The firmware was 2025.6.3, according to HA.
I just went to the "esphome.github.io/home-assistant-voice-pe" page & was able to install 25.5.2
I was able to get ESPHome to connect & add it again now, but I'm still having issues.
are you talking about the integration or the builder addon?
The 'integration' was able to add it under the 25.5.2..... ESPHome Builder shows it listed as well & is at this point:
INFO ESPHome 2025.6.3
INFO Reading configuration /config/esphome/hav-0a5b17.yaml...
INFO Generating C++ source...
INFO Updating https://github.com/espressif/esp-protocols.git@mdns-v1.8.2
INFO Compiling app...
Processing hav-0a5b17 (board: esp32-s3-devkitc-1; framework: espidf; platform: https://github.com/pioarduino/platform-espressif32/releases/download/53.03.13/platform-espressif32.zip)
Library Manager: Installing esphome/noise-c @ 0.1.6
INFO Installing esphome/noise-c @ 0.1.6
Unpacking [####################################] 100%
Library Manager: noise-c@0.1.6 has been installed!
INFO noise-c@0.1.6 has been installed!
Library Manager: Resolving dependencies...
INFO Resolving dependencies...
Library Manager: Installing esphome/libsodium @ 1.10018.4
INFO Installing esphome/libsodium @ 1.10018.4
Unpacking [####################################] 100%
Library Manager: libsodium@1.10018.4 has been installed!
INFO libsodium@1.10018.4 has been installed!
HARDWARE: ESP32S3 240MHz, 320KB RAM, 8MB Flash
- framework-espidf @ 3.50302.0 (5.3.2)
- tool-cmake @ 3.30.2
- tool-esptoolpy @ 4.8.6
- tool-mklittlefs @ 3.2.0
- tool-ninja @ 1.7.1
- tool-riscv32-esp-elf-gdb @ 14.2.0+20240403
- tool-xtensa-esp-elf-gdb @ 14.2.0+20240403
- toolchain-esp32ulp @ 2.35.0-20220830
- toolchain-riscv32-esp @ 13.2.0+20240530
- toolchain-xtensa-esp-elf @ 13.2.0+20240530
Reading CMake configuration...
are you trying to customise your firmware to change the code?
I've been trying to get it to work for a few days now, that I'm trying anything at this point.
Originally, it was loaded as a device. I used my phone to configure the WiFi info but couldn't get it to connect to the backend HA server (since they're on 2 different subnets). I've been able to fix that but lost the functionality of the HAVPE, with the exception of the serial connection.
please answer my question
Sorry, I was typing
What I've been trying to do since is get it totally back to square-one & start fresh.
if you are just wanting to use the device then you should not be in the esphome builder tool at all. do not take control of the device in there. flash it back stock using the tool and stay out of the builder tool.
unless you're writing/modifying firmware there is no need for you to even have the builder tool
How else do you edit the YAML file for it?
why do you want to do that?
One thing I read was that in order to get it to connect to the HA server over HTTPS, the YAML needed the 'ca.pem' info in the YAML. I also was going to set the IP info statically within the device.
mDNS also won't work across multiple routed subnets so I have that I'm trying to work around as well. Plus I don't use ".local" addresses (which a lot of the links try to utilize). I mean, I could setup my DNS server to use that, I guess.
in general its recommended to use http locally. but if you have a cert set up correctly then in most cases it shouldn't need to be added to the firmware.
also if you want to set a static ip then you are better off doing this on the dhcp server by setting a static assignment.
I've since created a DHCP reservation for it so that part is good. I have my own local CA I use for HTTPS & my HA server does use that. I don't like using HTTP, if I don't have to.
connections need to be able to be established back and forth from the device and the server. so you need to ensure your network supports this. using separate subnets is not "officially supported"
I get that.
I have the blue pulsing lights again now. I just can't get it to respond to voice commands so I guess that's another thing I need to look into.
I've removed the ESPHome Builder add-on.
is it added in the integration? and have you got a voice pipeline set up?
It's listed in the "ESPHome" integration & I did install Wyoming, Ollama
Wyoming has openWakeWord, Piper, Whisper, & somehow now I have Speech-to-Phrase.
ok so oww you dont need with the vpe. and STP you dont need either but if you have piper/whisper running lets see if you have a pipeline set up to use them and then make sure its assigned to the vpe
in settings-voice assistants you can see your set up assistants
I see "Assist" with one listed, yes.
press on it to open its settings (or you can make a new one also if you prefer)
Inside it I see "Conversation agent" set to "Home Assistant".
thats just the basic default agent not an llm
Under "Streaming wake word engine" it has 'openwakeword' & "ok nabu" listed.
but thats fine for now tbh, if we can get voice responses working then we can add llm after
you dont need a streaming wake word
but its fine if its there
you have whisper and piper set up in the STT and TTS?
I just changed from STP in the STT to faster-whisper. TTS already has piper.
I clicked "update".
yup
in the vpe device page you can select the "assistant" which should be the pipeline we just set up
and the wake word selection
I see "Assist" with 1 disabled entity.
can you screenshot what you have?
ok, lots of stuff is disabled that i wouldnt expect to be disabled
on the esphome integration delete the device and readd it
yeah hit the 3 dots (upper) and delete device
Gone
then press add device and put its ip address in
Done
does the device page look any different now?
i dont think i have ever seen "disabled by config entry" have you edited your configuration.yaml by any chance?
could also try restarting home assistant
I've added some stuff to my configuration.yaml file but nothing regarding this.... let me look again.
I have some lines in there for the HTTPS, like the SSL info for the files, plus 'use_x_forwarded_for: true' & 'trusted_proxies'
I do have Nginx installed
its probably not any of that, try restarting HA (maybe a hard reboot of entire system at this point tbh)
Standby
maybe in all of the back and forth something has gone wrong or something
Restarting the service now. Worst case, I can restart the VM.
I have red pulsing lights at the moment. It's been like that since I deleted & re-added.
HA's coming back up
Some services are still starting but it's back
any difference in the device page?
No.
But I am curious... the entities are showing the old device name & not the new one since the re-adding.
I wonder if that has anything to do with it.
it should probably have the same internal name as its based on mac address usually
can try power cycling the vpe itself
Unplug & plug it back in?
yeah
if you plug it into pc you can use the esphome web tool to connect and view the logs over usb
that might yield some info about what is happening
Checking.......
So far this is all I have:
[23:32:18]I (316) esp_image: segment 1: paddr=0019d6ec vaddr=3fca3d[I][logger:171]: Log initialized
[23:32:18][C][safe_mode:080]: There have been 1 suspected unsuccessful boot attempts
[23:32:18][D][esp32.preferences:142]: Writing 1 items: 0 cached, 1 written, 0 failed
[23:32:18][I][app:048]: Running through setup()
[23:32:18][C][i2c.idf:021]: Running setup
[23:32:18][I][i2c.idf:262]: Performing bus recovery
[23:32:18][D][esp-idf:000]: I (1223) gpio: GPIO[6]| InputEn: 1| OutputEn: 1| OpenDrain: 1| Pullup: 1| Pulldown: 0| Intr:0
[23:32:32][D[I][safe_mode:042]: Boot seems successful; resetting boot loop counter
[23:32:32][D][esp32.preferences:142]: Writing 1 items: 0 cached, 1 written, 0 failed
Well, now I have this showing up in my HA:
1 update
home_assistant_voice_0a5b17 Firmware
ESPHome 2025.6.3
This is what the device shows in HA:
Home Assistant Voice PE
by Nabu Casa
Firmware: 25.6.0 (ESPHome 2025.6.2)
this is right but above it mentions 2025.6.3
The settings show I have 1 update for it to go to 2025.6.3
this is going to sound strange but on the stock firmware flashing tool you should flash the firmware then once its flashed. you should flash it again straight away
Install firmware on Home Assistant Voice PE.
So flash it to what the site has & then upgrade it from HA to 2025.6.3?
i think its erroring and reverting to a random custom setup you had at some point during the issues. this will ensure its flashed and flashed a 2nd time to ensure stock firmware is in both slots
you should not see anything about updating it to 2025.6.3
the current stock firmware is based on 2025.6.2 the only way to update to 2025.6.3 would be to take control and recompile the firmware against esphome 2025.6.3
OK, so the site shows 25.6.0 so flash that twice?
yeah
i havent seen this error with the vpe but i have seen reports of other devices doing it
Erase User Data, connect to wifi, or just exit & do it again?
just exit and go again
then erase data and reconnect
during this you can delete it from the integration again
done
so once its hopefully set up "fresh" you can readd it
Configure the WiFi now?
yeah
then once its connected readd it in the integration and hopefully it will add with stuff available
reopen the device log and see if theres anything there of interest
No difference in the log file output.
I need to call it a night. It's almost midnight & I need to be up in 5hrs for work. I'll try again tomorrow after work.
Thanks for the help. At least it's looking normal right now.
better than bricked
gn
Morning,
Well, just an update but I now have some control after doing this:
Directly Edit Configuration Files (Advanced):
Warning: Editing these files directly can be risky. It's recommended to back up your configuration and Home Assistant instance before proceeding.
Locate the .storage directory in your Home Assistant configuration directory.
Find the following files:
core.config_entries
core.device_registry
core.entity_registry
Open these files in a text editor and search for the device or entity you are trying to enable.
Look for the "disabled_by" attribute and change it to null or "" (depending on the context) to re-enable the device or entity.
Save the changes and restart Home Assistant.
I've now gotten it to respond, but no playback after asking it anything. It just flashes blue on both sides of the dial.
That's progress, I think
what does the device log look like now, when you try and use it?
There's quite a bit of info so not sure what you're looking for but there's WiFi info, Logger, i2c, etc.
what happens when you call the wake word and you say its not working?
I can say the wake word now & it looks like it's listening, along with the sound, but when it goes to respond, it just flashes those 2 LEDs & no sound.
So the wake word & the listening "bell" happens, but then after asking it for anything, it just flashes for a bit & no response.
Then it just go back to no lights.
on the voice assistants settings menu on the assistant hit the 3 dots and go to debug. this shows you the trace of a pipeline call
something like this
Checking........
This is what the last one looked like after making some changes.... but it still doesn't say anything:
if you press play audio at the bottom does it play the tts output on your browser?
Error
Error playing audio
ok so it might be having an issue with the url it generates for the audio file to be played
in settings system network then the home assistant url section see if there are any issues. with your fancy setup you can have to manually set a url
it uses that url as the base for when its constructing the url to send to the device to say "play this file"
is network set up so that the vpe from its subnet is allowed to establish a connection to it?
the logs during a call may indicate what its actually doing as it steps through the pipeline
The subnets can ping back/forth & my PC is on the same network as the HAVPE & I'm logged into HA from my PC.
ok
use web tool to watch device log live and then make a call to it and then show the log of what it does
I'd have to see if maybe there's a port being blocked by the FW but there shouldn't be between the 2 subnets.
OK... I'll try that in a bit. I've got to take care of something.......
OK. I see a problem. It appears to be something with the cert.
ok right, now we are at a known state at least. getting certs to work is a bit of a pain as its not really supported.
what were you trying to do when you were looking at customising the firmware before? were you following a guide somewhere or something?
I was trying to get it to use the 'ca.pem' file so that there wouldn't be a certificate issue. I wasn't really following a guide, just going through as many search sites that might have suggestions & cross-referencing them with the use of A.I. searches.
My thing is, I'm trying to make sure all communications are through HTTPS as I don't want any unencrypted traffic, even over my own network. That's why I don't use HTTP, FTP, TFTP & everything that requires terminal access is through a jump server.
Security at work translates to security at home
I am just reading through this issue here - https://github.com/esphome/home-assistant-voice-pe/issues/315
it seems like it would not be a simple modification to just "add the cert file"
GitHub
Firmware: 25.1.0 (ESPHome 2024.12.2) My symptoms seem very similar to #238 but I noticed that was diagnosed as a lack of TLS1.3 support on the device and closed. I also don't get TTS responses ...
looks like there have been some various workarounds
so it looks like disabling tls 1.3 and having it revert to 1.2 is the sort of running theme
Well, TLSv1.2 is better than nothing.
yeah theres always people trying to get stuff working in non supported setups. you wont be alone
So how do I set this to use v1.2?
the example in the 2nd part of this comment - https://github.com/esphome/home-assistant-voice-pe/issues/315#issuecomment-2722101531
looks to be something to try. david is confident anyway
right so you will need the esphome builder tool
Great... and me not being a coder must learn how to do it LMAO
i can help you out or at least try anyway
Well, last time I tried it broke communication with the device where it wouldn't respond to voice commands. At least that's working, from what the logs show.
you at least now know how to return to this known working state
or semi working at least
OK, so I have ESPHome Builder installed... so now I'm trying to add the device.
from what i remember the issue was when taking control the builder tool was unable to connect to flash the device
ok take control and follow the instructions and it will try and build and flash
lets see where and how it fails and fix 1 issue at a time
So, I should use the name of the device as the name for the new device in ESPHome Builder, right?
just take the defaults
When I click "New Device" in ESPHome Builder, it's asking for a name.
Then it asks whether I want to skip the installation setup or connect.
ok hit connect. and it will flash the new "basic custom" or at least try
Preparing Installation is spinning & there's a device listed, while this is still spinning.
can you screenshot?
easier for me to know exactly where you are at with pictures
HA?
Dell PowerEdge 1950iii in a VM within Proxmox.
Hardware will probably be changing soon though.
BTW, still spinning
Interesting thing is, if I open the same window in another tab, the device is listed & shows as "offline" while it's still spinning on the other tab.
It acts like the WebUI is just stuck. while the device on the other tab is accessible.
I don't think I have popups disabled but let me double-check that.
its not a popup, its just an element
its probably just stuck, refresh the page
you say its showing as offline in the esphome builder?
ok close the tab thats broken
in the new tab, use the 3 dots and "clean build files"
Done
now try install on the 3 dot menu
Do I close that window first?
which window?
yeah
then in same menu you cleared build files try running install
if it asks how choose "wirelessly"
hopefully it will build the firmware. it will probably fail to install but the logs around the failure will help us
Processing.
the firmware building will take a few minutes
will proceed into this kind of thing
you might see some warnings. these shouldnt be an issue
I recall seeing that before. Not sure why this is slow for me, unless it's something to do with the WiFi being 2.4GHz. I didn't add it to the 5GHz radio. I wasn't sure it could connect.
the first build will take a while, but further builds wont have to recompile every file so should be quicker. unless we have to clean for some reason
is it "doing stuff"?
It's compiling 'core.cpp.o'
Now gpio.cpp.o
So yeah.
This was the YAML I tried using last time I tried this:
https://github.com/esphome/home-assistant-voice-pe/blob/dev/home-assistant-voice.yaml
LoL
cool it will churn away
vpe has a lot of components, it took nearly 10 minutes to build on my n150 system
right so that's the core config. we wont need to change anything in there so will just load it as an external module
I have an old Gigabyte AORUS Master x299x that I plan on migrating my Proxmox over to. It'll have 264GB of RAM. It'll have to wait until I can build my new system
It's building "components" now... safe_mode.cpp.o
i have a 256gb ram big boy server too for other stuff but ha/frigate is running on a n150 mini pc
question: in your proxmox config is your vm set to use "host" cpu mode?
if not then you will see performance boost by switching to host. as it gets to use the host cpu's instruction set directly instead of through an emulation layer
Well, I thought it was but I guess not
I need to make a change after this.
It's in the 'bootloader_support' now.
'console' now.
the fact you can see each one is concerning. it should be zooming through stuff
also you need to give the poor vm some cores.
2 is the recommended absolute min
i would recommend 4
This is the server stats right now as this is building:
i think you are better off stopping the build. changing the vm settings to host cpu and to 4 cores
Let me try that
brb... while that reboots.
given you interrupted it you might want to clean the build files before starting again. it shouldnt matter but better to be safe
OK.
hopefully it will start "zooming" a bit more this time
I'm learning how to adjust VMs to maximize their abilities.
does your network have a specific domain that it uses?
you mentioned above that stuff doesn't resolve on your network with .local i think but is there something you do use?
OK, clean first then build again.
Yeah, I don't use .local on my network, although I could easily set it up in my DNS server.
adding .local to resolve on dns is a possible solution but maybe we can make it work correctly with your network
It's started again.
cool, hopefully will get rolling. i am just trying to get some info for the next step
'Updating'
is there a domain that you do use?
I have a personal domain that I utilize within my home, currently. I've been playing around with migrating my domain into my home network.
so should: devicename.your-domain.tld resolve?
If I do a dig or nslookup on my domain, it resolves to my public IP, currently.
stuff is set to connect to devicename.local by default which we know doesnt work. i am just trying to figure out what does resolve
This build looks different.... it's not reading CMake configs.
can you screenshot?
yeah was just grabbing the components after the clean
i get that but its possible that 1 line can make it work with your network which might be easier
i am just trying to understand how your network works a little bit. otherwise i cannot guide you
i dont need to know the domain itself. just how things work
If I do a homeassistant.mydomain.net, it resolves to my internal subnet for my VMs.
gotcha. so VPE-devicename.mydomain.net also resolves?
That's because of the Nginx reverse proxy & my FW DNS settings for internal DNS queries.
I didn't create a DNS record for the device name in the nameserver, but it should resolve.
I'll have to try it.
Do I need to create a host record for the device?
i dont know
Oh
i dont know your entire network config
i am just trying to work out what domain you need to type in for a connection
can try and ping it
Well, currently I can't after doing this. I was able to before doing this.
But only by IP
maybe if we specify static ip it will just use that. i am not 100% sure how esphome tools resolve
in any case lets see how things go with once its compiled
how quickly is it moving?
It is moving a little faster.
some files will compile quicker than others just due to size etc...
It's still going but at a decent clip.
so my plan for the steps are:
see if it succeeds to flash after building.
if its not able to flash then look at the error and make minimal changes to get it so it can flash.
then we can add the modifications for the tls changes
then build it with the changes and flash it and hopefully it will work
Well, so far no warnings so that's good.
some components have some warnings i think but shouldn't be anything to be concerned about if you see some stuff
This is a pretty big build
its got a lot of components and the first build has to build all of esphome core too
Ahhh, that explains it
with a newer system it would build a bit quicker too but theres still a lot to build
It just created the esp32s3 image.
RAM: [= ] 10.7% (used 35036 bytes from 327680 bytes)
Flash: [===== ] 49.3% (used 904324 bytes from 1835008 bytes)
Building .pioenvs/first-floor-iot-hav-0a5b17/firmware.bin
Creating esp32s3 image...
Successfully created esp32s3 image.
esp32_create_combined_bin([".pioenvs/first-floor-iot-hav-0a5b17/firmware.bin"], [".pioenvs/first-floor-iot-hav-0a5b17/firmware.elf"])
SHA digest in image updated
Wrote 0xecdf0 bytes to file /data/build/first-floor-iot-hav-0a5b17/.pioenvs/first-floor-iot-hav-0a5b17/firmware.factory.bin, ready to flash to offset 0x0
esp32_copy_ota_bin([".pioenvs/first-floor-iot-hav-0a5b17/firmware.bin"], [".pioenvs/first-floor-iot-hav-0a5b17/firmware.elf"])
======================== [SUCCESS] Took 3797.00 seconds ========================
INFO Successfully compiled program.
INFO Resolving IP address of first-floor-iot-hav-0a5b17.local in mDNS
INFO Resolving IP address of first-floor-iot-hav-0a5b17.local
ERROR Error resolving IP address of first-floor-iot-hav-0a5b17.local. Is it connected to WiFi?
ERROR (If this error persists, please set a static IP address: https://esphome.io/components/wifi.html#manual-ips)
ERROR Error resolving IP address: Error resolving address with mDNS: Did not respond. Maybe the device is offline., [Errno -5] No address associated with hostname
ok bingo, so it built but didnt flash. we kinda expected this
close the build box and press edit next to the device
this will open the yaml
Yep
show me what you have
```yaml
esphome:
  name: first-floor-iot-hav-0a5b17
  friendly_name: first-floor-iot-hav-0a5b17

esp32:
  board: esp32-s3-devkitc-1
  framework:
    type: esp-idf

# Enable logging
logger:

# Enable Home Assistant API
api:
  encryption:
    key: "<KEY>"

ota:
  - platform: esphome
    password: "<PASSWD>"

wifi:
  ssid: !secret wifi_ssid
  password: !secret wifi_password

  # Enable fallback hotspot (captive portal) in case wifi connection fails
  ap:
    ssid: "First-Floor-Iot-Hav-0A5B17"
    password: "<pw>"

captive_portal:
```
put triple back ticks around code
so it looks like this
3x ` at front and back
ok so we are gunna add a static ip to it
I put that in now.
```yaml
  ssid: !secret wifi_ssid
  password: !secret wifi_password
  manual_ip:
    static_ip: x.x.x.x
    gateway: x.x.x.x
    subnet: 255.255.255.0
    dns1: x.x.x.x
```
I've done that part before LoL
Yep, saved it with that info.
ok now after pressing save, press install
it may have to recompile a few network files but shouldn't take too long
Plug into this computer
no
wirelessly
note: this will need to be the ip it currently has in order for it to connect to it
I already reserved that IP in the DHCP server so it should have assigned it.
INFO Successfully compiled program.
INFO Connecting to 192.168.50.243 port 3232...
ERROR Connecting to 192.168.50.243 port 3232 failed: [Errno 113] No route to host
ERROR Connection failed.
I should probably power-cycle the device.
I think I pushed it using the USB last time I tried this.
yeah power cycle the vpe then try installing again
retrying
flashing by usb has its uses but in this case we want to ensure networking works anyway otherwise it will be a pain in the future
========================= [SUCCESS] Took 40.82 seconds =========================
INFO Successfully compiled program.
INFO Connecting to 192.168.50.243 port 3232...
INFO Connected to 192.168.50.243
INFO Uploading /data/build/first-floor-iot-hav-0a5b17/.pioenvs/first-floor-iot-hav-0a5b17/firmware.bin (905008 bytes)
Uploading: [============================================================] 100% Done...
INFO Upload took 2.87 seconds, waiting for result...
INFO OTA successful
INFO Successfully uploaded program.
INFO Starting log output from 192.168.50.243 using esphome API
INFO Successfully resolved first-floor-iot-hav-0a5b17 @ 192.168.50.243 in 0.000s
WARNING Can't connect to ESPHome API for first-floor-iot-hav-0a5b17 @ 192.168.50.243: Error connecting to [AddrInfo(family=<AddressFamily.AF_INET: 2>, type=<SocketKind.SOCK_STREAM: 1>, proto=6, sockaddr=IPv4Sockaddr(address='192.168.50.243', port=6053))]: [Errno 111] Connect call failed ('192.168.50.243', 6053) (SocketAPIError)
INFO Trying to connect to first-floor-iot-hav-0a5b17 @ 192.168.50.243 in the background
INFO Successfully resolved first-floor-iot-hav-0a5b17 @ 192.168.50.243 in 0.000s
INFO Successfully connected to first-floor-iot-hav-0a5b17 @ 192.168.50.243 in 0.119s
INFO Successful handshake with first-floor-iot-hav-0a5b17 @ 192.168.50.243 in 0.118s
[22:39:31][I][app:137]: ESPHome version 2025.6.3 compiled on Jul 8 2025, 22:34:33
bingo, so you can now build and flash
[22:39:31][C][mdns:122]: Hostname: first-floor-iot-hav-0a5b17
[22:40:24][I][safe_mode:042]: Boot seems successful; resetting boot loop counter
[22:40:24][D][esp32.preferences:142]: Writing 1 items: 0 cached, 1 written, 0 failed
[22:40:29][D][api:133]: Accepted 192.168.5.17
[22:40:29][W][api.connection:107]: : Socket operation failed: BAD_INDICATOR errno=11
it connected after that though i think
It just repeated the last 2 lines.
And "Stop" hasn't changed to "Close" on the window. If it's supposed to.
yeah its supposed to because it finished
So the api connection socket failure repeats.
you may need to remove and readd the device in the ha integration now
it may ask for the key from the yaml
So, "Stop", delete the device, & re-add?
this is on the home assistant integration
not in the builder
this sort of thing
the integration may be causing issues by trying to connect to it without the encryption key which it now has after the build
Click "Stop"?
OK, I got a message "Authentication expired for Home Assistant Voice 0a5b17".
press it and it will ask you for the key which is from the device yaml
Re-auth successful
In ESPHome Device Builder or ESPHome Builder?
same place you made the static ip code change
we want to add a new section
```yaml
esp32:
  board: esp32-s3-devkitc-1
  variant: esp32s3
  flash_size: 16MB
  framework:
    type: esp-idf
    version: recommended
    sdkconfig_options:
      CONFIG_ESP32S3_DEFAULT_CPU_FREQ_240: "y"
      CONFIG_ESP32S3_DATA_CACHE_64KB: "y"
      CONFIG_ESP32S3_DATA_CACHE_LINE_64B: "y"
      CONFIG_ESP32S3_INSTRUCTION_CACHE_32KB: "y"
      CONFIG_BT_ALLOCATION_FROM_SPIRAM_FIRST: "y"
      CONFIG_BT_BLE_DYNAMIC_ENV_MEMORY: "y"
      CONFIG_MBEDTLS_EXTERNAL_MEM_ALLOC: "y"
      # Overrides from default start here
      #
      # Disable TLS 1.3 completely
      CONFIG_MBEDTLS_SSL_PROTO_TLS1_3: "n"
      # Enable TLS 1.2 (required for WPA Supplicant and ESP-TLS)
      CONFIG_MBEDTLS_SSL_PROTO_TLS1_2: "y"
      # Set both minimum and maximum TLS versions to 1.2 (forces only TLS 1.2)
      CONFIG_MBEDTLS_SSL_MIN_MINOR_VERSION: "3"
      CONFIG_MBEDTLS_SSL_MAX_MINOR_VERSION: "3"
      # Disable TLS 1.3-specific extensions that may still be present in ClientHello
      CONFIG_MBEDTLS_SSL_TLS1_3_KEY_SHARE: "n" # Prevents sending key_share extension (TLS 1.3 key exchange)
      CONFIG_MBEDTLS_SSL_TLS1_3_PSK_EXCHANGE: "n" # Disables PSK key exchange modes for TLS 1.3
      # Remove TLS 1.3 compatibility and mixed-mode features
      CONFIG_MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE: "n" # Ensures no fallback to TLS 1.3 behavior
      CONFIG_MBEDTLS_SSL_TLS1_3_MIXED_MODE: "n" # Prevents using TLS 1.3 alongside older versions
      # Fully disable additional TLS 1.3 features
      CONFIG_MBEDTLS_SSL_TLS1_3_EARLY_DATA: "n" # Disables 0-RTT early data (TLS 1.3 optimization)
      CONFIG_MBEDTLS_SSL_TLS1_3_MIDDLEBOX_COMPAT: "n" # Prevents middlebox compatibility mode (avoids sending unnecessary extensions)
```
The whole thing?
yeah add that entire section
saved
ok hit install - wirelessly
this will rebuild quite a few files because its changing stuff in core
it wont be everything though. so not as long as first build but will take a few mins
So this downgrades it from v1.3 to v1.2?
Yeah, I tried this the other day:
```yaml
esp32:
  board: esp32-s3-devkitc-1
  cpu_frequency: 240MHz
  variant: esp32s3
  flash_size: 16MB
  framework:
    type: esp-idf
    # type: arduino
    version: recommended
    sdkconfig_options:
      CONFIG_ESP32S3_DATA_CACHE_64KB: "y"
      CONFIG_ESP32S3_DATA_CACHE_LINE_64B: "y"
      CONFIG_ESP32S3_INSTRUCTION_CACHE_32KB: "y"
      # Moves instructions and read only data from flash into PSRAM on boot.
      # Both enabled allows instructions to execute while a flash operation is in progress without needing to be placed in IRAM.
      # Considerably speeds up mWW at the cost of using more PSRAM.
      CONFIG_SPIRAM_RODATA: "y"
      CONFIG_SPIRAM_FETCH_INSTRUCTIONS: "y"
      CONFIG_BT_ALLOCATION_FROM_SPIRAM_FIRST: "y"
      CONFIG_BT_BLE_DYNAMIC_ENV_MEMORY: "y"
      CONFIG_MBEDTLS_EXTERNAL_MEM_ALLOC: "y"
      CONFIG_MBEDTLS_SSL_PROTO_TLS1_3: "y" # TLS1.3 support isn't enabled by default in IDF 5.1.5
```
yeah looks like the same sort of idea
One of the other things I'd like to try to do is get this to use a custom wake word, without having to say "hey" or "ok". Just a single word, like "Nabu" or whatever else I want. Just like Amazon did with Alexa.
But that's for another time
custom wake words with microwakeword are not friendly to make currently
Is it easier with openWakeWord or just as difficult?
it is easier but converting the voice pe to support OWW is NOT easy or recommended. you end up losing functionality
Ah
there are some examples but they are out of date now and not really been updated
Such is the world of OpenSource
with OWW the device has to constantly stream audio back to home assistant to process it. whereas microwakeword runs on the device itself
Wow! Now that's cool.
microwakeword is awesome and works super well but customising it is not really there yet
I'm still debating on whether to keep Ollama or not.
i use ollama to run my llm's
It seemed highly recommended so I installed it.
yeah, its pretty well supported
ai stuff is in heavy development currently within HA so keeping to something thats well supported is a good idea
Makes sense.
After I get this working right, my next thing is to fix my automation. I think my logic is off. It's a simple "lighting" automation (which seems to be where everyone starts out)
yup, light automations are a big thing
I say "simple" but it's based on sun elevation, weather, etc.
i do like walking around the house at night and lights come on/off following me around
I'm new to YAML (and to HA) so it's a learning curve, but I need the practice.
Trying to find the right bulbs & motion sensors has been rough. I want devices that remain local & aren't cloud based, but right now I have a mixture of both.
look at stuff that runs esphome, that way if you want you can customise it with your new found skills
And getting mDNS to traverse between subnets has been challenging.
Good point.
Still building.... it's at the HTTP server portion.
But moving pretty good.
Since you're experienced with this... is it possible to get this to communicate with a Mumble server?
the vpe? no
I'll have to see if there's a way to get the TTS or STT to work through a Mumble connection. I just wish I knew programming
I have my own Mumble server setup. I thought it would be cool to be able to have this working sort of like a "bot", where if a person was speaking, or typing to it, it would trigger within the Mumble chat either by audio or text.
i havent seen anyone make a mumble integration for HA as of yet
This setup is a family setup so some of the family members who don't live in the house, could utilize it for when we're all in chat together.
Yeah, I didn't think so.
i dont know anything about the mumble api. i used a mumble server briefly for something like 16 years ago. and have had no experience with it since
Most don't anymore. Most use Discord
yeah discord has really taken over the space
i remember it being a complete pain to set up. the way certs worked for it back then was a mess.
i guess its probably easier now
IDK. I have mine using my RADIUS & MySQL.
if someone were inclined you could probably use OWW to add an assistant you could call
not sure on the practical uses
Interesting........ it would be a nuance thing, just for "home" use.
So many are more interested in 'cloud-based' anymore.
or you could build on top of the voip integration style. could summon it with a chat command. be able to back and forth then use another command to "hang up"
This thing is moving pretty good but sheesh it's a lot
yeah building esphome stuff is a big part of why i moved my install from the home assistant yellow running a cm4 over to a vm on a n150 cpu
VPE is particularly brutal as its huge
I will say, regarding the VPE, it's nice to see it has a physical switch to mute the mic.
yes its a physical cut off. that was a big part of the requirements for privacy reasons
Yeah, you can't trust that a push-button will actually shut off the mic.
its not a software controlled shut off. it physically disconnects the mic connection
yup
I loved it when people thought their phones weren't listening.... yet were in wonder when their phones showed them ads about things they were talking about with other people.
I keep waiting for Google to say, "God bless you" every time I sneeze.
tbh this is mostly a misnomer. people and their friends have looked at things close to what they were talking about anyway
i am sure it has been done or at least experimented with but there are more efficient ways of knowing what to advertise to someone than listening to them
IDK, I'd be talking with someone about a topic and be like, "You know, let me look that up" & immediately the search would have that exact thing I was curious about.
Maybe it's just that intuitive.
Seems fishy
"any sufficiently advanced technology is indistinguishable from magic"
This is currently building 'mbedtls'
It looks like it's generating the bootloader files now.
once it finishes you can just leave the log open in the browser and try asking it the time and see what it does ๐
If it's smart, it'll tell me to go to bed
lol
Just finished building the esp32s3 image. It wasn't long after that last time.
nice
Out of curiosity, why does it rebuild the code every time you make a change to the YAML?
the yaml is basically compiler instructions
Looks like it might be done.
No errors & it had no issue uploading due to the IP addition.
But should it respond when I say, "Ok, Nabu"?
might have to remove from integration and readd it again
its showing as unavailable
So now what?
remove it from the esphome integration again
then restart home assistant and the VPE then re-add it to the integration by ip
When I unplug & plug in the VPE, nothing happens. No LEDs, nothing.
Let me try again.
Nothing.
well thats not good
on the builder tool you can click "logs" and open its live log from there if its able to connect
INFO ESPHome 2025.6.3
INFO Reading configuration /config/esphome/first-floor-iot-hav-0a5b17.yaml...
INFO Starting log output from 192.168.50.243 using esphome API
INFO Successfully resolved first-floor-iot-hav-0a5b17 @ 192.168.50.243 in 0.000s
INFO Successfully connected to first-floor-iot-hav-0a5b17 @ 192.168.50.243 in 0.066s
INFO Successful handshake with first-floor-iot-hav-0a5b17 @ 192.168.50.243 in 0.070s
[00:10:17][C][wifi:613]: WiFi:
[00:10:17][C][wifi:434]: Local MAC: 20:F8:3B:0A:5B:17
[00:10:17][C][wifi:439]: SSID: [redacted]
[00:10:17][C][wifi:442]: IP Address: 192.168.50.243
[00:10:17][C][wifi:446]: BSSID: [redacted]
[00:10:17][C][wifi:446]: Hostname: 'first-floor-iot-hav-0a5b17'
[00:10:17][C][wifi:455]: Subnet: 255.255.255.0
[00:10:17][C][wifi:455]: Gateway: 192.168.50.1
[00:10:17][C][wifi:455]: DNS1: 192.168.5.11
[00:10:17][C][wifi:455]: DNS2: 192.168.100.1
[00:10:17][C][logger:211]: Logger:
[00:10:17][C][logger:211]: Max Level: DEBUG
[00:10:17][C][logger:211]: Initial Level: DEBUG
[00:10:17][C][logger:217]: Log Baud Rate: 115200
[00:10:17][C][logger:217]: Hardware UART: USB_SERIAL_JTAG
[00:10:17][C][logger:224]: Task Log Buffer Size: 768
[00:10:17][C][captive_portal:089]: Captive Portal:
[00:10:17][C][esphome.ota:073]: Over-The-Air updates:
[00:10:17][C][esphome.ota:073]: Address: 192.168.50.243:3232
[00:10:17][C][esphome.ota:073]: Version: 2
[00:10:17][C][esphome.ota:080]: Password configured
[00:10:17][C][safe_mode:018]: Safe Mode:
[00:10:17][C][safe_mode:019]: Boot considered successful after 60 seconds
[00:10:17][C][safe_mode:019]: Invoke after 10 boot attempts
[00:10:17][C][safe_mode:019]: Remain for 300 seconds
[00:10:17][C][api:182]: API Server:
[00:10:17][C][api:182]: Address: 192.168.50.243:6053
[00:10:17][C][api:187]: Using noise encryption: YES
[00:10:17][C][mdns:122]: mDNS:
[00:10:17][C][mdns:122]: Hostname: first-floor-iot-hav-0a5b17
I need to call it a night..... it's after midnight.
fair enough
Thanks for the help. Not sure what to do next but that's for tomorrow
Have a good night.
Morning,
Just a FYI but this is all the device shows after last night:
can you post the full yaml that you flashed?
esphome:
  name: first-floor-iot-hav-0a5b17
  friendly_name: first-floor-iot-hav-0a5b17
esp32:
  board: esp32-s3-devkitc-1
  variant: esp32s3
  flash_size: 16MB
  framework:
    type: esp-idf
    version: recommended
    sdkconfig_options:
      CONFIG_ESP32S3_DEFAULT_CPU_FREQ_240: "y"
      CONFIG_ESP32S3_DATA_CACHE_64KB: "y"
      CONFIG_ESP32S3_DATA_CACHE_LINE_64B: "y"
      CONFIG_ESP32S3_INSTRUCTION_CACHE_32KB: "y"
      CONFIG_BT_ALLOCATION_FROM_SPIRAM_FIRST: "y"
      CONFIG_BT_BLE_DYNAMIC_ENV_MEMORY: "y"
      CONFIG_MBEDTLS_EXTERNAL_MEM_ALLOC: "y"
      CONFIG_MBEDTLS_SSL_PROTO_TLS1_3: "n"
      CONFIG_MBEDTLS_SSL_PROTO_TLS1_2: "y"
      CONFIG_MBEDTLS_SSL_MIN_MINOR_VERSION: "3"
      CONFIG_MBEDTLS_SSL_MAX_MINOR_VERSION: "3"
      CONFIG_MBEDTLS_SSL_TLS1_3_KEY_SHARE: "n"
      CONFIG_MBEDTLS_SSL_TLS1_3_PSK_EXCHANGE: "n"
      CONFIG_MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE: "n"
      CONFIG_MBEDTLS_SSL_TLS1_3_MIXED_MODE: "n"
      CONFIG_MBEDTLS_SSL_TLS1_3_EARLY_DATA: "n"
      CONFIG_MBEDTLS_SSL_TLS1_3_MIDDLEBOX_COMPAT: "n"
# Enable logging
logger:
# Enable Home Assistant API
api:
  encryption:
    key: "<KEY>"
ota:
  - platform: esphome
    password: "<PASSWD>"
wifi:
  ssid: !secret wifi_ssid
  password: !secret wifi_password
  manual_ip:
    static_ip: 192.168.50.243
    gateway: 192.168.50.1
    subnet: 255.255.255.0
    dns1: 192.168.5.11
    dns2: 192.168.100.1
  # Enable fallback hotspot (captive portal) in case wifi connection fails
  ap:
    ssid: "First-Floor-Iot-Hav-0A5B17"
    password: "<PW>"
captive_portal:
okay, its missing the package to import the code from the vpe repo
did you remove it?
1 moment ill rewrite some stuff
replace XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX with the key from yours that you redacted
No. I didn't. What's there is what was there before adding in what you gave me.
ok, thats strange. in any case replace your yaml with the version i just posted except bring across your api encryption key
for some reason it must have defaulted to a basic esphome config instead of the voicepe factory starting point.
probably my fault that i missed it when you posted before
whatever the case we have found the issue
hopefully anyway
It's all good. Trying that now.
Not sure why it's complaining about this:
NVM... I see it
I had duplicate lines
other than the encryption key you should be replacing everything you had with what i sent
This thing is still grinding.
dam, need to consider changing out that hardware sooner rather than later
I'll be building my new system soon & this one will become the Proxmox server.
I'm getting a lot of these type warnings:
components/esp-tflite-micro/tensorflow/lite/micro/kernels/sub.cc:91:53: required from here
components/esp-tflite-micro/tensorflow/lite/kernels/internal/reference/sub.h:308:62: warning: declaration of 'const tflite::ArithmeticParams& params' shadows a parameter [-Wshadow]
308 | [](T input1_val, T input2_val, const ArithmeticParams& params) {
| ~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~
yeah warnings are fine
Well, it finally reached the "Creating esp32s3 image", so hopefully it'll be done soon ๐
Well, it's done.
now we hope it works
Well, it recognized the wake word.... & understood what I asked.... but I got this:
Why would I see a bunch of "Enabling power supply." outputs, like these:
[22:01:12][D][power_supply:035]: Enabling power supply.
[22:01:12][D][power_supply:035]: Enabling power supply.
[22:01:12][D][power_supply:035]: Enabling power supply.
[22:01:13][D][power_supply:035]: Enabling power supply.
[22:01:13][D][voice_assistant:598]: Event Type: 4
[22:01:13][D][voice_assistant:636]: Speech recognised as: "what time is it"
[22:01:13][D][voice_assistant:598]: Event Type: 5
[22:01:13][D][voice_assistant:641]: Intent started
[22:01:13][D][power_supply:035]: Enabling power supply.
[22:01:13][D][power_supply:035]: Enabling power supply.
[22:01:14][D][power_supply:035]: Enabling power supply.
[22:01:14][D][power_supply:035]: Enabling power supply.
[22:01:14][D][power_supply:035]: Enabling power supply.
Is that because the lights are flashing or spinning?
power supply stuff is just verbose logging. i wouldnt worry about it
so looks like its still not able to verify the cert
At least everything is back:
yup thats because its now including the package with all the device specific config
I have the 'ca.pem' file directly in the /config/esphome folder, if that has any bearing on anything.
nope, i dont think there is any way to actually include the cert file where it will be used by this call
there are ways of adding it to a http request component but the media player does its own request and not through a separate component
Is it this or could it have something to do with the pipeline config? I'm not sure where the "media player" is located, on the VPE or in HA itself.
media player is the esphome component that plays stuff
so this comment on the issue previously mentioned - https://github.com/esphome/home-assistant-voice-pe/issues/315#issuecomment-2973240267
seems to hint that they had to build the cert file in a particular way
something about chain order? most clients apparently dont care but some do
you might have to adjust the cert file that you have on the HA server, does that make any sense to you?
I'm not sure. I guess I'd have to see what they mean.
I did see this in ChatGPT:
.
Option 2: Trust Custom Root CA (Advanced)
If you must use HTTPS (e.g., external or you require encryption):
Export your root CA cert (used to sign the HA server cert).
Embed it in the ESPHome config using:
ssl_ca_cert: |
  -----BEGIN CERTIFICATE-----
  ...
  -----END CERTIFICATE-----
Or, if you compile ESPHome outside HA, inject the root CA into the build.
Option 3: Update ESPHome / ESP-IDF
If you're on an older ESPHome or ESP-IDF version, upgrade it to ensure it includes the latest CA root bundle.
You can do this by updating ESPHome via the Home Assistant Add-on Store.
Option 4: Correct ESP Clock (if applicable)
If your device doesn't have accurate time (especially on boot), TLS cert verification may fail.
Ensure an sntp time source is available (ESPHome does this by default with time:).
time:
  - platform: homeassistant
    id: home_time
Is "Option 2" even a thing? I mean, I can cat the 'ca.pem' file & insert the info as it's suggesting, if that's a thing.
I think its a hallucination
the only thing that i have seen that makes any sense is that comment i linked. and that the cert file you are using in HA is formatted in such a way that its accepted by most but not all clients (in this case the vpe)
I asked this
Is "Option 2" an actual Home Assistant Voice PE syntax or is that just a guess?
ChatGPT said:
Great question - you're right to double-check that, because ESPHome syntax (used by HA Voice PE devices) doesn't directly support ssl_ca_cert or embedded CA certificates in YAML config like that out of the box.
So to clarify:
"Option 2" is not valid syntax in ESPHome YAML directly.
That part was a general concept from the ESP-IDF level, not something ESPHome currently exposes via YAML.
ESPHome does not provide a built-in way to specify a custom CA bundle via YAML (as of mid-2025).
The ESPHome voice_assistant and media_player components currently rely on the built-in CA store compiled into the firmware at build time.
This means ESPHome only trusts certificates in its bundled root CA list (typically derived from the ESP x509 bundle).
And this was a suggestion LOL:
Valid Ways to Handle It in ESPHome / Voice PE
Here's what's actually supported and recommended:
Use http:// Instead of https://
If you host HA locally, set your voice_assistant: component to use HTTP. This avoids TLS verification entirely.
Example:
voice_assistant:
  microphone: mic
  speaker: speaker
  media_player: speaker
  use_wake_word: true
  noise_suppression_level: 2
  auto_gain: 31
  tts:
    platform: home_assistant
    url: "http://homeassistant.local:8123"
This is real, valid syntax, and using http:// works reliably for local networks.
I wonder if I need to be using the server's IP & not the loopback address in the 'configuration.yaml',
http:
  ssl_certificate: /ssl/ha_server.crt
  ssl_key: /ssl/ha_server.key
  use_x_forwarded_for: true
  trusted_proxies:
    - 127.0.0.1
    - ::1
    - 172.30.33.0/24
That's the reverse proxy settings, if I follow the doc
ok so in the documentation it says pem files should be used in the HA config
ssl_certificate: /etc/letsencrypt/live/hass.example.com/fullchain.pem
ssl_key: /etc/letsencrypt/live/hass.example.com/privkey.pem
this is an example using lets encrypt but the point stands
Which is what I have.
here you are showing you using .crt and .key files?
i dont know enough about certs to tell if there is a difference
The "http:" portion I shared is what I'm using already.
yes and i am suggesting why this could be an issue
these files are
.crt
and
.key
files
the documentation implies that they should be .pem files one of which is the fullchain.pem and the other is the privkey.pem
also the full chain apparently can be built in different orders which has been known to cause the same error you are seeing
Yeah... I'm looking at that now. I have all 3 files on HA so I can create the "fullchain.pem" file from the 'ca.pem'.
I'm going to look at that now.
I created the 'fullchain.pem' file & I'm rebooting HA Now.
Yeah, no change:
[22:59:07][D][esp-idf:000][ann_read]: E (3574089) esp-x509-crt-bundle: Failed to verify certificate
[22:59:07][D][esp-idf:000][ann_read]: E (3574090) esp-tls-mbedtls: mbedtls_ssl_handshake returned -0x3000
[22:59:07][D][esp-idf:000][ann_read]: I (3574091) esp-tls-mbedtls: Failed to verify peer certificate!
[22:59:07][D][esp-idf:000][ann_read]: E (3574091) esp-tls: Failed to open new connection
[22:59:07][D][esp-idf:000][ann_read]: E (3574091) transport_base: Failed to open a new connection
[22:59:07][D][esp-idf:000][ann_read]: E (3574092) HTTP_CLIENT: Connection failed, sock < 0
[22:59:07][E][audio_reader:120][ann_read]: Failed to open URL
[22:59:07][E][speaker_media_player.pipeline:112]: Media reader encountered an error: ESP_ERR_HTTP_CONNECT
[22:59:07][E][speaker_media_player:326]: The announcement pipeline's file reader encountered an error.
how does your HA configuration http section look now?
The 'configuration.yaml' http section:
# Enable HTTPS
http:
  ssl_certificate: /ssl/ha_fullchain.pem
  ssl_key: /ssl/ha_server.key
  use_x_forwarded_for: true
  trusted_proxies:
    - 127.0.0.1
    - ::1
    - 172.30.33.0/24
I'm running a 'openssl' check on the file.
I created the 'ha_fullchain.pem' file & it had both the CA & CRT info in it but there was a "fullchain.pem" file that just has the CRT info.
Now my HA is in recovery mode.
I'm restarting it again.
i am trying to work how a full chain works. and its not just a matter of the right stuff being there but it being there in the correct order
so its the "full chain" starting with the server then moving up
Mine is self-signed so I don't think there's any "intermediates".
It's just the server & my CA
I've got my HA working normal again.
what did you do? revert to what you had originally?
I had a 'fullchain.pem' file (the original) & my 'ha_fullchain.pem' file (which has both the ca.pem & ha_server.crt combined). When I tried to use the original file, it went into recovery mode, so I put the 'ha_fullchain.pem' file back into that "http:" section.
So HA is normal again.
in the ha_fullchain.pem file that has both. what order are they in within the file?
the pem file needs not only both. but them to be in the correct order
so it should look like this
-----BEGIN CERTIFICATE-----
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
SERVER CERT
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
CA CERT
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
-----END CERTIFICATE-----
This is what I get from a check:
➜ /ssl openssl crl2pkcs7 -nocrl -certfile ha_fullchain.pem | openssl pkcs7 -print_certs -noout
subject=C=US, ST=State, L=City, O=SoHo, OU=Home, CN=homeassistant.domain.net
issuer=C=US, ST=State, L=City, O=SoHo, OU=Home, CN=InternalCA
subject=C=US, ST=State, L=City, O=SoHo, OU=Home, CN=InternalCA
issuer=C=US, ST=State, L=City, O=SoHo, OU=Home, CN=InternalCA
look at the file yourself
you have the separate cert files so you know what each one looks like
I did, & the contents are just like you posted.
ok
and the vpe logs are still showing the
mbedtls_ssl_handshake returned -0x3000
error?
[23:01:40][D][esp-idf:000][ann_read]: E (3727851) esp-x509-crt-bundle: Failed to verify certificate
[23:01:40][D][esp-idf:000][ann_read]: E (3727851) esp-tls-mbedtls: mbedtls_ssl_handshake returned -0x3000
[23:01:40][D][esp-idf:000][ann_read]: I (3727851) esp-tls-mbedtls: Failed to verify peer certificate!
[23:01:40][D][esp-idf:000][ann_read]: E (3727851) esp-tls: Failed to open new connection
[23:01:40][D][esp-idf:000][ann_read]: E (3727851) transport_base: Failed to open a new connection
[23:01:40][D][esp-idf:000][ann_read]: E (3727852) HTTP_CLIENT: Connection failed, sock < 0
[23:01:40][E][audio_reader:120][ann_read]: Failed to open URL
[23:01:40][E][speaker_media_player.pipeline:112]: Media reader encountered an error: ESP_ERR_HTTP_CONNECT
[23:01:40][E][speaker_media_player:326]: The announcement pipeline's file reader encountered an error.
I think once I can get it to verify the cert, it'll work.
I need to call it a night again, but I'll try again tomorrow
Thanks again. I'm sure this is annoying for you but the help is appreciated
Have a good night.
gotcha, when you come back i have something you can try
in the http section of home assistant config next to the certs add
ssl_profile: intermediate
it defaults to "modern" which has less backward compatibility. given we are trying to force 1.2 then this might be an issue
although we are reaching the end of the line a little bit here tbh... this is something that was never designed to work and it may just not work. others have gotten some stuff working but that was not with the added complication of the self signed cert
Greetings:
[19:48:58][D][esp-idf:000][ann_read]: E (46737471) esp-x509-crt-bundle: Failed to verify certificate
[19:48:58][D][esp-idf:000][ann_read]: E (46737472) esp-tls-mbedtls: mbedtls_ssl_handshake returned -0x3000
[19:48:58][D][esp-idf:000][ann_read]: I (46737472) esp-tls-mbedtls: Failed to verify peer certificate!
[19:48:58][D][esp-idf:000][ann_read]: E (46737472) esp-tls: Failed to open new connection
[19:48:58][D][esp-idf:000][ann_read]: E (46737472) transport_base: Failed to open a new connection
[19:48:58][D][esp-idf:000][ann_read]: E (46737473) HTTP_CLIENT: Connection failed, sock < 0
[19:48:58][E][audio_reader:120][ann_read]: Failed to open URL
[19:48:58][E][speaker_media_player.pipeline:112]: Media reader encountered an error: ESP_ERR_HTTP_CONNECT
[19:48:58][E][speaker_media_player:326]: The announcement pipeline's file reader encountered an error.
So, unfortunately that didn't work either.
dam, I am pretty much out of ideas at this point though. there may just not be a way of making it work correctly (at least at the moment).
It's looking like I'd be forced to revert to HTTP and abandon the HTTPS idea.
I get that this is all behind my FW but there's still the WiFi that could potentially be sniffed.
Although I'm not surrounded by people who know how to do that sort of thing in this complex LMAO
yup, we gave it a good go but some things are just not an option