#Self-signed certificate error when fetching from homelab service
I have my own CA created through Vault that provides ACME certificates to a bunch of services running in a homelab. This works well, and I've distributed the root CA certificate to the homelab machines where Nomad is running Home Assistant (among other things). Containers have the host's /etc/ssl/certs bind mounted into the container, so they should be seeing the root cert. Using curl from the command line and trying to access, e.g., https://prometheus.service.home works just fine from within the Home Assistant container. I can also write a few lines of Python to do an aiohttp fetch of the same URL from the container, and this is fine. However, when I try to do this from within an integration (https://github.com/mweinelt/ha-prometheus-sensor), Home Assistant complains of a self-signed certificate in the chain. Is there something in the aiohttp session gifted to the integration that breaks this? Something about where Home Assistant reads its server certs from?
There's an integration to add an additional CA to HA: https://github.com/Athozs/hass-additional-ca
Of course the answer is more integrations...
That'd be the extension point for HA 🙂
I'm surprised though. The system's /etc/ssl/certs/ca-certificates.crt was rebuilt to include the new .home CA. This isn't enough?
If you did that and ran update-ca-certificates, I'd think it should be enough.
Wouldn't survive updates though
The .crt file is in /usr/local/share/ca-certificates and I've run update-ca-certificates on the host. I do expect that this survives updates.
https://github.com/Athozs/hass-additional-ca?tab=readme-ov-file#51-docker suggests that Home Assistant might be rebuilding...
I'm wondering how this will work if this integration wants to rewrite ca-certificates on an RO filesystem...
https://github.com/Athozs/hass-additional-ca?tab=readme-ov-file#622-haos---home-assistant-operating-system also suggests that using curl should be sufficient validation...
Yeah, this doesn't make any sense. https://github.com/Athozs/hass-additional-ca/issues/13 is at odds with what I'm seeing for Python's behavior, and if the integration only serves to rebuild ca-certificates.crt at startup, then I've effectively already done that.
OK, I misread that GH issue... Home Assistant still uses certifi, which is why there's a difference between what I see on the command line and what HA sees. Fair enough.
Sigh. So, hass-additional-ca works. Solved, I guess, but it's annoying that I can't solve this in the same way as every other container I run.
@earnest nova thanks for the help
Ah, no. This is terrible. After deploying the container I have to immediately restart home assistant.
I tested "hass-additional-ca" hoping it would allow me to use the "proxmox-ve" integration over HTTPS without warnings flooding the logs regarding HTTPS... but no.
To get it working I still have to use verify_ssl: false 🙁
Welp, the last try is the simplest thing and it also seems to work: the hass-additional-ca repo makes mention of the REQUESTS_CA_BUNDLE environment variable. If I set that to /etc/ssl/certs/ca-certificates.crt, I can just bind mount /etc/ssl/certs from the host.
And following up, this works because of this line in HA core: https://github.com/home-assistant/core/blob/dev/homeassistant/util/ssl.py#L92. No additional integrations needed. I guess this is a solution for anyone running HA in a container, but HAOS folks are out of luck.