CalDav SSL errors

Hi all,
CalDav has been a headache for me for quite a while. I think I’ve caught a pertinent error in the logs recently. There is a public calendar feed I’m trying to read, with no authentication required. I can download the feed specified in my settings manually.

The logs show:

2020-07-22 11:32:15.350 [WARN ] [caldav.internal.job.EventReloaderJob] - Error while loading calendar entries: Host name 'recollect.a.ssl.fastly.net' does not match the certificate subject provided by the peer (CN=default.ssl.fastly.net, O="Fastly, Inc.", L=San Francisco, ST=California, C=US)

javax.net.ssl.SSLPeerUnverifiedException: Host name 'recollect.a.ssl.fastly.net' does not match the certificate subject provided by the peer (CN=default.ssl.fastly.net, O="Fastly, Inc.", L=San Francisco, ST=California, C=US)

	at org.apache.http.conn.ssl.SSLConnectionSocketFactory.verifyHostname(SSLConnectionSocketFactory.java:465) ~[httpclient-4.4.1.jar:4.4.1]

	at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:395) ~[httpclient-4.4.1.jar:4.4.1]

	at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:353) ~[httpclient-4.4.1.jar:4.4.1]

	at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:134) ~[httpclient-4.4.1.jar:4.4.1]

	at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:353) ~[httpclient-4.4.1.jar:4.4.1]

	at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:380) ~[httpclient-4.4.1.jar:4.4.1]

	at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236) ~[httpclient-4.4.1.jar:4.4.1]

	at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:184) ~[httpclient-4.4.1.jar:4.4.1]

	at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:88) ~[httpclient-4.4.1.jar:4.4.1]

	at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110) ~[httpclient-4.4.1.jar:4.4.1]

	at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184) ~[httpclient-4.4.1.jar:4.4.1]

	at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:71) ~[httpclient-4.4.1.jar:4.4.1]

	at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:220) ~[httpclient-4.4.1.jar:4.4.1]

	at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:164) ~[httpclient-4.4.1.jar:4.4.1]

	at com.github.sardine.impl.SardineImpl.execute(SardineImpl.java:962) ~[sardine-5.6.jar:5.6]

	at com.github.sardine.impl.SardineImpl.list(SardineImpl.java:417) ~[sardine-5.6.jar:5.6]

	at com.github.sardine.impl.SardineImpl.list(SardineImpl.java:409) ~[sardine-5.6.jar:5.6]

	at com.github.sardine.impl.SardineImpl.list(SardineImpl.java:386) ~[sardine-5.6.jar:5.6]

	at org.openhab.io.caldav.internal.job.EventReloaderJob.loadEvents(EventReloaderJob.java:250) ~[bundleFile:?]

	at org.openhab.io.caldav.internal.job.EventReloaderJob.execute(EventReloaderJob.java:141) [bundleFile:?]

	at org.quartz.core.JobRunShell.run(JobRunShell.java:202) [bundleFile:?]

	at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:573) [bundleFile:?]

2020-07-22 11:32:15.353 [INFO ] [org.quartz.core.JobRunShell         ] - Job event-reloader.GarbagePickup threw a JobExecutionException: 

org.quartz.JobExecutionException: Error while loading calendar entries

	at org.openhab.io.caldav.internal.job.EventReloaderJob.execute(EventReloaderJob.java:181) ~[?:?]

	at org.quartz.core.JobRunShell.run(JobRunShell.java:202) [bundleFile:?]

	at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:573) [bundleFile:?]

Caused by: javax.net.ssl.SSLPeerUnverifiedException: Host name 'recollect.a.ssl.fastly.net' does not match the certificate subject provided by the peer (CN=default.ssl.fastly.net, O="Fastly, Inc.", L=San Francisco, ST=California, C=US)

	at org.apache.http.conn.ssl.SSLConnectionSocketFactory.verifyHostname(SSLConnectionSocketFactory.java:465) ~[?:?]

	at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:395) ~[?:?]

	at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:353) ~[?:?]

	at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:134) ~[?:?]

	at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:353) ~[?:?]

	at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:380) ~[?:?]

	at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236) ~[?:?]

	at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:184) ~[?:?]

	at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:88) ~[?:?]

	at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110) ~[?:?]

	at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184) ~[?:?]

	at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:71) ~[?:?]

	at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:220) ~[?:?]

	at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:164) ~[?:?]

	at com.github.sardine.impl.SardineImpl.execute(SardineImpl.java:962) ~[?:?]

	at com.github.sardine.impl.SardineImpl.list(SardineImpl.java:417) ~[?:?]

	at com.github.sardine.impl.SardineImpl.list(SardineImpl.java:409) ~[?:?]

	at com.github.sardine.impl.SardineImpl.list(SardineImpl.java:386) ~[?:?]

	at org.openhab.io.caldav.internal.job.EventReloaderJob.loadEvents(EventReloaderJob.java:250) ~[?:?]

	at org.openhab.io.caldav.internal.job.EventReloaderJob.execute(EventReloaderJob.java:141) ~[?:?]

As a wild shot, to see if the default.ssl.fastly.net = recollect.a.ssl.fastly.net, I tried pasting default.ssl.fastly.net/[snip], and the calendar file wouldn’t download. The original address does work.
As I can’t control their certificates, and in this case I don’t really care if they are insecure/hacked, is there any way in CalDav to disable certificate checking? Does this occur at the level of a dependency where I can ignore this? Chrone doesn’t throw any certificate error when I paste the address in and download the file.
I’d appreciate any direction

edit:
from the config file:
caldavio:GarbagePickup:url=https://recollect.a.ssl.fastly.net/api/places/[snip]
with no specified user name or passwords, just reload interval and preload time.

Thanks!

I don’t believe there’s a way to disable certificate checking.

You may want to try the 2.x version. It’s now the icalendar binding.

The server certificate seems to be ok: https://www.ssllabs.com/ssltest/analyze.html?d=recollect.a.ssl.fastly.net
It uses wildcard names in field Alternative Names ( Alternative names default.ssl.fastly.net fastly.com *.a.ssl.fastly.net *.hosts.fastly.net *.global.ssl.fastly.net *.fastly.com a.ssl.fastly.net purge.fastly.net mirrors.fastly.net control.fastly.net tools.fastly.net ).
Thus it looks like the binding does not check for ( this kind of ) Alternative Names.

This topic was automatically closed 41 days after the last reply. New replies are no longer allowed.