Download of calendar failed. - PKIX path building failed

usambara · May 16, 2021, 9:07am

I had to import the certificate to the java trust store (not from linux) and restart OH.

Now I get another error

2021-05-16 10:46:49.681 [WARN ] [g.icalendar.internal.handler.PullJob] - Download of calendar failed.
2021-05-16 10:46:49.682 [DEBUG] [g.icalendar.internal.handler.PullJob] - ExecutionException message is: No subject alternative names matching IP address 192.168.x.y found

This seems to be similar to

github.com/openhab/openhab-core

Make hostname verification configurable in MQTT transport

opened 03:45PM - 05 May 21 UTC

closed 09:19AM - 10 May 21 UTC

mherwege

enhancement PR pending

The hivemq upgrade to 1.2.2 introduced default hostname verification (see [HiveM…Q 1.2.0 release notes](https://www.hivemq.com/blog/hivemq-mqtt-client-1-2-0-released/)) By consequence, validation against an ip address does not work anymore. In the nikohomecontrol binding, the ip address is established during discovery. The hostname in the certificates does not have relevance. Therefore, the mqtt connection to the nikohomecontrol hub does not connect anymore, see log below. I would need the ability to disable hostname verification to resolve this in the binding. This is possible in hivemq. The binding does not use the hivemq library directly, but uses org.openhab.core.io.transport.mqtt. I don't see a way to disable hostname verification in hivemq via a configuration in the transport. ``` 16:52:50.523 [DEBUG] [l.nhc2.NikoHomeControlCommunication2] - Connection state: CONNECTING com.hivemq.client.mqtt.exceptions.ConnectionFailedException: javax.net.ssl.SSLHandshakeException: No subject alternative names matching IP address 192.168.0.187 found Caused by: javax.net.ssl.SSLHandshakeException: No subject alternative names matching IP address 192.168.0.187 found at sun.security.ssl.Alert.createSSLException(Alert.java:131) ~[?:?] at sun.security.ssl.TransportContext.fatal(TransportContext.java:352) ~[?:?] at sun.security.ssl.TransportContext.fatal(TransportContext.java:295) ~[?:?] at sun.security.ssl.TransportContext.fatal(TransportContext.java:290) ~[?:?] at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:654) ~[?:?] at sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:473) ~[?:?] at sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:369) ~[?:?] at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392) ~[?:?] at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:443) ~[?:?] at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1074) ~[?:?] at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1061) ~[?:?] at java.security.AccessController.doPrivileged(Native Method) ~[?:?] at sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1008) ~[?:?] at io.netty.handler.ssl.SslHandler.runAllDelegatedTasks(SslHandler.java:1510) ~[bundleFile:4.1.48.Final] at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1524) ~[bundleFile:4.1.48.Final] at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1408) [bundleFile:4.1.48.Final] at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1235) [bundleFile:4.1.48.Final] at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1282) [bundleFile:4.1.48.Final] at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:498) [bundleFile:4.1.48.Final] at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:437) [bundleFile:4.1.48.Final] at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:276) [bundleFile:4.1.48.Final] at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379) [bundleFile:4.1.48.Final] at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365) [bundleFile:4.1.48.Final] at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357) [bundleFile:4.1.48.Final] at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410) [bundleFile:4.1.48.Final] at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379) [bundleFile:4.1.48.Final] at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365) [bundleFile:4.1.48.Final] at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919) [bundleFile:4.1.48.Final] at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:163) [bundleFile:4.1.48.Final] at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:714) [bundleFile:4.1.48.Final] at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:650) [bundleFile:4.1.48.Final] at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:576) [bundleFile:4.1.48.Final] at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:493) [bundleFile:4.1.48.Final] at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:989) [bundleFile:4.1.48.Final] at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74) [bundleFile:4.1.48.Final] at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30) [bundleFile:4.1.48.Final] at java.lang.Thread.run(Thread.java:834) [?:?] Caused by: java.security.cert.CertificateException: No subject alternative names matching IP address 192.168.0.187 found at sun.security.util.HostnameChecker.matchIP(HostnameChecker.java:165) ~[?:?] at sun.security.util.HostnameChecker.match(HostnameChecker.java:101) ~[?:?] at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:455) ~[?:?] at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:429) ~[?:?] at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:283) ~[?:?] at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:141) ~[?:?] at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:632) ~[?:?] at sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:473) ~[?:?] at sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:369) ~[?:?] at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392) ~[?:?] at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:443) ~[?:?] at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1074) ~[?:?] at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1061) ~[?:?] at java.security.AccessController.doPrivileged(Native Method) ~[?:?] at sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1008) ~[?:?] at io.netty.handler.ssl.SslHandler.runAllDelegatedTasks(SslHandler.java:1510) ~[bundleFile:4.1.48.Final] at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1524) ~[bundleFile:4.1.48.Final] at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1408) ~[bundleFile:4.1.48.Final] at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1235) ~[bundleFile:4.1.48.Final] at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1282) ~[bundleFile:4.1.48.Final] at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:498) ~[?:?] at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:437) ~[?:?] at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:276) ~[?:?] at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379) ~[bundleFile:4.1.48.Final] at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365) ~[bundleFile:4.1.48.Final] at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357) [bundleFile:4.1.48.Final] at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410) ~[bundleFile:4.1.48.Final] at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379) [bundleFile:4.1.48.Final] at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365) [bundleFile:4.1.48.Final] at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919) ~[?:?] at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:163) ~[?:?] at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:714) ~[?:?] at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:650) ~[?:?] at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:576) ~[?:?] at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:493) ~[?:?] at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:989) ~[?:?] at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74) ~[?:?] at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30) ~[?:?] at java.lang.Thread.run(Thread.java:834) ~[?:?] 16:52:50.536 [DEBUG] [l.nhc2.NikoHomeControlCommunication2] - connection lost ``` See also [OH community](https://community.openhab.org/t/niko-home-control-energymeter-returning-undef/120959/10).

Is there a possibility to deactivate this strict check?