This is a problem related to the following issue:
The binding in the latest release version uses a library, the grohe-ondus-api, in a version which pinned the communication to the GROHE API to the endpoint https://idp-apigw.cloud.grohe.com. Looking at this endpoint, it uses a certificate from Symantec:
$ openssl s_client -connect idp-apigw.cloud.grohe.com:443
CONNECTED(000001BC)
---
Certificate chain
0 s:C = DE, L = D\C3\BCsseldorf, O = Grohe AG, CN = *.cloud.grohe.com
   i:C = US, O = "DigiCert, Inc.", OU = www.digicert.com, CN = DigiCert TLS ICA Thawte PCA-G3
1 s:C = US, O = "DigiCert, Inc.", OU = www.digicert.com, CN = DigiCert TLS ICA Thawte PCA-G3
   i:C = US, O = "thawte, Inc.", OU = Certification Services Division, OU = "(c) 2008 thawte, Inc. - For authorized use only", CN = thawte Primary Root CA - G3
---
The thawte Primary Root CA - G3 in the certificate root chain is distrusted by many major browsers, as well as by Oracle's and OpenJDK's Java implementations since mid last year (see Oracle's statement on that). So the problem seems to be related to a recent Java update you made on the system where openHAB is running. According to this update, Java 8 has this distrust since Update 211; however, the info is given for the JDK, the JRE probably follows the same notes.
As a solution, the next stable release of the GROHE binding will include the recent version of the used library, which uses the new API gateway version, idp2-apigw.cloud.grohe.com, which currently uses a new, trusted certificate chain:
$ openssl s_client -connect idp2-apigw.cloud.grohe.com:443
CONNECTED(000001BC)
---
Certificate chain
0 s:CN = *.cloud.grohe.com
   i:C = US, O = Amazon, OU = Server CA 1B, CN = Amazon
1 s:C = US, O = Amazon, OU = Server CA 1B, CN = Amazon
   i:C = US, O = Amazon, CN = Amazon Root CA 1
2 s:C = US, O = Amazon, CN = Amazon Root CA 1
   i:C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Services Root Certificate Authority - G2
3 s:C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Services Root Certificate Authority - G2
   i:C = US, O = "Starfield Technologies, Inc.", OU = Starfield Class 2 Certification Authority
---
As a solution or workaround until the stable version is released, there should be two ways:
- Install a snapshot version of the binding. It should work in the latest stable release as well; however, I cannot guarantee it.
- Manually bypassing the distrust in certificates anchored by thawte Primary Root CA - G3. However, I'm not sure if that is possible, nor would I recommend it. The distrust in the Symantec CA was done for serious reasons, which makes it hard to trust any certificate presented which has a Symantec cert in the chain. Controlling smart home devices with this distrust in mind is probably not the best idea, therefore I would recommend solution 1.