Hue Bridge Pro support

Would it be possible to add support for Hue Bridge Pro? Getting error in the bridge thing:

Logger Class
org.openhab.binding.hue.internal.handler.Clip2BridgeHandler
Message
initializeAssets() communication error on '192.168.1.31'
Stack Trace

java.io.IOException: java.util.concurrent.ExecutionException: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at org.openhab.core.io.net.http.HttpUtil.executeUrlAndGetReponse(HttpUtil.java:266)
at org.openhab.core.io.net.http.HttpUtil.executeUrl(HttpUtil.java:154)
at org.openhab.core.io.net.http.HttpUtil.executeUrl(HttpUtil.java:129)
at org.openhab.binding.hue.internal.connection.Clip2Bridge.isClip2Supported(Clip2Bridge.java:536)
at org.openhab.binding.hue.internal.handler.Clip2BridgeHandler.initializeAssets(Clip2BridgeHandler.java:486)
at org.openhab.binding.hue.internal.handler.Clip2BridgeHandler.initialize(Clip2BridgeHandler.java:467)
at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(Unknown Source)
at java.base/java.lang.reflect.Method.invoke(Unknown Source)
at org.openhab.core.internal.common.AbstractInvocationHandler.invokeDirect(AbstractInvocationHandler.java:149)
at org.openhab.core.internal.common.Invocation.call(Invocation.java:52)
at java.base/java.util.concurrent.FutureTask.run(Unknown Source)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.base/java.lang.Thread.run(Unknown Source)
Caused by: java.util.concurrent.ExecutionException: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at org.eclipse.jetty.client.util.FutureResponseListener.getResult(FutureResponseListener.java:118)
at org.eclipse.jetty.client.util.FutureResponseListener.get(FutureResponseListener.java:101)
at org.eclipse.jetty.client.HttpRequest.send(HttpRequest.java:732)
at org.openhab.core.io.net.http.HttpUtil.executeUrlAndGetReponse(HttpUtil.java:257)
... 13 more
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.ssl.Alert.createSSLException(Unknown Source)
at java.base/sun.security.ssl.TransportContext.fatal(Unknown Source)
at java.base/sun.security.ssl.TransportContext.fatal(Unknown Source)
at java.base/sun.security.ssl.TransportContext.fatal(Unknown Source)
at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(Unknown Source)
at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(Unknown Source)
at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(Unknown Source)
at java.base/sun.security.ssl.SSLHandshake.consume(Unknown Source)
at java.base/sun.security.ssl.HandshakeContext.dispatch(Unknown Source)
at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(Unknown Source)
at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(Unknown Source)
at java.base/java.security.AccessController.doPrivileged(Unknown Source)
at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask.run(Unknown Source)
at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.fill(SslConnection.java:654)
at org.eclipse.jetty.client.http.HttpReceiverOverHTTP.process(HttpReceiverOverHTTP.java:168)
at org.eclipse.jetty.client.http.HttpReceiverOverHTTP.receive(HttpReceiverOverHTTP.java:80)
at org.eclipse.jetty.client.http.HttpChannelOverHTTP.receive(HttpChannelOverHTTP.java:131)
at org.eclipse.jetty.client.http.HttpConnectionOverHTTP.onFillable(HttpConnectionOverHTTP.java:172)
at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311)
at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:105)
at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.onFillable(SslConnection.java:555)
at org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:410)
at org.eclipse.jetty.io.ssl.SslConnection$2.succeeded(SslConnection.java:164)
at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:105)
at org.eclipse.jetty.io.ChannelEndPoint$1.run(ChannelEndPoint.java:104)
at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:338)
at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:315)
at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:173)
at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:131)
at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:409)
at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:883)
at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1034)
... 1 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.validator.PKIXValidator.doBuild(Unknown Source)
at java.base/sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
at java.base/sun.security.validator.Validator.validate(Unknown Source)
at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source)
at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
at org.openhab.core.io.net.http.internal.ExtensibleTrustManagerImpl.checkServerTrusted(ExtensibleTrustManagerImpl.java:123)
... 29 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(Unknown Source)
at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
at java.base/java.security.cert.CertPathBuilder.build(Unknown Source)
... 35 more

From this line:

response = HttpUtil.executeUrl("GET", String.format(FORMAT_URL_CONFIG, hostName), headers, null, null,
                TIMEOUT_SECONDS * 1000);

The URL in FORMAT_URL_CONFIG (eventually http://192.168.1.31/api/0/config) works fine when testing via browser, although it puzzles me why it uses http and not https.

Perhaps just the root cert in Pro bridge is different.

Same Problem here

Got it to work, please note that this may be a workaround until proper fix arrives:

1. Go to https://discovery.meethue.com/, it will list Hue Bridges in your network, copy the idstring and the internalipaddressof your Hue Bridge Pro

2. Edit /etc/hostsin your OpenHAB box and add new row containing both, first IP address, then ID, e.g.
   192.168.1.31 D12345FFFEC4E2D8. This is to work around the SAN requirement, so we need to make bridge URL match with what is defined in the certificate)

3. Download new root certificate from Login - Philips Hue Developer Program (save the second cert to hue-root.crt file)

4. Install new Hue root cert (I use Openhabian, so adjust this to your environment): sudo keytool -import -alias hue-root -keystore /etc/ssl/certs/adoptium/cacerts -file hue-root.crt. This is to make Openhab to trust the Bridge certificate.

5. Restart Openhab

6. Add Hue Bridge Pro using the Hue Bridge Pro ID as the IP Address (the one you got in step 1, e.g., D12345FFFEC4E2D8)

   

   image783×624 17.2 KB

7. DONE!

See the following

https://github.com/openhab/openhab-addons/issues/19337

@jpalo
I use openhabian too, but I get a warning and am asked for a keystore password that I do not know..

openhabian@openhabdeb:~$ sudo keytool -import -alias hue-root -keystore /etc/ssl/certs/adoptium/cacerts -file hue-root.crt
Warning: use -cacerts option to access cacerts keystore
Enter keystore password: 

Default keystore password is “changeit”. That warning is ok.

Not sure why but when I am asked for the password it does not work, but this does:
sudo keytool -import -alias hue-root -keystore /etc/ssl/certs/adoptium/cacerts -storepass changeit -file hue-root.crt

In my case the hostname returned using discovery.meethue.com is small caps, while the hue app shows an all caps hostname. (I used the all caps version) and it works!

Note that I used the migration route in the hue app (the Bridge Pro replaced the Bridge). This means I have not needed to make any other changes to openHAB (all light things, channels etc remained the same)

I am struggling to pair the Hue Bridge Pro with OH.

Have added IP address and ID to /etc/hosts and have added hue-root.crt to cacerts. Using openhabian.

When trying to add the Hue Bridge Pro with ID as IP address I get this

Not authenticated. Press pairing button on the Hue Bridge or set a valid application key in configuration.

16:33:17.787[INFO] [openhab.event.ThingStatusInfoChangedEvent] - Thing 'hue:bridge-api2:68c434b3eb' changed from OFFLINE (CONFIGURATION_ERROR): Certificate loading failed. Please check your configuration settings (network address, type of certificate). to UNINITIALIZED
16:33:17.795[DEBUG] [org.openhab.binding.hue.internal.discovery.Clip2ThingDiscoveryService] - bundle org.openhab.binding.hue:5.1.0.202509220343 (284)[org.openhab.binding.hue.internal.discovery.Clip2ThingDiscoveryService(368)] : ServiceFactory.ungetService()
16:33:17.795[DEBUG] [org.openhab.binding.hue.internal.discovery.Clip2ThingDiscoveryService] - bundle org.openhab.binding.hue:5.1.0.202509220343 (284)[org.openhab.binding.hue.internal.discovery.Clip2ThingDiscoveryService(368)] : invoking deactivate: deactivate: parameters []
16:33:17.795[DEBUG] [org.openhab.binding.hue.internal.discovery.Clip2ThingDiscoveryService] - bundle org.openhab.binding.hue:5.1.0.202509220343 (284)[org.openhab.binding.hue.internal.discovery.Clip2ThingDiscoveryService(368)] : invoked deactivate: deactivate
16:33:17.795[DEBUG] [org.openhab.binding.hue.internal.discovery.Clip2ThingDiscoveryService] - bundle org.openhab.binding.hue:5.1.0.202509220343 (284)[org.openhab.binding.hue.internal.discovery.Clip2ThingDiscoveryService(368)] : DependencyManager: osgi.ds.satisfying.condition close component unbinding from org.apache.felix.scr.impl.manager.ComponentContextImpl@194aea7c at tracking count 1 refpairs: [[RefPair: ref: [{org.osgi.service.condition.Condition}={service.id=6, service.bundleid=0, service.scope=singleton, service.pid=0.org.osgi.service.condition.ConditionImpl, osgi.condition.id=true}] service: [null]]]
16:33:17.796[INFO] [openhab.event.ThingStatusInfoChangedEvent] - Thing 'hue:bridge-api2:68c434b3eb' changed from UNINITIALIZED to UNINITIALIZED (DISABLED)
16:33:19.145[DEBUG] [org.openhab.binding.hue.internal.discovery.Clip2ThingDiscoveryService] - bundle org.openhab.binding.hue:5.1.0.202509220343 (284)[org.openhab.binding.hue.internal.discovery.Clip2ThingDiscoveryService(368)] : ServiceFactory.getService()
16:33:19.145[DEBUG] [org.openhab.binding.hue.internal.discovery.Clip2ThingDiscoveryService] - bundle org.openhab.binding.hue:5.1.0.202509220343 (284)[org.openhab.binding.hue.internal.discovery.Clip2ThingDiscoveryService(368)] : This thread collected dependencies
16:33:19.145[DEBUG] [org.openhab.binding.hue.internal.discovery.Clip2ThingDiscoveryService] - bundle org.openhab.binding.hue:5.1.0.202509220343 (284)[org.openhab.binding.hue.internal.discovery.Clip2ThingDiscoveryService(368)] : getService (ServiceFactory) dependencies collected.
16:33:19.145[DEBUG] [org.openhab.binding.hue.internal.discovery.Clip2ThingDiscoveryService] - bundle org.openhab.binding.hue:5.1.0.202509220343 (284)[org.openhab.binding.hue.internal.discovery.Clip2ThingDiscoveryService(368)] : Querying state active
16:33:19.145[DEBUG] [org.openhab.binding.hue.internal.discovery.Clip2ThingDiscoveryService] - bundle org.openhab.binding.hue:5.1.0.202509220343 (284)[org.openhab.binding.hue.internal.discovery.Clip2ThingDiscoveryService(368)] : For dependency osgi.ds.satisfying.condition, optional: false; to bind: [[RefPair: ref: [{org.osgi.service.condition.Condition}={service.id=6, service.bundleid=0, service.scope=singleton, service.pid=0.org.osgi.service.condition.ConditionImpl, osgi.condition.id=true}] service: [null]]]
16:33:19.146[DEBUG] [org.openhab.binding.hue.internal.discovery.Clip2ThingDiscoveryService] - bundle org.openhab.binding.hue:5.1.0.202509220343 (284)[org.openhab.binding.hue.internal.discovery.Clip2ThingDiscoveryService(368)] : invoking activate: activate: parameters [org.apache.felix.scr.impl.helper.ReadOnlyDictionary]
16:33:19.146[DEBUG] [org.openhab.binding.hue.internal.discovery.Clip2ThingDiscoveryService] - bundle org.openhab.binding.hue:5.1.0.202509220343 (284)[org.openhab.binding.hue.internal.discovery.Clip2ThingDiscoveryService(368)] : invoked activate: activate
16:33:19.146[DEBUG] [org.openhab.binding.hue.internal.discovery.Clip2ThingDiscoveryService] - bundle org.openhab.binding.hue:5.1.0.202509220343 (284)[org.openhab.binding.hue.internal.discovery.Clip2ThingDiscoveryService(368)] : Changed state from active to active
16:33:19.148[INFO] [openhab.event.ThingStatusInfoChangedEvent] - Thing 'hue:bridge-api2:68c434b3eb' changed from UNINITIALIZED (DISABLED) to INITIALIZING
16:33:19.151[DEBUG] [org.openhab.binding.hue.internal.handler.Clip2BridgeHandler] - initializeAssets() org.openhab.binding.hue.internal.handler.Clip2BridgeHandler@70846fd0
16:33:19.151[INFO] [openhab.event.ThingStatusInfoChangedEvent] - Thing 'hue:bridge-api2:68c434b3eb' changed from INITIALIZING to UNKNOWN
16:33:19.160[TRACE] [org.openhab.binding.hue.internal.connection.HueTlsTrustManagerProvider] - Use Signify private CA Certificate for Hue Bridges from resources.
16:33:19.161[DEBUG] [org.openhab.binding.hue.internal.connection.HueTlsTrustManagerProvider] - An unexpected exception occurred: Certificate resource 'huebridge_cacert.pem' not found or not accessible.
16:33:19.162[INFO] [openhab.event.ThingStatusInfoChangedEvent] - Thing 'hue:bridge-api2:68c434b3eb' changed from UNKNOWN to OFFLINE (CONFIGURATION_ERROR): Certificate loading failed. Please check your configuration settings (network address, type of certificate).

The Hue Bridge Pro starts blinking when I try to add it. The button on the bridge seems unresponsive in relation to pairing.

Any suggestions on what is going wrong here would be highly appreciated.

You cannot use IP address, use the name you added to /etc/hosts file.

Thanks Jussi, yes I saw that and I am already using the ID obtained from discovery.meethue.com so I believe that is not the issue. Any other ideas?

Sorry, misread that you used IP. Did you restart openhab service?

I registered new api key and used that, perhaps you need to do that manually first. I’m not at computer now so cannot give more detailed info how to do it.

Thanks Jussi, highly appreciated - this solved it for me.

For others that may run in to the same issue; obtain the Application Key as described in Get Started - Philips Hue Developer Program before steps 1 to 6 in the guidance above and then add it manually in step 6.

This topic was automatically closed 41 days after the last reply. New replies are no longer allowed.