Icloud binding - General SSLEngine problem

I have tried Patrik’s solution with no luck.

I have a windows machine so KeyStore Explorer looked the simplest for me.
I imported both the certs and rebooted the computer, but still no luck getting this running.
If I reload Keystore Explorer it looks like both have imported ok!


My logs still show

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) ~[?:?]
	at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1959) ~[?:?]
	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302) ~[?:?]
	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296) ~[?:?]
	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1514) ~[?:?]
	at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216) ~[?:?]
	at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026) ~[?:?]
	at sun.security.ssl.Handshaker.process_record(Handshaker.java:961) ~[?:?]
	at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072) ~[?:?]
	at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385) ~[?:?]
	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413) ~[?:?]
	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397) ~[?:?]
	at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559) ~[?:?]
	at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185) ~[?:?]
	at sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnection.java:1334) ~[?:?]
	at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1309) ~[?:?]
	at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:259) ~[?:?]
	at org.openhab.binding.icloud.internal.Connection.postRequest(Connection.java:95) ~[?:?]
	at org.openhab.binding.icloud.internal.Connection.requestDeviceStatusJSON(Connection.java:55) ~[?:?]
	at org.openhab.binding.icloud.handler.ICloudAccountBridgeHandler.lambda$0(ICloudAccountBridgeHandler.java:81) ~[?:?]
	at org.eclipse.smarthome.core.cache.ExpiringCache.refreshValue(ExpiringCache.java:81) ~[?:?]
	at org.eclipse.smarthome.core.cache.ExpiringCache.getValue(ExpiringCache.java:61) ~[?:?]
	at org.openhab.binding.icloud.handler.ICloudAccountBridgeHandler.refreshData(ICloudAccountBridgeHandler.java:132) ~[?:?]
	at org.openhab.binding.icloud.handler.ICloudAccountBridgeHandler.lambda$1(ICloudAccountBridgeHandler.java:123) ~[?:?]
	at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) [?:?]
	at java.util.concurrent.FutureTask.runAndReset(FutureTask.java:308) [?:?]
	at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$301(ScheduledThreadPoolExecutor.java:180) [?:?]
	at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:294) [?:?]
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:?]
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:?]
	at java.lang.Thread.run(Thread.java:748) [?:?]
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397) ~[?:?]
	at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302) ~[?:?]
	at sun.security.validator.Validator.validate(Validator.java:260) ~[?:?]
	at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324) ~[?:?]
	at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229) ~[?:?]
	at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124) ~[?:?]
	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1496) ~[?:?]
	... 26 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141) ~[?:?]
	at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126) ~[?:?]
	at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280) ~[?:?]
	at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392) ~[?:?]
	at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302) ~[?:?]
	at sun.security.validator.Validator.validate(Validator.java:260) ~[?:?]
	at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324) ~[?:?]
	at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229) ~[?:?]
	at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124) ~[?:?]
	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1496) ~[?:?]
	... 26 more
2018-08-17 13:28:57.703 [INFO ] 

Anybody know what I am doing wrong?
Many Thanks
Mick

I’m running the same setup as you (openHAB 2.3 on Synology), still no working iCloud binding… did you get it to work?

When executing

csplit -f cert /tmp/icloud2.crt '/^-----BEGIN CERTIFICATE-----/' {*}

I get “0” as a reply from console. Is that correct…?

Following through to

bin/keytool -importcert -file /tmp/cert01 -alias icloudfmi1 -trustcacerts -keystore ./jre/lib/security/cacerts -storepass changeit

I get: /tmp/cert01 (No such file or directory)

Any ideas where I’m going wrong? Thanks!

No, it is still not working.

Followed the script of @The-Elk (see above) and the certificates got installed. Your error message indicates that the folder /temp/cert… has not been created by the first command.

I have the certificates installed and working in the Synology Java setup but this does not solve the binding problem.

Wow,

Finally got this sorted and can’t believe my school boy error!
I have got “JRE” and “JDK” on my machine and didn’t realise KeyStore Explorer was only updating “JRE”.
I finally forced KeyStore Explorer to open the other folder and it has worked.

Hopefully this method will work for others with ongoing problems.

Is there any user with an openHAB setup on a Synology who was able to solve this iCloud certificate issue?

The approach outlined here can be followed and executed with a successful installation of the certificates but the iCloud issue still prevails.

Anyone that could help here?

Many thanks

It is working for me on a Synology. I used the following approach:

sudo -i
echo -n | openssl s_client -servername fmipmobile.icloud.com -host fmipmobile.icloud.com -port 443 -prexit -showcerts 2>/dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /tmp/icloud2.crt
cd /tmp

csplit -f cert /tmp/icloud2.crt '/^-----BEGIN CERTIFICATE-----/' {*}

# back to the Java security dir on the Synology (using Synology's Java8 package)
cd /var/packages/Java8/target/j2sdk-image/jre/lib/security
keytool -importcert -file /tmp/cert01 -alias icloudfmi1 -trustcacerts -keystore cacerts -storepass changeit
keytool -importcert -file /tmp/cert02 -alias icloudfmi2 -trustcacerts -keystore cacerts -storepass changeit

Strange. If I redo your steps, then it tells me "Certificate not imported, alias already exists". Same with the second one.

So, it is installed. What did you do afterwards? Restart iCloud binding, restart openhab?

P.S.: I did delete Java8 and reinstalled, the script ran as expected to install the certificates but still the same error

15:04:59.906 [WARN ] [ud.handler.ICloudAccountBridgeHandler] - Unable to refresh device data
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Thanks

I had the same issue last week, Openhab crashed and it lost all the things. When I reinstalled them the iCloud thing didn’t work.
I followed the steps above and got the same error “Certificate not imported, alias exists” but the error was my iCloud account details were wrong.
Once I corrected them (in my case the e-mail was wrong) it all worked perfectly.

I just created a (potential) fix, feel free to test it out, you can download it through https://github.com/openhab/openhab2-addons/issues/3762#issuecomment-420803031


Thanks, running Build #1374, so far so good…
However, when testing removing the things (many iPhones, iPads, watches), it seems it cannot completely remove all things from the Paper UI page. What should I do to clean this up? Thanks

I tried to work with snapshot from @martinvw:

232 │ Active   │  80 │ 2.4.0.201809191933     │ iCloud Binding

But unfortunately I did not get any data from iCloud, so I have 2 questions:

  1. first, I am not sure where I get the deviceID from, which I need to define the iCloud .things file as described in the docs (is it the UUID which I find in iTunes when connecting the iPhone to my iMac?)
  2. second log problem with: “Problem while calling the API” (see below, sorry for long log)

What am I doing wrong?

2018-10-12 22:26:18.597 [INFO ] [ttp.internal.SecureHttpClientFactory] - creating httpClient for endpoint https://fmipmobile.icloud.com
2018-10-12 22:26:18.603 [INFO ] [ttp.internal.SecureHttpClientFactory] - using custom trustmanagers (certificate pinning) for httpClient for endpoint https://fmipmobile.icloud.com
2018-10-12 22:26:19.365 [WARN ] [d.handler.ICloudAccountBridgeHandler] - Unable to refresh device data
java.io.IOException: Problem while calling the API
	at org.openhab.binding.icloud.internal.ICloudConnection.callApi(ICloudConnection.java:115) ~[?:?]
	at org.openhab.binding.icloud.internal.ICloudConnection.requestDeviceStatusJSON(ICloudConnection.java:91) ~[?:?]
	at org.openhab.binding.icloud.handler.ICloudAccountBridgeHandler.lambda$0(ICloudAccountBridgeHandler.java:87) ~[?:?]
	at org.eclipse.smarthome.core.cache.ExpiringCache.refreshValue(ExpiringCache.java:81) ~[?:?]
	at org.eclipse.smarthome.core.cache.ExpiringCache.getValue(ExpiringCache.java:61) ~[?:?]
	at org.openhab.binding.icloud.handler.ICloudAccountBridgeHandler.refreshData(ICloudAccountBridgeHandler.java:141) ~[?:?]
	at org.openhab.binding.icloud.handler.ICloudAccountBridgeHandler.lambda$1(ICloudAccountBridgeHandler.java:132) ~[?:?]
	at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) [?:?]
	at java.util.concurrent.FutureTask.runAndReset(FutureTask.java:308) [?:?]
	at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$301(ScheduledThreadPoolExecutor.java:180) [?:?]
	at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:294) [?:?]
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:?]
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:?]
	at java.lang.Thread.run(Thread.java:748) [?:?]
Caused by: org.eclipse.jetty.client.HttpResponseException: HTTP protocol violation: Authentication challenge without WWW-Authenticate header
	at org.eclipse.jetty.client.AuthenticationProtocolHandler$AuthenticationListener.onComplete(AuthenticationProtocolHandler.java:114) ~[?:?]
	at org.eclipse.jetty.client.ResponseNotifier.notifyComplete(ResponseNotifier.java:193) ~[?:?]
	at org.eclipse.jetty.client.ResponseNotifier.notifyComplete(ResponseNotifier.java:185) ~[?:?]
	at org.eclipse.jetty.client.HttpReceiver.terminateResponse(HttpReceiver.java:458) ~[?:?]
	at org.eclipse.jetty.client.HttpReceiver.responseSuccess(HttpReceiver.java:405) ~[?:?]
	at org.eclipse.jetty.client.http.HttpReceiverOverHTTP.messageComplete(HttpReceiverOverHTTP.java:277) ~[?:?]
	at org.eclipse.jetty.http.HttpParser.handleContentMessage(HttpParser.java:599) ~[?:?]
	at org.eclipse.jetty.http.HttpParser.parseContent(HttpParser.java:1526) ~[?:?]
	at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:1350) ~[?:?]
	at org.eclipse.jetty.client.http.HttpReceiverOverHTTP.parse(HttpReceiverOverHTTP.java:159) ~[?:?]
	at org.eclipse.jetty.client.http.HttpReceiverOverHTTP.process(HttpReceiverOverHTTP.java:120) ~[?:?]
	at org.eclipse.jetty.client.http.HttpReceiverOverHTTP.receive(HttpReceiverOverHTTP.java:70) ~[?:?]
	at org.eclipse.jetty.client.http.HttpChannelOverHTTP.receive(HttpChannelOverHTTP.java:90) ~[?:?]
	at org.eclipse.jetty.client.http.HttpConnectionOverHTTP.onFillable(HttpConnectionOverHTTP.java:115) ~[?:?]
	at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:283) ~[?:?]
	at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:108) ~[?:?]
	at org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:251) ~[?:?]
	at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:283) ~[?:?]
	at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:108) ~[?:?]
	at org.eclipse.jetty.io.SelectChannelEndPoint$2.run(SelectChannelEndPoint.java:93) ~[?:?]
	at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.executeProduceConsume(ExecuteProduceConsume.java:303) ~[?:?]
	at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.produceConsume(ExecuteProduceConsume.java:148) ~[?:?]
	at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.run(ExecuteProduceConsume.java:136) ~[?:?]
	at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:671) ~[?:?]
	at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:589) ~[?:?]
	... 1 more

Thank you very much for support in advance.

Had the same problem “Certificate not imported, alias already exists”, in that case on a Synology machine.

Having a look at post #53 procedure I realized my mistake.

I checked where my java is located and by doing a “which java”. I found it in

/volume1/@appstore/Java8/j2sdk-image/bin/java

So I changed to this directory.
WRONG! There is another java folder, the one which is relevant here:

/volume1/@appstore/Java8/j2sdk-image/jre/bin/java

So java exists two times :frowning:

Correct procedure on my Synology is:

echo -n | openssl s_client -servername fmipmobile.icloud.com -host fmipmobile.icloud.com -port 443 -prexit -showcerts 2>/dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /tmp/icloud2.crt
cd /tmp
csplit -f cert /tmp/icloud2.crt '/^-----BEGIN CERTIFICATE-----/' {*}
cd /var/packages/Java8/target/j2sdk-image
bin/keytool -importcert -file /tmp/cert01 -alias icloudfmi1 -trustcacerts -keystore ./jre/lib/security/cacerts -storepass changeit
bin/keytool -importcert -file /tmp/cert02 -alias icloudfmi2 -trustcacerts -keystore ./jre/lib/security/cacerts -storepass changeit

Several files are split, but keytool should really run only twice.

A hint for checking imported certificates is to check the date and time of the certificates file

/var/packages/Java8/target/j2sdk-image/jre/lib/security/cacerts
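The Synology procedure above (and the same steps in the earlier post) as one script; this is an added example, not code from the thread or from openHAB. It splits the fetched chain with awk instead of csplit so only cert01, cert02, ... are produced, picks the cacerts under jre/ when a JDK is installed (the JRE/JDK mix-up reported earlier in the thread), and skips aliases that already exist. The JAVA_HOME default and the /tmp paths are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: fetch the chain the way the posts above do,
# split it into one file per certificate and import each into the right cacerts.
set -eu
# Split a PEM bundle into OUTDIR/cert01, cert02, ...; prints how many.
split_pem_bundle() {
    bundle=$1; outdir=$2
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /^-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert%02d", dir, n); inside = 1 }
        inside { print > f }
        /^-----END CERTIFICATE-----/ { inside = 0; close(f) }
    ' "$bundle"
    ls "$outdir" | grep -c '^cert[0-9][0-9]$' || true
}

# cacerts used by the runtime behind a java binary. A JDK ships bin/java and
# jre/bin/java; the jre/ copy is the one the JVM reads, so prefer it.
cacerts_for_java() {
    home=$(cd "$(dirname "$1")/.." && pwd)
    if [ -f "$home/jre/lib/security/cacerts" ]; then
        echo "$home/jre/lib/security/cacerts"
    else
        echo "$home/lib/security/cacerts"
    fi
}

# Import each split certificate; an alias that is already present is
# reported and skipped instead of aborting with "alias already exists".
import_certs() {
    outdir=$1; cacerts=$2; storepass=${3:-changeit}
    for f in "$outdir"/cert*; do
        n=${f##*/cert}; alias="icloudfmi${n#0}"
        if keytool -list -keystore "$cacerts" -storepass "$storepass" -alias "$alias" >/dev/null 2>&1; then
            echo "alias $alias already present in $cacerts, skipping"
        else
            keytool -importcert -noprompt -file "$f" -alias "$alias" -trustcacerts \
                -keystore "$cacerts" -storepass "$storepass"
        fi
    done
}
fetch_and_import() {
    java_home=${JAVA_HOME:-/var/packages/Java8/target/j2sdk-image}   # assumed: Synology Java8 package
    echo -n | openssl s_client -servername fmipmobile.icloud.com \
        -connect fmipmobile.icloud.com:443 -showcerts 2>/dev/null \
        | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /tmp/icloud2.crt
    split_pem_bundle /tmp/icloud2.crt /tmp/icloud-certs >/dev/null
    cacerts=$(cacerts_for_java "$java_home/bin/java")
    import_certs /tmp/icloud-certs "$cacerts"
    ls -l "$cacerts"   # the mtime shows which cacerts file was actually changed
}
if [ "${1:-}" = "--run" ]; then fetch_and_import; fi
```

Run it with `--run` as root on the Synology; without the flag it only defines the functions.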

iCloud Binding including .things and .items is running since today after update to latest snapshot
openHAB 2.4.0~20181106171044-1 (Build #1414).

Now I can start with Presence detection by iCloud. Thanks for again good job to @martinvw.

Please note that all workarounds above should not be needed anymore when using the snapshot version, because some changes in the framework and the binding were merged which resolve this.

My local environment is completely happy (without any workarounds) :slight_smile:

I get this status: OFFLINE - COMMUNICATION_ERROR java.util.concurrent.ExecutionException: org.eclipse.jetty.client.HttpResponseException: HTTP protocol violation: Authentication challenge

With snapshot 1428

#1425 is also not working:

2018-11-18 18:07:52.829 [WARN ] [l.handler.ICloudAccountBridgeHandler] - Unable to refresh device data
java.io.IOException: java.util.concurrent.ExecutionException: org.eclipse.jetty.client.HttpResponseException: HTTP protocol violation: Authentication challenge without WWW-Authenticate header

openHAB 2.4.0~M5-1 (Milestone Build) also not working

The iCloud binding worked fine with Build #1414, but after switching to #1425 it stopped working. Then, with Milestone build #M5 freshly installed, I got the following failure text for the iCloud bridge in Paper UI:
OFFLINE - COMMUNICATION_ERROR java.util.concurrent.ExecutionException: javax.net.ssl.SSLHandshakeException: General SSLEngine problem.

Log from Frontail:

2018-11-19 23:18:16.808 [WARN ] [d.handler.ICloudAccountBridgeHandler] - Unable to refresh device data
	at org.openhab.binding.icloud.internal.ICloudConnection.requestDeviceStatusJSON(ICloudConnection.java:68) ~[?:?]
	at org.openhab.binding.icloud.handler.ICloudAccountBridgeHandler.lambda$0(ICloudAccountBridgeHandler.java:81) ~[?:?]
	at org.openhab.binding.icloud.handler.ICloudAccountBridgeHandler.refreshData(ICloudAccountBridgeHandler.java:132) ~[?:?]
	at org.openhab.binding.icloud.handler.ICloudAccountBridgeHandler.lambda$1(ICloudAccountBridgeHandler.java:123) ~[?:?]
2018-11-19 23:21:36.128 [hingStatusInfoChangedEvent] - 'icloud:account:f4bc670e' changed from OFFLINE (COMMUNICATION_ERROR): java.util.concurrent.ExecutionException: javax.net.ssl.SSLHandshakeException: General SSLEngine problem to UNINITIALIZED
2018-11-19 23:21:36.143 [hingStatusInfoChangedEvent] - 'icloud:account:f4bc670e' changed from UNINITIALIZED to UNINITIALIZED (HANDLER_MISSING_ERROR)

I’m running openHAB on a Synology DS415+ (DSM 6.2.1-23824 Update 1). The iCloud binding started working again with your snapshot version, thanks! But after a few hours openHAB’s responsiveness slowed down considerably until it stopped working altogether and the Basic UI page wouldn’t open anymore. Once I uninstalled the iCloud snapshot everything was back to normal.
Usually openHAB uses below 1% of CPU, with the binding running it was up to around 20%.

I can reproduce this by putting a wrong email/password, please check carefully.

It is not part of M5 and I’m surprised that was solved for you in build 1414 because the openHAB changes were only merged on the 8th of November, so after you posted that it was solved for you, but I did not want to disturb that party :slight_smile:

Given all the confusion above, what version are you running, the one I posted somewhere or a pure one from the snapshot repository?

I’m running version:

275 │ Active   │  80 │ 2.4.0.201811202338     │ iCloud Binding

I rechecked. PW is correct. HOWEVER I am using Apple 2FA. I created an application password and use this. But it gives the error.

206 │ Active │ 80 │ 2.4.0.201811221535 │ iCloud Binding