Icloud binding - General SSLEngine problem

Hi,

similar issue here.
release build of 2.3 with icloud binding 2.3.
Issue started at 2018-07-24 16:59:34 after restarting OH2, before this restart everything was just fine.
Using the binding without issues (except for one GUI glitch in paperUI https://community.openhab.org/t/paperui-and-icloud-binding-multiple-devices-in-same-location-in-paperui-not-correctly-show-in-paperui/47621?u=chri46) for weeks.

2018-07-24 16:59:34.283 [WARN ] [d.handler.ICloudAccountBridgeHandler] - Unable to refresh device data
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) ~[?:?]
	at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1964) ~[?:?]
	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:328) ~[?:?]
	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:322) ~[?:?]
	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1614) ~[?:?]
	at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216) ~[?:?]
	at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052) ~[?:?]
	at sun.security.ssl.Handshaker.process_record(Handshaker.java:987) ~[?:?]
	at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072) ~[?:?]
	at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385) ~[?:?]
	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413) ~[?:?]
	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397) ~[?:?]
	at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559) ~[?:?]
	at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185) ~[?:?]
	at sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnection.java:1334) ~[?:?]
	at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1309) ~[?:?]
	at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:259) ~[?:?]
	at org.openhab.binding.icloud.internal.Connection.postRequest(Connection.java:95) ~[?:?]
	at org.openhab.binding.icloud.internal.Connection.requestDeviceStatusJSON(Connection.java:55) ~[?:?]
--
	at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397) ~[?:?]
	at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302) ~[?:?]
	at sun.security.validator.Validator.validate(Validator.java:260) ~[?:?]
	at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324) ~[?:?]
	at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229) ~[?:?]
	at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124) ~[?:?]
	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1596) ~[?:?]
	... 26 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141) ~[?:?]
	at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126) ~[?:?]
	at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280) ~[?:?]
	at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392) ~[?:?]
	at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302) ~[?:?]
	at sun.security.validator.Validator.validate(Validator.java:260) ~[?:?]
	at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324) ~[?:?]
	at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229) ~[?:?]
	at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124) ~[?:?]
	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1596) ~[?:?]
	... 26 more

and a similar error message when “SSLpoking” fmipmobile.icloud.com:

i@openhab:~ $ java SSLPoke fmipmobile.icloud.com 443
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
	at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
	at sun.security.validator.Validator.validate(Validator.java:262)
	at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
	at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
	at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1596)
	at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
	at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052)
	at sun.security.ssl.Handshaker.process_record(Handshaker.java:987)
	at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072)
	at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385)
	at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:757)
	at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:123)
	at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:138)
	at SSLPoke.main(SSLPoke.java:31)
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
	at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
	at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
	at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
	... 15 more
pi@openhab:~ $ 

SSLPoke of icloud.com is just fine:

pi@openhab:~ $ java SSLPoke icloud.com 443
Successfully connected

This issue is breaking half of my automation, since I changed to presence detection with icloud binding.

Same here

Same issue here!
But mine started around 10, when it wouldn’t update my location! When I got home from work I opened openHAB, and in the log there are a lot of faults; then when I opened Things there was a fault that it could not connect with iCloud…
I restarted openHAB, no solution; then I deleted the binding, but no solution.
I have the openHAB release build 2.3.0.
I will post my warnings tonight.

Same here… :frowning:

and here!

Looks like we have 3 threads on the same issue.
-> Sysinfo-Binding in OH2

When you browse to fmipmobile.icloud.com you will find: “Http/1.1 Service Unavailable”. So maybe it is not an openHAB issue but an Apple issue?

And here Openhab 2.3 STABLE since 30 Jan 2018. iCloud Binding failed 16 July 2018.

I think the easiest and quickest fix would be to disable certificate checking in the binding or add apple’s root certificate to the certificate store of your java environment.

If someone could elaborate on that it would be great :slight_smile: If really no one can I will try to give it a go tonight.


Thanks @martinvw

Added the apple cert to the java cert store already.
As stated earlier:

SSLPoke of icloud.com is just fine:

pi@openhab:~ $ java SSLPoke icloud.com 443
Successfully connected

If something were wrong with the certificates in the java environment, then SSLPoke to icloud.com should fail in the same way as for:

“SSLpoking” fmipmobile.icloud.com:


pi@openhab:~ $ java SSLPoke fmipmobile.icloud.com 443
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
	at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
	at sun.security.validator.Validator.validate(Validator.java:262)
	at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
	at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
	at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1596)
	at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
	at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052)
	at sun.security.ssl.Handshaker.process_record(Handshaker.java:987)
	at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072)
	at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385)
	at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:757)
	at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:123)
	at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:138)
	at SSLPoke.main(SSLPoke.java:31)
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
	at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
	at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
	at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
	... 15 more
pi@openhab:~ $

I added the cert to my keystore too the moment I checked the url with a browser and thought it might be a fault on apple’s side.

If the keystore for openhabian is right at “/var/lib/openhab2/etc/keystore”, it should be imported.

But the exception stays.


echo -n | openssl s_client -connect fmipmobile.icloud.com:443 -prexit 2>/dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /tmp/icloud2.crt


sudo keytool -importcert -file /tmp/icloud2.crt -alias icloudfmi -keystore /var/lib/openhab2/etc/keystore -storepass openhab

For the ones who want to try and fail as well, but it could be a start for @martinvw

tcpdump:

rename the file to *.pcap
cert_failure.pdf (6.4 KB)

Same issue here, no change at my end just started around two days ago.

Should be inserted in the java cacerts store, but still does not do the trick:

sudo $JAVA_HOME/bin/keytool -import -keystore $JAVA_HOME/jre/lib/security/cacerts -alias icloud2-Root-CA -file /tmp/icloud2.crt 

Hi all,

no details, as I am writing using the phone - but I was able to get it working again by importing both certificates … will post a how to from my computer tomorrow …

regards,
Patrik

Indeed, that is similar to what I read in other places: somehow the whole chain is needed in most cases.

I started using the way described by @apfelflo89. It looks good, but the trouble is that there are multiple hosts behind the single IP, so a servername param has to be passed; then it’s easier. I first got the *.icloud.com certificate from the openssl command, which was not the one we actually got when running.

echo -n | openssl s_client -servername fmipmobile.icloud.com -host fmipmobile.icloud.com -port 443 -prexit -showcerts 2>/dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /tmp/icloud2.crt
cd /tmp

csplit -f cert /tmp/icloud2.crt '/^-----BEGIN CERTIFICATE-----/' {*}

cd /usr/lib/java-8   # back to the java dir, in my case /usr/lib/java-8
bin/keytool -importcert -file /tmp/cert01 -alias icloudfmi1 -trustcacerts -keystore ./jre/lib/security/cacerts -storepass changeit
bin/keytool -importcert -file /tmp/cert02 -alias icloudfmi2 -trustcacerts -keystore ./jre/lib/security/cacerts -storepass changeit

My account is now online, and after forcing a refresh by updating my accounts my devices came online as well. Thanks for the fragments of tips and tricks and good luck solving it locally.

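An added example, not code from this thread or from the openHAB project, that scripts the procedure above end to end: fetch the chain with SNI, split it with plain awk instead of csplit, print each certificate's subject, issuer and expiry, and then import only the CA certificates (cert-2 onward). The leaf (cert-1) is deliberately skipped: a trust-store entry for the leaf works today but stops working the day that leaf expires, which is usually much sooner than the issuing CA, so this also answers the question of how long a manual import keeps working (read the notAfter line). Assumed, and not taken from the thread: openssl and keytool on PATH, the Java 8 jre/lib/security/cacerts layout with the default password changeit (Java 9+ uses lib/security/cacerts), and the HOST, PORT, CACERTS, STOREPASS and WORK variables, all overridable from the environment.

```shell
#!/bin/sh
# Added example (not the thread's or openHAB's code). Assumptions: openssl and keytool
# on PATH, Java 8 cacerts layout and default store password; all settable via env.
set -u

HOST="${HOST:-fmipmobile.icloud.com}"
PORT="${PORT:-443}"
CACERTS="${CACERTS:-${JAVA_HOME:-/usr/lib/jvm/default-java}/jre/lib/security/cacerts}"
STOREPASS="${STOREPASS:-changeit}"
WORK="${WORK:-/tmp/icloud-chain}"

# Fetch every certificate the server presents for this name. -servername (SNI) matters:
# several icloud hosts share one IP, and the non-SNI default certificate is a different one.
fetch_chain() {
    openssl s_client -servername "$HOST" -connect "$HOST:$PORT" -showcerts </dev/null 2>/dev/null \
        | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
}

# Split a PEM bundle on stdin into <dir>/cert-N.pem (N from 1, server order: leaf first)
# and print the number of certificates found. Plain awk so it works without csplit.
split_chain() {
    dir="$1"
    mkdir -p "$dir"
    awk -v dir="$dir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%d.pem", dir, n) }
        n > 0                         { print > out }
        /-----END CERTIFICATE-----/   { close(out) }
        END                           { print n + 0 }'
}

# Subject, issuer and expiry of one certificate: the issuer tells you which CA is actually
# missing from the store, and the expiry is how long a manual import keeps working.
describe_cert() {
    openssl x509 -in "$1" -noout -subject -issuer -enddate
}

# Import one certificate as a trusted entry. -noprompt skips the interactive
# "Trust this certificate?" question; -trustcacerts lets keytool use the store's existing roots.
import_cert() {
    keytool -importcert -noprompt -trustcacerts -file "$1" -alias "$2" \
        -keystore "$CACERTS" -storepass "$STOREPASS"
}

main() {
    count=$(fetch_chain | split_chain "$WORK")
    [ "$count" -gt 0 ] || { echo "no certificates received from $HOST:$PORT" >&2; exit 1; }
    i=1
    while [ "$i" -le "$count" ]; do
        echo "== cert-$i.pem"; describe_cert "$WORK/cert-$i.pem"
        i=$((i + 1))
    done
    # Import only the CA certificates (2..N). Importing the leaf (cert-1) also works,
    # but stops working when the leaf expires, which is usually much sooner.
    i=2
    while [ "$i" -le "$count" ]; do
        import_cert "$WORK/cert-$i.pem" "icloud-chain-$i"
        i=$((i + 1))
    done
}

# Only touch the network and the trust store when explicitly asked: sh import-chain.sh run
if [ "${1:-}" = run ]; then main; fi
```

Whatever goes into cacerts is trusted for every TLS connection that JVM makes, not just the iCloud binding, so compare the subject and issuer lines the script prints with what the same openssl command shows from a different machine or network before importing, and prefer importing the intermediate or root over the leaf.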

Thanks for the summary martinvw, worked great for me!

Thanks for the tutorial @martinvw

I´m back online too, thanks for looking in to it!

Did you find information about how long the certificate will be valid?