Innogy binding no longer working, java error (certificate)

Hi,

I installed openHAB 2.3.0.005 and the innogy binding 2.3.0 on a Synology station.
It ran for some weeks without problems. Without changing any configurations or updating any bindings or files, the innogy SmartHome Controller reports the following error:

Status: OFFLINE - COMMUNICATION_ERROR sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

the log reports the following error:
18:56:53.432 [ERROR] [smarthome.handler.InnogyBridgeHandler] - Error initializing innogy SmartHome client.
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) [?:?]
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1917) [?:?]
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:301) [?:?]
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:295) [?:?]
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1369) [?:?]
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:156) [?:?]
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:925) [?:?]
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:860) [?:?]
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1043) [?:?]
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1343) [?:?]
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1371) [?:?]
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1355) [?:?]
    at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563) [?:?]
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185) [?:?]
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:153) [?:?]
    at com.google.api.client.http.javanet.NetHttpRequest.execute(NetHttpRequest.java:93) [207:org.openhab.binding.innogysmarthome:2.3.0]
    at com.google.api.client.http.HttpRequest.execute(HttpRequest.java:981) [207:org.openhab.binding.innogysmarthome:2.3.0]
    at org.openhab.binding.innogysmarthome.internal.client.InnogyClient.executeGet(InnogyClient.java:283) [207:org.openhab.binding.innogysmarthome:2.3.0]
    at org.openhab.binding.innogysmarthome.internal.client.InnogyClient.initializeSession(InnogyClient.java:181) [207:org.openhab.binding.innogysmarthome:2.3.0]
    at org.openhab.binding.innogysmarthome.internal.client.InnogyClient.initialize(InnogyClient.java:134) [207:org.openhab.binding.innogysmarthome:2.3.0]
    at org.openhab.binding.innogysmarthome.handler.InnogyBridgeHandler$Initializer.run(InnogyBridgeHandler.java:107) [207:org.openhab.binding.innogysmarthome:2.3.0]
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) [?:?]
    at java.util.concurrent.FutureTask.run(FutureTask.java:266) [?:?]
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180) [?:?]
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293) [?:?]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [?:?]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [?:?]
    at java.lang.Thread.run(Thread.java:745) [?:?]
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387) ~[?:?]
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292) ~[?:?]
    at sun.security.validator.Validator.validate(Validator.java:260) ~[?:?]
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324) ~[?:?]
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229) ~[?:?]
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124) ~[?:?]
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1351) ~[?:?]
    ... 23 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:145) ~[?:?]
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:131) ~[?:?]
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280) ~[?:?]
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382) ~[?:?]
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292) ~[?:?]
    at sun.security.validator.Validator.validate(Validator.java:260) ~[?:?]
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324) ~[?:?]
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229) ~[?:?]
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124) ~[?:?]
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1351) ~[?:?]
    ... 23 more

Can someone give me a hint or a step-by-step guide to solve the cert problem on a sync-station?
Thank you

I’m afraid I can’t help with specifics but I did find the following which might be helpful.

Thank you Rich,

I imported the certificates to my syno-station, but the error still exists. Maybe I have to import them to the openhab-docker. I have no idea how to do that.

Yes, OH also needs to have the cert in its trust store or else it won’t trust the cert coming from the station.

I don’t know how to do it permanently in Docker. You can do it temporarily by opening a terminal into the running container and issuing the commands, but you will have to do it again next time you create a new container (e.g. upgrade).

docker exec -it openhab2 /bin/bash

Hi Rich,

Got it.
I imported the wrong certificate.
After importing the innogy certificate (saved with Firefox and imported with the keytool command) and restarting openHAB, reconfiguring the innogysmarthome-station, the certificate was accepted and the station is online again.
Thank you for the tips


Hi Winnie,

I am struggling with the same issue - but with less Linux skills :wink:
Can you please give me some more hints: which certificate did you use? (is it the one for *.innogy-smarthome.de ?) And what were your parameters for the keytool?

Thank you!

Hi Nik,

Yes, it is the certificate from *.innogy-smarthome.de.

Open a terminal and log in via ssh.
Then type:

keytool -importcert -alias "yourcertificatename" -file pathtoyourcertificate/yourcertificatename
If it does not work, type first:
-keystore yourjavahome/lib/security/cacerts <- depending on your Java certs path (yourjavahome is variable)

Maybe you have to try it with:
sudo keytool -importcert -alias "your certificate…
First type your root password, next the Java standard pass.
The standard pass of the keystore is “changeit”.

greets
Winniele

Hi Winnile,

thank you for your hints - this worked for me with one additional thing: I had to import the certificates for innogy.com and digicert (root CA of the innogy certificates) as well. Now I am back online (most likely until mid-July 2019, when the current innogy certificate expires…)

Greets & thumbs up
Nik
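
Nik's observation above, that the server certificate alone was not enough and the issuing CA certificates had to be imported as well, as an added example (not code from this thread or from openHAB). It splits a PEM bundle, such as a certificate chain exported from the browser, into single certificates and imports each one under its own alias. The file name chain.pem, the alias prefix and the keystore path are placeholders; "changeit" is the default store password mentioned in the thread.

```shell
#!/bin/sh
# Added example: import every certificate of a PEM bundle into a Java truststore.
# Assumptions: bundle name, alias prefix and cacerts path are placeholders.

# Split a PEM bundle into DIR/cert-1.pem, DIR/cert-2.pem, ... and print the count.
# Text outside the BEGIN/END markers (subject or issuer comments) is dropped.
split_pem_bundle() {
    bundle=$1 dir=$2
    mkdir -p "$dir"
    awk -v dir="$dir" '
        { sub(/\r$/, "") }   # tolerate CRLF line endings from a Windows export
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; inside = 1 }
        inside { print > out }
        /-----END CERTIFICATE-----/ { inside = 0; close(out) }
        END { print n + 0 }
    ' "$bundle"
}

# Import each split certificate under its own alias (PREFIX-1, PREFIX-2, ...).
# -noprompt is left out on purpose: keytool shows each fingerprint and asks first.
import_chain() {
    bundle=$1 prefix=$2 keystore=$3 storepass=${4:-changeit}
    tmp=$(mktemp -d) || return 1
    count=$(split_pem_bundle "$bundle" "$tmp")
    if [ "$count" -eq 0 ]; then
        echo "no certificates found in $bundle" >&2
        rm -rf "$tmp"; return 1
    fi
    i=1
    while [ "$i" -le "$count" ]; do
        keytool -importcert -alias "$prefix-$i" -file "$tmp/cert-$i.pem" \
            -keystore "$keystore" -storepass "$storepass" || { rm -rf "$tmp"; return 1; }
        i=$((i + 1))
    done
    rm -rf "$tmp"
    echo "$count"
}

# Usage: sh import-chain.sh chain.pem innogy /path/to/jre/lib/security/cacerts
if [ "$#" -ge 3 ]; then
    import_chain "$@"
fi
```

Compare the fingerprint keytool prints for each certificate with the one the browser shows before answering yes. When run inside a Docker container, the import changes only that container's truststore and has to be repeated after the container is recreated.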