Netatmo issues with certificate

Hi folks,

I’ve just updated from 1.6.2 to 1.7.1, and again the same issue with certificate:

2015-10-03 16:37:06.756 [ERROR] [g.openhab.io.net.http.HttpUtil] - Fatal transport error: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
2015-10-03 16:37:06.784 [ERROR] [.service.AbstractActiveService] - Error while executing background thread Netatmo Refresh Service
org.openhab.binding.netatmo.internal.NetatmoException: Could not refresh access token!
at org.openhab.binding.netatmo.internal.messages.AbstractRequest.newException(AbstractRequest.java:50) ~[na:na]
at org.openhab.binding.netatmo.internal.messages.RefreshTokenRequest.execute(RefreshTokenRequest.java:63) ~[na:na]
at org.openhab.binding.netatmo.internal.NetatmoBinding$OAuthCredentials.refreshAccessToken(NetatmoBinding.java:612) ~[na:na]
at org.openhab.binding.netatmo.internal.NetatmoBinding.execute(NetatmoBinding.java:105) ~[na:na]
at org.openhab.core.binding.AbstractActiveBinding$BindingActiveService.execute(AbstractActiveBinding.java:156) ~[na:na]
at org.openhab.core.service.AbstractActiveService$RefreshThread.run(AbstractActiveService.java:173) ~[na:na]
Caused by: java.lang.NullPointerException: null
at java.io.StringReader.<init>(StringReader.java:50) ~[na:1.8.0_31]
at org.codehaus.jackson.JsonFactory.createJsonParser(JsonFactory.java:636) ~[na:na]
at org.codehaus.jackson.map.ObjectMapper.readValue(ObjectMapper.java:1854) ~[na:na]
at org.openhab.binding.netatmo.internal.messages.RefreshTokenRequest.execute(RefreshTokenRequest.java:58) ~[na:na]
… 4 common frames omitted

I’ve already tried all ways to install the certificate, but unsuccessfully. I’m not understanding why I always have this issue with the binding, probably a missing configuration but I’m not able to find the problem.

Can you please help me?

Thanks

Andrea

Here is the certificate in my cacerts file (/usr/lib/jvm/java-8-oracle/jre/lib/security/cacerts):



Alias name: startcom-root-ca
Creation date: Oct 3, 2015
Entry type: trustedCertEntry

Owner: EMAILADDRESS=postmaster@netatmo.net, CN=api.netatmo.net, O=Netatmo LLC, L=Lewes, ST=Delaware, C=US, OID.2.5.4.13=ieXGGBU42pKmPQtQ
Issuer: CN=StartCom Class 2 Primary Intermediate Server CA, OU=Secure Digital Certificate Signing, O=StartCom Ltd., C=IL
Serial number: 19b61
Valid from: Tue Sep 10 03:59:49 CEST 2013 until: Thu Sep 10 23:53:26 CEST 2015
Certificate fingerprints:
MD5: 05:45:20:8C:67:F7:62:8B:1F:CD:3B:10:06:21:C6:77
SHA1: 70:8A:6A:79:60:38:D0:FA:FD:9A:5E:47:B1:0F:67:36:21:90:11:78
SHA256: 9D:35:DD:60:D2:4A:D2:6C:74:53:64:B2:87:32:DC:3F:97:FC:8F:58:CD:9B:2D:5D:9C:C9:A8:23:58:B0:B4:68
Signature algorithm name: SHA1withRSA
Version: 3

my openHAB instance is started by the user ‘openhab’ … but the file is readable for all, any issue here?

tried with the certificate on https://api.netatmo.net

sudo $JAVA_HOME/bin/keytool -import -keystore $JAVA_HOME/jre/lib/security/cacerts -alias StartCom-Root-CA -file api.netatmo.net.cer

the error message is:

2015-10-03 17:39:43.843 [ERROR] [.service.AbstractActiveService] - Error while executing background thread Netatmo Refresh Service
java.lang.NullPointerException: null
at org.openhab.binding.netatmo.internal.NetatmoBinding.execute(NetatmoBinding.java:206) ~[na:na]
at org.openhab.core.binding.AbstractActiveBinding$BindingActiveService.execute(AbstractActiveBinding.java:156) ~[na:na]
at org.openhab.core.service.AbstractActiveService$RefreshThread.run(AbstractActiveService.java:173) ~[na:na]

I have exactly the same issue with the latest 1.8.0 Snapshot from cloudless

I can confirm, also 1.8.0 has the issue.

trying to investigate if this is a problem of certificate itself

Andrea

andre1, at the moment Netatmo Binding is not working, correct?

@ariela
No, not really. While it worked once (during the first initial startup), it refuses to connect to Netatmo every time I restart the process now.

Maybe @ranielsen can bring some light into this?

I followed again the guide at https://github.com/openhab/openhab/wiki/Netatmo-Binding.
I also reset the keys in the netatmo API settings and now it works :slight_smile:

andre1 can you please explain a bit what you did?

at the moment I’m not receiving any data from my weather station :frowning:

I reset the keys, no way.

Also tried to reach the data manually: https://dev.netatmo.com/doc/methods/devicelist?access_token=xxxxxx

it works like a charm

via Binding, no way at the moment

open issue #3242 (https://github.com/openhab/openhab/issues/3242)

Andrea

I’m still running off of my PR request: https://github.com/openhab/openhab/pull/2891 which doesn’t have any issues. I’ll see if I can figure out what’s going on today.

This is caused by an update to Java. It appears that the update also reverts the cacerts file back to default. Oracle updates Java at least quarterly (see http://www.oracle.com/technetwork/topics/security/alerts-086861.htm), and whenever your system gets updated with a newer version of Java, you will need to re-install the StartCom CA certificate and restart openHAB. My guess is that this is the first time you restarted openHAB after the Java update, and it wasn’t actually related to the upgrade.

I’ve updated the pull request https://github.com/openhab/openhab/pull/2891 to give a better error message when this happens:

2015-10-04 13:09:10.800 [ERROR] [g.openhab.io.net.http.HttpUtil] - Fatal transport error: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
2015-10-04 13:09:10.804 [ERROR] [.service.AbstractActiveService] - Error while executing background thread Netatmo Refresh Service
org.openhab.binding.netatmo.internal.NetatmoException: Could not refresh access token! If you see 'Fatal transport error: javax.net.ssl.SSLHandshakeException' above. You need to install the StartCom CA certificate and restart openHAB. See https://github.com/openhab/openhab/wiki/Netatmo-Binding#missing-certificate-authority for more information.
    at org.openhab.binding.netatmo.internal.NetatmoBinding$OAuthCredentials.refreshAccessToken(NetatmoBinding.java:738) ~[na:na]
    at org.openhab.binding.netatmo.internal.NetatmoBinding.execute(NetatmoBinding.java:114) ~[na:na]
    at org.openhab.core.binding.AbstractActiveBinding$BindingActiveService.execute(AbstractActiveBinding.java:156) ~[na:na]
    at org.openhab.core.service.AbstractActiveService$RefreshThread.run(AbstractActiveService.java:173) ~[na:na]

Well in fact I didn’t update the Java version. Just updated openHAB from 1.6.2 to 1.7.1

And I’ve already tried a few times to reinstall the StartCom CA certificate, both ways. Also rebooted the system. Also reset the keys.

My update provides a better message for the initial problem described. It appears that you have a second problem that needs further investigation.

Solved. Thanks Rob for your effort here :smile:

Hi, can I ask you how you did it please? I tried with the StartCom certificate but it doesn’t work, and I didn’t understand how to download the ca.pem file from api.netatmo.net (with Windows 7 or at least with Raspberry).
Thank you very much!

Here’s a shell script I use with Linux:

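#!/bin/bash
# Import the StartCom root CA into the JVM trust store (cacerts).

# Writing to the system cacerts file requires root
if (( EUID != 0 )); then
    echo "This needs to be ran as root"
    exit 1
fi

export JAVA_HOME=/usr/lib/jvm/java-8-oracle

# Work in /tmp and discard any stale download
cd /tmp || exit 1
rm -f ca.pem

# Fetch the CA certificate; stop if the download fails
wget https://www.startssl.com/certs/ca.pem || exit 1

echo
echo "The password is: changeit"
echo
# keytool prompts for the keystore password and for confirmation before trusting the certificate
"$JAVA_HOME/bin/keytool" -import -keystore "$JAVA_HOME/jre/lib/security/cacerts" -alias StartCom-Root-CA -file ca.pem

rm -f ca.pem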
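
The keytool listing earlier in the thread and the import script above both turn on what actually sits under the StartCom-Root-CA alias in cacerts. As an added example (not part of the original posts or of openHAB), this shell function audits one keytool -list -v entry and reports a missing alias, which is what a cacerts file reverted by a Java update looks like, an entry whose Owner and Issuer differ, and an expiry date that has passed. The function names audit_entry and sample_entry are assumptions of this example; the sample header lines are copied from the listing in the thread.

```bash
#!/bin/bash
# Added example: audit one `keytool -list -v` entry before relying on it as a
# trusted root CA. Against a real store (path, alias, password from the thread):
#   keytool -list -v -keystore "$JAVA_HOME/jre/lib/security/cacerts" \
#       -storepass changeit -alias StartCom-Root-CA | audit_entry "$(date +%Y%m%d)"

# Prints one finding per line, or nothing when the entry looks like a current,
# self-signed root. $1 = today as YYYYMMDD; keytool output is read from stdin.
audit_entry() {
    awk -v today="$1" '
        BEGIN {
            split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", names, " ")
            for (i = 1; i <= 12; i++) month[names[i]] = i
        }
        /^Owner: /  { owner  = substr($0, 8) }
        /^Issuer: / { issuer = substr($0, 9) }
        /^Valid from: .* until: / {
            # Keep only "Thu Sep 10 23:53:26 CEST 2015"; the year is the last field.
            sub(/^.* until: /, "")
            n = split($0, f, " ")
            not_after = sprintf("%04d%02d%02d", f[n], month[f[2]], f[3])
        }
        END {
            # No Owner line: the alias is absent (keytool printed an error instead).
            if (owner == "") { print "NO_ENTRY"; exit }
            # A root CA is self-signed: Owner and Issuer are the same name.
            if (owner != issuer) print "NOT_SELF_SIGNED"
            # Day granularity only; the time zone in the listing is ignored.
            if (not_after != "" && not_after + 0 < today + 0) print "EXPIRED"
        }'
}

# Entry header copied from the listing earlier in the thread.
sample_entry() {
    cat <<'EOF'
Alias name: startcom-root-ca
Owner: EMAILADDRESS=postmaster@netatmo.net, CN=api.netatmo.net, O=Netatmo LLC, L=Lewes, ST=Delaware, C=US, OID.2.5.4.13=ieXGGBU42pKmPQtQ
Issuer: CN=StartCom Class 2 Primary Intermediate Server CA, OU=Secure Digital Certificate Signing, O=StartCom Ltd., C=IL
Valid from: Tue Sep 10 03:59:49 CEST 2013 until: Thu Sep 10 23:53:26 CEST 2015
EOF
}

# Audit the sample as of the date of the first log line in the thread.
sample_entry | audit_entry 20151003
```

An entry flagged NOT_SELF_SIGNED is a server or intermediate certificate stored under a root's alias; trusting it does not survive the server renewing its certificate.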

thanks a lot!

Why not implement that script, if possible, in the Binding, in order to solve that issue in case the Binding understands there is a problem with the certificate?

just an idea …