config_builder SSL issues with dyson API

[Scaredycrow]

Hi There,

This is a heads-up, I don't believe the issue I'm facing is your code, but thought I'd report it.

When running the config builder I currently get errors relating to ssl validation failures.

ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1131)

However, this is because dyson has incorrectly applied their certificate which can be verified with curl and openssl:

~$ curl https://appapi.cp.dyson.com
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

~$ openssl s_client -servername appapi.cp.dyson.com -connect appapi.cp.dyson.com:443
CONNECTED(00000003)
depth=0 C = GB, L = Malmesbury, O = Dyson Limited, CN = *.dyson.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = GB, L = Malmesbury, O = Dyson Limited, CN = *.dyson.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:C = GB, L = Malmesbury, O = Dyson Limited, CN = *.dyson.com
   i:C = US, O = DigiCert Inc, CN = DigiCert TLS RSA SHA256 2020 CA1
---

This can be further validated using ssllabs which reports the same:

[seanrees]

Thanks for filing :-)

I'm pretty sure this was addressed by shenxn/libdyson#14 which imported the new DigiCert certificates. I pushed release 0.3.2 to pick up this change (https://github.com/seanrees/prometheus-dyson/releases/tag/v0.3.2). I'm guessing you're having issues?

If you're building from source you'll likely need to upgrade libdyson -- running bazel clean followed by a build ought to do it, or pip3 install -U libdyson if not using bazel.

[Scaredycrow]

Thanks for the response.

I'm using the precompiled .deb v0.3.2. on a clean ubuntu server 20.04.3 LTS install.

Just tested after running the pip3 upgrade for libdyson, no change unfortunately.

[seanrees]

Got it, thanks! Verified the issue and raised a PR (shenxn/libdyson#16) to fix.

As soon as that goes in & there's a fresh release of libdyson, I'll re-release 0.3.3 of prometheus-dyson :-)

[Scaredycrow]

hi @seanrees Is there an update on this issue? I can see that:

• The reference PR above is closed
• The SSL certificates when using curl are no longer showing an error

However the config_builder still fails with the same errors.

Happy to assist with testing etc.

[seanrees]

Happy New Year :)

I just published v0.3.3 which picks up a new libdyson, which hopefully should resolve the certificate errors for you. Care to give it a whirl?

[Scaredycrow]

Thanks, and happy new year!

0.3.3 solves the SSL issue!

However I'm seeing a new issue with the OTP validation. I'll go ahead and open a new issue for that.