feat: expert option to disable TLS cert validation of HA WS server

zehnm · zehnm · commit 23a2ab74d7ae · 2025-09-09T14:29:23.000+02:00
Users are still using self-signed certificates in 2025...
A quick fix to disable certificate validation.
DISCOURAGED AND NOT RECOMMENDED! Please use Let's Encrpyt instead.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -8,11 +8,15 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 _Changes in the next release_
 
+### Added
+- Expert option to disable certificate validation of the Home Assistant WebSocket server connection.
+
 ---
 
 ## v0.12.2 - 2025-04-17
 ### Added
-- Propagate media player attribute `media_position_updated_at`.
+- Propagate media player attribute `media_position_updated_at` ([feature-and-bug-tracker#443](https://github.com/unfoldedcircle/feature-and-bug-tracker/issues/443)).
+
 ### Fixed
 - Media player `media_type` attribute value should be upper case to match entity documentation.
 ### Changed
diff --git a/src/configuration.rs b/src/configuration.rs
@@ -141,6 +141,10 @@ pub struct HomeAssistantSettings {
     // for data migration of existing configurations
     #[serde(default = "default_disconnect_in_standby")]
     pub disconnect_in_standby: bool,
+    /// Disables certificate verification for the Home Assistant WS connection.
+    // for data migration of existing configurations
+    #[serde(default = "default_disable_cert_validation")]
+    pub disable_cert_validation: bool,
 }
 
 impl Default for HomeAssistantSettings {
@@ -154,6 +158,7 @@ impl Default for HomeAssistantSettings {
             reconnect: Default::default(),
             heartbeat: Default::default(),
             disconnect_in_standby: default_disconnect_in_standby(),
+            disable_cert_validation: default_disable_cert_validation(),
         }
     }
 }
@@ -236,6 +241,9 @@ fn default_request_timeout() -> u8 {
 fn default_disconnect_in_standby() -> bool {
     true
 }
+fn default_disable_cert_validation() -> bool {
+    false
+}
 
 #[serde_as]
 #[derive(Clone, serde::Deserialize, serde::Serialize)]
diff --git a/src/controller/handler/ha_connection.rs b/src/controller/handler/ha_connection.rs
@@ -141,7 +141,7 @@ impl Handler<ConnectMsg> for Controller {
                     Ok((r, f)) => (r, f),
                     Err(e) => {
                         warn!("Could not connect to {url}: {e:?}");
-                        return Err(Error::new(ErrorKind::Other, e.to_string()));
+                        return Err(Error::other(e.to_string()));
                     }
                 };
                 info!("Connected to: {url} ({heartbeat})");
diff --git a/src/controller/handler/setup.rs b/src/controller/handler/setup.rs
@@ -158,6 +158,9 @@ impl Handler<SetDriverUserDataMsg> for Controller {
             if let Some(value) = parse_value(&values, "ping_frames") {
                 cfg.heartbeat.ping_frames = value;
             }
+            if let Some(value) = parse_value(&values, "disable_cert_validation") {
+                cfg.disable_cert_validation = value;
+            }
             if let Some(value) = parse_value(&values, "reconnect.attempts") {
                 cfg.reconnect.attempts = value;
             }
@@ -501,6 +504,19 @@ impl Handler<RequestExpertOptionsMsg> for Controller {
                                       "value": self.settings.hass.heartbeat.ping_frames
                                     }
                                 }
+                            },
+                            {
+                                "id": "disable_cert_validation",
+                                "label": {
+                                    "en": "Disable certificate verification",
+                                    "de": "Zertifikatsüberprüfung deaktivieren",
+                                    "fr": "Désactiver la vérification des certificats"
+                                },
+                                "field": {
+                                    "checkbox": {
+                                      "value": self.settings.hass.disable_cert_validation
+                                    }
+                                }
                             }
                         ]
                     }
diff --git a/src/controller/mod.rs b/src/controller/mod.rs
@@ -145,6 +145,7 @@ impl Controller {
                 Duration::from_secs(settings.hass.connection_timeout as u64),
                 Duration::from_secs(settings.hass.request_timeout as u64),
                 matches!(url.scheme(), "wss" | "https"),
+                settings.hass.disable_cert_validation,
             ),
             ha_reconnect_duration: settings.hass.reconnect.duration,
             settings,
diff --git a/src/util/network.rs b/src/util/network.rs
@@ -30,6 +30,7 @@ pub fn new_websocket_client(
     connection_timeout: Duration,
     request_timeout: Duration,
     tls: bool,
+    disable_cert_validation: bool,
 ) -> awc::Client {
     if tls {
         // TLS configuration: https://github.com/actix/actix-web/blob/master/awc/tests/test_rustls_client.rs
@@ -44,7 +45,7 @@ pub fn new_websocket_client(
 
         // Disable TLS verification
         // Requires: rustls = { ... optional = true, features = ["dangerous_configuration"] }
-        if bool_from_env(ENV_DISABLE_CERT_VERIFICATION) {
+        if disable_cert_validation || bool_from_env(ENV_DISABLE_CERT_VERIFICATION) {
             config
                 .dangerous()
                 .set_certificate_verifier(Arc::new(danger::NoCertificateVerification {}));

Original file line number	Diff line number	Diff line change
`@@ -141,6 +141,10 @@ pub struct HomeAssistantSettings {`
`141`	`141`	`// for data migration of existing configurations`
`142`	`142`	`#[serde(default = "default_disconnect_in_standby")]`
`143`	`143`	`pub disconnect_in_standby: bool,`
	`144`	`+ /// Disables certificate verification for the Home Assistant WS connection.`
	`145`	`+ // for data migration of existing configurations`
	`146`	`+ #[serde(default = "default_disable_cert_validation")]`
	`147`	`+ pub disable_cert_validation: bool,`
`144`	`148`	`}`
`145`	`149`
`146`	`150`	`impl Default for HomeAssistantSettings {`
`@@ -154,6 +158,7 @@ impl Default for HomeAssistantSettings {`
`154`	`158`	`reconnect: Default::default(),`
`155`	`159`	`heartbeat: Default::default(),`
`156`	`160`	`disconnect_in_standby: default_disconnect_in_standby(),`
	`161`	`+ disable_cert_validation: default_disable_cert_validation(),`
`157`	`162`	`}`
`158`	`163`	`}`
`159`	`164`	`}`
`@@ -236,6 +241,9 @@ fn default_request_timeout() -> u8 {`
`236`	`241`	`fn default_disconnect_in_standby() -> bool {`
`237`	`242`	`true`
`238`	`243`	`}`
	`244`	`+fn default_disable_cert_validation() -> bool {`
	`245`	`+ false`
	`246`	`+}`
`239`	`247`
`240`	`248`	`#[serde_as]`
`241`	`249`	`#[derive(Clone, serde::Deserialize, serde::Serialize)]`
Original file line number	Diff line number	Diff line change
`@@ -141,7 +141,7 @@ impl Handler<ConnectMsg> for Controller {`
`141`	`141`	`Ok((r, f)) => (r, f),`
`142`	`142`	`Err(e) => {`
`143`	`143`	`warn!("Could not connect to {url}: {e:?}");`
`144`		`- return Err(Error::new(ErrorKind::Other, e.to_string()));`
	`144`	`+ return Err(Error::other(e.to_string()));`
`145`	`145`	`}`
`146`	`146`	`};`
`147`	`147`	`info!("Connected to: {url} ({heartbeat})");`
Original file line number	Diff line number	Diff line change
`@@ -158,6 +158,9 @@ impl Handler<SetDriverUserDataMsg> for Controller {`
`158`	`158`	`if let Some(value) = parse_value(&values, "ping_frames") {`
`159`	`159`	`cfg.heartbeat.ping_frames = value;`
`160`	`160`	`}`
	`161`	`+ if let Some(value) = parse_value(&values, "disable_cert_validation") {`
	`162`	`+ cfg.disable_cert_validation = value;`
	`163`	`+ }`
`161`	`164`	`if let Some(value) = parse_value(&values, "reconnect.attempts") {`
`162`	`165`	`cfg.reconnect.attempts = value;`
`163`	`166`	`}`
`@@ -501,6 +504,19 @@ impl Handler<RequestExpertOptionsMsg> for Controller {`
`501`	`504`	`"value": self.settings.hass.heartbeat.ping_frames`
`502`	`505`	`}`
`503`	`506`	`}`
	`507`	`+ },`
	`508`	`+ {`
	`509`	`+ "id": "disable_cert_validation",`
	`510`	`+ "label": {`
	`511`	`+ "en": "Disable certificate verification",`
	`512`	`+ "de": "Zertifikatsüberprüfung deaktivieren",`
	`513`	`+ "fr": "Désactiver la vérification des certificats"`
	`514`	`+ },`
	`515`	`+ "field": {`
	`516`	`+ "checkbox": {`
	`517`	`+ "value": self.settings.hass.disable_cert_validation`
	`518`	`+ }`
	`519`	`+ }`
`504`	`520`	`}`
`505`	`521`	`]`
`506`	`522`	`}`