core: SSL handshake Fail

@conklech I’m sorry but this issue is rather important for devs that use HA extensively. It effectively renders loggers unusable, which would otherwise show you real problems. Now, given the amount of logs that should not be there you just ignore it completely being unable to sniff other real issues.

If it wasn’t important you wouldn’t see it being the most bumped Home Assistant issue and so many people chiming in.

I was seeing the SSL: HTTP_REQUEST error that this issue is directed to. I had recently enabled SSL, and had a browser tab open somewhere to http://localhost:8123/ that was trying to reconnect. As soon as I closed that tab, the errors went away.

I agree with @namadori: The real issue here is that failed client connections should not show up in the log as scary six-line “ERROR” messages. Home Assistant isn’t doing anything wrong; it’s correctly failing/rejecting an improper connection attempt. I’d like to filter this error or downgrade it to DEBUG.

I have the same issue.

0.81 on RPi3, HassIO.

http:
     base_url: <myduckdnsname>.duckdns.org
     ssl_certificate: /ssl/fullchain.pem
     ssl_key: /ssl/privkey.pem
     ssl_profile: intermediate

Notes:

1. Traffic to port 443 on my external router interface is forwarded to port 8123 on my HassIO platform.
2. Traffic to port 8123 on my external router interface is also forwarded to port 8123 on my HassIO platform.
3. I have tried various permutations of base_url, including, but not limited to:
   • https://<myduckdnsname>.duckdns.org
   • https://<myduckdnsname>.duckdns.org:443
   • https://<myduckdnsname>.duckdns.org:8123
   • <myduckdnsname>.duckdns.org:443
   • <myduckdnsname>.duckdns.org:8123

2018-10-29 15:35:27 ERROR (MainThread) [homeassistant.core] Error doing job: SSL handshake failed
 Traceback (most recent call last):
   File "uvloop/handles/stream.pyx", line 609, in uvloop.loop.UVStream._on_eof
   File "uvloop/sslproto.pyx", line 171, in uvloop.loop._SSLPipe.feed_ssldata
   File "/usr/local/lib/python3.6/ssl.py", line 689, in do_handshake
     self._sslobj.do_handshake()
 ssl.SSLError: [SSL: HTTP_REQUEST] http request (_ssl.c:841)
 2018-10-29 15:35:27 ERROR (MainThread) [homeassistant.core] Error doing job: SSL error errno:1 reason: HTTP_REQUEST
 Traceback (most recent call last):
   File "uvloop/sslproto.pyx", line 504, in uvloop.loop.SSLProtocol.data_received
   File "uvloop/sslproto.pyx", line 204, in uvloop.loop._SSLPipe.feed_ssldata
   File "uvloop/sslproto.pyx", line 171, in uvloop.loop._SSLPipe.feed_ssldata
   File "/usr/local/lib/python3.6/ssl.py", line 689, in do_handshake
     self._sslobj.do_handshake()
 ssl.SSLError: [SSL: HTTP_REQUEST] http request (_ssl.c:841)

Ok, same here - for the second time around. Why do bugs like this stay open for over 6 months while not being solved in later releases?

I had this error but resolved it by

• using “virtual servers” instead of “Port triggering” on my router
• following this guide https://help.konnected.io/support/solutions/articles/32000023964-set-up-hass-io-with-secure-remote-access-using-duckdns-and-nginx-proxy.

Give NginX SSL Proxy a try if you are stuck on this issue.

I was seeing the SSL: HTTP_REQUEST error that this issue is directed to. I had recently enabled SSL, and had a browser tab open somewhere to http://localhost:8123/ that was trying to reconnect. As soon as I closed that tab, the errors went away.

I agree with @namadori: The real issue here is that failed client connections should not show up in the log as scary six-line “ERROR” messages. Home Assistant isn’t doing anything wrong; it’s correctly failing/rejecting an improper connection attempt. I’d like to filter this error or downgrade it to DEBUG.

THANK YOU! This was messing with my log (and head) badly. I thought I made a mistake along my journey of migrating from my RPi3 to my Qnap NAS Docker installation. I closed the non-SSL tab and the errors went POOF! 🙂

I still agree with @namadori that this should not be recorded in the logs as it is in the current way.

Just a “me too” to bump the issue. Same configuration as anyone on Hassio with DuckDNS add-on and standard configuration.

My 2 cents: if this is simply “stuff” (plugins, random people on the net, hackers…) trying to connect to HA in HTTP and not HTTPS, the “handshake failed” error is not really an error, but only a refused connection… can’t HA simply stop logging it?

2019-01-29 21:31:49 ERROR (MainThread) [homeassistant.core] Error doing job: SSL handshake failed
Traceback (most recent call last): 
File "uvloop/handles/stream.pyx", line 609, in uvloop.loop.UVStream._on_eof 
File "uvloop/sslproto.pyx", line 171, in uvloop.loop._SSLPipe.feed_ssldata 
File "/usr/local/lib/python3.6/ssl.py", line 689, in do_handshake self._sslobj.do_handshake() 
ssl.SSLError: [SSL: HTTP_REQUEST] http request (_ssl.c:841) 

2019-01-29 21:31:49 ERROR (MainThread) [homeassistant.core] Error doing job: SSL error errno:1 reason: HTTP_REQUEST Traceback (most recent call last): 
File "uvloop/sslproto.pyx", line 504, in uvloop.loop.SSLProtocol.data_received 
File "uvloop/sslproto.pyx", line 204, in uvloop.loop._SSLPipe.feed_ssldata 
File "uvloop/sslproto.pyx", line 171, in uvloop.loop._SSLPipe.feed_ssldata 
File "/usr/local/lib/python3.6/ssl.py", line 689, in do_handshake self._sslobj.do_handshake() 
ssl.SSLError: [SSL: HTTP_REQUEST] http request (_ssl.c:841)

Just FYI, rather than write multiple comments I think it make sense to put a 👍 reaction to the initial comment/summary.

@jeffehobbs @sirs2k There are over a thousand open issues. This one only results in log spam. Such comments are not constructive.

That said, there are three paths to resolution, as I outlined earlier in this thread:

1. For users: Something is trying to connect to your server over HTTP instead of HTTPS. If it’s yours, make it stop. If it isn’t yours, mark it down as a failed intrusion attempt.
2. For developers: Figure out how to catch the exception and provide a more helpful message; preferably graded warning or debug.
3. For writers: Document that this message does not indicate anything wrong with HA, but rather something wrong with a client, and get that documentation posted somewhere visible.

Had the same issue and resolved by:

• Making sure that my 8123 is forwarded to 8123
• Setting the base_url: https://[My_domain].com (Note no port)
• Setting the ssl_certificate: /ssl/fullchain.pem and ssl_key: /ssl/privkey.pem
• Making sure I go to https😕/[My_domain].com:8123 (Double check if you get ssl.SSLError: [SSL: HTTP_REQUEST] http request (_ssl.c:841))

I don’t think that adding multiple issues for the same issue is an option as these would simply be closed as duplicate. Bumping the issue with reaction seems like a reasonable option. The issue that has most 👍 so far has only 11 of them so eventually we can bring this to attention. I agree that this issue is really troublesome.