andrewfg (Contributor) commented Sep 28, 2025

The new Hue Bridge (black) version 3 uses a different certificate chain than the older version 1 and 2 bridges. The new chain has a three-link chain, and unfortunately Signify does not (yet) supply the intermediate certificate.

This PR is a workaround for the time being until Signify does (eventually) supply the missing intermediate certificate. On v3 bridges we currently use a TrustAllTrustManager for verifying the HTTPS connections.

Whenever the missing intermediate certificate is finally provided, we will need to make another PR to do the certificate validation properly.

Fixes #19337

Signed-off-by: Andrew Fiddian-Green software@whitebear.ch

andrewfg self-assigned this Sep 28, 2025

andrewfg added the "enhancement" and "additional testing preferred" labels Sep 28, 2025

andrewfg (Contributor, Author) commented

@jpalo ping: could you please test this?

openhab-bot (Collaborator) commented

This pull request has been mentioned on openHAB Community. There might be relevant details there:

https://community.openhab.org/t/cant-connect-new-hue-bridge-pro-to-openhab/166243/13

andrewfg commented Oct 3, 2025

There is probably a missing intermediate certificate..

currently the device certificate is signed directly by the root certificate. In the future – in particular when we would switch to the secondary root certificate – the device certificates will likely be signed by an intermediate certificate which is in turn signed by the root. You still only have to bundle the root certificates with your client application, since the Hue Bridge would present both its device certificate and intermediate certificate during the TLS handshake. However, care should be taken that the HTTPS library you are using has support for certificate chains with intermediate certificates.


openhab-bot (Collaborator) commented

This pull request has been mentioned on openHAB Community. There might be relevant details there:

https://community.openhab.org/t/cant-connect-new-hue-bridge-pro-to-openhab/166243/21

andrewfg commented Oct 5, 2025

From what I understand the PEM file can hold multiple certificates, so if you have all certificates in the chain, it should work.

  • Prior bridges have a two-step "v1" validation chain (leaf cert in the bridge, v1 root cert provided by the manufacturer in a PEM file).
  • The new bridge has a three-step "v2" validation chain (leaf cert in the bridge, v2 root cert provided by the manufacturer and located in a PEM file). But currently the middle intermediate certificate seems to be AWOL .. it is neither (yet) provided by the manufacturer in a PEM file, nor (yet) by the bridge itself.

I have written to Signify asking for either a) the intermediate cert, or b) to update their firmware.

But in the meantime we can do nothing but wait..
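The chain shapes discussed in the comment above can be reproduced offline with openssl to see which trust configurations let a three-link chain verify; this is an added example, not code from this PR or from openHAB. The chain, the file names and the `make_chain` / `verify_leaf` helpers are constructed for illustration and say nothing about the real Hue certificates.

```shell
#!/bin/sh
# Constructed three-link chain: root -> intermediate -> leaf (all names made up).
make_chain() {
    dir=$1
    printf 'basicConstraints=critical,CA:TRUE\n' > "$dir/ca.ext"
    printf 'basicConstraints=CA:FALSE\n' > "$dir/leaf.ext"
    for name in root inter leaf; do
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=constructed-$name" \
            -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null || return 1
    done
    # Self-signed root; intermediate signed by root; leaf signed by intermediate.
    openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" \
        -extfile "$dir/ca.ext" -out "$dir/root.pem" 2>/dev/null &&
    openssl x509 -req -in "$dir/inter.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -set_serial 2 -extfile "$dir/ca.ext" -out "$dir/inter.pem" 2>/dev/null &&
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/inter.pem" -CAkey "$dir/inter.key" \
        -set_serial 3 -extfile "$dir/leaf.ext" -out "$dir/leaf.pem" 2>/dev/null
}

# verify_leaf DIR MODE: returns the exit status of `openssl verify`.
#   root-only  trust file holds only the root, peer sends only the leaf
#   bundle     root and intermediate are both in one PEM trust file
#   presented  only the root is trusted, peer also sends the intermediate
verify_leaf() {
    dir=$1
    case $2 in
        root-only) openssl verify -CAfile "$dir/root.pem" "$dir/leaf.pem" ;;
        bundle)    cat "$dir/root.pem" "$dir/inter.pem" > "$dir/bundle.pem"
                   openssl verify -CAfile "$dir/bundle.pem" "$dir/leaf.pem" ;;
        presented) openssl verify -CAfile "$dir/root.pem" \
                       -untrusted "$dir/inter.pem" "$dir/leaf.pem" ;;
        *) return 2 ;;
    esac >/dev/null 2>&1
}

# Run all three cases against a freshly generated chain.
work=$(mktemp -d) && make_chain "$work" &&
for mode in root-only bundle presented; do
    if verify_leaf "$work" "$mode"; then echo "$mode: chain verifies"
    else echo "$mode: verification fails"; fi
done
rm -rf "$work"
```

The root-only case fails with openssl's "unable to get local issuer certificate" error; the other two cases verify because the intermediate is available from the trust file or from the peer.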

andrewfg (Contributor, Author) commented

@JPAlp @lsiepel @lolodomo I modified this PR to be a temporary fix until Signify finally gets around to publishing the missing intermediate certificate. => I think it would be good to merge this ASAP since I don't know how long it will take Signify to do their homework.

andrewfg requested review from Copilot and lsiepel October 20, 2025

andrewfg added the "bug" label and removed the "enhancement" and "additional testing preferred" labels Oct 20, 2025

Copilot AI left a comment

Pull Request Overview

Copilot reviewed 6 out of 6 changed files in this pull request and generated 6 comments.


openhab-bot (Collaborator) commented

This pull request has been mentioned on openHAB Community. There might be relevant details there:

https://community.openhab.org/t/cant-connect-new-hue-bridge-pro-to-openhab/166243/33

andrewfg changed the title from "[hue] Add support for new (black) bridge v3 certificate" to "[hue] Work around for new (black) bridge v3 certificate bug" Oct 20, 2025

andrewfg (Contributor, Author) commented

@kaikreuzer it looks like the CI build is once again not able to download the thing type xml schema..

lsiepel added the "rebuild" label Oct 20, 2025

github-actions bot removed the "rebuild" label Oct 20, 2025

Development

Successfully merging this pull request may close these issues.

[hue] OH doesn't trust the server certificate of the new (black) Hue bridge
