
Support skipping TLS verification #808

Open
MangoScango opened this issue Dec 11, 2024 · 7 comments

Comments

@MangoScango

Is your feature request related to a problem? Please describe.
With the new authentication feature, it is necessary to disable TLS on port 8971 in Frigate due to SSL verification inevitably failing.

Describe the solution you'd like
For security purposes, it would be ideal to allow the integration to be able to communicate over https regardless of whether or not the certificate is trusted.

Describe alternatives you've considered
A reverse proxy can be used to create a valid certificate for access over port 8971, however this requires external setup outside of Frigate that is potentially cumbersome.

Additional context
Nothing else, thanks for getting authentication support implemented!

@19980202yyq

Second this issue. I want to close the unauthenticated port 5000, but I do not want to manage certificates.

@hackmoore

Third. I'm blown away that it took this long to get HA to communicate securely with Frigate and this seems to be the final blocker for it to work.

I would suggest that a common setup would be HA, Frigate running on two different devices but on the same internal network, in which case a valid SSL cert is unlikely. Exposing it to the internet just for a valid cert seems bonkers.

@dermotduffy
Collaborator

Exposing it to the internet just for a valid cert seems bonkers.

It's an Open Source version of Occam's razor: It's just that no-one has implemented this yet, not that there is an intentional design decision. PRs are very welcome!

@blakeblackshear
Owner

Exposing it to the internet just for a valid cert seems bonkers.

There is no need to expose it. You can use the DNS method to get a valid cert with Let's Encrypt. If security is truly a priority on your internal network, then you shouldn't be disabling TLS verification anyway.

@MangoScango
Author

Certainly this would not be the ideal setup, but I would posit that it improves the security of the average setup. I have to imagine that for the average user with Frigate running on a separate host from Hass, learning how to create and maintain a valid certificate would be a significant enough hassle as to cause them to continue leaving port 5000 open for any bad actor that may come across their network. Even without TLS verification the average user gets the benefit of not having to leave port 5000 open, and not having their credentials sent in plain text. Yes, this doesn't protect against a MITM attack, but I think increasing the security against crimes of opportunity is more important on a local network anyway.

@ncareau

ncareau commented Dec 30, 2024

I have a self-hosted ACME server for my CA and imported it in Home Assistant with this plugin: https://github.com/Athozs/hass-additional-ca But I'm still getting an error. I have also added the cert to the host and I'm not able to make it work. Any ideas on getting a self-hosted cert to be valid in this integration? If not, the option to skip TLS verification is a must.

@janusn

janusn commented Dec 30, 2024

@ncareau

I am using a Docker image provided by Linuxserver.io. It allows me to run processes before the main process does. Here is what I have put into custom-cont-init.d:

$ cat /custom-cont-init.d/add_ca.sh
#!/bin/bash

##########################################################################################
# Add additional CA certificates to the system trust store.
# Every CA certificate listed in SOURCE_LIST is copied from "/config/additional_ca".
# All the CA certificates have to be PEM files named with a ".crt" extension.
##########################################################################################

SOURCE_DIR='/config/additional_ca'
TARGET='/usr/local/share/ca-certificates'
ORIGINAL_CERTS='/etc/ssl/certs/ca-certificates.crt'
BACKUP='/opt/certifi_original'
FLAG_DONE='additional_ca_done'

# certs you want to add
SOURCE_LIST=()
# my CA cert
SOURCE_LIST+=('my_cert.crt')

code=0

if [ -f "$BACKUP/$FLAG_DONE" ] ; then
	# it has been patched.
	echo "Additional CA certs have been added. Skip."
	exit 0
fi

# it has not been patched.
echo "backing up the original CA certs..."
mkdir -p "$BACKUP"
cp -r "$ORIGINAL_CERTS" "$BACKUP"
code=$?
if [ $code -ne 0 ]; then
	echo "Failed to backup original CA certs. Code: $code"
	echo "Give up now."
	exit $code
fi
echo "CA certs backed up."

for SOURCE in "${SOURCE_LIST[@]}"
do
	echo "Copying '${SOURCE_DIR}/${SOURCE}' to '$TARGET'..."
	cp "${SOURCE_DIR}/${SOURCE}" "$TARGET"
	code=$?
	if [ $code -ne 0 ]; then
		echo "CA certs copying '${SOURCE_DIR}/${SOURCE}' to '${TARGET}' failed with code $code."
		exit $code
	fi
done

echo "All CA certs copied."
update-ca-certificates -v
code=$?
if [ $code -ne 0 ]; then
	echo "CA certificate update failed with code ${code}."
	exit $code
fi

# set up a flag to indicate CA certs updated.
touch "$BACKUP/$FLAG_DONE"
echo "CA certificates updated successfully."

exit $code
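As an added example (not code from the thread, Home Assistant or Frigate), the same custom-cont-init.d idea generalised: it trusts every PEM certificate found in /config/additional_ca instead of a hard-coded list, checks that each file has PEM certificate framing before staging it, and runs update-ca-certificates once. The paths and the Linuxserver.io init hook come from the thread; the function names are hypothetical, and update-ca-certificates assumes a Debian/Ubuntu-based image.

```shell
#!/bin/bash
# Added example for custom-cont-init.d (not the thread's own script).
# Assumed paths: the thread's /config/additional_ca source directory and the
# Debian trust-store layout (/usr/local/share/ca-certificates, *.crt files).
set -u

SOURCE_DIR="${SOURCE_DIR:-/config/additional_ca}"
TARGET="${TARGET:-/usr/local/share/ca-certificates}"
FLAG_DONE="${FLAG_DONE:-/opt/additional_ca_done}"

# is_pem_cert FILE: true if FILE contains at least one PEM certificate block.
is_pem_cert() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null &&
    grep -q -- '-----END CERTIFICATE-----' "$1" 2>/dev/null
}

# stage_ca_certs SRC DST: copy every *.crt in SRC that looks like a PEM
# certificate into DST. Prints the number of files staged on stdout;
# non-PEM files are reported on stderr and skipped.
stage_ca_certs() {
    local src="$1" dst="$2" f n=0
    mkdir -p "$dst" || return 1
    for f in "$src"/*.crt; do
        [ -e "$f" ] || continue          # no matches: the glob stays literal
        if ! is_pem_cert "$f"; then
            echo "skipping $f: not a PEM certificate" >&2
            continue
        fi
        cp "$f" "$dst/" || return 1
        n=$((n + 1))
    done
    echo "$n"
}

# install_ca_certs: idempotent entry point; rebuilds the trust store only
# when at least one new certificate was staged.
install_ca_certs() {
    local n
    if [ -f "$FLAG_DONE" ]; then
        echo "Additional CA certs already installed. Skip."
        return 0
    fi
    n=$(stage_ca_certs "$SOURCE_DIR" "$TARGET") || return 1
    if [ "$n" -eq 0 ]; then
        echo "No PEM certificates found in $SOURCE_DIR; nothing to do."
        return 0
    fi
    update-ca-certificates -v || return 1   # rebuild /etc/ssl/certs bundle
    touch "$FLAG_DONE"
    echo "Installed $n additional CA certificate(s)."
}

if [ "${1:-}" = "install" ]; then install_ca_certs; fi
```

The framing check only rejects files that are obviously not PEM; update-ca-certificates still validates the certificates it is given, and whether the application inside the image reads the rebuilt system bundle rather than its own is something to confirm for that image.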


7 participants