From 530c5fb5335a85dc84aecc0ae409f538276de547 Mon Sep 17 00:00:00 2001
From: Aarno Aukia <aarno.aukia@vshn.ch>
Date: Sat, 16 Dec 2023 14:11:43 +0100
Subject: [PATCH] add warning for docker build TLS certificate in readme

---
 README.md | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/README.md b/README.md
index 39e2524..17b140d 100644
--- a/README.md
+++ b/README.md
@@ -6,12 +6,16 @@
 
 Python API for ControlMySpa.com cloud-controlled of Balboa spa control systems for hot tubs.
 
-* https://www.balboawatergroup.com/ControlMySpa
-* https://controlmyspa.com
+- https://www.balboawatergroup.com/ControlMySpa
+- https://controlmyspa.com
+
+## 2023-12-13: iot.controlmyspa.com missing intermediate certificate
+
+Since approximately June 2023 iot.controlmyspa.com has a new TLS certificate. This certificate is signed by digicert, but the intermediate certificate chain is not served by iot.controlmyspa.com and is also missing in the python certifi trust store. Instead of disabling the TLS certificate validation, we download the intermediate certificate from digicert over a successfully verified TLS connection and add it to the local trust store on first run. This does, however, not work for read-only runtimes like Docker containers. See https://github.com/arska/controlmyspa-porssari/blob/main/Dockerfile and https://github.com/arska/controlmyspa-porssari/blob/main/get_certificate.py for an example how to download the certificate at Docker image build time instead.
 
 ## Usage
 
-see example.py for runnable example
+see example.py for a runnable example
 
 ```python
 from controlmyspa import ControlMySpa