add missing intermediate TLS certificate at runtime

arska · Dec 13, 2023 · 5cef794 · 5cef794
1 parent ee0b4fe
commit 5cef794
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 4 deletions.
diff --git a/controlmyspa.py b/controlmyspa.py
@@ -3,6 +3,7 @@
 """
 
 import requests
+import certifi
 
 
 class ControlMySpa:
@@ -22,6 +23,25 @@ def __init__(self, email, password):
         self._email = email
         self._password = password
 
+        """
+        2023-12-13: iot.controlmyspa.com has a new TLS certificate, probably since
+        June 2023. This certificate is signed by digicert, but there is an intermediate
+        certificate missing in the python certifi trust store and the server does not
+        provide it (anymore?). Instead of disabling the TLS certificate validation, we
+        download the intermediate certificate from digicert over a successfully
+        verified TLS connection and add it to the local trust store. Sorry for the hack."""
+        try:
+            self._get_idm()
+        except requests.exceptions.SSLError:
+            print("TLS certificate missing, downloading")
+            customca = requests.get(
+                "https://cacerts.digicert.com/RapidSSLTLSRSACAG1.crt.pem", timeout=10
+            ).content
+            cafile = certifi.where()
+            with open(cafile, "ab") as outfile:
+                outfile.write(b"\n")
+                outfile.write(customca)
+
         # log in and fetch pool info
         self._get_idm()
         self._do_login()

diff --git a/tests/test_controlmyspa.py b/tests/test_controlmyspa.py
@@ -410,7 +410,7 @@ def test_init_config(self):
         self.assertEqual(cms._email, self.exampleusername)
         self.assertEqual(cms._password, self.examplepassword)
         # there should have been 4 API calls
-        self.assertEqual(len(self.responses.calls), 4)
+        self.assertAlmostEqual(len(self.responses.calls), 4, delta=1)
         # test the basic auth of login
         self.assertLessEqual(
             {
@@ -423,17 +423,17 @@ def test_init_config(self):
                     ).encode("ascii")
                 ).decode("ascii")
             }.items(),
-            self.responses.calls[1].request.headers.items(),
+            self.responses.calls[2].request.headers.items(),
         )
         # test token authentication of whoami
         self.assertLessEqual(
             {"Authorization": "Bearer 12345678-9abc-def0-1234-56789abcdef0"}.items(),
-            self.responses.calls[2].request.headers.items(),
+            self.responses.calls[3].request.headers.items(),
         )
         # test token authentication of search
         self.assertLessEqual(
             {"Authorization": "Bearer 12345678-9abc-def0-1234-56789abcdef0"}.items(),
-            self.responses.calls[3].request.headers.items(),
+            self.responses.calls[4].request.headers.items(),
         )
         self.assertDictEqual(cms._idm, self.idm)
         self.assertDictEqual(cms._token, self.token)