Expired Certificate

[Paxol]

Describe the bug
Today expired the Peugeout certificate in the APK version that you store on psa_apk.

Additional context
Please update the APK so I can login into the app

[gereons]

Adding a DS car also fails with a "client cert expired" error:

[maxim-mityutko]

Getting the same error for Citroen.

[xXValiXx]

Same from Germany with a Opel Corsa E

[alexpelli]

Same from Italy with a Peugeot E-208

[xXValiXx]

Maybe we can find a way to fix it ourself.
So far I found out that the cert is created by setup/apk_parser.py. The certs are created from a file called MWPMYMA1.pfx.
This file is located in a BrandAPK file under assets.

This apk is located under: https://github.com/flobz/psa_apk

[chmtc94]

Same from France with a DS4 e-Tense.

[Paxol]

Maybe we can find a way to fix it ourself. So far I found out that the cert is created by setup/apk_parser.py. The certs are created from a file called MWPMYMA1.pfx. This file is located in a BrandAPK file under assets.

This apk is located under: https://github.com/flobz/psa_apk

The "problem" is to find the password for the changed certificate

[mitasa]

Same goes from Finland with Opel Mokka e. Things were working until yesterday, after that the Opel app ceased to have connection and PSA car controller also stopped updating. After that I installed HAOS update and the PSA car controller stopped working. This has happened to me a couple of times before and I have managed to get it back going with a reinstall. When I tried to do this, I ran into this problem.

[Jjanssen1991]

Same for the Netherlands with Peugeot e208

[GeraldPape]

Same here, Citroen C5,....
KeyError: 'success' {"code":"495", "message": "Invalid or expired client certificate"}

[chreggy]

Same problem for me with docker image on DS3 : KeyError: 'success' {"code":"495", "message": "Invalid or expired client certificate"}

[Dirk-Dirk-Dirk]

@flobz
Same problem in Belgium with HA Green en the Add-on 'PSA Car Controller' after system-restart.

• Invalid or expired client certificate.
  How to fix?

[cairon-ha]

Same problem with 208 GT in germany

[open365j]

Having the same issue. Hopefully there'll be a fix soon

[asbachb]

Can you please stop posting that you have the same issue? It seems to be clear that this is a generic problem.

Just 👍 up the initial report.

[RGx01]

Seems to be working again for me. Not done anything to fix it.

2024-08-28 12:06:02,434 :: INFO :: 172.30.32.1 - - [28/Aug/2024 12:06:02] "�[37mGET /get_vehicleinfo/my vin HTTP/1.1�[0m" 200 - 2024-08-28 12:06:02,437 :: INFO :: <Request 'http://127.0.0.1:5000/charge_control?vin=my vin' [GET]> 2024-08-28 12:06:02,441 :: INFO :: 172.30.32.1 - - [28/Aug/2024 12:06:02] "�[37mGET /charge_control?vin=my vin HTTP/1.1�[0m" 200 -

[cairon-ha]

I am still getting:

Traceback (most recent call last): File "/usr/local/lib/python3.9/dist-packages/psa_car_controller/psa/setup/app_decoder.py", line 100, in __fetch_user_info res_dict = res2.json()["success"] KeyError: 'success' {"code":"495", "message": "Invalid or expired client certificate"}

[raphaelbarreiros]

I've forked the repos and bumped the app versions. The newest ones doesn't have the certificate anymore. They changed how the apps authenticates.
The certificate kept the same until version 1.46. of the apps.
In summary: no luck by updating and using app versions 1.46.
@flobz has to update the authentication if possible to match the latest app versions.

[cairon-ha]

What do we have to do now? I am getting still the same error as before.

[raphaelbarreiros]

What do we have to do now? I am getting still the same error as before.

Based on my previous comment, a developer can help fixing that. Unfortunately my dev skills are quite limited and can't help much

[raphaelbarreiros]

Hmm, actually, the latest app version has that certificate! Still looking into it

[MarcelSa1980]

@flobz is there any outlook when and how this issue can be solved?
@flobz existe-t-il des perspectives quand et comment ce problème pourra être résolu ?

[aurelutz2007]

PSA V3.5.1, does not work with the home assistant on the last version. Same certificate issue.
Core 2024.8.3
Supervisor 2024.08.0
Operating System 13.1
HOME ASSISTANT GREEN

[HansUweRempler]

Hmm, actually, the latest app version has that certificate! Still looking into it

@raphaelbarreiros did you find out anything new?

I followed the following path:

• Coming from Invalid or expired client certificate #416 and looking here at this reoccuring issue Expired Certificate #938 I thought to quickly mimic https://github.com/flobz/psa_apk and https://github.com/raphaelbarreiros/psa_apk.

• So, downloaded the lastest myOpel xapk version from https://apkcombo.com/de/myopel/com.psa.mym.myopel/download/apk and extracted the myOpel_1.48.2_APKPure.xapk to get com.psa.mym.myopel.apk, plus renamed it to myopel.apk.

• But I first needed to fix the >100MB file size error "remote: error: File myopel.apk is 111.55 MB; this exceeds GitHub's file size limit of 100.00 MB" via

sudo apt install git-lfs
git lfs install
git lfs track "*.apk"
git add .gitattributes
git add myopel.apk
[...]

• I SSHed (this is more a "note to myself" info, probably mostly irrelevant for somebody else) into my Home Assistant VM on my Synology and inside the Docker flobz/psa_car_controller:v3.5.1 via docker exec -it addon_b9f12d83_psacc /bin/bash to modify /usr/local/lib/python3.9/dist-packages/psa_car_controller/psa/setup/apk_decoder.py with

APP_VERSION = "1.48.1"
GITHUB_USER = "HansUweRempler"

• Unfortunately, the cert error remains:

ConnectionError: Traceback (most recent call last):
File "/usr/local/lib/python3.9/dist-packages/psa_car_controller/psa/setup/app_decoder.py", line 100, in __fetch_user_info
KeyError: 'success'
{"code":"495", "message": "Invalid or expired client certificate"}
2024-08-30 07:02:00,234 :: INFO :: 172.30.32.1 - - [30/Aug/2024 07:02:00] "�[37mPOST /_dash-update-component HTTP/1.1�[0m" 200 -

I guess the next step would be to look into apk_parser.py and the save_key_to_pem() part where pkcs12.load_key_and_certificates() is called. But I need to pause here for now.

[raphaelbarreiros]

Yeah, I did almost the same as you @HansUweRempler but then I decided to try to make the API calls from Postman to make sure everything was working ok before making any changes to the code. So I've extracted the Cert, Client_ID and Client_Secret manually - just like the apk_parser.py
The thing is I managed to extract everything and make the API calls! I managed to:
1 - compose and generate the URL, and get the Code just like the tutorial
2 - Exchange the Code for the Tokens
3 - Make a call to /user/vehicles endpoint

The last one I did literally 1 minute before going to bed. Just starting my day here, so as soon as I can I'm going to debug the code but it looks like it's not finding the file with the client id and client secret, they might have changed that in some of the versions, so shouldn't be too difficult to fix!

[kurim]

@HansUweRempler did you restart your container after modify? If not the changes will not be happend, and it still download the old stuff

After restart the container it will run in: res1 must be zero! Which comes from androguard which is used in 3.3.5, maybe a newer version may help here, on the other hand the file can just be unzipped, w/o using androdguard like @raphaelbarreiros described

Here it is how it works:

docker exec -it addon_b9f12d83_psacc /bin/bash to modify /usr/local/lib/python3.9/dist-packages/psa_car_controller/psa/setup/apk_decoder.py

apt install python3.9-distutils
pip install --upgrade androguard

open apk_parser.py

replace:
from androguard.core.bytecodes.apk import APK
with
from androguard.core.apk import APK

open app_decoder.py
update the file:

APP_VERSION = "1.48.1"
GITHUB_USER = "HansUweRempler"

I have issued a pull request for it #944

[raphaelbarreiros]

@kurim brilliant!
I've applied your changes to my repo, so I can start testing and playing with it now. It worked like a charm!

In case someone wants to install my fork in the meantime: https://github.com/raphaelbarreiros/psacc-ha
I'll also add the vehicles pending merge quite soon :)

[mitasa]

@raphaelbarreiros your fork works well. Thank you very much!

[HansUweRempler]

@kurim Ah, yes, of course, you're absolutely right, I missed to restart the container! Thank you very much for your hints, it worked like a charm 🥇.

@raphaelbarreiros thank you for starting all of this. Let's see how long this will hold up until the next update.

[SabatoArdolino]

@kurim I've applied your suggestion but I receive the same error .. Where I wrong ?

[Jjanssen1991]

@raphaelbarreiros

I used your fork now I don't get the error cert... anymore, but as soon as I have entered my data and click submit it loads for a very long time, restarts my ha and nothing happens.

What can i do?

[SabatoArdolino]

How can install the fork? Il giorno sab 31 ago 2024 alle 08:31 Jjanssen1991 ***@***.***> ha scritto:

…

@raphaelbarreiros <https://github.com/raphaelbarreiros> I used your fork now I don't get the error cert... anymore, but as soon as I have entered my data and click submit it loads for a very long time, restarts my ha and nothing happens. What can i do? — Reply to this email directly, view it on GitHub <#938 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/BAXC6YNJWJCIPB4V4S54QSDZUFPMTAVCNFSM6AAAAABNBSEUIOVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDGMRSG44TMMRUGA> . You are receiving this because you commented.Message ID: ***@***.***>

[Jjanssen1991]

@SabatoArdolino

You need to use the url https://github.com/raphaelbarreiros/psacc-ha then you get de psa controllor fix

[raphaelbarreiros]

@raphaelbarreiros

I used your fork now I don't get the error cert... anymore, but as soon as I have entered my data and click submit it loads for a very long time, restarts my ha and nothing happens.

What can i do?

Seems like your HA can't process the APK for some reason. It shouldn't restart.
The process is that the application downloads the apk from the repository, decompile and then search for some strings. Looks like your server is crashing during this process. Hard to tell where without the logs. If you drop them we can try to help

[Jjanssen1991]

@raphaelbarreiros
this is what the log says:

[raphaelbarreiros]

@raphaelbarreiros

this is what the log says:

Doesn't say anything. Maybe HA logs or keep trying to get them after you try to make the login, before it crashes

[SabatoArdolino]

@SabatoArdolino

You need to use the url https://github.com/raphaelbarreiros/psacc-ha then you get de psa controllor fix

In HA I think is not possible ... Do you now when "official" release will be updated ?

[Dirk-Dirk-Dirk]

I work with PSA Car Controller via HA Addons.
I can't do anything with the proposed url https://github.com/raphaelbarreiros/psacc-ha.
A working or updated PSA Car Controller Addon would be welcome for the non-programmers among us.

[Jjanssen1991]

@raphaelbarreiros

The log from psa now says this:

This takes a while and then it drops out

My logs of HA says noting

[jmA500]

Hi,

Thanks to everyone inspecting and solving the problem.
I wanted to add a quick note: Updating the mypeugeot.apk to the version 1.48.1 also fixes the Problem for my Peugeot.

I am using the version found here:
https://download.apkcombo.com/com.psa.mym.mypeugeot/MYPEUGEOT%20APP_1.48.1_apkcombo.com.xapk
To test this, I extracted the .xapk, renamed the .apk found in it to mypeugeot.apk and manually copied it into the folder in which psa_car_controller expects it. Inspired by the contributioins by @HansUweRempler and @kurim I then made the following changes in app_decoder.py:

1. set APP_VERSION = "1.48.1"
2. in the function get_content_from_apk comment out the call to urlretrieve_from_github

This is a temporary fix, but an ugly one. Unfortunately, I have no bandwith for git-lfs on github, so I can not prepare a pull request with a proper fix. But maybe it would make sense to have a configuration variable that can change the source of the .apk used so that one can manually circumvent the hard coded github repo that is used for this.

Jan

[Dirk-Dirk-Dirk]

Okay, everything works as before now and probably even better than before after updating HA-Addon to v3.5.3.
Thanks to the people who made this possible. :)

[alexpelli]

Still a lot of problems here.. and home assistant reboot everytime I start psacontroller... see here below
Containerised psa_car_controller loading...
2024-09-10 14:33:51,906 :: INFO :: App version 3.5.3
2024-09-10 14:33:51,908 :: ERROR :: No config file
2024-09-10 14:33:51,914 :: WARNING :: Can't get language
2024-09-10 14:33:55,285 :: INFO :: update_data
2024-09-10 14:33:55,428 :: INFO :: * Running on http://0.0.0.0:5000/ (Press CTRL+C to quit)
2024-09-10 14:34:21,221 :: INFO :: Initial setup...
2024-09-10 14:34:45,797 :: INFO :: 172.30.32.1 - - [10/Sep/2024 14:34:45] "POST /_dash-update-component HTTP/1.1" 200 -
2024-09-10 14:35:29,205 :: INFO :: 172.30.32.1 - - [10/Sep/2024 14:35:29] "GET /config_connect?url=https://idpcvs.peugeot.com/am/oauth2/authorize?client_id%3D1eebc2d5-5df3-459b-a624-20abfcf82530%26redirect_uri%3Dmymap%253A%252F%252Foauth2redirect%252Fit%26response_type%3Dcode%26scope%3Dopenid%2520profile%26state%3DvquVm_fQDvkuchvs-HfopA%26code_challenge%3DUwRZuuSJzxn78YADepGqZCsqXLozWz6aWZrUNv1Qyug%26code_challenge_method%3DS256 HTTP/1.1" 200 -
2024-09-10 14:35:29,322 :: INFO :: 172.30.32.1 - - [10/Sep/2024 14:35:29] "GET /_dash-layout HTTP/1.1" 200 -
2024-09-10 14:35:29,346 :: INFO :: 172.30.32.1 - - [10/Sep/2024 14:35:29] "GET /_dash-dependencies HTTP/1.1" 200 -
2024-09-10 14:35:29,401 :: INFO :: 172.30.32.1 - - [10/Sep/2024 14:35:29] "POST /_dash-update-component HTTP/1.1" 200 -
2024-09-10 14:35:29,462 :: INFO :: 172.30.32.1 - - [10/Sep/2024 14:35:29] "POST /_dash-update-component HTTP/1.1" 204 -
2024-09-10 14:37:47,098 :: ERROR :: finish_oauth:
Traceback (most recent call last):
File "/usr/local/lib/python3.9/dist-packages/psa_car_controller/web/view/config_oauth.py", line 56, in finish_oauth
config_views.INITIAL_SETUP.connect(code)
File "/usr/local/lib/python3.9/dist-packages/psa_car_controller/psa/setup/app_decoder.py", line 112, in connect
self.psacc.connect(code)
File "/usr/local/lib/python3.9/dist-packages/psa_car_controller/psacc/application/psa_client.py", line 35, in connect
self.manager.connect_with_code(code)
File "/usr/local/lib/python3.9/dist-packages/psa_car_controller/psa/oauth.py", line 55, in connect_with_code
self._token_request({"grant_type": 'authorization_code', "code": code,
File "/usr/local/lib/python3.9/dist-packages/oauth2_client/credentials_manager.py", line 205, in _token_request
CredentialManager._handle_bad_response(response)
File "/usr/local/lib/python3.9/dist-packages/oauth2_client/credentials_manager.py", line 87, in _handle_bad_response
raise OAuthError(HTTPStatus(response.status_code), error.get('error'), error.get('error_description'))
oauth2_client.credentials_manager.OAuthError: 400 - invalid_grant : The provided access grant is invalid, expired, or revoked.
2024-09-10 14:37:47,126 :: INFO :: 172.30.32.1 - - [10/Sep/2024 14:37:47] "POST /_dash-update-component HTTP/1.1" 200 -
2024-09-10 14:38:44,153 :: INFO :: 172.30.32.1 - - [10/Sep/2024 14:38:44] "POST /_dash-update-component HTTP/1.1" 200 -
2024-09-10 14:38:44,211 :: INFO :: 172.30.32.1 - - [10/Sep/2024 14:38:44] "POST /_dash-update-component HTTP/1.1" 200 -
2024-09-10 14:38:44,237 :: INFO :: 172.30.32.1 - - [10/Sep/2024 14:38:44] "POST /_dash-update-component HTTP/1.1" 204 -
2024-09-10 14:38:44,245 :: INFO :: 172.30.32.1 - - [10/Sep/2024 14:38:44] "POST /_dash-update-component HTTP/1.1" 204 -
2024-09-10 14:38:56,266 :: INFO :: Initial setup...
home assistant reboot