Trust Evaluation Agent errors

Posted on
Thu Feb 10, 2022 9:02 am
gt3mike offline
Posts: 225
Joined: Dec 31, 2017
Location: Colorado

Re: Trust Evaluation Agent errors

FlyingDiver wrote:
gt3mike wrote:
I've wondered about that myself. Do Ecobee2 and Pushover use SSL? I'm not noticing these trust warnings from either of them.


Yes to both. But the certificate chains could be different, with different intermediate certificates, so they might not be hitting the same "bad" cert.

It's interesting that the plugins that are triggering this warning are still working. I wonder if this is just a benign warning.

Are you running miniUnifi and/or Email+ on Monterey? If so, are you certain you don't have these warnings in launchd.log?

Posted on
Thu Feb 10, 2022 11:22 am
jay (support) offline
Site Admin
Posts: 18199
Joined: Mar 19, 2008
Location: Austin, Texas

Re: Trust Evaluation Agent errors

gt3mike wrote:
Are you running miniUnifi and/or Email+ on Monterey? If so, are you certain you don't have these warnings in launchd.log?


I'm running Email+ on Monterey 12.2 and not seeing any of these errors. I'm not using Gmail however.

Are you logged in to iCloud and do you have keychains being synced? I wonder if you have a bad certificate(s) stored in your keychain that might be causing the issue. You can see them by opening Keychain Access, selecting login (check System as well) in the left side then clicking on Certificates. I have two in there of interest: UniFi and UbiquitiRouterUI, though honestly I have no idea if they have any relation to your issues. I do agree with Joe that it seems like you've got some kind of certificate issue.

Jay (Indigo Support)

Posted on
Thu Feb 10, 2022 12:43 pm
gt3mike offline
Posts: 225
Joined: Dec 31, 2017
Location: Colorado

Re: Trust Evaluation Agent errors

OH! This should have occurred to me earlier.

I don't know why Email+ would have issues connecting with Gmail. I'm sure their certs are in fine order. But miniUnifi connects to my Unifi controller, and if it's using SSL to do so there's going to be a problem. I don't have a trusted certificate on the controller. I always get an SSL warning when I connect to it from my browser.

Could that be the reason for the miniUnifi TrustEvaluationAgent issue?

Posted on
Thu Feb 10, 2022 1:44 pm
jay (support) offline
Site Admin
Posts: 18199
Joined: Mar 19, 2008
Location: Austin, Texas

Re: Trust Evaluation Agent errors

Have you made any changes to certificate verification policies on your Mac or on specific certificates? I believe the UniFi stuff uses self-signed certs. The default system policy is to prompt whenever a connection is made to a self-signed cert, but of course that's when used from a browser. @Joe, does your code that connects to that service specifically have verify disabled (a param in the requests calls)? I wonder if there's something there...

Jay (Indigo Support)

Posted on
Thu Feb 10, 2022 1:53 pm
FlyingDiver offline
Posts: 7189
Joined: Jun 07, 2014
Location: Southwest Florida, USA

Re: Trust Evaluation Agent errors

gt3mike wrote:
OH! This should have occurred to me earlier.

I don't know why Email+ would have issues connecting with Gmail. I'm sure their certs are in fine order. But miniUnifi connects to my Unifi controller, and if it's using SSL to do so there's going to be a problem. I don't have a trusted certificate on the controller. I always get an SSL warning when I connect to it from my browser.

Could that be the reason for the miniUnifi TrustEvaluationAgent issue?


Probably not. The plugin specifically disables the certificate checking, so it can do SSL without a valid certificate.

joe (aka FlyingDiver)
my plugins: http://forums.indigodomo.com/viewforum.php?f=177

Posted on
Thu Feb 10, 2022 1:54 pm
FlyingDiver offline
Posts: 7189
Joined: Jun 07, 2014
Location: Southwest Florida, USA

Re: Trust Evaluation Agent errors

jay (support) wrote:
Have you made any changes to certificate verification policies on your Mac or on specific certificates? I believe the UniFi stuff uses self-signed certs. The default system policy is to prompt whenever a connection is made to a self-signed cert, but of course that's when used from a browser. @Joe, does your code that connects to that service specifically have verify disabled (a param in the requests calls)? I wonder if there's something there...


At the start of the plugin.py file:

Code:
requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)


Also:
Code:
        ssl_verify = device.pluginProps.get('ssl_verify', False)
        if ssl_verify is False:
            from requests.packages.urllib3.exceptions import InsecureRequestWarning
            requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
   
        try:
            r = requests.head('https://{}:{}'.format(device.pluginProps['address'], device.pluginProps['port']), verify=ssl_verify, timeout=5.0)

joe (aka FlyingDiver)
my plugins: http://forums.indigodomo.com/viewforum.php?f=177
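
An added example, not part of the thread and not the plugin's own code: for a controller with a self-signed certificate, an alternative to `verify=False` is to pin the certificate's SHA-256 fingerprint, so the connection still skips CA validation but rejects any certificate other than the expected one. All function names and the sample bytes are hypothetical, and it uses Python's standard `ssl` module directly rather than `requests`.

```python
import hashlib
import hmac
import socket
import ssl

# Constructed stand-in for DER certificate bytes (not a real certificate).
SAMPLE_DER = b"constructed-sample-der-bytes"


def fingerprint_of(der_cert):
    """Colon-separated uppercase SHA-256, the form certificate viewers display."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, 64, 2))


def normalize_fingerprint(text):
    """Accept 'AA:BB:...', spaced or plain hex; return 64 lowercase hex chars."""
    cleaned = text.replace(":", "").replace(" ", "").lower()
    if len(cleaned) != 64 or any(c not in "0123456789abcdef" for c in cleaned):
        raise ValueError("expected a SHA-256 fingerprint (32 bytes of hex)")
    return cleaned


def cert_matches_pin(der_cert, pinned_fingerprint):
    """Constant-time compare of SHA-256(DER certificate) against the pin."""
    actual = hashlib.sha256(der_cert).hexdigest()
    return hmac.compare_digest(actual, normalize_fingerprint(pinned_fingerprint))


def open_pinned_connection(host, port, pinned_fingerprint, timeout=5.0):
    """Connect over TLS without CA validation, but refuse any certificate
    whose fingerprint differs from the pinned one. Returns the TLS socket."""
    context = ssl.create_default_context()
    context.check_hostname = False       # must be cleared before CERT_NONE
    context.verify_mode = ssl.CERT_NONE  # chain check is replaced by the pin
    raw = socket.create_connection((host, port), timeout=timeout)
    try:
        tls = context.wrap_socket(raw, server_hostname=host)
    except Exception:
        raw.close()
        raise
    der = tls.getpeercert(binary_form=True)  # DER bytes, even when unverified
    if not der or not cert_matches_pin(der, pinned_fingerprint):
        tls.close()
        raise ssl.SSLError("peer certificate does not match pinned fingerprint")
    return tls
```

The pinned value has to be recorded once over a path you trust (for example, read from the controller itself), and updated whenever the controller's certificate is regenerated.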

Posted on
Thu Feb 10, 2022 2:05 pm
gt3mike offline
Posts: 225
Joined: Dec 31, 2017
Location: Colorado

Re: Trust Evaluation Agent errors

jay (support) wrote:
Have you made any changes to certificate verification policies on your Mac or on specific certificates? I believe the UniFi stuff uses self-signed certs.

I haven't changed anything.

jay (support) wrote:
Are you logged in to iCloud and do you have keychains being synced? I wonder if you have a bad certificate(s) stored in your keychain that might be causing the issue. You can see them by opening Keychain Access, selecting login (check System as well) in the left side then clicking on Certificates. I have two in there of interest: UniFi and UbiquitiRouterUI, though honestly I have no idea if they have any relation to your issues. I do agree with Joe that it seems like you've got some kind of certificate issue.

I do have iCloud Keychain turned on. But I looked at Keychain Access, and I didn't see anything significant in there.

Posted on
Sat Feb 12, 2022 9:18 am
gt3mike offline
Posts: 225
Joined: Dec 31, 2017
Location: Colorado

Re: Trust Evaluation Agent errors

At this point, I have to believe these warnings are benign. Both plugins are pretty much working fine. I think the occasional issues with miniUnifi I'm experiencing (and others), which is why I dug into this in the first place, are networking related.
