
Manual config: 'Verify SSL certificate' flag is ignored — SSL verification fails even when unchecked #32

@a-erta

Summary

When adding the OpenClaw integration via Manual Configuration with Verify SSL certificate unchecked, the integration still performs strict TLS verification and fails with the same SSL error message regardless of the checkbox state. The flag appears to be ignored at runtime.

Environment

  • Home Assistant Core: 2026.5.4 (Green hardware, HAOS 17.3, aarch64)
  • Home Assistant Supervisor: 2026.05.1
  • OpenClaw addon (techartdev/OpenClawHomeAssistant): latest, access_mode: lan_https, gateway_bind_mode: lan, enable_openai_api: true
  • OpenClaw integration (this repo): latest from HACS

Steps to reproduce

  1. Install the OpenClaw addon with access_mode: lan_https and enable_openai_api: true
  2. Auto-discovery does not trigger (separate issue, see note below)
  3. Open Manual Configuration form
  4. Fill: Gateway Host = <addon hostname>, Port = 18789, Token = valid token
  5. Check Use SSL (HTTPS)
  6. Uncheck Verify SSL certificate (explicitly leave the checkbox empty)
  7. Set Agent ID = main, Submit

Expected

When Verify SSL certificate is unchecked, the integration should connect using ssl.CERT_NONE / verify_ssl=False and accept the self-signed certificate served by the addon's built-in HTTPS proxy. The README explicitly documents this combination as the recommended setup for lan_https mode (Common Remote Scenarios table).

Actual

The form returns the error:

SSL certificate verification failed. If using self-signed certificates (e.g. lan_https mode), uncheck 'Verify SSL certificate' or use automatic discovery.

This same error appears whether the checkbox is checked or unchecked. Submitting with the box unchecked has no effect on the verification behavior.

Evidence — verification fails even with proper trust setup

To confirm this is not a missing CA issue, I manually installed the addon's self-signed CA into both the system trust store and Python's certifi bundle inside the HA Core container:

docker exec homeassistant cp /config/openclaw-ca.crt /usr/local/share/ca-certificates/
docker exec homeassistant update-ca-certificates
docker exec homeassistant sh -c 'cat /config/openclaw-ca.crt >> /usr/local/lib/python3.14/site-packages/certifi/cacert.pem'
ha core restart

Re-tested with Verify SSL certificate: ON — still fails with the same generic error.

Direct Python test inside the HA Core container reveals the underlying cause for the verification failure:

ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: CA cert does not include key usage extension

This indicates the CA generated by the addon is missing the keyUsage X.509 extension required by RFC 5280, which Python 3.14 / modern OpenSSL strict-mode rejects. This is a separate but related bug filed against the addon repo.

However, the primary issue here remains: even setting verify_ssl=False in the manual config does not bypass verification, so users cannot work around the malformed CA.

Suggested fix

Ensure the verify_ssl boolean from the config flow is actually plumbed through to the underlying HTTP client (aiohttp TCPConnector(ssl=False) or ssl=ssl.SSLContext() with verify_mode=ssl.CERT_NONE). The current code likely constructs the connector without honoring the form value.
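As an added example (not code from this issue or from the integration), the following Python shows the plumbing the suggested fix asks for: a config-flow boolean turned into the SSLContext handed to aiohttp's TCPConnector(ssl=...), with the unchecked case producing ssl.CERT_NONE and no hostname check. It also covers the strict-mode failure from the Evidence section: verification stays on while only VERIFY_X509_STRICT, the OpenSSL flag behind "CA cert does not include key usage extension", is cleared, so a user who has imported the addon's CA can keep chain verification. The function names, the option keys and the relax_strict_x509 parameter are assumptions, not the integration's own identifiers.

```python
import ssl
from typing import Optional

# Constructed option keys; the integration's real config-flow keys are not
# known here and are assumed to mean the same as the form labels.
CONF_VERIFY_SSL = "verify_ssl"
CONF_CA_FILE = "ca_file"


def build_ssl_context(
    verify_ssl: bool,
    cafile: Optional[str] = None,
    relax_strict_x509: bool = False,
) -> ssl.SSLContext:
    """Build the SSLContext that honours the 'Verify SSL certificate' flag.

    verify_ssl=True  -> chain + hostname verification, optionally against an
                        extra CA file (e.g. the addon's self-signed CA).
    verify_ssl=False -> ssl.CERT_NONE and no hostname check, i.e. accept the
                        addon's self-signed certificate (lan_https mode).
    relax_strict_x509=True (assumed option) keeps verification on but clears
    VERIFY_X509_STRICT, which is what rejects a CA without a keyUsage
    extension; it only has an effect together with verify_ssl=True.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    if not verify_ssl:
        # Order matters: assigning CERT_NONE while check_hostname is still
        # True raises ValueError, so hostname checking is cleared first.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    elif relax_strict_x509:
        ctx.verify_flags &= ~ssl.VERIFY_X509_STRICT
    return ctx


def uses_strict_x509(ctx: ssl.SSLContext) -> bool:
    """True when the context enforces RFC 5280 strictness (VERIFY_X509_STRICT)."""
    return bool(ctx.verify_flags & ssl.VERIFY_X509_STRICT)


def connector_ssl_arg(options: dict) -> ssl.SSLContext:
    """Translate config-flow options into the value for aiohttp.TCPConnector(ssl=...).

    aiohttp accepts either ssl=False or an SSLContext; returning a CERT_NONE
    context for the unchecked case is equivalent to ssl=False and keeps a
    single code path, so the form value cannot be silently dropped.
    """
    verify = bool(options.get(CONF_VERIFY_SSL, True))
    return build_ssl_context(verify, cafile=options.get(CONF_CA_FILE))


if __name__ == "__main__":
    for opts in ({"verify_ssl": True}, {"verify_ssl": False}):
        ctx = connector_ssl_arg(opts)
        print(
            f"{opts} -> verify_mode={ctx.verify_mode.name} "
            f"check_hostname={ctx.check_hostname} strict={uses_strict_x509(ctx)}"
        )
```

Usage: `aiohttp.TCPConnector(ssl=connector_ssl_arg(entry.options))` (assumed call site) makes the unchecked box observable in a single place, which is the easiest spot to add a log line or a unit test asserting `verify_mode == ssl.CERT_NONE` when the form value is False.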

Note on auto-discovery

In my setup, auto-discovery does not trigger even with the addon properly configured (enable_openai_api: true, access_mode: lan_https, gateway state running). Restarting HA Core, reinstalling the integration via HACS, and removing pending discovery flows all had no effect. The README states "just click Submit on the confirm step", but the confirm step never appears — only Manual Configuration. This may be related to the same fix area.

Workaround currently in use

Switched the addon to access_mode: custom + gateway_bind_mode: lan to expose plain HTTP on the Supervisor bridge network. Manual Configuration then completes with Use SSL: OFF. This works but should not be necessary in lan_https mode.

Logs / config

Available on request if useful. Happy to test patches.
