
[LOGIN] rest-prod.immedia-semi.com: HTTP 406 error (was: SSL Certificate mismatch and endpoint error (HTTP 403)) #716

Closed
AndreasAchtzehn opened this issue May 6, 2023 · 11 comments

@AndreasAchtzehn

Describe the bug
Login API server rest.prod.immedia-semi.com returns a CloudFront SSL certificate that does not cover the login API domain.
Even when the certificate error is ignored, the server returns "Not Found".
This leads to a login failure with blinkpy / the Home Assistant integration setup.

To Reproduce
Steps to reproduce the behavior:

  1. curl -v -H "Host: prod.immedia-semi.com" -H "Content-Type: application/json" --data-binary '{ "password" : "xxxxx", "client_specifier" : "iPhone 9.2 | 2.2 | 222", "email" : "[email protected]" }' --compressed https://rest.prod.immedia-semi.com/login
     ==> returns a certificate mismatch error
  2. curl -k -v -H "Host: prod.immedia-semi.com" -H "Content-Type: application/json" --data-binary '{ "password" : "xxxxx", "client_specifier" : "iPhone 9.2 | 2.2 | 222", "email" : "[email protected]" }' --compressed https://rest.prod.immedia-semi.com/login
     ==> returns 403 error
  3. curl -k -v -H "Host: prod.immedia-semi.com" -H "Content-Type: application/json" --data-binary '{ "password" : "xxxxx", "client_specifier" : "iPhone 9.2 | 2.2 | 222", "email" : "[email protected]" }' --compressed https://rest.prod.immedia-semi.com/api/v5/account/login
     ==> returns 403 error

< HTTP/2 403
< server: CloudFront
< date: Sat, 06 May 2023 xx:xx:xx GMT
< content-type: text/html
< content-length: 915
< x-cache: Error from cloudfront
< via: 1.1 10cxxxxxxxxxx3d92.cloudfront.net (CloudFront)
< x-amz-cf-pop: HAM50-C3
< x-amz-cf-id: moxxxxx=
<

<TITLE>ERROR: The request could not be satisfied</TITLE>

403 ERROR

The request could not be satisfied.


Bad request. We can't connect to the server for this app or website at this time. There might be too much traffic or a configuration error. Try again later, or contact the app or website owner.
If you provide content to customers through CloudFront, you can find steps to troubleshoot and help prevent this error by reviewing the CloudFront documentation.

Generated by cloudfront (CloudFront)
Request ID: mxxxxxxxxxxx==

Expected behavior
Auth token should be returned.

Home Assistant version (if applicable):
2023.5.2
blinkpy version (not needed if filling out Home Assistant version):

Log Output/Additional Information
2023-05-06 20:27:16.021 ERROR (SyncWorker_11) [blinkpy.auth] Login endpoint failed. Try again later.

@fronzbot
Owner

fronzbot commented May 6, 2023

Ok I've definitely seen this happen before and it was when Blink started changing API endpoints related to login. It's been awhile, and I can't seem to find the related issues, but I'm 90% sure that's what it's related to.

So options are:

  1. wait about a week and see if it continues occurring. If it stops, that means their SSL cert probably expired and we're just catching them during a lapse

  2. If it doesn't stop, the login endpoint (or data that has to be sent) may be changing, which is more challenging. You could try a curl with v6 instead of v5 because in the past that's all they've really changed. Otherwise, it's a waiting game for someone to sniff the network requests to find the right API calls

@AndreasAchtzehn
Author

SSL issue hopefully resolved. The server name differs between API.md and the constants.py. Blink resolves both names. Ugh. Correct one is in constants.py: rest-prod.immedia-semi.com

This leaves me with a 406 error for the request. I've tried to sniff an app-originating request, but since I do not have a way to run a MITM proxy with injected certificate for the proxy I was not able to retrieve a proper API call stream. :(

curl -v -H "Content-Type: application/json" -A "xxx" --data-binary '{ "password" : "xxxx", "client_specifier" : "vdfvdffd", "email" : "[email protected]" }' https://rest-prod.immedia-semi.com/api/v5/account/login

*   Trying 52.222.191.2:443...
* TCP_NODELAY set
* Connected to rest-prod.immedia-semi.com (52.222.191.2) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=*.immedia-semi.com
*  start date: Apr 10 00:00:00 2023 GMT
*  expire date: May  8 23:59:59 2024 GMT
*  subjectAltName: host "rest-prod.immedia-semi.com" matched cert's "*.immedia-semi.com"
*  issuer: C=US; O=Amazon; CN=Amazon RSA 2048 M02
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x55cfcb18abc0)
> POST /api/v5/account/login HTTP/2
> Host: rest-prod.immedia-semi.com
> user-agent: xxx
> accept: */*
> content-type: application/json
> content-length: 91
> 
* We are completely uploaded and fine
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
< HTTP/2 406
< content-type: text/plain; charset=utf-8
< content-length: 20
< date: Sun, 07 May 2023 10:xx:xx GMT
< x-content-type-options: nosniff
< x-cache: Error from cloudfront
< via: 1.1 26d7ab8ad101f56719c67579c002221c.cloudfront.net (CloudFront)
< x-amz-cf-pop: HAM50-C2
< x-amz-cf-id: 1l-Ae0VkoOkQif17IXjh9px8kDfA8uFxtIfsUy9nEljyxXPTcY0Aag==
<
406 Not Acceptable

@AndreasAchtzehn
Author

Waited for a week, unfortunately no progress. Anyone interested in jointly working on an update? I can do coding and testing, but would need support with protocol sniffing.

@fronzbot
Owner

fronzbot commented May 16, 2023

Related to this maybe? This was a new addition about a year ago and the blinkpy library definitely does NOT send the location tier during login right now.

https://github.com/MattTW/BlinkMonitorProtocol/blob/master/auth/login.md

EDIT- an issue someone had where sending the account tier resulted in a correct login MattTW/BlinkMonitorProtocol#66

@AndreasAchtzehn
Author

MattTW/BlinkMonitorProtocol#66 seems to resolve an issue in the later stage of the login process. So far I cannot get the Blink API to give me an auth token at all.

With the step 1 login I get a HTTP 406 error (following https://github.com/MattTW/BlinkMonitorProtocol/blob/master/auth/login.md):

curl -v -H "Content-Type: application/json" -d '{ "unique_id": "0000000-000-000-0000-00000", "password" : "xxxx", "email" : "xxxx@xxx" }' 'https://rest-prod.immedia-semi.com/api/v5/account/login'
*   Trying 52.222.191.116:443...
* TCP_NODELAY set
* Connected to rest-prod.immedia-semi.com (52.222.191.116) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=*.immedia-semi.com
*  start date: Apr 10 00:00:00 2023 GMT
*  expire date: May  8 23:59:59 2024 GMT
*  subjectAltName: host "rest-prod.immedia-semi.com" matched cert's "*.immedia-semi.com"
*  issuer: C=US; O=Amazon; CN=Amazon RSA 2048 M02
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x562eeda95be0)
> POST /api/v5/account/login HTTP/2
> Host: rest-prod.immedia-semi.com
> user-agent: curl/7.68.0
> accept: */*
> content-type: application/json
> content-length: 101
> 
* We are completely uploaded and fine
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
< HTTP/2 406 
< content-type: text/plain; charset=utf-8
< content-length: 20
< date: Sat, 20 May 2023 10:50:32 GMT
< x-content-type-options: nosniff
< x-cache: Error from cloudfront
< via: 1.1 ee2b06ec36961da809e0377705d74e04.cloudfront.net (CloudFront)
< x-amz-cf-pop: HAM50-C2
< x-amz-cf-id: em324Clhmk-rl6NwmZxau5kSlCCp6cNVqWDKeQHlmpXL98-KJ2l5uQ==
< 
406 Not Acceptable

* Connection #0 to host rest-prod.immedia-semi.com left intact

I also tried other server names to check whether it may indeed be related to the tier:

prod.immedia-semi.com ==> name not resolved

rest.prod.immedia-semi.com ==> resolves, but returns a mismatching cloudfront.net certificate. Ignoring the certificate returns a 406 HTTP error.

rest.prde.immedia-semi.com ==> same as rest.prod.immedia-semi.com

rest-prde.immedia-semi.com ==> 406 HTTP error, no certificate issues

Any other tiers I may try for Germany/Europe?
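The hostname checks above behave differently for a reason worth making explicit: a wildcard SAN such as *.immedia-semi.com covers exactly one DNS label, so rest-prod.immedia-semi.com is covered while rest.prod.immedia-semi.com (two labels in front of the base domain) is not, and the cloudfront.net default certificate covers neither. The following is an added example, not code from this thread or from blinkpy; the SAN lists are constructed for illustration (only the wildcard name comes from the curl output), and the check it performs is exactly what `curl -k` switches off.

```python
# Added example: RFC 6125-style hostname matching against a certificate's
# DNS SAN entries. SAN lists are constructed for illustration; the only
# value taken from the thread is the wildcard "*.immedia-semi.com".
WILDCARD_CERT_SANS = ("*.immedia-semi.com",)
# Assumed names on CloudFront's fallback certificate, served when the SNI
# name is not attached to any distribution.
CLOUDFRONT_DEFAULT_SANS = ("*.cloudfront.net", "cloudfront.net")


def _label_matches(pattern: str, label: str) -> bool:
    """A bare '*' matches any single non-empty label; anything else must match exactly."""
    if pattern == "*":
        return label != ""
    return pattern.lower() == label.lower()


def hostname_matches_san(san: str, hostname: str) -> bool:
    """True if one DNS SAN entry covers hostname.

    The wildcard is honoured only in the left-most label and stands for exactly
    one label, so "*.immedia-semi.com" covers "rest-prod.immedia-semi.com" but
    not "rest.prod.immedia-semi.com", which has one label too many.
    """
    san_labels = san.rstrip(".").split(".")
    host_labels = hostname.rstrip(".").split(".")
    if len(san_labels) != len(host_labels):
        return False
    if "*" in san_labels[0] and len(san_labels) < 3:
        return False  # refuse wildcards that would cover a whole TLD
    if any("*" in part for part in san_labels[1:]):
        return False  # a wildcard outside the left-most label is not accepted
    return all(_label_matches(p, h) for p, h in zip(san_labels, host_labels))


def cert_covers(hostname: str, sans) -> bool:
    """True if any SAN entry covers hostname; this is the default TLS client check."""
    return any(hostname_matches_san(san, hostname) for san in sans)


def explain(hostname: str, sans) -> str:
    """Verdict in the spirit of curl's 'matched' line versus its mismatch error."""
    if cert_covers(hostname, sans):
        return f"{hostname}: covered by {', '.join(sans)}; verification passes"
    return f"{hostname}: not covered by {', '.join(sans)}; a client must reject (-k hides this)"


if __name__ == "__main__":
    for host in ("rest-prod.immedia-semi.com", "rest.prod.immedia-semi.com"):
        print(explain(host, WILDCARD_CERT_SANS))
        print(explain(host, CLOUDFRONT_DEFAULT_SANS))
```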

@AndreasAchtzehn AndreasAchtzehn changed the title rest.prod.immedia-semi.com: SSL Certificate mismatch and endpoint error (HTTP 403) [LOGIN] rest-prod.immedia-semi.com: HTTP 406 error (was: SSL Certificate mismatch and endpoint error (HTTP 403)) May 20, 2023
@fronzbot
Owner

Just to clarify: you cannot login using the blinkpy library either? So far you've only posted curl commands

@AndreasAchtzehn
Author

AndreasAchtzehn commented May 20, 2023

> Just to clarify: you cannot login using the blinkpy library either? So far you've only posted curl commands

So far I have been using blinkpy as part of homeassistant. It stopped working some time back. Since I couldn't get it to run again, I upgraded to homeassistant 2023.5.2 with blinkpy 0.19.2 and tried to reinstall the Blink integration. The dialogue for entering the credentials shows up, but after entering the credentials and clicking on "send" I'm faced with an empty response box. The integration then does not proceed in the installation process.

When I try it via the console I run into a login endpoint failure:

(homeassistant) homeassistant@server05:/srv/homeassistant$ python3
Python 3.11.3 (main, Apr  5 2023, 14:15:06) [GCC 9.4.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> from blinkpy.blinkpy import Blink
>>> 
>>> blink = Blink()
>>> blink.start()
Username: [email protected]
Password:
Login endpoint failed. Try again later.
Cannot setup Blink platform.
False

EDIT: Just confirmed the error with the latest version of blinkpy and debugging enabled. The same 406 HTTP error is returned:

(venv) xxx@server05:~/blinkpy/blinkpy$ python3
Python 3.11.3 (main, Apr  5 2023, 14:15:06) [GCC 9.4.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> from blinkpy.blinkpy import Blink
>>> import logging
>>> logging.basicConfig(level=logging.DEBUG)
>>> blink = Blink()
>>> blink.start()
Username:[email protected]
Password:
INFO:blinkpy.auth:Token expired, attempting automatic refresh.
INFO:blinkpy.auth:Attempting login with https://rest-prod.immedia-semi.com/api/v5/account/login
DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): rest-prod.immedia-semi.com:443
DEBUG:urllib3.connectionpool:https://rest-prod.immedia-semi.com:443 "POST /api/v5/account/login HTTP/1.1" 406 20
ERROR:blinkpy.auth:Login endpoint failed. Try again later.
ERROR:blinkpy.blinkpy:Cannot setup Blink platform.

@oilervoss

New cat and mouse run? Would this help #568 (comment)?

https://github.com/alufers/mitmproxy2swagger

@AndreasAchtzehn
Author

@oilervoss : Thanks for the API dump, that's indeed what's necessary to see and try to fix the issue! Do you happen to have a dump from the login procedure as well? In the extract I found only regular interactions after the user is already authenticated. But maybe I missed something?

@oilervoss

I'm so sorry @AndreasAchtzehn, I wasn't able to extract the dump myself. That dump was @selfagency's work on Jun 15, 2022.
I've tried but I'm not skillful enough.

@stale

stale bot commented Aug 12, 2023

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs within seven days. Thank you for your contributions.

@stale stale bot added the stale label Aug 12, 2023