Could not create SSL/TLS secure channel

It’s been a while since I’ve been able to access the Lifx servers.

I’m using https://api.lifx.com/v1/lights/all with a bearer token. To make sure, I just generated a new token, but it didn’t fix the problem.

For now, I’m using the LAN API but it means I can’t get updated info from the servers.

Possibly related: My Vera stopped activating my LIFX notifications - #14 by daniel_hall

Hi folks! LIFX’s TLS certificates have expired! Our own integrations with LIFX recently stopped working, because the certificate for *.lifx.com (served from both api.lifx.com and cloud.lifx.com) expired on Aug 30 23:41:28 2019 GMT.

Someone from LIFX should renew their certificate immediately.

A little more investigation appears to show that if your TLS connection supplies the Server Name Indication extension (SNI) in your TLS requests, you will get a valid, non-expired certificate. If you don’t supply a SNI extension, however, you will be served an expired certificate.

I’m not sure if LIFX will be updating the certificate for connections that don’t supply the SNI extension in their TLS requests, but we are going to update our end immediately to pass in the correct SNI extension.

I can confirm that the non-SNI certificate we use is currently expired. This is due to a bug in our certificate renewal system. We are currently working on getting it updated to the latest version to fix this issue as a priority.

A good workaround for now (and you should really be doing this if you can) is to use a SNI capable client.

Thanks.

For now, I’ve worked around it using local control. When I have time, I’ll look into updating my software … or wait for your fix.

Bob Frankston

https://Frankston.com

We have corrected the issue in our certificate renewal system, and have updated the affected certificates. This issue is now resolved; clients not using SNI will now be able to connect.

If anyone has any issues regarding this matter, please don’t hesitate to contact either myself or @daniel_hall.

I’m still getting the error but currently use the LAN API to avoid depending on the cloud.

Any suggestions for how to track this down?

Could you provide some background as to how your integration is accessing the HTTP API, in particular which language/framework you are using and which versions, and which endpoints you are calling?

I finally got to try it again and still have the problem.
I have the token as “lifxToken”.

using (var wc = new WebClient()) {
    wc.Headers[HttpRequestHeader.Authorization] = "Bearer " + lifxToken;
    return wc.DownloadString(url);
}

The URL is
https://api.lifx.com/v1/lights/all

Error:

"System.Net.WebException: The request was aborted: Could not create SSL/TLS secure channel."

While that error is rather generic, it could be caused by the web client attempting to connect with an older version of TLS. You need to make sure that your connection is via TLS 1.2.

Thanks. I added

ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;

And it worked! Thanks!

(I’ll admit that I’m pleasantly surprised when fixes work).

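Added example (not code from any poster in this thread or from LIFX): a small C# diagnostic for the two causes discussed above, an expired certificate and a TLS version mismatch. It assumes .NET Framework, as in the WebClient snippet; the names TlsProbe and Probe are hypothetical, and the host defaults to the one named in the thread.

```csharp
// Added example: handshake with one TLS version at a time and report what the server presents.
using System;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;

static class TlsProbe
{
    static void Probe(string host, int port, SslProtocols protocol)
    {
        string certInfo = "no certificate received";
        try
        {
            using (var tcp = new TcpClient(host, port))
            using (var ssl = new SslStream(tcp.GetStream(), false,
                (sender, cert, chain, errors) =>
                {
                    if (cert != null)
                    {
                        var c = new X509Certificate2(cert);
                        certInfo = string.Format("subject={0}, notAfter={1:u}, policyErrors={2}",
                            c.Subject, c.NotAfter.ToUniversalTime(), errors);
                    }
                    // Record the details, but never accept a certificate that fails validation.
                    return errors == SslPolicyErrors.None;
                }))
            {
                // targetHost is matched against the certificate name and sent as the SNI server name.
                ssl.AuthenticateAsClient(host, null, protocol, false);
                Console.WriteLine("{0}: OK, negotiated {1}; {2}", protocol, ssl.SslProtocol, certInfo);
            }
        }
        catch (Exception ex)
        {
            // A version mismatch usually fails before any certificate is seen;
            // an expired certificate fails afterwards, with policyErrors filled in.
            Console.WriteLine("{0}: FAILED ({1}: {2}); {3}",
                protocol, ex.GetType().Name, ex.Message, certInfo);
        }
    }

    static void Main(string[] args)
    {
        string host = args.Length > 0 ? args[0] : "api.lifx.com";
        foreach (var p in new[] { SslProtocols.Tls, SslProtocols.Tls11, SslProtocols.Tls12 })
            Probe(host, 443, p);
    }
}
```

A line that fails with "no certificate received" points at protocol negotiation, while a failure that shows a past notAfter date points at the certificate itself.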