Issue with FW 1.20.0

Issue with FW 1.20.0

My GW updated to 1.20.0 last night. Tesla in their wisdom have included an https redirect on the local port but have failed to include a valid cert. I hope this will be corrected quickly as it is a severe impediment to those of us who monitor their equipment locally.

sylviaw79 | July 17, 2018

I wouldn't hold your breath on that. Best to retrieve Tesla's certificate and install it as an trusted certificate. Then block further access to the net for the GW so that Tesla cannot further mess things up for you. Of course, that will prevent you from using the ap.

sashton | July 18, 2018

I have got over the issue. I wasn't happy about importing the cert so I updated the script to ignore SSL/TLS errors for that local address.
I only use it to check the SoC of the battery. With that info and the expected insolation the following day the code makes decisions about when to run the appliances and when to charge the car (off-peak or partially from the PW). So the only damage was that my wife's car wasn't charged last night so she took mine this morning and I'm stuck here until the clouds clear.
I would prefer to stay connected as I am very interested in partaking in aggregated grid load mitigation and feel sure that will be a feature in the pipeline soon. If not by frequency response then by some other method (if it isn't due it bloody well should be!)

cwied | July 18, 2018

The normal certificate validation is meaningless in a LAN, unfortunately. The certificate authority (CA) is supposed to verify that the holder of the certificate is who they say they are. This works by DNS name in the Internet. On a LAN, it's your router (and you) that controls how you address the Powerwall, so there is no way for the certificate authority to know what to certify.

In a corporate environment, you'd probably use PKI and the IT group would certify the local LAN name of the device. You would trust the CA certificate and then automatically trust any certificates granted by that authority.

In the case of Home LANs where there's no IT, a self-signed certificate is probably the best you can do if you for some reason want encrypted communication on the LAN.

Honestly, I'm not quite clear why they think they need https on the LAN. It's somewhat an odd decision, but I guess Tesla has done other weird software things before. I get the sense that they sometimes lack expertise in technical areas and tend to reinvent the wheel.

sylviaw79 | July 18, 2018

My own gateway is completely refusing to negotiate TLS at the moment - the browser just hangs until it times out. I telephoned support, but the guy there didn't even know that the web interface existed.

The whole security on the web page concept seems illconceived. Before it stopped working, I found that a new password system has been introduced - but to reset the password, you only need to know the serial number, so what was the point? It's a shame Tesla don't use their development resources for something useful rather than wasting time on this.

cwied | July 19, 2018

The point of the password recovery system is that you need to prove physical access in order to reset it. This means a hacker can't change your password over the Internet. That part is actually reasonable.

There've been reports on other forums (e.g. that Tesla has turned off the Web UI on the gateway for some users. You might be in the same situation. Is it responding to http requests to do the redirect?

sylviaw79 | July 19, 2018

No, it's not doing the redirect either. It is, however, allowing the socket connection, it's not just responding to anything thereafer.

sylviaw79 | July 19, 2018

It does indeed appear that Telsa have disabled web access on my systems. Since it appears increasingly likely that this is going to end up before the NSW Civil and Administrative Tribunal, and that I am not the only one who is contemplating that, I think I'd start a commentary on the legal aspects in another thread.

sylviaw79 | July 19, 2018

I started the thread. It appears to have been deleted!

chrisc | September 14, 2018

It is very annoying that Tesla have done this. I just want to be able to have a monitor of that shows me the status. I even got a cheap Tablet that runs Android but the apk won't run on it! Finding it very hard to get through to the web based version which used to work.

cwied | September 15, 2018

Since this thread was created, people have concluded that this is actually a bug and not intentional on Tesla's part. It's not clear what causes it to happen, but for some people resetting the gateway has helped. If you have a reset button on your gateway, you can try that.

Shygar | September 17, 2018

I installed the self signed cert into my java keystore on my raspberry pi. I was back to uploading data again to after doing so.