FaserF / hassio-addons

My personal Homeassistant Add-Ons. For more details have a look at the sub-folders.

[Bug]: HTTPS is using a default certificate instead of provided ones #332

Closed espen795 closed 1 month ago

espen795 commented 1 month ago

The problem

Config

YAML file in the addon:

document_root: /share/htdocs
php_ini: default
default_conf: default
default_ssl_conf: default
website_name: myurl.com
ssl: true
certfile: origin.pem
keyfile: priv.key
init_commands: []

The .conf does appear to be correct (also for SSL)

605cee21-apache2:/etc/apache2/sites-enabled# cat 000-default.conf
<VirtualHost *:80>
ServerName myurl.com
ServerAdmin webmaster@localhost
DocumentRoot /var/www/localhost/htdocs/
#Redirect http to https
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
#End Redirect http to https
    ErrorLog /var/log/error.log
        #CustomLog /var/log/access.log combined
</VirtualHost>
605cee21-apache2:/etc/apache2/sites-enabled# cat 000-default-le-ssl.conf
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName myurl.com
ServerAdmin webmaster@localhost
DocumentRoot /var/www/localhost/htdocs/
    ErrorLog /var/log/error.log
        #CustomLog /var/log/access.log combined
SSLCertificateFile /ssl/origin.pem
SSLCertificateKeyFile /ssl/priv.key
</VirtualHost>
</IfModule>

Certificates I want used are in the folder.

05cee21-apache2:/etc/apache2/sites-enabled# cat /ssl/origin.pem
-----BEGIN CERTIFICATE-----
omitted, matches the one I want to be used
-----END CERTIFICATE-----
605cee21-apache2:/etc/apache2/sites-enabled# cat /ssl/priv.key
-----BEGIN PRIVATE KEY-----
omitted, matches the one I want to be used
-----END PRIVATE KEY-----

Issue

It is serving me the following certificate (empty one with default values)

-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

This matches the file found in (partly omitted):

605cee21-apache2:/etc/ssl/apache2# cat server.pem
-----BEGIN CERTIFICATE-----
MIIEIzCCAwugAwIBAgICO7QwDQYJKoZIhvcNAQELBQAwgakxCzAJBgNVBAYTAi0t
........
l5Ct45vWk8++h/mzK3Wt8L26rJp8W2GBtSRcRpAgM6poK/TpE+2WNDW57M8CE8wc
y7f+Xd+PCQ==
-----END CERTIFICATE-----

Workaround

If I do

605cee21-apache2:/etc/ssl/apache2# cp /ssl/origin.pem server.pem
605cee21-apache2:/etc/ssl/apache2# cp /ssl/priv.key server.key
605cee21-apache2:/etc/ssl/apache2# httpd
httpd (pid 2693) already running
605cee21-apache2:/etc/ssl/apache2# kill 2693
605cee21-apache2:/etc/ssl/apache2# httpd

I get the right certificate. But that shouldn't be needed I assume. Is there a fix? Thanks in advance!

What version of Home Assistant Core has the issue?

2024.10.0

What version of the addon has the issue?

2.9.4

What type of installation are you running?

Home Assistant OS

Add-On causing the issue

Apache2

Log information

Logs
s6-rc: info: service legacy-services: starting
s6-rc: info: service legacy-services successfully started
No username and/or password was provided. Skipping account set up.
You have activated SSL. SSL Settings will be applied
Here is your web file architecture.
total 240
-rwxrwxrwx    1 root     root           405 Feb  6  2020 index.php
-rwxrwxrwx    1 root     root           168 Oct  7 11:53 info.php
-rwxrwxrwx    1 root     root         19915 Jan  1  2024 license.txt
-rwxrwxrwx    1 root     root          7409 Jun 18 13:59 readme.html
-rwxrwxrwx    1 root     root          7387 Feb 13  2024 wp-activate.php
drwxrwx--x    9 root     root          4096 Oct  7 11:36 wp-admin
-rwxrwxrwx    1 root     root           351 Feb  6  2020 wp-blog-header.php
-rwxrwxrwx    1 root     root          2323 Jun 14  2023 wp-comments-post.php
-rwxrwxrwx    1 root     root          3033 Mar 11  2024 wp-config-sample.php
-rw-rw-rw-    1 apache   apache        3332 Oct  7 14:28 wp-config.php
drwxrwx--x    5 root     root          4096 Oct  7 14:30 wp-content
-rwxrwxrwx    1 root     root          5638 May 30  2023 wp-cron.php
drwxrwx--x   30 root     root         12288 Oct  7 14:21 wp-includes
-rwxrwxrwx    1 root     root          2502 Nov 26  2022 wp-links-opml.php
-rwxrwxrwx    1 root     root          3937 Mar 11  2024 wp-load.php
-rwxrwxrwx    1 root     root         51238 May 28 13:13 wp-login.php
-rwxrwxrwx    1 root     root          8525 Sep 16  2023 wp-mail.php
-rwxrwxrwx    1 root     root         28774 Jul  9 17:43 wp-settings.php
-rwxrwxrwx    1 root     root         34385 Jun 19  2023 wp-signup.php
-rwxrwxrwx    1 root     root          4885 Jun 22  2023 wp-trackback.php
-rwxrwxrwx    1 root     root          3246 Mar  2  2024 xmlrpc.php
Starting Apache2...
[Fri Oct 11 15:21:07.896101 2024] [mpm_prefork:notice] [pid 79:tid 79] AH00163: Apache/2.4.62 (Unix) PHP/8.3.12 mod_wsgi/5.0.0 Python/3.12 OpenSSL/3.3.2 configured -- resuming normal operations
[Fri Oct 11 15:21:07.896125 2024] [core:notice] [pid 79:tid 79] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'

Additional information

No response

FaserF commented 1 month ago

Hi, I understand your issue, but I cannot reproduce it. There is no "default" SSL certificate that will be chosen if none has been provided. So the "default" certificate you are getting is not from my addon and seems to be from WordPress, I guess?

I think WordPress uses another config, not the default Apache config, where my addon writes in the SSL path.

Could you try choosing a different path in the addon with no files, but with the same parameters for SSL then? You should see the default HA Apache2 page with the correct SSL certificate. If that's the case, everything is working from the addon.

espen795 commented 1 month ago

Hi, thank you for the quick response. You are very right, I removed everything WordPress-related and it did work again. Even after re-deploying WordPress it no longer occurs. I will close it.
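
A static check for the symptom in this thread (a certificate other than the configured one being served): list every port-443 virtual host across the Apache config files and flag any whose SSLCertificateFile differs from the expected path. This is an added example, not code from the add-on or the thread; the `conf.d/ssl.conf` entry is constructed input and the function names are hypothetical.

```python
import re

# Constructed sample input. The second entry is the add-on's SSL vhost as posted
# in the issue; the first is a hypothetical extra file that also claims port 443.
# Pass files in the order Apache includes them (an assumption of this sketch).
SAMPLE_CONFIGS = {
    "conf.d/ssl.conf (hypothetical)": """
<VirtualHost _default_:443>
SSLEngine on
SSLCertificateFile /etc/ssl/apache2/server.pem
SSLCertificateKeyFile /etc/ssl/apache2/server.key
</VirtualHost>
""",
    "sites-enabled/000-default-le-ssl.conf": """
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName myurl.com
SSLCertificateFile /ssl/origin.pem
SSLCertificateKeyFile /ssl/priv.key
</VirtualHost>
</IfModule>
""",
}

VHOST_OPEN = re.compile(r"<VirtualHost\s+([^>]+)>", re.I)
WANTED = re.compile(
    r"(ServerName|SSLCertificateFile|SSLCertificateKeyFile)\s+(\S+)", re.I)

def tls_vhosts(configs, port="443"):
    """List every <VirtualHost> bound to `port`, in the order given."""
    found, current = [], None
    for source, text in configs.items():
        for line in (raw.strip() for raw in text.splitlines()):
            opened = VHOST_OPEN.match(line)
            if opened:
                current = {"source": source, "listen": opened.group(1).split()}
            elif line.lower().startswith("</virtualhost"):
                if current and any(a.rsplit(":", 1)[-1] == port
                                   for a in current["listen"]):
                    found.append(current)
                current = None
            elif current is not None and (d := WANTED.match(line)):
                current[d.group(1).lower()] = d.group(2).strip('"')
    return found

def unexpected_certs(vhosts, expected_cert):
    """Vhosts whose SSLCertificateFile is missing or differs from the expected path."""
    return [v for v in vhosts if v.get("sslcertificatefile") != expected_cert]
```

On a running server, `httpd -S` prints the virtual hosts Apache actually parsed, which shows the same ordering from the live configuration.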