SLL handshake error?

[flatsiedatsie]

If I start mycroft pointed at the local server, I get a TLS error:

./start-mycroft.sh debug
Already up to date.
Starting all mycroft-core services
Initializing...
Starting cli
12:27:59.603 - mycroft.api:is_paired:514 - WARNING - Could not get device info: SSLError(MaxRetryError('HTTPSConnectionPool(host=\'0.0.0.0\', port=6712): Max retries exceeded with url: /v0.1/device/ (Caused by SSLError(SSLError("bad handshake: Error([(\'SSL routines\', \'tls_process_server_certificate\', \'certificate verify failed\')])")))'))

It seems Mycroft doesn't like self-signed certificates? How can that be changed?

[el-tocino]

You have to add the self signed cert to your local python keystore, then you can make this work.

There's also let's encrypt, though you have to renew pretty regularly.

[JarbasAl]

during testing i disabling verification to simply ignore this error, in the requests library this means simply adding verify=False (in mycroft-core api code)

self signed certificates are not safe, i think this error should be there, it will go away if you do what el-tocino said, if we just silence the error we are giving a false sense of security and you will be vulnerable to man in the middle attacks

we def need documentation on setting up proper lets encrypt certificates however

[flatsiedatsie]

How do I add it to my local keystore? By adding a path?

[flatsiedatsie]

in the requests library this means simply adding verify=False (in mycroft-core api code)

How do I do that?

Since I'm running this on the same device as the Mycroft code, setting up lets encrypt feels like overkill? Once set up, I also plan to not have this device connected to the internet, so network security is not so much an issue overall.

[el-tocino]

Google adding self-signed to the python keystore, lots of documentation on that, same with the requests library.

[flatsiedatsie]

I did, but the solution I found (adding a path) didn't work?

Will I have to compile Mycroft to make this change?

[el-tocino]

No idea what "adding a path" means.

https://stackoverflow.com/questions/30405867/how-to-get-python-requests-to-trust-a-self-signed-ssl-certificate https://stackoverflow.com/questions/39356413/how-to-add-a-custom-ca-root-certificate-to-the-ca-store-used-by-pip-in-windows

Python isn't usually compiled, it's interpreted, so making changes usually just requires a restart of things.

[JarbasAl]

if you are running on the same device you do not need to use ssl, i also recommend using 127.0.0.1 as host instead of 0.0.0.0

[flatsiedatsie]

Alright, I now have tried this:

~/mycroft-core/mycroft/configuration/mycroft.conf

  // Address of the REMOTE server
  "server": {
    "url": "http://127.0.0.1:6712",
    "version": "v0.1",
    "update": true,
    "metrics": true,
    "ssl": false
  },

  // The mycroft-core messagebus websocket
  "websocket": {
    "host": "0.0.0.0",
    "port": 8181,
    "route": "/core",
    "ssl": false
  },

  // The GUI messagebus websocket.  Once port is created per connected GUI
  "gui_websocket": {
        "host": "0.0.0.0",
        "base_port": 18181,
        "route": "/gui",
        "ssl": false
  },

~/.mycroft/personal_backend

{
"backend_port": 6712,
"website_port": 5000,
"ssl": false,
"ssl_key": "/home/pi/.mycroft/personal_backend/certs/MycroftPersonalServer.key",
"ssl_cert": "/home/pi/.mycroft/personal_backend/certs/MycroftPersonalServer.crt$
"mail_port": 465,
"mail_server": "smtp.blablabla.com",
"mail_user": "xxx@gmal.com",
"mail_password": "xxx",
"secret_key": "MY_PRECIOUS_SECRET_KEY",
"salt": "MY_TABLE_SALT"
}

I've modified the code to avoid the requirement to verify an email address.

By the way, I noticed the certificate generation python script uses SHA1 instead of SHA256. I notived this because Chrome gave a warning/error about the certificate being too unsafe.