etesync / etesync-dav

This is a CalDAV and CardDAV adapter for EteSync
https://www.etesync.com
GNU General Public License v3.0

Self-hosting with self-signed certificate #97

Closed Schabolon closed 5 years ago

Schabolon commented 5 years ago

Hi, my problem is that I am running my own etesync-server with a self-signed certificate. When I try to add a new user to the etesync-dav adapter, I get the following error:

HTTPSConnectionPool(host='192.168.5.83', port=8000): Max retries exceeded with url: /api-token-auth/ (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate (_ssl.c:1056)')))

How should I fix this problem?

tasn commented 5 years ago

You need to set an environment variable to tell etesync-dav to accept your self-signed cert:

export REQUESTS_CA_BUNDLE=/path/to/your/certificate.pem

I'm closing this as fixed, please reopen if it doesn't fix it.

Schabolon commented 5 years ago

So first of all, thank you very much for your answer. I think it kind of worked, but now I am getting another error message:

HTTPSConnectionPool(host='192.168.5.83', port=8000): Max retries exceeded with url: /api-token-auth/ (Caused by SSLError(SSLCertVerificationError('no appropriate commonName or subjectAltName fields were found')))

Can't reopen the issue, because I didn't close it.

tasn commented 5 years ago

It means that you didn't generate the self-signed certificate correctly. More specifically, it means that the address you gave to etesync-dav to use does not match the hostname of the certificate served.

How did you generate the cert and what's the hostname you're using?

Schabolon commented 5 years ago

I am not quite sure how I generated the cert (it was rather long ago). I provided etesync-dav with the IP address of the server (so just the numbers with https:// in front). But if I understand it correctly, the certificate should include the IP address as well. I think it should be no problem for me to just generate new certificates in this case.

tasn commented 5 years ago

If you are using the IP address, yes, it should be included. If you are using a hostname, it should be set.

This is how I generate certs for development:

openssl req -x509 -sha256 -key domain.key -subj "/CN=myserver.local" -out cert.pem -days 5000

You should replace the myserver.local part with your server's hostname or IP address. This is not a limitation of etesync-dav, it's just the Python standard library complaining about a bad certificate. You can probably use an env var to tell it not to complain, but it's better to just have correct certs.
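
An added example, not posted by anyone in this thread and not etesync-dav's own tooling: many current TLS clients match only subjectAltName entries, and an IP address needs an IP-type entry there, so this sketch generates a self-signed certificate that lists both the IP address and the hostname and checks it before the client is told to trust it. The helper names are hypothetical; the address, hostname and file names are the ones used in the thread, and OpenSSL 1.1.1 or newer is assumed for `-addext`.

```shell
#!/bin/sh
# Added example; make_cert, cert_matches_ip and cert_matches_host are
# hypothetical helper names. Requires OpenSSL 1.1.1 or newer for -addext.

# make_cert IP DNSNAME OUTDIR
# Writes OUTDIR/domain.key and OUTDIR/cert.pem, self-signed, with both the
# IP address and the DNS name listed in subjectAltName.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -keyout "$3/domain.key" -out "$3/cert.pem" \
        -subj "/CN=$2" \
        -addext "subjectAltName=IP:$1,DNS:$2" 2>/dev/null
}

# cert_matches_ip CERT IP: succeeds only if CERT has IP as an iPAddress SAN.
cert_matches_ip() {
    openssl x509 -in "$1" -noout -checkip "$2" |
        grep -q "does match certificate"
}

# cert_matches_host CERT NAME: succeeds only if CERT is valid for NAME.
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" |
        grep -q "does match certificate"
}

# Demo with the address from the thread, in a throwaway directory.
dir=$(mktemp -d)
make_cert 192.168.5.83 myserver.local "$dir"
if cert_matches_ip "$dir/cert.pem" 192.168.5.83; then
    echo "certificate covers 192.168.5.83; on the client run:"
    echo "  export REQUESTS_CA_BUNDLE=$dir/cert.pem"
else
    echo "certificate does not cover 192.168.5.83" >&2
fi
```

The same `cert_matches_ip` check can be pointed at an existing cert.pem to see whether it covers the address given to etesync-dav before regenerating anything.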

Schabolon commented 5 years ago

Ok, it works now :) Thank you very much for your help.

tasn commented 5 years ago

With pleasure.