jens-maus / RaspberryMatic

:house: A feature-rich but lightweight, buildroot-based Linux operating system alternative for your CloudFree CCU3/ELV-Charly 'homematicIP CCU' IoT smarthome central. Running as a pure virtual appliance (ProxmoxVE, Home Assistant, LXC, Docker/OCI, Kubernetes/K8s, etc.) on a dedicated embedded device (RaspberryPi, etc.) or generic x86/ARM hardware.
https://raspberrymatic.de
Apache License 2.0

certificate from homematic can not be deleted or replaced with a new file #2322

Closed antoniobeermann closed 1 year ago

antoniobeermann commented 1 year ago

Describe the issue you are experiencing

I am running 3.69.7.20230506

I tried to replace the original certificate which I generated via GUI about 2022.

I was not able to delete the old one with the GUI button. I was not able to replace it from the GUI with a certificate generated on another system with internet access.

None of the actions produced an error. The webserver seemed to restart. Even a manual restart of raspimatic did not solve the problem.

Describe the behavior you expected

I thought delete would remove the once uploaded file instantly. I thought uploading a new one would replace the original one.

Steps to reproduce the issue

  1. Generate a Certificate via the GUI
  2. Try to delete it via GUI
  3. Or try to upload your own
  4. reboot or check the file via ssh

still the old one

What is the version this bug report is based on?

3.69.7.20230506

Which base platform are you running?

rpi3 (RaspberryPi3)

Which HomeMatic/homematicIP radio module are you using?

RPI-RF-MOD

Anything in the logs that might be useful for us?

- I created a pem file on my firewall with an acme plugin with the correct CN and DNS entry

my solution:
 - ssh into raspimatic
 - saved the original /usr/local/etc/config/server.pem to server-old.pem
 - copied my own pem file over it
 - needed to restart the raspimatic to take effect

worked - no browser warning anymore

Additional information

No response

SteffnVo commented 1 year ago

Thank you for your workaround. Now the own certificate pem is working.

HausOe commented 1 year ago

Hello, I have the same issue as antoniobeermann.

Error message on manual restart of webserver:

root@raspberrymatic:/usr/local/etc/config# /etc/init.d/S50lighttpd reload
Reloading lighttpd: creating new SSL cert... _OK

OK, I checked the commands for reloading the webserver. The cert check failed with this result (with my Let's Encrypt cert converted to server.pem):

root@raspberrymatic:/usr/local/etc/config# /usr/bin/openssl x509 -checkend 86400 -noout -in /etc/config/server.pem
unable to load certificate
547605513408:error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag:crypto/asn1/tasn_dec.c:1149:
547605513408:error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error:crypto/asn1/tasn_dec.c:309:Type=X509_CINF
547605513408:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:crypto/asn1/tasn_dec.c:646:Field=cert_info, Type=X509
547605513408:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:crypto/pem/pem_oth.c:33:

In the past I copied the key-file and the crt-file in one server.pem-file and SSL was working. If I use key-file and the cer-file with my LANCOM-devices, I have a working SSL connection.

RBM-Version: 3.69.7.20230626
Hardware: Raspberry 3B+
RF-Interface: HM-MOD-RPI-PCB & HB-RF-USB-2

My first not working (!) "solution":

Result: SSL-check is passed and no new cert is generated but the webserver is now not starting anymore.

Regards,

Henning

ZTHawk commented 1 year ago

I have the same issue with 3.69.7.20230626.

Then tried this:

Edit: SSH into raspberrymatic and replacing '/usr/local/etc/config/server.pem' followed by a restart did help.

jens-maus commented 1 year ago

@ZTHawk can you please share the principal structure of the server.pem file you tried to upload via the WebUI? There are actually some structure checks which may fail, resulting in the behaviour you explained here. Obviously your server.pem file looks different to what the WebUI expects when uploading it.

ZTHawk commented 1 year ago

The structure of the file I tried to upload is the same that I have inserted in the server.pem:

jens-maus commented 1 year ago

The structure of the file I tried to upload is the same that I have inserted in the server.pem:

  • Private key - unencrypted
  • Cert
  • Cert CA

Sure, but please show it here as an example file. Especially interesting would be which delimiter -----START PRIVATE KEY.... it contains, etc. If you can share your whole / or an older server.pem which also does not work please do so.

ZTHawk commented 1 year ago

Content (I hope this is what you requested):

-----BEGIN RSA PRIVATE KEY-----
private key
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
my cert
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
my CA cert
-----END CERTIFICATE-----
<empty line>
jens-maus commented 1 year ago

Ok, I think I have found and fixed the issue. Thus, with the next nightly snapshot or official release version it should be fixed.

raldone01 commented 6 months ago

Content (I hope this is what you requested):

-----BEGIN RSA PRIVATE KEY-----
private key
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
my cert
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
my CA cert
-----END CERTIFICATE-----
<empty line>

Thanks that worked.

I converted my .p12 file to .pem with: openssl pkcs12 -in ccu.localdomain.p12 -out ccu.pem -nodes

Then I had to delete all the other stuff and manually reorder the blocks so the private key comes first.

-----BEGIN RSA PRIVATE KEY-----
priv key unencrypted
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
cert1
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
cert2
-----END CERTIFICATE-----
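As an added example (not code from this issue or from RaspberryMatic), a small Python check that splits a server.pem candidate into its PEM blocks, reports deviations from the layout the thread converged on (one unencrypted private key first, then the certificate and CA certificate, nothing outside the blocks), and rebuilds `openssl pkcs12 -nodes` style output into that layout. The sample input is constructed with placeholder bodies, not real key material.

```python
import re

# One PEM block: matching BEGIN/END labels, body captured between them.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\n(.*?)\n-----END \1-----\n?", re.S)
# Labels of unencrypted key blocks; "ENCRYPTED PRIVATE KEY" is deliberately absent.
KEY_LABELS = {"RSA PRIVATE KEY", "EC PRIVATE KEY", "PRIVATE KEY"}


def parse_pem_blocks(text):
    """Return (label, body) pairs for every PEM block, in file order."""
    return [(m.group(1), m.group(2)) for m in PEM_BLOCK.finditer(text)]


def check_server_pem(text):
    """List structural problems; an empty list means: key first, then certs,
    key unencrypted, nothing outside the blocks, trailing newline present."""
    blocks = parse_pem_blocks(text)
    if not blocks:
        return ["no PEM blocks found"]
    labels = [label for label, _ in blocks]
    problems = []
    if labels[0] not in KEY_LABELS:
        problems.append("first block is %r, expected an unencrypted private key" % labels[0])
    if "ENCRYPTED PRIVATE KEY" in labels or "Proc-Type: 4,ENCRYPTED" in text:
        problems.append("private key is encrypted; lighttpd cannot load it without a passphrase")
    if sum(1 for label in labels if label in KEY_LABELS) > 1:
        problems.append("more than one private key block")
    if "CERTIFICATE" not in labels[1:]:
        problems.append("no CERTIFICATE block after the private key")
    # 'Bag Attributes' lines from openssl pkcs12 are the "other stuff" above.
    leftover = PEM_BLOCK.sub("", text).strip()
    if leftover:
        problems.append("text outside PEM blocks: %r" % leftover.splitlines()[0])
    if not text.endswith("\n"):
        problems.append("file does not end with a newline")
    return problems


def normalize_server_pem(text):
    """Rebuild the file as: private key, then certificates in original order,
    dropping anything outside PEM blocks. Needs exactly one unencrypted key."""
    blocks = parse_pem_blocks(text)
    keys = [b for b in blocks if b[0] in KEY_LABELS]
    certs = [b for b in blocks if b[0] == "CERTIFICATE"]
    if len(keys) != 1 or not certs:
        raise ValueError("need exactly one unencrypted private key and at least one certificate")
    return "".join("-----BEGIN %s-----\n%s\n-----END %s-----\n" % (l, b, l) for l, b in keys + certs)


# Constructed sample resembling pkcs12 -nodes output: certs first, bag attributes, key last.
PKCS12_OUTPUT = ("Bag Attributes\n    localKeyID: 01\n-----BEGIN CERTIFICATE-----\nCERT1PLACEHOLDER\n"
                 "-----END CERTIFICATE-----\nBag Attributes\n-----BEGIN CERTIFICATE-----\nCACERTPLACEHOLDER\n"
                 "-----END CERTIFICATE-----\nKey Attributes: <No Attributes>\n-----BEGIN PRIVATE KEY-----\n"
                 "KEYPLACEHOLDER\n-----END PRIVATE KEY-----\n")
```

Running `check_server_pem` on the raw pkcs12 output reports the certificate-first order and the bag attribute lines; the output of `normalize_server_pem` passes cleanly.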