Closed litronics closed 1 year ago
I am no expert at certificate chains to be honest.
But I remember that we had some topics related to this already. (Reference: #82)
deliver the full chain with the ssl certificate to the browser
Can you confirm that this is configured according to https://github.com/openhab/openhab-vscode/blob/main/docs/USAGE.md#openhab-rest-api-and-ssl-certificates ?
I have no idea what should be wrong otherwise currently.
Thanks for your reply.
While reading through some other issues and documentation - it could also be connected to the Docker container where my VSCode dev environment is running in.
The error message would be somehow misleading if it would be a non-existent trusted root certificate in the container, but I am currently assuming that this might be the issue. Will test it later on and come back to this issue with the results.
Digging deeper into that I discovered the root cause which is kind of stupid but if you know that issue it is avoidable.
I am running my development environment in a docker container based on Ubuntu 22.04. I initially missed to install my root certificate within the container.
I installed the FULL certificate chain (including the self-signed root certificate) in OH. According to that configuration OH provided three certificates (root / subordinate / host) to the client where the root certificate, by design, must be self-signed. This leads, for example, also to an error message in openssl :) A good description of the issue and how to prevent it can be found here: https://www.microfocus.com/documentation/visual-cobol/vc70/CSWin/HHSTSTCERT06.html
I did the following:
I am running openHAB 3.4.0.M4 VSCode extension Version [1.0.0]
On openHAB I have a valid certificate from my own CA (offline Root - Subordinate) and deliver the full chain with the ssl certificate to the browser.
My Workspace configuration:
Expected Behavior
I would expect that the API connection works without certificate errors.
Current Behavior
Currently I get the following Error message:
Possible issue / resolution
The extension verifies all certificates in the chain and throws an error if a self-signed one is found. As my root certificate is self-signed by default - the extension should accept self-signed certificates as long as they represent the root certificate (should be verified with the trusted root certificate on the machine).
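
The resolution described in this thread (the server was handing out the self-signed root together with the subordinate and host certificates) can be checked on the PEM bundle before it is installed on the server. The following is an added example, not part of the original thread or of the openHAB project; the function names and file layout are hypothetical, and it assumes the `openssl` command-line tool is available.

```shell
# Added example: leave self-issued (root) certificates out of a PEM bundle so
# the server presents only the host and subordinate CA certificates.
# Function names are hypothetical; requires the openssl CLI.

# Split bundle $1 into $2/cert-1.pem, $2/cert-2.pem, ... in bundle order.
split_bundle() {
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; on = 1 }
    on { print > (dir "/cert-" n ".pem") }
    /-----END CERTIFICATE-----/ { on = 0 }
  ' "$1"
}

# True when subject and issuer names are identical (self-issued, which is the
# root in a normal CA hierarchy). Compares names only, not the signature.
is_self_issued() {
  [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
    "$(openssl x509 -in "$1" -noout -issuer_hash)" ]
}

# Write every non-root certificate of bundle $1 to $2 and echo the number of
# self-issued certificates that were left out.
strip_roots() {
  tmp=$(mktemp -d) || return 1
  split_bundle "$1" "$tmp"
  : > "$2"
  dropped=0
  i=1
  while [ -f "$tmp/cert-$i.pem" ]; do
    if is_self_issued "$tmp/cert-$i.pem"; then
      dropped=$((dropped + 1))
    else
      cat "$tmp/cert-$i.pem" >> "$2"
    fi
    i=$((i + 1))
  done
  rm -rf "$tmp"
  echo "$dropped"
}
```

The root certificate that is left out still has to be present in the trust store of the client, which in this thread is the Ubuntu 22.04 container running the development environment.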