openhab / openhab-vscode

VS Code extension for openHAB configuration files
https://marketplace.visualstudio.com/items?itemName=openhab.openhab
Eclipse Public License 2.0

API via HTTPs - Error: self signed certificate in certificate chain #314

Closed litronics closed 1 year ago

litronics commented 1 year ago

I am running openHAB 3.4.0.M4 with VSCode extension version 1.0.0.

On openHAB I have a valid certificate from my own CA (offline Root - Subordinate) and deliver the full chain with the SSL certificate to the browser.

My Workspace configuration:

{
    "openhab.connection.authToken": "TOKEN...",
    "openhab.useRestApi": true,
    "openhab.connection.host": "https://openhab.domain.local",
    "openhab.connection.port": 9443
}

Expected Behavior

I would expect that the API connection works without certificate errors.

Current Behavior

Currently I get the following Error message:

Could not reload items for Things Explorer

---
    Error:
        Error while connecting to openHAB REST API.

    Message:
        Error: self signed certificate in certificate chain
---

Possible issue / resolution

The extension verifies all certificates in the chain and throws an error if a self-signed one is found. As my root certificate is self-signed by default, the extension should accept self-signed certificates as long as they represent the root certificate (which should be verified against the trusted root certificate on the machine).

Confectrician commented 1 year ago

I am no expert at certificate chains to be honest.

But I remember that we had some topics related to this already. (Reference: #82)

deliver the full chain with the ssl certificate to the browser

Can you confirm that this is configured according to https://github.com/openhab/openhab-vscode/blob/main/docs/USAGE.md#openhab-rest-api-and-ssl-certificates ?

I have no idea what should be wrong otherwise currently.

litronics commented 1 year ago

Thanks for your reply.

While reading through some other issues and documentation, it could also be connected to the Docker container that my VSCode dev environment is running in.

The error message would be somewhat misleading if the cause were a non-existent trusted root certificate in the container, but I am currently assuming that this might be the issue. I will test it later on and come back to this issue with the results.

litronics commented 1 year ago

Digging deeper into that, I discovered the root cause, which is kind of stupid, but if you know about that issue it is avoidable.

Description of issue 1:

I am running my development environment in a Docker container based on Ubuntu 22.04. I initially missed installing my root certificate within the container.

Description of issue 2:

I installed the FULL certificate chain (including the self-signed root certificate) in OH. According to that configuration, OH provided three certificates (root / subordinate / host) to the client, where the root certificate, by design, must be self-signed. This also leads, for example, to an error message in openssl :) A good description of the issue and how to prevent it can be found here: https://www.microfocus.com/documentation/visual-cobol/vc70/CSWin/HHSTSTCERT06.html

Solution

I did the following:

  1. reconfigured the OH keystore to provide only the host and subordinate certificates within the chain
  2. added my root and subordinate certificates to the trusted certificates within the devcontainer (done within the Dockerfile)
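The two checks behind this resolution, as an added example that is not part of the issue or the openhab-vscode project: dump the chain a server actually presents, and flag any certificate in a PEM bundle whose issuer equals its subject (a self-signed root shipped in the chain, which is exactly what the extension's error message refers to). It assumes only the openssl CLI; host and port are those from the workspace configuration above.

```shell
#!/bin/sh
# Added example, not from the openhab-vscode project. Requires the openssl CLI.

# Print the certificate chain a TLS server sends, in PEM form, in the order
# the client (here: the VS Code extension) receives it. Usage:
#   fetch_chain openhab.domain.local 9443 > chain.pem
fetch_chain() {
    openssl s_client -connect "$1:$2" -servername "$1" -showcerts </dev/null 2>/dev/null \
        | sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p'
}

# For every certificate in a PEM bundle print "index: subject | issuer" and
# mark the ones that are self-signed (issuer identical to subject).
# Returns 0 if at least one self-signed certificate is in the bundle (the
# "self signed certificate in certificate chain" situation), 1 otherwise.
chain_report() {
    bundle="$1"
    count=$(grep -c 'BEGIN CERTIFICATE' "$bundle") || count=0
    tmp=$(mktemp)
    idx=0
    found=1
    while [ "$idx" -lt "$count" ]; do
        # extract the (idx+1)-th PEM block: awk counts BEGIN lines and prints
        # every line while the counter equals the wanted block number
        awk -v n="$((idx + 1))" '/BEGIN CERTIFICATE/ { c++ } c == n' "$bundle" > "$tmp"
        subj=$(openssl x509 -in "$tmp" -noout -subject)
        iss=$(openssl x509 -in "$tmp" -noout -issuer)
        subj=${subj#subject=}
        iss=${iss#issuer=}
        if [ "$subj" = "$iss" ]; then
            printf '%d: %s | %s  [SELF-SIGNED]\n' "$idx" "$subj" "$iss"
            found=0
        else
            printf '%d: %s | %s\n' "$idx" "$subj" "$iss"
        fi
        idx=$((idx + 1))
    done
    rm -f "$tmp"
    return "$found"
}
```

A chain that is "host, subordinate" only (as in step 1 above) makes `chain_report` return 1; the root then has to come from the client's trust store, which is what step 2 fixes inside the container.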