openhab / openhab-vscode

VS Code extension for openHAB configuration files
https://marketplace.visualstudio.com/items?itemName=openhab.openhab
Eclipse Public License 2.0

Connect to REST API via HTTPS #82

Closed OliverHi closed 4 years ago

OliverHi commented 6 years ago

My openhab instance is running on a Raspberry Pi and shares its config files via Samba. On another Windows PC in the network I have installed VS Code with the openhab addon. I am getting an "Error while connecting to openHAB REST API." error though.

I think my problem is that openhab is only reachable over https on a special port. https://192.168.2.xxx:8444/rest is working and returning some text. So I added

    {
        "openhab.host": "https://192.168.2.xxx",
        "openhab.port": 8444
    }

to my config but the error remains. I also tried it with https://dns-name but no luck either. Expected behavior for this would be to either just connect with the https in the host string or another setting to enable https.

lsiepel commented 6 years ago

I had trouble too. After a VS Code restart they were gone. If that doesn't help, could you look into the access.log to see if any https request gets logged?

OliverHi commented 6 years ago

@lsiepel I restarted several times and tried different settings, so I think this does not help. What access.log are you talking about? Something from openhab or VS code? I will take a look at it if you tell me where to find it.

kubawolanin commented 6 years ago

Hi @OliverHi @lsiepel,

Could you try a copy of the extension from this post?

Cheers

OliverHi commented 6 years ago

@kubawolanin With this copy I still get an error message but a more interesting one: Error while connecting to openHAB REST API. self signed certificate

This is true, I am using the certificate generated by openhab. This is just fine for me though. Can I somehow tell the extension to ignore this?

kubawolanin commented 6 years ago

@OliverHi did you try those steps described in the official VSCode docs? I have no experience with self signed certificates so can't help much.

OliverHi commented 6 years ago

@kubawolanin I am not really sure what to do. I tried importing the certificate in windows but that did not help. I also tried to start VSCode with the --ignore-certificate-errors argument from the command line but that did not change anything. Is there something I overlooked?

rbi commented 6 years ago

@kubawolanin I have installed the extension you've linked in your comment. For me it works now. I have a valid certificate from Let's Encrypt. My configuration is:

    "openhab.host": "https://openhab.somedomain.de",
    "openhab.port": 443,
...

just with another domain.

justClouds commented 5 years ago

I am running vscode-openhab 0.4.0 and am trying to connect to the REST API via https. I use a Let's Encrypt certificate for that domain. The OH ports are behind an NGINX proxy running on a separate host. When trying to open the OH menu on the left, VS Code throws:

Error while connecting to openHAB REST API. Parse Error

My VS Code extension settings:

    "openhab.host": "https://openhab.domain.nl",
    "openhab.port": 443,
    ...

Connecting to https://openhab.domain.nl/rest via the browser gives:

    {"version":"1","links":[{"type":"uuid","url":"https://openhab.domain.nl/rest/uuid"},{"type":"thing-types","url":"https://openhab.domain.nl/rest/thing-types"},{"type":"bindings",
    ...

Apparently @rbi was successful with version 0.3.5 of the extension, but with the current version it does not work for me. BTW, when connecting directly (not via proxy) using http on port 8080 on the OH host, the REST API works and I get all the items and things in the left pane.

Confectrician commented 5 years ago

Hey @justClouds -> did you try it with the 0.3.5 version already? Maybe we can tear down the problem to changes that were made between these versions.

justClouds commented 5 years ago

Sorry, little busy. Will test asap.

pinkkoff commented 5 years ago

0.4.1 extension REST API not working via HTTPS. I have a domain name, a valid cert and I have access to /rest via browser.

Confectrician commented 5 years ago

Could you please share a screen of your browser and your openhab host and port settings just to double check the config?

pinkkoff commented 5 years ago

> Could you please share a screen of your browser and your openhab host and port settings just to double check the config?

My fault. I restarted my VS Code several times and https with the right port and auth is working well. I checked it yesterday and it didn't work. Some troubles in config, I guess. Sorry for that.

Is there any way to use https with domain name with auth, deny access to OH via LAN (only with proxy) and use LSP?

Confectrician commented 5 years ago

> Is there any way to use https with domain name with auth, deny access to OH via LAN (only with proxy) and use LSP?

Not sure about this, since the language server uses a different port. But we are working on another lsp implementation (see pull requests). The LSP server is an "extension internal one" for the beginning, which uses the rest api to fetch item/thing names.

With this setup and a working rest connection over https this should be possible. Not sure how it will be for the remoteLSP part then.

SamuelBrucksch commented 5 years ago

You cannot access the LSP server from outside or over the http/https protocol. The LSP uses its own port and protocol and is not tunneled through http(s) or the openhab remote service. So the only way to access the openhab LSP is to connect to it directly through the local network. Or if you have a VPN that behaves like a local network.

Confectrician commented 5 years ago

> Not sure how it will be for the remoteLSP part then.

That's why I wrote this. We will have at least local LSP functionality since we are using the REST API for caching items. So the local part should run fine when one has only REST with https enabled.

wwebers commented 5 years ago

This is seriously a bummer when heavily working with textual configuration files. Without the access to the REST API I could even work native with any text editor. I have no clue what the problem is with this extension: chromium's not complaining, chrome's not complaining.

[Update] I found something which hints that this fricking "request-promise-native" library is the culprit. Maybe better ditching this one and use something that works with SSL-chains. I tested a bit locally and it seems this library works best with single SSL certificate, but not so well with chains.

I'm not that inside this JavaScript world (I luckily was able to refuse that part in my life), so I cannot give a better alternative. However, it seems to me this library is pretty much dead (no updates for years, pretty much like QueryDSL in my Java world).

Maybe the maintainer of this extensions could review another one?

wwebers commented 5 years ago

Exactly as I thought: node.js is the culprit (as always). This framework from hell has problems with certificate chains, more exactly with a certificate being signed with an intermediate certificate from the original CA. That's quite usual and has sometimes led to problems in the past. However, Node.js seems to be quite picky about those chains. Even though I imported the intermediate cert into my operating system's trusted chain, it's claiming to be unable to verify the first certificate.

Solution: Create a chained certificate like mentioned here in the NGINX documentation:

http://nginx.org/en/docs/http/configuring_https_servers.html

Take care to use the correct order when merging together all certificates. Additionally, when using "cat" under Linux or Mac, double check that both certs are separated with a 'newline' character.
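The concatenation pitfall described above, as an added example that is not part of the original comment: shell helpers that build the chained file with the server certificate first and a guaranteed newline between certificates, then check the result structurally (markers only, no signature validation). File names and certificate bodies are constructed placeholders.

```bash
#!/usr/bin/env bash
# Added example. File names and certificate bodies are constructed placeholders.

# Write two PEM-shaped sample files; server.pem deliberately lacks a trailing
# newline, which is what makes a plain `cat` fuse the two certificates.
make_samples() {
    printf '%s\n%s\n%s' '-----BEGIN CERTIFICATE-----' \
        'Q09OU1RSVUNURUQtU0VSVkVS' '-----END CERTIFICATE-----' > "$1/server.pem"
    printf '%s\n%s\n%s\n' '-----BEGIN CERTIFICATE-----' \
        'Q09OU1RSVUNURUQtSU5URVJN' '-----END CERTIFICATE-----' > "$1/intermediate.pem"
}

# build_chain OUT SERVER_CERT INTERMEDIATE...
# Concatenate in the order given (server certificate first), adding a newline
# after any input file that does not already end with one.
build_chain() {
    local out="$1" f
    shift
    : > "$out"
    for f in "$@"; do
        cat "$f" >> "$out"
        # Command substitution strips a final newline, so a non-empty result
        # means the last byte of the file is not a newline.
        if [ -n "$(tail -c1 "$f")" ]; then
            printf '\n' >> "$out"
        fi
    done
}

# check_chain BUNDLE: return 0 if the bundle is structurally sound, else 1.
check_chain() {
    local bundle="$1" begins ends
    if grep -q -e 'END CERTIFICATE-----.*-----BEGIN CERTIFICATE' "$bundle"; then
        echo "$bundle: two certificates fused on one line (missing newline)" >&2
        return 1
    fi
    begins=$(grep -c -e '^-----BEGIN CERTIFICATE-----$' "$bundle" || true)
    ends=$(grep -c -e '^-----END CERTIFICATE-----$' "$bundle" || true)
    if [ "$begins" -lt 2 ] || [ "$begins" -ne "$ends" ]; then
        echo "$bundle: found $begins BEGIN and $ends END markers;" \
             "expected a server certificate plus at least one intermediate" >&2
        return 1
    fi
}
```

Typical use is `build_chain fullchain.pem server.pem intermediate.pem && check_chain fullchain.pem` before pointing the web server at the resulting file.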

SamuelBrucksch commented 5 years ago

If you access your openhab installation from local network why bother using ssl anyway for local development?

wwebers commented 5 years ago

@SamuelBrucksch Seriously? No I will not answer or discuss your question here. Only so much: Why 2019 still offering unencrypted traffic in the first place?

I explained the problem, found the culprit and presented a solution. Issue closed.

SamuelBrucksch commented 5 years ago

This is normally used for local development. I understand you want to use https when you expose openhab to the internet. But on local network there really is no need to use https.

wwebers commented 5 years ago

@SamuelBrucksch As I said, this is one perspective. But not mine, as it is exactly this perspective leading to those massive security exploits inside our "smarter home" walls. Just one culprit inside the network is enough. Do you seriously claim you know what processes are running on your smartphone, tablet, computer, NAS, TV, ...? I don't.

SamuelBrucksch commented 5 years ago

That's a reason I can understand. If you comment on issues here you should explain your reasons in more detail, as no one can read your mind and knows what's going on. If you are just bashing node and node modules and this extension, no one will be serious about helping you.

Which node versions are affected by the certificate problems? They also work on solving issues, so maybe in a newer node version this problem does not exist anymore. If it still exists, why not open an issue at the node GitHub?

If you can give me step by step instructions on how to run into this problem, I might give it a shot and try to investigate if there are workarounds.

BTW any programming language has its pros and cons, so just because you don't like node it doesn't have to be bad.

wwebers commented 5 years ago

Well, I tested every version (running locally within RunKit and even directly) and it seems this one sits deep within their "request" library. I found some related issues on GitHub, but they're either open for years or closed after a long discussion without giving any explanation. (That's why I personally ditch NodeJS.) I like open source, and I like to analyze problems and provide solutions. But I dislike folks who do not care. And NodeJS seems to care more about new features and releases than fixing old issues. But that's my personal opinion. However, this is becoming quite off topic and I suggest we somehow document the solution to this problem and close this issue?

stefan-muc commented 4 years ago

@wwebers Yes I would also suggest documenting this somewhere! I ran into that issue too: OpenHAB SSL in Internet Explorer and Firefox were running perfectly, but Visual Studio Code Extension still complained: "Error while connecting to openHAB REST API, unable to verify the first certificate"

An easier way to get certificate chain (especially when there are more certificates in between): Open page in Firefox and show certificates of this page. You can see all certificates in that chain, Firefox collects them automatically. Click "Download: PEM (chain)" and voilà you get the full chain to set for your server. This one worked for me, thanks for your comment!

Confectrician commented 4 years ago

Hey @stefan-muc,

Thank you for your valuable input. Would you like to add a page or paragraph in our docs?

There is a docs folder in this repository and a Usage.md file where the information could last.

stefan-muc commented 4 years ago

@Confectrician Yeah, I did a proposal, see pull request. I hope it's not too long, but I'd rather like to go into detail than to write something that can't be understood.

I'm sorry, I don't know what's wrong with my signed-off line; there's an automatic check complaining about it, even though I added one as required in contributing.md.