Closed mwildbolz closed 1 month ago
Did you install the CA certificate in the device CA cert store?
Yes, I did. I also tried with another certificate and there the error was clearly a not accepted certificate.
Can you either post or mail us your CA cert and endpoint so i can test?
@mwildbolz our email address is support@owntracks.org
Mail sent - thanks in advance!
Got it.
The certificate presented by your endpoint is missing an X509v3 Subject Alternative Name, or SAN. OT (and the rest of the modern web) doesn't validate names against the CN any more - the hostname you want to connect to needs to be present as a SAN field. Example from the https://owntracks.org cert:
$ openssl x509 -in owntracks.org.pem -text
Certificate:
    Data:
        Version: 3 (0x2)
        ...
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                58:C9:B2:AA:68:E6:A5:48:CC:D8:2B:E8:42:B2:BF:7F:BE:45:66:68
            X509v3 Authority Key Identifier:
                14:2E:B3:17:B7:58:56:CB:AE:50:09:40:E6:1F:AF:9D:8B:14:C2:C6
            Authority Information Access:
                OCSP - URI:http://r3.o.lencr.org
                CA Issuers - URI:http://r3.i.lencr.org/
            X509v3 Subject Alternative Name:
                DNS:owntracks.org
            X509v3 Certificate Policies:
                Policy: 2.23.140.1.2.1
Suggest you use a tool like mkcert for generating modern self-signed CA certs, or delegate it to a real CA like Let's Encrypt.
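The two halves of this exchange, as an added example that is not part of the thread or of OwnTracks itself: issuing a broker certificate from a private CA with the hostname in a SAN (the step that went wrong in the reporter's openssl commands), and a check that tells a CN-only certificate apart from one the client will accept. It assumes OpenSSL 1.1.1 or newer and uses the placeholder hostname mqtt.example.test.

```shell
#!/bin/sh
# Added example, not OwnTracks project code: build a private CA plus a broker
# certificate that carries the hostname as a SAN, and check a cert for that SAN.
# Assumes OpenSSL >= 1.1.1; mqtt.example.test is a placeholder broker name.
set -eu

make_ca() {   # $1 = working dir; writes ca.key and a self-signed ca.crt
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=Example private CA" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# $1 = dir, $2 = broker hostname, $3 = "san" or "cn-only" (the broken case).
# Extensions are passed via -extfile: `openssl x509 -req` drops the CSR's
# extensions unless told to copy them, which is how a SAN silently gets lost.
make_server_cert() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
    -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null
  {
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n'
    if [ "$3" = san ]; then printf 'subjectAltName=DNS:%s\n' "$2"; fi
  } > "$1/$3.ext"
  openssl x509 -req -sha256 -days 365 -in "$1/$3.csr" \
    -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
    -extfile "$1/$3.ext" -out "$1/$3.crt" 2>/dev/null
}

# Exit 0 if cert $1 lists $2 as a DNS SAN (what OwnTracks validates), else 1.
# A matching CN alone does not count, mirroring the client's behaviour.
has_san_for_host() {
  openssl x509 -in "$1" -noout -text |
    sed -n '/Subject Alternative Name/{n;p;}' |
    tr ',' '\n' | tr -d ' ' | grep -qxF "DNS:$2"
}

dir=$(mktemp -d)
make_ca "$dir"
make_server_cert "$dir" mqtt.example.test san
make_server_cert "$dir" mqtt.example.test cn-only
for c in san cn-only; do
  if has_san_for_host "$dir/$c.crt" mqtt.example.test; then
    echo "$c.crt: SAN DNS:mqtt.example.test present"
  else
    echo "$c.crt: no matching SAN, OwnTracks will reject this certificate"
  fi
done
```

Running `has_san_for_host` against the broker's certificate before installing it on the device gives the diagnostic the reporter asked for in the logs.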
Thanks, sounds promising. I already tried adding the SAN information into the certificate before, but maybe there was an error doing this with my openssl commands. I'll give a short notice after trying again!
Just one thing to mention: it would be nice if one could get this information out of the logs (at least in DEBUG mode); maybe there is a way to implement logging in this area.
Thanks a lot!
Working now - was a problem with my commands for generating the certificates using the SAN information. Thanks a lot!
Since the last updates (also with Beta2) I'm not able to connect via TLS to my mosquitto broker any more. OwnTracks just says "TLS Error: MqttException", OwnTracks log:
On the broker side I see the following log entry:
Certificates were generated using instructions from this site. TLS connection to the broker works in principle - mosquitto_sub, the paho (python) MQTT client and also MQTT-Explorer are able to connect using the installed CA certificate (with validation turned on).
I don't have an idea where to look further. Debug log switched on on the OwnTracks side does not bring more information. Debug logging on the broker side is also not more verbose during the connection attempt. CA certificate is installed inside Android