rmoesbergen / openwrt-ha-device-tracker

OpenWRT device tracker for Home Assistant that actually works

not being able to finish setup due to SSL mismatch #40

Closed marcgarciamarti closed 4 months ago

marcgarciamarti commented 1 year ago

Hello!

thanks for this awesome initiative!

I'm trying to set this up but I can't seem to get past the SSL portion of my setup. I hope you can shed some light on how to move forward.

This is what I see:

root@OpenWrt:~/openwrt-ha-device-tracker-main# wget https://hassio.lan:8123/api/services/device_tracker/see -O -
Downloading 'https://hassio.lan:8123/api/services/device_tracker/see'
Connecting to 192.168.1.5:8123
Connection error: Invalid SSL certificate

and this is my settings file:

root@OpenWrt:~/openwrt-ha-device-tracker-main# cat /etc/config/presence-detector.settings.json
{
  "hass_url": "https://hassio.lan:8123/",
  "hass_token" : "<REDACTED>",
  "interfaces": ["hostapd.wlan0", "hostapd.wlan1"],
  "filter_is_denylist": false,
  "filter": ["MAC iPhone"],
  "params": {
    "MAC iPhone": {
      "host_name": "Marc",
      "dev_id": "kitusiphone"
    }
  },
  "ap_name": "",
  "location": "home",
  "away": "not_home",
  "fallback_sync_interval": 30,
  "debug": false
}

any idea of what I may be doing wrong?

thanks!!!

rmoesbergen commented 1 year ago

@marcgarciamarti Are you sure SSL support is active on 8123 and the certificate is not self-signed and has the correct common name/ SAN? What happens if you try the wget with http:// instead of https:// ?

marcgarciamarti commented 1 year ago

> @marcgarciamarti Are you sure SSL support is active on 8123 and the certificate is not self-signed and has the correct common name/ SAN? What happens if you try the wget with http:// instead of https:// ?

Yes, HA is listening on the 8123. SSL is not self-signed; I'm using duckdns add-on, which takes care of certificate renewal.

Not sure about the correct name. What do you mean? I'm using a public duckdns record that is of course hassio.lan/hassio.local. Not sure if this is what you mean.

As per the output requested above, here you go:

root@OpenWrt:~# wget https://hassio.lan:8123/api/services/device_tracker/see -O -
Downloading 'https://hassio.lan:8123/api/services/device_tracker/see'
Connecting to 192.168.1.5:8123
Connection error: Invalid SSL certificate

root@OpenWrt:~# wget http://hassio.lan:8123/api/services/device_tracker/see -O -
Downloading 'http://hassio.lan:8123/api/services/device_tracker/see'
Connecting to 192.168.1.5:8123
(null)                   0   - stalled -
Connection reset prematurely

I'm also attaching a snapshot of my configuration on my openwrt router. As you can see, I'm doing a NAT from the external 443 port to internal 8123. I access my network from outside through port 443, and my router will translate this connection to 8123. I hope this shows that internally my HA listens on port 8123.

[Screenshot attached (2023-10-16): OpenWrt port-forward configuration, external port 443 to internal 8123]

Thanks!!

rmoesbergen commented 1 year ago

Ok, so SSL is active, but the wget (and python urllib) report an invalid certificate. Getting proper SSL set up is not really in scope for this project. Try to figure out why the certificate is seen as invalid. Maybe do an openssl s_client -connect 192.168.1.5:8123 and check the output. Perhaps your router does not have a root CA store?

marcgarciamarti commented 1 year ago

> Ok, so SSL is active, but the wget (and python urllib) report an invalid certificate. Getting proper SSL set up is not really in scope for this project. Try to figure out why the certificate is seen as invalid. Maybe do an openssl s_client -connect 192.168.1.5:8123 and check the output. Perhaps your router does not have a root CA store?

Hi! I followed this article to ensure my OpenWrt trusted the Let's Encrypt certificate by adding it to the root CA store, just in case. After following it, the results are unfortunately the same.

root@OpenWrt:~# wget https://hassio.lan:8123/api/services/device_tracker/see -O -
Downloading 'https://hassio.lan:8123/api/services/device_tracker/see'
Connecting to 192.168.1.5:8123
Connection error: Invalid SSL certificate

also, I executed the command above and this is what I see:

root@OpenWrt:~# openssl s_client -connect 192.168.1.5:8123
CONNECTED(00000003)
Can't use SSL_get_servername
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = _REDACTED_
verify return:1
---
Certificate chain
 0 s:CN = _REDACTED_
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEUTCCAzmgAwIBAgISA+z8ZAkfLoxWZvnhqCuvkNayMA0GCSqGSIb3DQEBCwUA
MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
EwJSMzAeFw0yMzEwMDMxOTI4MThaFw0yNDAxMDExOTI4MTdaMCMxITAfBgNVBAMT
GGtpdHVzbmV0d29yay5kdWNrZG5zLm9yZzB2MBAGByqGSM49AgEGBSuBBAAiA2IA
BC9wY00FQGFo6ALWz1D3/8Xjgj1ABUNlz8Zl42rROiSHkSKkQKWEi3WcZ6/qPjcL
_REDACTED_
2EXKVnr2E8GmzFVcA5QUQN
0QJzXc5sSESN/k+jH/VizBo6p/G4OOE4ILP8GfgNJJFmplHTv9KqQQjFrY49e+tD
sRL+EFUuJ8iiZmTz/x6FNO7RmpTSCA7u6+5KcueSgoF+XP+Aj
CB9VXqA=
-----END CERTIFICATE-----
subject=CN = _REDACTED_

issuer=C = US, O = Let's Encrypt, CN = R3

---
No client certificate CA names sent
Peer signing digest: SHA384
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4207 bytes and written 373 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 384 bit
Secure Renegotiation IS NOT supported
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: _REDACTED_
    Session-ID-ctx: 
    Resumption PSK: _REDACTED_
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - c4 3c 3b 13 16 0f ea 14-3c 51 5e 85 ab 1c f4 e1   .<;.....<Q^.....
    0040 - 1f 48 31 24 04 a4 ca 96-78 ce 06 02 32 ce 5c f3   .H1$....x...2.\.
    0050 - 2b f0 0c b3 03 15 1d de-c5 83 d7 54 7f 0d d2 9d   +..........T....
_REDACTED_

    Start Time: 1697554645
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: REDACTED
    Session-ID-ctx: 
    Resumption PSK: REDACTED
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - c4 3c 3b 13 16 0f ea 14-3c 51 5e 85 ab 1c f4 e1   .<;.....<Q^.....
    0010 - 27 bf f3 40 2f 1e 04 db-53 65 fd cc 9b 76 1d 4b   '..@/...Se...v.K
    0080 - 7b a9 ff 7e 40 db 6f 8e-41 f6 66 8c 95 f8 3e cb   {..~@.o.A.f...>.
REDACTED

    Start Time: 1697554645
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK

Results do not seem to suggest openssl s_client has any issue with the certificate, right?

marcgarciamarti commented 1 year ago

UPDATE: just decided to try with a different SSL website and it works just fine

root@OpenWrt:~# wget https://www.ssllabs.com/ssltest/ -O -
Downloading 'https://www.ssllabs.com/ssltest/'
Connecting to 64.41.200.100:443
Writing to stdout
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
    <title>SSL Server Test (Powered by Qualys SSL Labs)</title>
    <link href="/includes/ssllabs.css" rel="styleSheet" type="text/css">
    <meta http-equiv="Content-Type" content="text/html;charset=utf-8" />
    <meta name="keywords" content="ssl, ssl test, ssl check, certificate, x509, cipher suite, encryption, ssl server test, ssl server check, certificate check, ssl assessment, tls, tls assessment, fips compliance, pci compliance" />
    <meta name="description" content="A comprehensive free SSL test for your public web servers.">
    <link href="/includes/report.css" rel="styleSheet" type="text/css">
    <link href="/includes/main.css" rel="styleSheet" type="text/css">
    <script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.3.1/jquery.min.js" integrity="sha256-FgpCb/KJQlLNfOu91ta32o/NMZxltwRo8QtmkMRdAu8=" crossorigin="anonymous"></script>
</head>

<body>

Does this not suggest there is something wrong with letsencrypt certificate?

thanks!

rmoesbergen commented 1 year ago

> Does this not suggest there is something wrong with letsencrypt certificate?

I guess so. Are you 100% sure that the certificate has the hassio.lan common name and/or S.A.N.? Also, wget probably doesn't use openssl, but wolfssl, which might react differently, or look in a different place for root CAs.
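The common-name/SAN question above is the one that the `openssl s_client` output in this thread cannot answer: `s_client -connect IP:port` validates the chain and prints `Verify return code: 0 (ok)`, but it does not check that the name in the certificate matches the name you typed into `hass_url` unless you also pass `-verify_hostname`. wget and Python's `urllib` (via `ssl.create_default_context()`) check both, so a Let's Encrypt certificate issued for a public duckdns name will validate in `s_client` and still be rejected when the URL says `hassio.lan`. The following is an added example, not code from the project or from anyone in this thread. It reimplements the dNSName/CN matching a verifier applies, runs it against two constructed certificate dicts (the `example.duckdns.org` and `hassio.lan` names are placeholders), and includes a `probe()` helper that connects the way wget/urllib do and reports the verifier's own reason; the `probe()` function name, its arguments and the sample dicts are assumptions of this example.

```python
# Added example (not part of the project or this thread): reproduces the
# hostname check that wget and Python's urllib apply on top of chain validation.
import socket
import ssl

# Shape of ssl.SSLSocket.getpeercert(): 'subject' is a tuple of RDNs, each a
# tuple of (attribute, value) pairs; 'subjectAltName' is a tuple of (type, value).
# Constructed sample values; the duckdns name is a placeholder, not a real host.
DUCKDNS_CERT = {
    "subject": ((("commonName", "example.duckdns.org"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Let's Encrypt"),),
               (("commonName", "R3"),)),
    "subjectAltName": (("DNS", "example.duckdns.org"),),
}
LEGACY_CN_CERT = {  # no SAN at all: only then does a verifier fall back to CN
    "subject": ((("commonName", "hassio.lan"),),),
    "subjectAltName": (),
}


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: case-insensitive, exact or one left-most '*' label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # The wildcard must be the whole left-most label, must not sit at the
    # top level (*.org), and matches exactly one label.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def certificate_names(cert: dict) -> list:
    """Names a verifier accepts: dNSName SANs, or the CN only when no SAN exists."""
    sans = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [value for rdn in cert.get("subject", ())
            for (attr, value) in rdn if attr == "commonName"]


def hostname_matches(cert: dict, hostname: str) -> bool:
    return any(_dns_name_matches(name, hostname) for name in certificate_names(cert))


def explain(cert: dict, hostname: str) -> str:
    names = certificate_names(cert)
    if hostname_matches(cert, hostname):
        return f"ok: '{hostname}' matches {names}"
    return (f"hostname mismatch: '{hostname}' is not among {names}; the chain can "
            "still validate, which is why 'openssl s_client' without "
            "-verify_hostname prints 'Verify return code: 0 (ok)'")


def probe(host: str, port: int, expected_hostname: str) -> str:
    """Connect the way wget/urllib do: chain AND name are checked.

    host may be the IP address (192.168.1.5 in the thread); expected_hostname is
    the name from hass_url. Returns a one-line diagnosis instead of raising.
    """
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    try:
        with socket.create_connection((host, port), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname=expected_hostname) as tls:
                # Only reached when chain and hostname both verified.
                return explain(tls.getpeercert(), expected_hostname)
    except ssl.SSLCertVerificationError as exc:
        # e.g. "Hostname mismatch, certificate is not valid for 'hassio.lan'"
        # or "unable to get local issuer certificate" (missing root CA store)
        return f"verification failed: {exc.verify_message}"
    except OSError as exc:
        return f"connection failed: {exc}"


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 4:  # python3 check_name.py 192.168.1.5 8123 hassio.lan
        print(probe(sys.argv[1], int(sys.argv[2]), sys.argv[3]))
    else:
        for name in ("example.duckdns.org", "hassio.lan"):
            print(explain(DUCKDNS_CERT, name))
```

Run without arguments it shows, offline, that the constructed duckdns certificate is accepted for its own name and rejected for `hassio.lan`; run as `python3 check_name.py 192.168.1.5 8123 hassio.lan` it performs the same verification `urllib` would and prints the verifier's reason, which distinguishes a missing root store from a name mismatch. The equivalent check at the shell is `openssl s_client -connect 192.168.1.5:8123 -servername hassio.lan -verify_hostname hassio.lan`.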