Accessing Domoticz with X.509 client certificate using RESTask for Tasker

Client tools or tools that can connect with Domoticz. Tools for Windows, iOS, Android, Linux etc.

Moderator: leecollings

BakSeeDaa
Posts: 485
Joined: Thursday 17 September 2015 10:13
Target OS: Raspberry Pi / ODroid
Domoticz version:

Accessing Domoticz with X.509 client certificate using RESTask for Tasker

Post by BakSeeDaa »

I've set up X.509 Authentication using this excellent thread.

I'm now exposing my Domoticz server on ports 80 and 443 using an nginx server forcing HTTPS traffic and requiring that a client certificate is installed on the client. It logs me in to Domoticz automatically. I access Domoticz with my web browser which is X.509 enabled.

When I'm away from home, I not only want to remote control my home, I also want to do some automation. I use Tasker for that. I've successfully set up the SSH plugin for Tasker so I can issue bash commands (typically by using curl to set switches etc ...) but that's not X.509 authentication. I'm looking for a way to use an X.509 enabled application to carry out the Tasker tasks for me. While this SSH method seems to work well I'd be happy to eliminate it if I can find an X.509-enabled way to do it instead.

@gordonb3 suggested that that can be done using the free RESTask for Tasker plugin.
gordonb3 wrote: According to this web page here tasker should be able to do it:
http://tinsley.io/2015/03/openhab-tasker-android-phone/
I've installed that plugin and am now experimenting to see if it works with my X.509 certificate or not. The certificate is self-generated using XCA. Currently it's close but no cigar. I can load my certificate but I get a return code of "400".

It would be interesting to know if someone else has this working or not.
nayr
Posts: 354
Joined: Tuesday 11 November 2014 18:42
Target OS: Linux
Domoticz version: github
Location: Denver, CO - USA

Re: Accessing Domoticz with X.509 client certificate using RESTask for Tasker

Post by nayr »

400 is what Nginx will toss with an invalid or no certificate IIRC..

can you use chrome to do the get request from the url window?
Debian Jessie: CuBox-i4 (Primary) w/Static Routed IP and x509 / BeagleBone with OpenSprinkler / BeagleBone Planted Aquarium / 3x Raspberry Pi2b GPIO Slaves
Elemental Theme - node-domoticz-mqtt - Home Theatre Controller - AndroidTV Simple OSD Remote - x509 TLS Auth
BakSeeDaa
Posts: 485
Joined: Thursday 17 September 2015 10:13
Target OS: Raspberry Pi / ODroid
Domoticz version:

Re: Accessing Domoticz with X.509 client certificate using RESTask for Tasker

Post by BakSeeDaa »

Hi nayr
nayr wrote: 400 is what Nginx will toss with an invalid or no certificate IIRC..

can you use chrome to do the get request from the url window?
I'm not sure what you mean but I can access Domoticz on my public network interface using chrome. After selecting my client certificate I get logged in.

I'm also not sure what certificate to load in the RESTask settings. I guess I shall load my client certificate. Using XCA, I exported the client certificate as a binary DER with a .CER extension. In this thread the loaded certificate comes from the server which confuses me a lot.
BakSeeDaa
Posts: 485
Joined: Thursday 17 September 2015 10:13
Target OS: Raspberry Pi / ODroid
Domoticz version:

Re: Accessing Domoticz with X.509 client certificate using RESTask for Tasker

Post by BakSeeDaa »

gordonb3 wrote: I don't know OpenHAB, but it seems to me that it includes a tool to generate client certificates using its own CA. This is not any different from the manual procedure you are following. The problem in this case may be how the client software (i.e. Tasker) handles the certificate. When using a normal browser you will usually see warning signs popping up if something is wrong with a certificate, which may vary from it being expired, non matching hostname(s) or not being able to verify its origin because the CA public key is missing or expired. Sometimes the client application will simply refuse to use such a certificate and it appears likely that Tasker does this because it has no reference to the CA public key. My guess is that it will work if you append the CA.cer content to your client.cer.
Thanks @gordonb3. I tried to merge the CA.crt with my client.crt (I put CA.crt first) but I think RESTask actually only loaded the first one. Anyway, it still doesn't work. But thanks anyway for your kind help. :D
BakSeeDaa
Posts: 485
Joined: Thursday 17 September 2015 10:13
Target OS: Raspberry Pi / ODroid
Domoticz version:

Re: Accessing Domoticz with X.509 client certificate using RESTask for Tasker

Post by BakSeeDaa »

I had an interesting e-mail reply from the author of RESTask
Sorry for the late reply. RESTask does not send the certificate loaded. Instead, it compares the server certificate with it to validate the certificate from the server. I assume you are using a self-signed certificate for nginx and try to connect to Domoticz through it. If this is the case you should simply load the public key (.pem) of the nginx cert you are using and should be able to connect to it with RESTask.
I haven't had the time to test it out yet.
BakSeeDaa
Posts: 485
Joined: Thursday 17 September 2015 10:13
Target OS: Raspberry Pi / ODroid
Domoticz version:

Re: Accessing Domoticz with X.509 client certificate using RESTask for Tasker

Post by BakSeeDaa »

I've tried the suggested solution but it doesn't make any difference. I think the client certificate won't get sent at all that way.
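
The distinction this thread arrives at, as an added example that is not part of the original posts: a certificate loaded only as a trust anchor verifies the server and is never presented to it, so a proxy that asks for a client certificate still answers 400. The loopback server, the throwaway PKI and every function name are constructed for the demo and assume the `openssl` CLI is installed; the server mimics the 400 behaviour described above rather than running nginx.

```python
import os, socket, ssl, subprocess, tempfile, threading

def make_pki(d):
    """Constructed throwaway CA, server and client certs (assumes the openssl CLI is on PATH)."""
    def run(*args):
        subprocess.run(("openssl",) + args, cwd=d, check=True, capture_output=True)
    run("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
        "-subj", "/CN=Demo CA", "-keyout", "ca.key", "-out", "ca.crt")
    for name in ("server", "client"):
        run("req", "-newkey", "rsa:2048", "-nodes", "-subj", "/CN=" + name,
            "-keyout", name + ".key", "-out", name + ".csr")
        run("x509", "-req", "-in", name + ".csr", "-CA", "ca.crt", "-CAkey", "ca.key",
            "-CAcreateserial", "-days", "1", "-out", name + ".crt")

def start_server(d):
    """Loopback stand-in for the proxy: asks for a client cert, answers 400 if none was sent."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(os.path.join(d, "server.crt"), os.path.join(d, "server.key"))
    ctx.load_verify_locations(os.path.join(d, "ca.crt"))  # CA that signs client certs
    ctx.verify_mode = ssl.CERT_OPTIONAL                    # request it, decide at HTTP level
    listener = socket.create_server(("127.0.0.1", 0))
    def loop():
        while True:
            conn, _ = listener.accept()
            with ctx.wrap_socket(conn, server_side=True) as tls:
                tls.recv(1024)
                status = b"200 OK" if tls.getpeercert() else b"400 Bad Request"
                tls.sendall(b"HTTP/1.0 " + status + b"\r\n\r\n")
    threading.Thread(target=loop, daemon=True).start()
    return listener.getsockname()[1]

def request(port, trust_anchor, client_identity=None):
    """Return the HTTP status. trust_anchor verifies the server; client_identity is (cert, key)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(trust_anchor)     # only checks the server, nothing is sent
    ctx.check_hostname = False                  # demo certs carry a CN only, no SAN
    if client_identity:
        ctx.load_cert_chain(*client_identity)   # certificate plus private key gets presented
    with socket.create_connection(("127.0.0.1", port)) as raw, ctx.wrap_socket(raw) as tls:
        tls.sendall(b"GET / HTTP/1.0\r\n\r\n")
        return int(tls.recv(1024).split()[1])

if __name__ == "__main__":
    d = tempfile.mkdtemp()
    make_pki(d)
    port, ca = start_server(d), os.path.join(d, "ca.crt")
    print(request(port, ca))                    # trust anchor only
    print(request(port, ca, (os.path.join(d, "client.crt"), os.path.join(d, "client.key"))))
```

A client can only present an identity when it holds the private key as well as the certificate, which a certificate-only export does not contain.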
BakSeeDaa
Posts: 485
Joined: Thursday 17 September 2015 10:13
Target OS: Raspberry Pi / ODroid
Domoticz version:

Re: Accessing Domoticz with X.509 client certificate using RESTask for Tasker

Post by BakSeeDaa »

gordonb3 wrote: That seems to be the other way around. When the server is configured to accept x.509 client certificates it will request the web client to supply one. When using Firefox I can see that request being made by a popup asking me if it is okay to send that info - with the option to remember that decision but obviously during testing you will want to see what happens if you do not allow it to be sent. If RESTask does not honour that request then I'm afraid you will not be able to use it this way.

Not directly anyway. I guess it should be possible to let RESTask submit the command through another web client. Links/Lynx maybe?
Thanks gordonb3

I think I've just found the simple solution to the problem.

The SSH plugin turned out to throw "unknown errors" quite often. I couldn't figure out why. Also RESTask doesn't seem to allow me to do what I want to do (Using Tasker to send commands to my Domoticz server securely using X509 authentication from any Internet connection while I'm not at home).

While I'm at home I use the Tasker's task "HTTP Get" to switch switches, set variables or whatever. I've figured out I can do the same thing now (while not at home using my wifi) by using the Tasker task "Browse URL". Firefox has been setup to use my client certificate without asking. It seems to work great. The only downside is that it opens up a browser window, but I can live with that.

It's a simple solution but sometimes simple solutions are the best. I won't need the SSH plugin, nor RESTask to achieve my goal.
nayr
Posts: 354
Joined: Tuesday 11 November 2014 18:42
Target OS: Linux
Domoticz version: github
Location: Denver, CO - USA

Re: Accessing Domoticz with X.509 client certificate using RESTask for Tasker

Post by nayr »

almost too damn easy hah!

keep us updated if you find anything more elegant.. can you get tasker to enable/disable a egiGeoZone? that could do binary switches perhaps.
Debian Jessie: CuBox-i4 (Primary) w/Static Routed IP and x509 / BeagleBone with OpenSprinkler / BeagleBone Planted Aquarium / 3x Raspberry Pi2b GPIO Slaves
Elemental Theme - node-domoticz-mqtt - Home Theatre Controller - AndroidTV Simple OSD Remote - x509 TLS Auth