
SSL does not seem to work for me

Posted: Saturday 09 February 2019 17:19
by tre4bax
I am using a Linux Ubuntu host running in a virtual machine on a QNAP NAS.

All works fine; however, the server seems unable to handle HTTPS. I should be able to have the basic server_cert.pem certificate working and deal with no proper padlock, however that does not work. The following is an extract from the logs.

2019-02-09 16:11:17.973 Status: Domoticz V4.9701 (c)2012-2018 GizMoCuz
2019-02-09 16:11:17.976 Status: Build Hash: b47a877f, Date: 2018-06-23 15:27:56
2019-02-09 16:11:17.977 Status: Startup Path: /home/homeadmin/domoticz/
2019-02-09 16:11:18.145 Sunrise: 07:25:00 SunSet: 17:06:00
2019-02-09 16:11:18.145 Day length: 09:41:00 Sun at south: 12:05:00
2019-02-09 16:11:18.145 Civil twilight start: 06:51:00 Civil twilight end: 17:41:00
2019-02-09 16:11:18.145 Nautical twilight start: 06:12:00 Nautical twilight end: 18:20:00
2019-02-09 16:11:18.145 Astronomical twilight start: 05:33:00 Astronomical twilight end: 18:58:00
2019-02-09 16:11:18.257 Active notification Subsystems: email, pushover (2/13)
2019-02-09 16:11:18.264 Starting shared server on: :::6144
2019-02-09 16:11:18.145 Status: EventSystem: reset all events...
2019-02-09 16:11:18.252 Status: PluginSystem: Started, Python version '3.6.7'.
2019-02-09 16:11:18.258 Status: WebServer(HTTP) started on address: :: with port 8080
2019-02-09 16:11:18.264 Status: Proxymanager started.
2019-02-09 16:11:18.266 Status: TCPServer: shared server started...
2019-02-09 16:11:18.266 Status: RxQueue: queue worker started...
2019-02-09 16:11:18.261 Error: [web:443] missing SSL certificate chain file ./server_cert.pem!
2019-02-09 16:11:18.261 Error: [web:443] missing SSL certificate file ./server_cert.pem!
2019-02-09 16:11:18.261 Error: [web:443] missing SSL private key file ./server_cert.pem!
2019-02-09 16:11:18.261 Error: [web:443] missing SSL DH parameters file ./server_cert.pem!
2019-02-09 16:11:18.262 Error: [web:443] missing SSL certificate chain file ./server_cert.pem!
2019-02-09 16:11:18.262 Error: [web:443] missing SSL certificate file ./server_cert.pem!
2019-02-09 16:11:18.262 Error: [web:443] missing SSL private key file ./server_cert.pem!
2019-02-09 16:11:18.262 Error: [web:443] missing SSL DH parameters file ./server_cert.pem!
2019-02-09 16:11:18.263 Error: [web:443] missing SSL certificate chain file ./server_cert.pem!
2019-02-09 16:11:18.263 Error: [web:443] missing SSL certificate file ./server_cert.pem!
2019-02-09 16:11:18.263 Error: [web:443] missing SSL private key file ./server_cert.pem!
2019-02-09 16:11:18.263 Error: [web:443] missing SSL DH parameters file ./server_cert.pem!
2019-02-09 16:11:18.263 Error: WebServer(SSL) startup failed on address 0.0.0.0 with port: 443: bind: Permission denied
2019-02-09 16:11:18.263 Error: WebServer(SSL) check privileges for opening ports below 1024
2019-02-09 16:11:20.267 Status: Hardware Monitor: Started
2019-02-09 16:11:20.276 Status: EventSystem: reset all events...
2019-02-09 16:11:20.277 Status: EventSystem: reset all device statuses...
2019-02-09 16:11:20.416 Status: Python EventSystem: Initalizing event module.
2019-02-09 16:11:20.418 Status: EventSystem: Queue thread started...
2019-02-09 16:11:20.418 Status: EventSystem: Started
2019-02-09 16:11:20.656 Status: PluginSystem: Entering work loop.
2019-02-09 16:11:21.872
2019-02-09 16:11:21.293 Status: RFXCOM: Using serial port: /dev/ttyUSB0
2019-02-09 16:11:21.948 Error: RFXCOM: Invalid data received!....
2019-02-09 16:15:09.705 Status: Incoming connection from: 192.168.1.99

As you can see the whole middle is dedicated to telling me the server_cert.pem does not exist. I checked and it does.

When I set this up it was using the second method of autostartup configuring the domoticz.service and using systemctl to manage it. I thought that it would use domoticz.sh within the home directory to kick this off so all would be fine. I am now confused. It all works fine in http, just not in https.

If anyone has any ideas I could follow that would be really helpful.
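The log excerpt above contains two separate groups of errors: "missing" files given as the relative path ./server_cert.pem, and a bind failure on port 443. The following is an added example, not part of the original post and not Domoticz code; it parses a constructed sample in the same log format and reports where each relative path resolves for a given working directory and which failed binds are on ports below 1024. The names `triage`, `SAMPLE_LOG` and `service_cwd` are assumptions of this example.

```python
import os
import re

# Constructed sample: a few lines in the same format as the log excerpt above.
SAMPLE_LOG = """\
2019-02-09 16:11:17.977 Status: Startup Path: /home/homeadmin/domoticz/
2019-02-09 16:11:18.261 Error: [web:443] missing SSL certificate file ./server_cert.pem!
2019-02-09 16:11:18.261 Error: [web:443] missing SSL private key file ./server_cert.pem!
2019-02-09 16:11:18.263 Error: WebServer(SSL) startup failed on address 0.0.0.0 with port: 443: bind: Permission denied
"""

MISSING = re.compile(r"missing SSL (?P<kind>.+?) file (?P<path>\S+?)!")
BIND = re.compile(r"startup failed on address \S+ with port: (?P<port>\d+): bind: Permission denied")
STARTUP = re.compile(r"Startup Path: (?P<dir>\S+)")

def triage(log_text, service_cwd):
    """Summarise TLS startup errors. service_cwd is the directory the service
    process runs in (an input supplied by the caller, not read from the log)."""
    report = {"startup_path": None, "files": [], "privileged_ports": []}
    seen = set()
    for line in log_text.splitlines():
        if (m := STARTUP.search(line)):
            report["startup_path"] = m["dir"]
        elif (m := MISSING.search(line)) and (m["kind"], m["path"]) not in seen:
            seen.add((m["kind"], m["path"]))
            # A relative path is resolved against the process working directory.
            resolved = os.path.normpath(os.path.join(service_cwd, m["path"]))
            report["files"].append({
                "kind": m["kind"],
                "path": m["path"],
                "relative": not os.path.isabs(m["path"]),
                "resolved": resolved,
                "readable": os.access(resolved, os.R_OK),
            })
        elif (m := BIND.search(line)) and int(m["port"]) < 1024:
            # Ports below 1024 need extra privileges, as the log itself notes.
            report["privileged_ports"].append(int(m["port"]))
    return report

if __name__ == "__main__":
    # Compare two candidate working directories for the same relative path.
    for cwd in ("/home/homeadmin/domoticz", "/"):
        print(cwd, triage(SAMPLE_LOG, cwd))
```

Run it as the same user the service runs as, since `readable` reflects that user's file permissions.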

Re: SSL does not seem to work for me

Posted: Monday 18 February 2019 10:07
by snehalpatil2391
If you do not have an SSL certificate on your origin server, or simply can’t use port 443 for web traffic, then you will need to use the Flexible setting in your Cloudflare dashboard. Selecting either the Full or Strict setting without an SSL certificate at your server will result in a 525/526 error.
Selecting Flexible when your origin has a redirect from http to https leads to a redirect loop (see also Fixing redirect loops when using Flexible SSL). In this case, assuming there is an SSL certificate at the origin, you should use Full or Full (strict).
If you know you have an SSL certificate at your server (even self-signed), then you can use the Full setting.
If you have a valid certificate issued by a trusted certificate authority, using strict mode provides additional defense against man-in-the-middle attacks, and more trust between your web server and our edge.
You're accessing a subdomain not covered by the Cloudflare-issued SSL certificate
Cloudflare-issued SSL certificates cover the root-level domain (e.g. example.com) and one level of subdomains (e.g. *.example.com). If you're attempting to access a second level of subdomains (e.g. *.*.example.com) through Cloudflare using the Cloudflare-issued certificate, an HTTP 403 error will be seen in the browser as these host names are not present on the certificate. If you need to have SSL working for these types of host names, you would either need to purchase a Dedicated Certificate with Custom Hostnames through Cloudflare, purchase your own SSL cert and upload it to us as a Custom SSL Certificate, or grey-cloud this DNS record so the traffic goes directly to your origin server.

The Cloudflare-issued SSL certificate is not yet active for your domain
When you first sign up your domain with Cloudflare, the Cloudflare-issued SSL certificates may not yet have been issued. Please allow 15 minutes (on paid plans) or 24 hours (on our Free plan) for this process to complete. You will know if your SSL certificates are active through your Cloudflare dashboard under the Crypto tab.
Hardware networking

Re: SSL does not seem to work for me

Posted: Monday 18 February 2019 14:42
by tre4bax
Hi there,

I have a certificate, however the instructions say it would use the default one even if I did not. When it failed with my certificate I then tried it with the out of the box certificate. None of them worked :-) I got the errors below.