Author |
|
Ktulu Newbie
Joined: March 14 2007 Location: United States
Online Status: Offline Posts: 25
|
Posted: September 30 2011 at 09:41 | IP Logged
|
|
|
I've searched for some info on SSL support for PowerHome's web server but couldn't find much of anything.
How is this implemented? The SSL section of the web server has two items, a check box and a "certificate name" text box. It seems simple enough but I can't get it to work. Among other things, I tried creating a self-signed certificate and placing the path in the "certificate name box. No luck.
Does turning on SSL override the webserver's designated port number? By default SSL/TLS uses port 443.
__________________ Jeff
"Assiduus usus uni rei deditus et ingenium et artem saepe vincit" - Cicero
|
Back to Top |
|
|
dhoward Admin Group
Joined: June 29 2001 Location: United States
Online Status: Offline Posts: 4447
|
Posted: October 03 2011 at 22:30 | IP Logged
|
|
|
Jeff,
I won't be able to provide a full answer until I get back from Korea (October 10) and can look at the source code.
However, going from memory, PowerHome does allow you to override the default port of 443 by entering a different number for the port. It sounds like you're doing everything right so I'll probably have to look at the code to get you a better answer. One last thing, make sure you're accessing the webserver using https://xxx.xxx.xxx.xxx/ph-cgi/main vs http://xxx.xxx.xxx.xxx/ph-cgi/main. The "s" is necessary to tell the browser that you want SSL.
Dave.
|
Back to Top |
|
|
Ktulu Newbie
Joined: March 14 2007 Location: United States
Online Status: Offline Posts: 25
|
Posted: October 06 2011 at 10:27 | IP Logged
|
|
|
No sweat Dave, whenever you have a chance. Have a safe trip.
__________________ Jeff
"Assiduus usus uni rei deditus et ingenium et artem saepe vincit" - Cicero
|
Back to Top |
|
|
dhoward Admin Group
Joined: June 29 2001 Location: United States
Online Status: Offline Posts: 4447
|
Posted: October 21 2011 at 15:22 | IP Logged
|
|
|
Jeff,
Do you need me to look into this further?
Thanks,
Dave.
|
Back to Top |
|
|
pingmustard Newbie
Joined: September 13 2010
Online Status: Offline Posts: 18
|
Posted: September 17 2012 at 00:11 | IP Logged
|
|
|
dhoward wrote:
Jeff,
Do you need me to look into this further?
Thanks,
Dave.
|
|
|
Dave, could you provide / link any instructions for using SSL with the web server? In particular, I think the confusing part would be the Certificate Name field. How do we create self signed certificate and/or get it to be recognized by PH?
Thanks!
|
Back to Top |
|
|
dhoward Admin Group
Joined: June 29 2001 Location: United States
Online Status: Offline Posts: 4447
|
Posted: September 17 2012 at 13:41 | IP Logged
|
|
|
Ping,
Well it took awhile but I finally tracked down the easiest way and confirmed it on my own setup.
First, you'll need the two files contained in this zip http://www.power-
home.com/download/certificates.zip. Create a directory and unzip...they don't need to be installed.
Use the instructions at this link: https://sockettools.com/kb/creating-tls-server-
certificate/
In the first createcert command, I changed TestCA to DWHCA. In the second createcert command, I changed localhost to DWHPH. Obviously I also changed the TestCA
to my previous DWHCA.
The first createcert statement creates a certificate that establishes you as a Certificate Authority hence why I used DWHCA. The second createcert statement uses
creates a signed server certificate named DWHPH that you self sign with DWHCA.
For certificate name in the PH Web configuration, I used the server certificate name. In this case, DWHPH.
You'll get an error in the browser saying the certificate is not signed by an authority (such as Thawte, Verisign, etc) but you can say continue to website anyway
and you'll be sending/receiving fully encrypted.
Hope this helps,
Dave.
Edited by dhoward - June 24 2016 at 16:05
|
Back to Top |
|
|
demko Newbie
Joined: January 08 2009
Online Status: Offline Posts: 15
|
Posted: March 12 2013 at 20:23 | IP Logged
|
|
|
Hi Dave,
Do you know what cert format is needed for the file in
the PH Web configuration? I copied the certificate chain
.pem file that I use on my personal domain and tried to
use that but I kept getting ssl protocol errors. I then
renamed it to a .cer and windows recognized it and
allowed me to import it into windows certificate manager
as a personal certificate. I then tried exporting it as
a DER encoded binary X.509 and pointed the PH config
towards that file and I again got the same ssl protocol
error.
Now to confuse things even more I tried tried following
the steps you gave above using the utilities you
mentioned and I'm still getting the ssl protocol error.
So I'm starting to wonder if there maybe something bigger
going on.
BTW, just to confirm I am about to access the PH
webserver if I turn SSL off. Also I don't think it
should matter but figured I'd also mention that I have
yet to add any devices or controllers to PH so it's just
a bare bones page at the moment. I'm also on the 2.1.4
version.
Any help you (or anyone else) could give would be greatly
appreciated.
Thanks!
Pat
|
Back to Top |
|
|
krommetje Super User
Joined: December 29 2004 Location: Netherlands
Online Status: Offline Posts: 695
|
Posted: March 12 2013 at 23:52 | IP Logged
|
|
|
I am running into the same issues here, for some reason my IIS accepts all SSL-certs, PH doesn't and my certs are all official certs issued by Comodo....
|
Back to Top |
|
|
demko Newbie
Joined: January 08 2009
Online Status: Offline Posts: 15
|
Posted: March 13 2013 at 09:31 | IP Logged
|
|
|
BTW, if you're looking for a place to get a free SSL cert
to test with here's where I got mine.
https://www.startssl.com/?app=1
Edited by demko - March 13 2013 at 09:31
|
Back to Top |
|
|
dhoward Admin Group
Joined: June 29 2001 Location: United States
Online Status: Offline Posts: 4447
|
Posted: March 13 2013 at 20:37 | IP Logged
|
|
|
Demko,
I went through the steps on my post above (a new PH machine that Ive never used SSL on before) and didnt have any problems. Im by no means an expert in this aspect of the web but the Catalyst controls server socket is looking for the name of the certificate as it gets imported into the Certificate manager...not a filename per se.
In my setup, I download the certificates.zip and ran the createcert.exe to create a self signed root certificate. I basically just followed the steps in the KB article in my post above. After creating the selfsigned.cer file, I launched the certmgr utility and imported the certificate into my Trusted root certification Authorities. After that, I ran the createcert utility again (detailed in KB) to create my server certificate. I launched the certmgr again and I could see my new server certificate in my Personal store. The name that appeared in the "Issued To" column is the name I placed in PowerHome's "Certificate Name" field. After doing that, I reinitialized (it took a quite a bit longer for the web server to reinitialize) but after it was up, I was able to hit the page using https. Of course, I got all the "There is a problem with this website's security certificate" in IE but after clicking "Continue to this website", I was able to access PH via SSL.
Since you've already got a .CER file and you've imported it into your personal store using Certificate Manager, I would think all you need to do at this point is use the name in the Issued To column for the Certificate Name.
Hope this helps,
Dave.
|
Back to Top |
|
|
demko Newbie
Joined: January 08 2009
Online Status: Offline Posts: 15
|
Posted: March 15 2013 at 21:31 | IP Logged
|
|
|
Thanks for the help Dave!
I was able to get it to work with your way (creating my own CA and a Cert)
and also with my own certificates.
I think the problems I was having getting your way to work were I wasn't
importing the CA into trusted root certification authorities BEFORE importing
my server certificate and also that I wasn't specifying the the "Issued To"
name from the cert manager in the Powerhome "Certificate Name" field.
I think the problems with my own certificates were related to the type of
certificate I have. My certification is a chained one that has a CA and an
Intermediate CA so when you look at it in a browser you see the CA-
>Intermediate CA -> My Server Cert. My problem was that I needed to to
install the CA and Intermediate CA certificates into the Trusted Root
Certification authorities and Intermediate Certification Authorities BEFORE I
installed my server certificate. Then I also needed to specify the "Issued To"
name form the cert manager in the Powerhome "Certificate Name" field.
Thanks again!
Pat
|
Back to Top |
|
|
jgjerset Newbie
Joined: December 01 2020 Location: United States
Online Status: Offline Posts: 2
|
Posted: December 01 2020 at 18:36 | IP Logged
|
|
|
Hi,
This is an old thread, but I'm having a similar issue and
I'm wondering if anyone has any pointers. I've tried the
recommendations in this thread.
I'm running PH 2.2 beta 3 on Windows 10.
I have a certificate issued by GoDaddy and I have
imported the intermediate certs into the trusted root
authorities and the certificate into the personal
certificate store.
I've set the "Web Server Port" to 443 and have "Use SSL"
checked with the "Issued To" name in the Certificate
Name" field.
When I attempt to access the site using https:// I get an
ERR_CONNECTION_CLOSED response back in Chrome.
I've checked the port status with the netstat -an command
and when PH is running, the command shows the system is
listening on 443.
Everything works fine when I don't use SSL. I can access
the webserver with a non-secure connection with no
problem.
Any recommendations would be appreciated.
Thanks
Jon
|
Back to Top |
|
|
dhoward Admin Group
Joined: June 29 2001 Location: United States
Online Status: Offline Posts: 4447
|
Posted: December 03 2020 at 20:53 | IP Logged
|
|
|
Jon,
I got a chance to spend quite a bit of time on this today and it's obvious I need to come back and do some additional work concerning SSL on the webserver.
In PowerHome 2.2beta3, there are actually 3 different webservers that you can choose from. The default webserver is a C# server component I developed and I
did not yet create the option to handle SSL so this would be your main problem.
That leaves the other 2 server types. The previous default server type used a Catalyst socket control and I expected that to work once I changed to it but
I could not get it to work. The final server type is a Catalyst webserver control and I was successful in getting that to work in my development
environment. However, it didnt work for me in a different environment, hence the need to readdress this section of code.
Which webserver PowerHome uses when it is launched, is controlled by the "webservertype" option under the [WebServer] section of the pwrhome.ini file.
You'll have to manually edit this option in notepad.exe.
webservertype=0 is the Catalyst Socket control (does not work for me)
webservertype=1 is the Catalyst Webserver control (works in devel but not on another machine)
webservertype=2 is the C# server control Im in the process of developing and it does not yet have code for handling SSL (will never work until new version)
In all my test cases, I was using a self signed certificate I created using the "makecert.exe" utility as described in earlier posts in this thread. I
checked the "Use SSL" option and the Certificate Name column was set to the name that is displayed in the Microsoft Certificate Manager. In all cases, my
self signed certificate was in the "Personal" store.
Ive got looking into this on my todo list for beta4 so I'll try to have this fixed for the next version. In the meantime, try setting the webservertype=1
and see if it makes a difference for you.
Dave.
|
Back to Top |
|
|
dhoward Admin Group
Joined: June 29 2001 Location: United States
Online Status: Offline Posts: 4447
|
Posted: December 03 2020 at 21:17 | IP Logged
|
|
|
As a followup, spent some more time playing with this and was able to get everything reliably working with webservertype=1 by scrapping the self signed
certificates that I originally created with the deprecated "makecert.exe" utility and followed the instructions at this location
OpenSSL Server certificate to create self signed certificates using OpenSSL
instead.
Hope this helps,
Dave.
|
Back to Top |
|
|
dhoward Admin Group
Joined: June 29 2001 Location: United States
Online Status: Offline Posts: 4447
|
Posted: December 03 2020 at 21:30 | IP Logged
|
|
|
One final update. Using the self signed OpenSSL certficates I created above, webservertype=0 also now works.
Dave.
|
Back to Top |
|
|
jgjerset Newbie
Joined: December 01 2020 Location: United States
Online Status: Offline Posts: 2
|
Posted: December 05 2020 at 14:50 | IP Logged
|
|
|
Hi Dave,
Thanks for the update. I gave this a try and I have had
some mixed success, but I'm not to the point where I can
use a secure connection as my primary connection to the
server.
I started by running through the steps you included to
create a self-signed cert using OpenSSL. After installing
the root and personal certificates I was able to get a
secure connection to "localhost" with Chrome 87.0.4280.88
(latest as of this post). Everything appeared to work
fine with webservertype=0 and 1 as you described.
After running through those steps, I realized the issue
with my purchased certificate was possibly that I didn't
have the private key included in the certificate when I
imported it into the personal store. When I created the
csr, I used IIS and I installed the cert through IIS and
then later also imported it into many different places as
I was trying different things. That it turns out isn't
the correct way to get this working with PH.
I backtracked and created a new CSR using this command
openssl.exe req -newkey rsa:2048 -keyout PRIVATEKEY.key -
out MYCSR.csr
and requested the CA rekey my cert using the mycsr.csr.
Once I had the new cert, I used the command below to add
the private key to the certificate. This was one of the
steps that the directions from OpenSSL described.
openssl.exe pkcs12 -export -out cert.pfx -inkey
PRIVATEKEY.key -in 64a3e3eb49c5e2cd.crt -certfile
gd_bundle-g2-g1.crt -password pass:testing
Then in windows explorer, I right clicked on cert.pfx and
installed the certificate into the personal store as the
OpenSSL directions had described.
I fired up PH and I was able to get a secure connection
to my PW web server using the CAs certificate and the
full domain name of the server. Everything appears to
work perfectly on the LOCAL COMPUTER where PH is running.
I can log into the PH website and run through all of the
different pages with Chrome.
The problem I'm now having is when I try to access the PH
webserver from any other computer, whether on the local
network or outside my FW.
I'm getting mixed results. Chrome, Opera, and Edge
(Chromium-based browsers) all appear to establish a
secure connection to the server and prompt for the login,
but after logging in, all three display a blank Main
page. If I paste in the URL for the logs, the control
center, and most of the other pages, they work. It just
appears to be the Main page that I can't access. Opera
does complain with - cauth Failed to load resource: the
server responded with a status of 400 (Bad Request) - I
think that is a cookie authentication complaint.
Firefox, on the other hand, does load the Main page, but
not all of it. I have over 50 devices in my home and the
Main device table cuts off after 47 rows. Also, another
thing to note is Firefox only works with webservertype=0.
I tried whitelisting my IP addresses and many other
things thinking the issue was possibly authentication
related, but I can't get it to work with Chrome on an
external computer so far.
It appears I've made it past getting HTTPS to work, and
I'm now bumping into another issue.
If you have any other suggestions, let me know and I'll
give them a try.
Thanks for your help with this.
Jon
|
Back to Top |
|
|
dhoward Admin Group
Joined: June 29 2001 Location: United States
Online Status: Offline Posts: 4447
|
Posted: December 16 2020 at 22:40 | IP Logged
|
|
|
Jon,
Just wondering if you've tried turning off SSL and whether you're able to access the main page from a remote machine or not. As long as the SSL
connection is being made, Im not sure why that would prevent the data (for apparently just the main page) from being returned.
Can you send me a screenshot of the incoming remote request in the eventlog? Both with SSL on and SSL off? I might be able to discern a little more.
Thanks,
Dave.
|
Back to Top |
|
|
Resolute Newbie
Joined: January 11 2016
Online Status: Offline Posts: 32
|
Posted: December 18 2021 at 08:12 | IP Logged
|
|
|
I'm trying to use Let's Encrypt! certs with Powerhome 2.1.5d web server. I have been using a Comodo wildcard cert for many years now, with just some minor ssl hickups, mostly related to latency
and content loading, of which I can live with.
But I decided to save some bucks and go with LetsEncrypt for all of my web services, and Powerhome is the only hickup. My browsers report that the cert is either expired or revoked (I've seen
both), depending on the browser. Chrome reports revoked, Firefox reports expired. Manual checks with openssl reports all is good with the chain. My other sites (Apache and IIS services) are
using certs just fine. That leaves me with the web server as the issue. How does the intermediate cert get pushed to the client? From the Windows cert store? Does Powerhome web server support
intermediate certs?
Since I am using IFTTT for voice controlled automation (Alexa based), I need SSL for that web request into my edge, so reverting back to port 80 is not an option. As a last resort I could set
up a reverse proxy, but I would rather not do that....
Ideas or thoughts?
|
Back to Top |
|
|