The message is saying the certificate is not matching the server at all. You should replace or regenerate it. Is the synology able to create CSRs?
How does your certificate look like / what is the content of it ? Does it contain the servers IP address and the IP address of your server changed ? Or does it contain the servers FQDN ?
Sorry, I’m not really understanding what to do.
I downloaded the certificate from the web browser and have imported it to the java trust store. As I understand the dns name is synology. I don’t know if it is changeble somehow. I’m addressing it with a static IP address I gave him.
I found a button called CSR .
Does you mean, I should create a new certificate and it will not work with the current certificate?
The workflow would be the same after the creation; download the certificate and install it in the java trust store?
Depending which options you have when configuring the certificate. Checkout the Button “Konfigurieren” and look for “Common Name”/CN/“Zertifikatsname” and for “(Subject) Alternative Name”/SAN/“Alternativnamen”. One of those names must be the name or ip you access from openhab. Then i’d expect to get a fresh self signed certificate and the import process is the same. Else we need to create an own CA, but let’s try out that first.
Thanks Michael for your assistance and moving me to the right direction.
With “Konfigurieren”, I just can say which certificate (if there are more) to use for which service. So I tried to generate a new certificate and it worked!
The thing is online and the messages are:
2021-05-16 19:58:10.814 [DEBUG] [ar.internal.handler.ICalendarHandler] - The calendar is currently offline as no local copy exists. It will go online as soon as a valid valid calendar is retrieved.
2021-05-16 19:58:13.764 [DEBUG] [ar.internal.handler.ICalendarHandler] - Scheduled update in 360107 seconds
1 Like
Hi @usambara ,
i am currently also struggeling with getting iCalendar binding running with my Synology. I am on DSM 7.0.1 and running OH 3.1.0. I can’t see any ‘CSR’ Button in DSM Certificate Management.
Currently my log on OH says:
2021-11-04 21:20:52.308 [WARN ] [g.icalendar.internal.handler.PullJob] - Download of calendar failed.
Can you tell me, which steps to reproduce so that i get the iCalendar working? Where do i have to download which Certificate, etc? That would be fantastic.
Thanks in advance
Patrick
Edit: In the meantime i have raised log level to ‘TRACE’ and now it is giving a reason:
2021-11-05 00:48:42.505 [DEBUG] [g.icalendar.internal.handler.PullJob] - ExecutionException message is: Max requests queued per destination 1024 exceeded for HttpDestination[http://192.168.178.100:5000]@1fdecff,queue=1024,pool=DuplexConnectionPool@1921420[c=0/2/2,a=2,i=0,q=1024]
I do have 4 calendars which i am watching with 4 additional filters, so in total 8 items. Each had a pull time of 5min. In a first step i have raised this now to 15min/360min. But i dont know why this error shows up. Is there any clue on this?
Hi usambara,
can you tell me how you have imported the certificate in you’re keystore.
I’m running openhab and synology in the same.local network. But I can get the cal to work.
I have still the errors with the certificate.
- ExecutionException message is: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException
When I remember right, I created a new certificate on my NAS:
(sorry, it is in German localized)
Systemsteuerung / Zertifikat / Hinzufügen / Hinzufügen
This was exported and imported on my openhab server.
I found in my history the following command:
sudo keytool -import -alias myssl -file /usr/local/share/ca-certificates/extra/nas.crt -keystore /opt/jdk/zulu11.48.21-ca-jdk11.0.11-linux_aarch64/lib/security/cacerts
I’m quite confident that this did the trick.
nas.crt is the certificate exported from the NAS-drive
1 Like
Hi,
Thanks for you’re answer. I will try it during the weekend.
Br Thorsten
Hi Ulrich,
how did you create a certificate?
Under the path you mentioned Systemsteuerung… The only way to create a certificate is with
the help of let’s encrypt.
If I export this i get a zip file containing 6 Files . 3 starting with RCA and 3 with ECC.
But in you’re other message you write to import a crt file.
So I’m confused.
Between Systemsteuerung and Zertifikat was a “Sicherheit” missing, but I’m sure that wasn’t the point. If you follow the path mentioned above, you can select “Neues Zertifikat hinzufügen”. In the next step you have the option “Selbst unterzeichnetes Zertifikat erstellen”. That is what you need to do here.
I have DSM 6.2.4, maybe that’s an issue here.
yes, in dsm 7 that is not available anymore
I would say that’s even better than a selfsigned certificate as you do not need to define exceptions during using them.
maybe, but the only reason to need a certificate, is the openhab I cal binding.
My synology (needed for synology calendar) and my openhab, are not reachable from the inet.
Synolgy only offers a https link to the synology calendar. And if i enter this in the openhab raises the certificate error.
So from my point of view a self signed is enough.
A self signed certificate is not less good than a bought one, if it is unique and verified. I would assume the uniqueness is properly solved by Synology as it’s a mass product and this would be a 10/10 CVSS Vulnerability and by importing it into the keystore manually, you are verifying it.
Was this one every solved on DSM 7.x?
I exported the CA file from my NAS and imported the pem file into the default keystore, which is linked to /etc/ssl/certs//java/cacerst
But I still received an error message if I want to download the calendar into teh icalended add-on.
Download of calendar failed with ExecutionException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
is this the same keystore that is used for openhab which in an apt based installation is located at /var/lib/openhab/etc/keystore ?
Ok, another location to find a keystore. Will try to use that one and see what happens.
Thanks for the hint! 