By default openhab2 comes with a self-signed certificate.
I was looking at the possibility of signing the certificate with my own CA. The only instructions I could find were for openhab1.
I could follow the instructions just fine until step 9. The command just fails to execute.
Does anybody know how to proceed? As far as I understand I just need to configure the password for this jetty service for the new keystore and I am all set.
jetty.xml is not located in /var/lib/openhab2/etc (or openhab2/userdata/etc for manual installs).
Given that OH 2 is now hosted on Karaf instead of Eclipse I’m not surprised that those jar files do not exist. I don’t know what the Karaf equivalent is, but I think you will need to research how to set the cert using Karaf documentation, not OH 1 documentation.
If you figure it out, a tutorial would be awesome!
So there is a keystore configured (myKeystore) that I cannot seem to find anywhere. I also changed the passwords to some random value, and after restarting the openhab service I get errors about a wrong password for the keystore. That tells me that they are used somehow.
I have also found the util that generates the password in obfuscated form; it is just a different version than the one documented for openhab1. I replaced the keystore with mine and changed the password using the util, but it still complains about a wrong password.
Obviously this is a very noob way of trying to figure things out since I have no idea what jetty is. I will try to check the docs to see if I can find anything more helpful.
My keystore is configured just fine. The problem I have is that I cannot seem to be able to tell the jetty service where the new keystore is and what the password is.
I used this to convert my password to obfuscated form.
I progressed a bit. I modified the jetty.xml file located here:
/usr/share/openhab2/runtime/etc/
Initially I used a very complex password which apparently did not work. I used a simpler one, and it seems that now the TLS on port 8443 presents my certificate.
Basically I modified the password and the path to the keystore.
When I start the openhab2 service I see my certificate being presented, but in the logs I get the following error during the initialization of the service:
2017-02-26 14:49:17.525 [ERROR] [ficate.internal.CertificateGenerator] - Failed to generate a new SSL Certificate.
java.security.KeyStoreException: Failed to load the keystore /var/lib/openhab2/etc/keystore
at org.openhab.io.jetty.certificate.internal.CertificateGenerator.ensureKeystore(CertificateGenerator.java:124)[168:org.openhab.io.jetty.certificate:2.0.0]
at org.openhab.io.jetty.certificate.internal.CertificateGenerator.start(CertificateGenerator.java:80)[168:org.openhab.io.jetty.certificate:2.0.0]
at org.eclipse.osgi.internal.framework.BundleContextImpl$3.run(BundleContextImpl.java:771)[org.eclipse.osgi-3.10.101.v20150820-1432.jar:]
at org.eclipse.osgi.internal.framework.BundleContextImpl$3.run(BundleContextImpl.java:1)[org.eclipse.osgi-3.10.101.v20150820-1432.jar:]
at java.security.AccessController.doPrivileged(Native Method)[:1.8.0_65]
at org.eclipse.osgi.internal.framework.BundleContextImpl.startActivator(BundleContextImpl.java:764)[org.eclipse.osgi-3.10.101.v20150820-1432.jar:]
at org.eclipse.osgi.internal.framework.BundleContextImpl.start(BundleContextImpl.java:721)[org.eclipse.osgi-3.10.101.v20150820-1432.jar:]
at org.eclipse.osgi.internal.framework.EquinoxBundle.startWorker0(EquinoxBundle.java:941)[org.eclipse.osgi-3.10.101.v20150820-1432.jar:]
at org.eclipse.osgi.internal.framework.EquinoxBundle$EquinoxModule.startWorker(EquinoxBundle.java:318)[org.eclipse.osgi-3.10.101.v20150820-1432.jar:]
at org.eclipse.osgi.container.Module.doStart(Module.java:571)[org.eclipse.osgi-3.10.101.v20150820-1432.jar:]
at org.eclipse.osgi.container.Module.start(Module.java:439)[org.eclipse.osgi-3.10.101.v20150820-1432.jar:]
at org.eclipse.osgi.container.ModuleContainer$ContainerStartLevel.incStartLevel(ModuleContainer.java:1582)[org.eclipse.osgi-3.10.101.v20150820-1432.jar:]
at org.eclipse.osgi.container.ModuleContainer$ContainerStartLevel.incStartLevel(ModuleContainer.java:1562)[org.eclipse.osgi-3.10.101.v20150820-1432.jar:]
at org.eclipse.osgi.container.ModuleContainer$ContainerStartLevel.doContainerStartLevel(ModuleContainer.java:1533)[org.eclipse.osgi-3.10.101.v20150820-1432.jar:]
at org.eclipse.osgi.container.ModuleContainer$ContainerStartLevel.dispatchEvent(ModuleContainer.java:1476)[org.eclipse.osgi-3.10.101.v20150820-1432.jar:]
at org.eclipse.osgi.container.ModuleContainer$ContainerStartLevel.dispatchEvent(ModuleContainer.java:1)[org.eclipse.osgi-3.10.101.v20150820-1432.jar:]
at org.eclipse.osgi.framework.eventmgr.EventManager.dispatchEvent(EventManager.java:230)[org.eclipse.osgi-3.10.101.v20150820-1432.jar:]
at org.eclipse.osgi.framework.eventmgr.EventManager$EventThread.run(EventManager.java:340)[org.eclipse.osgi-3.10.101.v20150820-1432.jar:]
Caused by: java.io.IOException: Keystore was tampered with, or password was incorrect
at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:780)[:1.8.0_65]
at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:56)[:1.8.0_65]
at sun.security.provider.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:225)[:1.8.0_65]
at sun.security.provider.JavaKeyStore$DualFormatJKS.engineLoad(JavaKeyStore.java:70)[:1.8.0_65]
at java.security.KeyStore.load(KeyStore.java:1445)[:1.8.0_65]
at org.openhab.io.jetty.certificate.internal.CertificateGenerator.ensureKeystore(CertificateGenerator.java:122)[168:org.openhab.io.jetty.certificate:2.0.0]
... 17 more
Caused by: java.security.UnrecoverableKeyException: Password verification failed
at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:778)[:1.8.0_65]
... 22 more
But I can confirm it works. Since what I did resulted pretty much from trial and error, I assume that something else is impacted that I cannot see at the moment.
If you want to get rid of the error “[ERROR] [ficate.internal.CertificateGenerator] - Failed to generate a new SSL Certificate.” you need to use the default password, which is “openhab”; in this case there is no need to change jetty.xml. This password is hard coded into the source, which is in my opinion a big oversight on the developers’ side; it should come from a configuration file, the same as the path to the keystore.
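As an added example (not code from the openHAB project or from anyone in this thread), the Python below reproduces the integrity check that Java's KeyStore.load performs on a JKS file. That check is what raises "Keystore was tampered with, or password was incorrect" with "Password verification failed" as its cause in the trace posted above: the last 20 bytes of a JKS file are a SHA-1 digest over the password (as UTF-16BE), the fixed string "Mighty Aphrodite", and the file body, so a keystore keyed to a custom password cannot be opened with the hard-coded "openhab" password. The script builds a constructed, empty JKS keystore for demonstration and checks candidate passwords against it; the /var/lib/openhab2/etc/keystore path and the "openhab" default come from this thread, and the diagnose() helper and its messages are illustrative.

```python
"""Reproduce the JKS integrity check behind 'Keystore was tampered with, or
password was incorrect' (added example, not openHAB code)."""
import hashlib
import hmac
import struct
import sys

JKS_MAGIC = 0xFEEDFEED          # first 4 bytes of every JKS file
JKS_VERSION = 2                 # keytool writes version 2; version 1 is legacy
JKS_SALT = b"Mighty Aphrodite"  # constant the JDK mixes into the digest
OPENHAB_DEFAULT_PASSWORD = "openhab"  # hard-coded default reported in the thread


def _prekeyed_digest(password: str):
    # The JDK feeds each password char as two big-endian bytes (UTF-16BE),
    # then the salt, before digesting the file body.
    md = hashlib.sha1()
    md.update(password.encode("utf-16-be"))
    md.update(JKS_SALT)
    return md


def build_empty_jks(password: str) -> bytes:
    """Constructed sample: a JKS container with zero entries, keyed to `password`.

    Layout: magic (int32), version (int32), entry count (int32), then the
    20-byte SHA-1 integrity digest over everything before it.
    """
    body = struct.pack(">III", JKS_MAGIC, JKS_VERSION, 0)
    md = _prekeyed_digest(password)
    md.update(body)
    return body + md.digest()


def check_jks_password(blob: bytes, password: str) -> bool:
    """True if `password` is the integrity password of the JKS bytes in `blob`.

    Mirrors what KeyStore.load does: recompute the digest with the candidate
    password and compare it to the trailing 20 bytes of the file.
    """
    if len(blob) < 12 + 20:
        raise ValueError("too short to be a JKS keystore")
    magic, version = struct.unpack(">II", blob[:8])
    if magic != JKS_MAGIC or version not in (1, 2):
        raise ValueError("not a JKS keystore (bad magic/version)")
    body, stored = blob[:-20], blob[-20:]
    md = _prekeyed_digest(password)
    md.update(body)
    return hmac.compare_digest(md.digest(), stored)


def diagnose(blob: bytes, expected_password: str = OPENHAB_DEFAULT_PASSWORD) -> str:
    """Explain (illustrative wording) whether openHAB's CertificateGenerator
    would be able to open this keystore with its hard-coded password."""
    if check_jks_password(blob, expected_password):
        return "ok: keystore opens with the expected password"
    return ("mismatch: KeyStore.load will fail with "
            "'Keystore was tampered with, or password was incorrect'")


if __name__ == "__main__":
    # Usage: python jks_check.py [/var/lib/openhab2/etc/keystore]
    # Without a path, run against a constructed keystore keyed to a custom
    # password, which reproduces the failure described in the thread.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = build_empty_jks("My-Custom-Pass")
    print(diagnose(data))
```

Running it with no arguments prints the mismatch line, because the constructed keystore is keyed to "My-Custom-Pass" rather than "openhab"; pointing it at a real keystore file tells you before restarting the service whether CertificateGenerator will be able to load it. Note that this only verifies the keystore integrity password; individual private-key entries inside a JKS can carry their own password, which is a separate check.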
I have been using openhab for about 2 years now with LetsEncrypt certs.
Here is a simple guide with minimal commands to run.
The only commands I have to run to update my certs are: