Openhab2 sign the ssl / tls certificate

Hello,

By default openhab2 comes with a self-signed certificate.
I was looking at the possibility of signing the certificate with my own CA. The only instructions I could find were for openhab1.

I could follow the instructions just fine until step 9. The command just fails to execute.
Does anybody know how to proceed? As far as I understand I just need to configure the password for this jetty service for the new keystore and I am all set.

jetty.xml is not located in /var/lib/openhab2/etc (or openhab2/userdata/etc for manual installs).

Given that OH 2 is now hosted on Karaf instead of Eclipse I’m not surprised that those jar files do not exist. I don’t know what the Karaf equivalent is but I think you will need to research how to set the cert using Karaf documentation, not OH 1 documentation.

If you figure it out, a tutorial would be awesome!

Thanks for the reply Rich.

I can find jetty.xml in the openhab2/etc folder:

pi@raspberrypi:~ $ sudo find / -name jetty.xml
/home/pi/openhab2-backup-20170124_210155/userdata/etc/jetty.xml
/home/pi/openhab2-backup-20170213_182437/userdata/etc/jetty.xml
/home/pi/openhab2-backup-20170212_193516/userdata/etc/jetty.xml
/home/pi/openhab2-backup-20170212_164655/userdata/etc/jetty.xml
/usr/share/openhab2/runtime/etc/jetty.xml
/var/lib/openhab2/etc/jetty.xml

As you can see it is there, and it is also in the runtime folder. If I check the latter I see that this is part of the config:

        <New id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
                <Set name="KeyStorePath"><SystemProperty name="jetty.keystore.path" default="/etc/myKeystore" /></Set>
                <Set name="KeyStorePassword"><SystemProperty name="jetty.ssl.password" default="OBF:1uh81uha1toc1wn31toi1ugg1ugi" /></Set>
                <Set name="KeyManagerPassword"><SystemProperty name="jetty.ssl.keypassword" default="OBF:1uh81uha1toc1wn31toi1ugg1ugi" /></Set>
                <Set name="TrustStorePath"><SystemProperty name="jetty.truststore.path" default="/etc/myKeystore" /></Set>
                <Set name="TrustStorePassword"><SystemProperty name="jetty.ssl.password" default="OBF:1uh81uha1toc1wn31toi1ugg1ugi" /></Set>
                <Set name="EndpointIdentificationAlgorithm"></Set>
                <Set name="NeedClientAuth"><SystemProperty name="jetty.ssl.needClientAuth" default="false" /></Set>
                <Set name="WantClientAuth"><SystemProperty name="jetty.ssl.wantClientAuth" default="false" /></Set>
                <Set name="ExcludeCipherSuites">

So there is a keystore configured (myKeystore) that I cannot seem to find anywhere. I also changed the passwords to some random value and after restarting the openhab service I got errors about a wrong password for the keystore. That tells me that they are used somehow.

I have also found the util that generates the password in obfuscated form; it is just a different version than the one documented for openhab1. I replaced the keystore with mine and changed the password using the util but it still complains about a wrong password.

Obviously this is a very noob way of trying to figure things out since I have no idea what jetty is :) I will try to check the docs to see if I can find anything more helpful.

Jetty is the web server OH uses to host the UIs and REST API.

My keystore seems to be located in userdata/etc/keystore

You can check if the password is valid by using “keytool” (part of Java):

$ keytool -list -keystore /path/to/keystore -storepass [unencrypted-password]

That will list the contents of the keystore if the password is valid.

Btw, what is the name and location of the password tool you found?

Hello Alex,

My keystore is configured just fine. The problem I have is that I cannot seem to be able to tell the jetty service where the new keystore is and what the password is.

I used this to convert my password to obfuscated form:

/usr/share/openhab2/runtime/system/org/eclipse/jetty/jetty-util/9.2.19.v20160908/jetty-util-9.2.19.v20160908.jar
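The OBF: values in jetty.xml and the jetty-util jar named above are Jetty's password obfuscation. What follows is an added worked example, not code from the thread or from the openHAB project: a Python re-implementation of that encoding (the algorithm of org.eclipse.jetty.util.security.Password in jetty-util), so that a jetty.xml value can be produced without the jar and an existing OBF: value, such as the default one quoted earlier in the thread, can be checked. The function names and the jetty.xml fragment used as sample input are mine. It also makes the operational point explicit: OBF: is a reversible encoding, not encryption, so the keystore password in jetty.xml is protected only by that file's permissions.

```python
"""Jetty "OBF:" password obfuscation re-implemented in Python (added example).

Mirrors org.eclipse.jetty.util.security.Password.obfuscate/deobfuscate from
jetty-util.  Function names are this example's own, not Jetty's.
"""
import re
from typing import Optional

_B36 = "0123456789abcdefghijklmnopqrstuvwxyz"


def _to_base36(n: int) -> str:
    """Lower-case base-36, matching Java's Integer.toString(n, 36)."""
    if n == 0:
        return "0"
    digits = []
    while n:
        n, r = divmod(n, 36)
        digits.append(_B36[r])
    return "".join(reversed(digits))


def jetty_obfuscate(password: str) -> str:
    """Return the OBF:-prefixed form that jetty.xml accepts.

    Each 4-character group encodes one input byte mixed with its mirror byte
    (b[i] with b[n-1-i]); the mixing only disguises the value, it adds no secrecy.
    """
    raw = password.encode("utf-8")
    n = len(raw)
    out = ["OBF:"]
    for i in range(n):
        # Java bytes are signed: treat 0x80..0xFF as negative like the original.
        b1 = raw[i] - 256 if raw[i] > 127 else raw[i]
        b2 = raw[n - 1 - i] - 256 if raw[n - 1 - i] > 127 else raw[n - 1 - i]
        if b1 < 0 or b2 < 0:
            # Non-ASCII byte: a 'U' marker followed by a zero-padded 4-digit group.
            x = _to_base36((b1 & 0xFF) * 256 + (b2 & 0xFF))
            out.append("U0000"[: 5 - len(x)] + x)
        else:
            i1 = 127 + b1 + b2
            i2 = 127 + b1 - b2
            x = _to_base36(i1 * 256 + i2)
            out.append("000"[: 4 - len(x)] + x)
    return "".join(out)


def jetty_deobfuscate(obf: str) -> str:
    """Invert jetty_obfuscate; accepts the value with or without the OBF: prefix."""
    s = obf[4:] if obf.startswith("OBF:") else obf
    raw = bytearray()
    i = 0
    while i < len(s):
        if s[i] == "U":
            raw.append((int(s[i + 1 : i + 5], 36) >> 8) & 0xFF)
            i += 5
        else:
            i1, i2 = divmod(int(s[i : i + 4], 36), 256)
            # i1 + i2 == 254 + 2*b1, so the original byte is recovered exactly.
            raw.append(((i1 + i2 - 254) // 2) & 0xFF)
            i += 4
    return raw.decode("utf-8")


def configured_password(jetty_xml: str, property_name: str) -> Optional[str]:
    """Plaintext of the default= value jetty.xml carries for one SystemProperty.

    Returns None when the property is absent; an OBF: value is decoded, any
    other value is returned unchanged.  A regex is used on purpose so that a
    fragment pasted from the file (not a complete XML document) still works.
    """
    pattern = r'<SystemProperty\s+name="%s"\s+default="([^"]*)"' % re.escape(property_name)
    m = re.search(pattern, jetty_xml)
    if not m:
        return None
    value = m.group(1)
    return jetty_deobfuscate(value) if value.startswith("OBF:") else value


# Constructed sample input: the three password lines as they appear in the
# stock jetty.xml quoted in this thread.
SAMPLE_JETTY_XML = """
<Set name="KeyStorePassword"><SystemProperty name="jetty.ssl.password" default="OBF:1uh81uha1toc1wn31toi1ugg1ugi" /></Set>
<Set name="KeyManagerPassword"><SystemProperty name="jetty.ssl.keypassword" default="OBF:1uh81uha1toc1wn31toi1ugg1ugi" /></Set>
<Set name="TrustStorePassword"><SystemProperty name="jetty.ssl.password" default="OBF:1uh81uha1toc1wn31toi1ugg1ugi" /></Set>
"""

if __name__ == "__main__":
    print("stock jetty.xml keystore password:", configured_password(SAMPLE_JETTY_XML, "jetty.ssl.password"))
    print("obfuscated form of a new password:", jetty_obfuscate("example-only-P4ss"))
```

Usage: run the file directly to see the stock password decoded and a fresh value obfuscated, or import it and call jetty_obfuscate on the password you chose for your own keystore to get the string for the three default= attributes. Because the decoding is this simple, treat jetty.xml with the same file permissions as the keystore itself.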

I think you have to configure your keystore in the system.properties file:

$ grep -r keystore *
userdata/etc/system.properties:jetty.keystore.path=${openhab.userdata}/etc/keystore
userdata/etc/system.properties:jetty.truststore.path=${openhab.userdata}/etc/keystore

Which matches my keystore, located in userdata/etc/keystore.

Thanks Alex. I will try what you say once I am home today and will let you know.

EDIT: That is already set to point to my newly created keystore so we are good.

I am still searching to find where I need to configure the password for the keystore.

I progressed a bit. I modified the jetty.xml file located here:

/usr/share/openhab2/runtime/etc/

Initially I used a very complex password which apparently did not work. I used a simpler one and it seems that now the TLS on port 8443 presents my certificate.

This is what I did:

        <New id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
                <Set name="KeyStorePath"><SystemProperty name="jetty.keystore.path" default="/var/lib/openhab2/etc/keystore" /></Set>
                <Set name="KeyStorePassword"><SystemProperty name="jetty.ssl.password" default="OBF:XXXXXXXXXX" /></Set>
                <Set name="KeyManagerPassword"><SystemProperty name="jetty.ssl.keypassword" default="OBF:XXXXXXXXXX" /></Set>
                <Set name="TrustStorePath"><SystemProperty name="jetty.truststore.path" default="/var/lib/openhab2/etc/keystore" /></Set>
                <Set name="TrustStorePassword"><SystemProperty name="jetty.ssl.password" default="OBF:XXXXXXXXXX" /></Set>
                <Set name="EndpointIdentificationAlgorithm"></Set>

Basically I modified the password and the path to the keystore.
When I start the openhab2 service I see my certificate being presented, but in the logs I get the following error during the initialization of the service:

2017-02-26 14:49:17.525 [ERROR] [ficate.internal.CertificateGenerator] - Failed to generate a new SSL Certificate.
java.security.KeyStoreException: Failed to load the keystore /var/lib/openhab2/etc/keystore
        at org.openhab.io.jetty.certificate.internal.CertificateGenerator.ensureKeystore(CertificateGenerator.java:124)[168:org.openhab.io.jetty.certificate:2.0.0]
        at org.openhab.io.jetty.certificate.internal.CertificateGenerator.start(CertificateGenerator.java:80)[168:org.openhab.io.jetty.certificate:2.0.0]
        at org.eclipse.osgi.internal.framework.BundleContextImpl$3.run(BundleContextImpl.java:771)[org.eclipse.osgi-3.10.101.v20150820-1432.jar:]
        at org.eclipse.osgi.internal.framework.BundleContextImpl$3.run(BundleContextImpl.java:1)[org.eclipse.osgi-3.10.101.v20150820-1432.jar:]
        at java.security.AccessController.doPrivileged(Native Method)[:1.8.0_65]
        at org.eclipse.osgi.internal.framework.BundleContextImpl.startActivator(BundleContextImpl.java:764)[org.eclipse.osgi-3.10.101.v20150820-1432.jar:]
        at org.eclipse.osgi.internal.framework.BundleContextImpl.start(BundleContextImpl.java:721)[org.eclipse.osgi-3.10.101.v20150820-1432.jar:]
        at org.eclipse.osgi.internal.framework.EquinoxBundle.startWorker0(EquinoxBundle.java:941)[org.eclipse.osgi-3.10.101.v20150820-1432.jar:]
        at org.eclipse.osgi.internal.framework.EquinoxBundle$EquinoxModule.startWorker(EquinoxBundle.java:318)[org.eclipse.osgi-3.10.101.v20150820-1432.jar:]
        at org.eclipse.osgi.container.Module.doStart(Module.java:571)[org.eclipse.osgi-3.10.101.v20150820-1432.jar:]
        at org.eclipse.osgi.container.Module.start(Module.java:439)[org.eclipse.osgi-3.10.101.v20150820-1432.jar:]
        at org.eclipse.osgi.container.ModuleContainer$ContainerStartLevel.incStartLevel(ModuleContainer.java:1582)[org.eclipse.osgi-3.10.101.v20150820-1432.jar:]
        at org.eclipse.osgi.container.ModuleContainer$ContainerStartLevel.incStartLevel(ModuleContainer.java:1562)[org.eclipse.osgi-3.10.101.v20150820-1432.jar:]
        at org.eclipse.osgi.container.ModuleContainer$ContainerStartLevel.doContainerStartLevel(ModuleContainer.java:1533)[org.eclipse.osgi-3.10.101.v20150820-1432.jar:]
        at org.eclipse.osgi.container.ModuleContainer$ContainerStartLevel.dispatchEvent(ModuleContainer.java:1476)[org.eclipse.osgi-3.10.101.v20150820-1432.jar:]
        at org.eclipse.osgi.container.ModuleContainer$ContainerStartLevel.dispatchEvent(ModuleContainer.java:1)[org.eclipse.osgi-3.10.101.v20150820-1432.jar:]
        at org.eclipse.osgi.framework.eventmgr.EventManager.dispatchEvent(EventManager.java:230)[org.eclipse.osgi-3.10.101.v20150820-1432.jar:]
        at org.eclipse.osgi.framework.eventmgr.EventManager$EventThread.run(EventManager.java:340)[org.eclipse.osgi-3.10.101.v20150820-1432.jar:]
Caused by: java.io.IOException: Keystore was tampered with, or password was incorrect
        at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:780)[:1.8.0_65]
        at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:56)[:1.8.0_65]
        at sun.security.provider.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:225)[:1.8.0_65]
        at sun.security.provider.JavaKeyStore$DualFormatJKS.engineLoad(JavaKeyStore.java:70)[:1.8.0_65]
        at java.security.KeyStore.load(KeyStore.java:1445)[:1.8.0_65]
        at org.openhab.io.jetty.certificate.internal.CertificateGenerator.ensureKeystore(CertificateGenerator.java:122)[168:org.openhab.io.jetty.certificate:2.0.0]
        ... 17 more
Caused by: java.security.UnrecoverableKeyException: Password verification failed
        at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:778)[:1.8.0_65]
        ... 22 more

But I can confirm it works. Since what I did resulted pretty much from trial and error, I assume that something else is impacted that I cannot see at the moment.

Did you manage to fix this keystore error?
Seems that there is something else that uses the wrong password.

No, I had not pursued it further, unfortunately.

If you want to get rid of the error “[ERROR] [ficate.internal.CertificateGenerator] - Failed to generate a new SSL Certificate.” you need to use the default password, which is “openhab”; in this case there is no need to change jetty.xml. This password is hard-coded into the source, which in my opinion is a big oversight on the developers’ side; it should come from a configuration file, the same as the path to the keystore.

If you think it is a security issue you can file it by following the instructions at Security Policy · openhab/openhab-core · GitHub. If not you can file an issue at Issues · openhab/openhab-core · GitHub.

1 Like

Thank you Rich, I don’t think that’s a really big security issue, more like just a functionality oversight, I’ll file an issue report.

Hey All,
I was following this post and soon after I stumbled upon this post.

I am now able to use Let's Encrypt certs for all my needs, including openhab over SSL.

Hope that helps.

Update to my own post,

I have been using openhab for about 2 years now with Let's Encrypt certs.
Here is a simple guide with minimal commands to run.
The only commands I have to run to update my certs are:

openssl pkcs12 -export -in /etc/letsencrypt/DOMAIN.TLD/fullchain.pem -inkey /etc/letsencrypt/DOMAIN.TLD/privkey.pem -out /tmp/DOMAIN.TLD.p12 -passout pass:openhab -name mykey

scp /tmp/DOMAIN.TLD.p12 root@openhab:/tmp/

ssh root@openhab "keytool -importkeystore -deststorepass openhab -destkeypass openhab -destkeystore /tmp/keystore -srckeystore /tmp/DOMAIN.TLD.p12 -srcstoretype pkcs12 -srcstorepass openhab -alias mykey"

ssh root@openhab "mv /var/lib/openhab/etc/keystore /var/lib/openhab/etc/keystore.bak"

ssh root@openhab "mv /tmp/keystore /var/lib/openhab/etc/"

ssh root@openhab "chown openhab:openhab /var/lib/openhab/etc/keystore"

ssh root@openhab "systemctl restart openhab.service"

NOTE: except for changing DOMAIN.TLD, you should not need to change anything.
Hope this helps.