OpenHABian securing with SSL on 8443

Hi all, I am trying to figure out how to turn on SSL access to Openhabian on port 8443. I swear I have searched the forums and cannot figure it out. I am not running a reverse proxy (and don’t want to). I just want to turn on HTTPS access to my internal Openhabian instance. In the Openhab docco it says to do this, but I can’t figure it out on Openhabian because the /etc/defaults/openhab2 file does not exist:

8443 can be changed by setting the environment variables OPENHAB_HTTP_PORT resp. OPENHAB_HTTPS_PORT. In an apt installation, you would best do this in the file /etc/defaults/openhab2

Any pointers much appreciated. Thanks!

Those instructions will change the port that OH listens on but do not do anything to actually enable SSL. It should already be enabled by default. You don’t have to do anything to connect over SSL.

What URL are you using to connect? It should be something like:

https://<address of server>:8443

Oh that’s embarrassing. I forgot the https://

Thanks for your response and sorry for wasting your time.

I have an apt-get installation on a Debian server. I tried https://server-ip:8443 and now I get error messages from my browser (Chrome on Windows 10), saying that this is not safe:

Do I have to change something in my configuration? With http:// and port 8080 it works without problems. With https and 8443 it works too, but with these error messages.

The problem is that openHAB ships with a self-signed certificate from a self-created certificate authority (CA). This is a requirement because the certificate should be unique for each server.

Because Chrome/Windows/et al have no knowledge of this self-created CA it cannot trust the certificates signed by that CA. A certificate is used for more than just encrypting the network traffic between a server and your client, it is also used to prove that the holder of the certificate is who they say they are.

The way it works on the web is that a company or a person provides some proof to a CA that they are who they say they are and that they own the domain name and physical machine for which they are acquiring the certificate. When the CA is satisfied with your identity they issue you a certificate signed by them. The web browsers and computer operating systems come with a list of trusted CAs which means that any certificate signed by a trusted CA is automatically trusted.

A CA will never sign a cert for a server that is being distributed to others because that would essentially destroy one of the key benefits a CA provides, a certification that a given server is what it claims it is. If they did distribute a signed cert with something like OH, anyone could install a man-in-the-middle between you and your OH using this generic cert and you would be none the wiser. So servers like OH come with a generic self-signed certificate that is signed by a self-created CA which is not included in the list of trusted CAs.

The specific error you are seeing is the browser saying that the cert is signed by a non-trusted CA and therefore there is no way to verify that the server is THE server you think you are talking to or whether someone has set up a man-in-the-middle between you and your server. Therefore the connection itself is untrusted.

To get rid of that error you will need to create your own self-signed certificates and add your created CA as a trusted authority to your Chrome/Windows/et al. You can search the web for tutorials. It is probably good practice to do this rather than to keep using the cert that OH comes with.

It isn’t super easy to do, more tedious than challenging, and I suspect most people don’t bother. I know I don’t. I know that my servers are only accessible on my LAN, so if there is someone who has set up a man-in-the-middle on my LAN, I’ve got bigger problems than certificates. However, since I get annoyed by the warnings and the “this page is not safe, are you sure you want to continue” pages, I might go through the effort at some point.

4 Likes
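The "create your own CA, sign a server cert, trust the CA" procedure from the answer above, as an added example (not code from the thread or from openHAB). It assumes openssl is installed and uses placeholder names (`openhabian.local`, `192.168.1.10`) for the host; the last function performs the same chain check a browser does once the CA has been imported as trusted.

```shell
#!/bin/sh
# Added example: private CA + server certificate for a LAN openHAB host.
# Assumes: openssl on PATH; hostname/IP below are placeholders you replace.
set -eu

# Create a self-signed CA key and certificate in directory $1.
# Usage: make_ca <dir>
make_ca() {
  dir=$1
  mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=Home LAN CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
}

# Issue a server certificate signed by that CA. The SAN must match what
# you type in the browser (Chrome checks SAN, not just CN).
# Usage: make_server_cert <dir> <hostname> <ip>
make_server_cert() {
  dir=$1; host=$2; ip=$3
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$host" \
    -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s,IP:%s\nextendedKeyUsage=serverAuth\n' \
    "$host" "$ip" > "$dir/server.ext"
  openssl x509 -req -in "$dir/server.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -days 825 -extfile "$dir/server.ext" \
    -out "$dir/server.crt" 2>/dev/null
}

# Check that server.crt chains to ca.crt, i.e. what the browser will do
# after ca.crt is imported as a trusted root. Prints "ok" or "fail".
# Usage: verify_chain <dir>
verify_chain() {
  dir=$1
  if openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}
```

Import `ca.crt` (never `ca.key`) into the Windows/Chrome trusted root store; `server.key` and `server.crt` are what you then load into openHAB's Jetty keystore, whose location is not given in this thread.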