Owntracks cannot send information to GPSTracker binding (reverse proxy setup)

Dear All,

I would like to ask for your kind help.
I’m running an OpenHAB 2.5 version on RP 4 (OS: Openhabian). I’ve successfully installed the SSL protocol, and I’m able to reach OpenHAB remotely over an SSL connection. Additionally, I installed the SSL client certificate as well; there is no problem with that either. I can access OpenHAB via Chrome or via my application as well.

I installed the GPSTracker binding to be able to receive directly the position via HTTPS protocol, but I got an error unfortunately on my phone: HTTP code 400 (error)

It is working once I use myopenhab.org cloud and set up my URL in this way:
https://home.myopenhab.org/gpstracker/owntracks

If I use my own server, where I have a “no-ip.org” DNS name registered, I get the error message back. However, the request is received by my server; I can find this line in /var/log/nginx/access.log:
37.76.127.240 - automation [13/Jan/2020:17:03:11 +0100] "POST /gpstracker/owntracks HTTP/1.1" 400 253 "-" "Owntracks/21302"

I found a forum where somebody mentioned that he needed to set up a cname on his DNS for home.openhab.domain.hu which should point to openhab.domain.hu and this is working in that way…

The documentation says I can set up the host two ways:

I would just like to ask whether this CNAME solution is the real solution for this problem.
Unfortunately, I cannot set up a CNAME because I use the free no-ip DNS solution… :(

Many thanks for your reply if you have had a similar issue.

Kindest Regards,
Gergely

400 can be anything so no, it may be ONE solution but not THE solution.
Works for me without CNAME, it took me some time to play around with nginx config. I don’t recall all the details but I think you need the header lines.
Here’s the relevant part of the config.

server {
        listen 9091 ssl;
        server_name myname.hoster.org;

        root /var/www/myname.hoster.org;
        index index.html index.htm index.nginx-debian.html;


        ssl_certificate /etc/letsencrypt/live/myname.hoster.org/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/myname.hoster.org/privkey.pem; # managed by Certbot
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";

        location / {
                # Forward every request to the backend on the LAN over plain HTTP,
                # passing the original host, client address and scheme along.
#               proxy_http_version                    1.1;
                proxy_pass                            http://192.168.1.1:8080/;
#               proxy_buffering                       off;
                proxy_set_header Host                 $http_host;
                proxy_set_header X-Real-IP            $remote_addr;
                proxy_set_header X-Forwarded-For      $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto    $scheme;

                auth_basic                            "Username and Password Required";
                auth_basic_user_file                  /etc/nginx/.htpasswd;

                satisfy  any;
                allow    192.168.1.0/24;
                allow    127.0.0.1;
                deny     all;
        }

        location /.well-known/acme-challenge/ {
                root /var/www/myname.hoster.org;
        }
}

Thank you very much!
The interesting part is that I can access my OpenHAB webpage on any platform without any issue. I’m using the certificate, I give the password and it is working smoothly.
Owntracks is the only application which cannot connect :(

This is my part of the config file:

server {
    listen 80;
    server_name 192.168.1.101;
    location / {
        proxy_pass http://192.168.1.101:8080/;
    }
}
server {
    # "listen ... ssl" already enables TLS; the deprecated "ssl on;" is not needed
    listen 443 ssl;
    server_name mydomain.ddns.net;
    ssl_certificate /etc/letsencrypt/live/mydomain.ddns.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mydomain.ddns.net/privkey.pem;
    add_header Strict-Transport-Security "max-age=31536000";

    # Require a client certificate signed by root_CA.pem for every request
    ssl_client_certificate /etc/nginx/root_CA.pem;
    ssl_verify_client on;

    location / {
        proxy_pass http://localhost:8080/;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        # LAN and localhost clients skip the password; everyone else needs Basic auth
        satisfy any;
        allow 192.168.1.0/24;
        allow 127.0.0.1;
        deny all;
        auth_basic "Username and Password Required";
        auth_basic_user_file /etc/nginx/.htpasswd;
    }

    location /.well-known/acme-challenge/ {
        root /var/www/mydomain.ddns.net;
    }

}

I think I found the problem…
Owntracks does not use the Client Certificate which has been installed on my mobile.

I switched off the “ssl_client_certificate” function and it is working perfectly now.

The Owntracks manual writes:

  • Save the certificate to your device in an easy accessible location
  • Import the certificate into the app (Preferences, Connection, Security, Client certificate, Select) by opening it with the file chooser.
  • The file will be copied to the secure storage location of the app. If the import is successful, the original file can be removed from the device.
  • Specify the certificate password (certificates without password are not supported).

The interesting thing is that I do not have any “Security” menu under Connection… so I cannot set up my client cert.
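
An added example, not part of the original posts: instead of turning client-certificate checking off for the whole server, nginx can request the certificate with `ssl_verify_client optional` and enforce it per location, so that only the OwnTracks endpoint accepts clients without one. The hostname and file paths are taken from the config posted above; the separate `/gpstracker/` location and the 403 response are assumptions of this example.

```nginx
server {
    listen 443 ssl;
    server_name mydomain.ddns.net;

    ssl_certificate     /etc/letsencrypt/live/mydomain.ddns.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mydomain.ddns.net/privkey.pem;
    add_header Strict-Transport-Security "max-age=31536000";

    # Ask for a client certificate, but let the request through without one.
    # With "ssl_verify_client on", nginx itself answers 400 to any client that
    # sends no certificate, before auth_basic or proxy_pass are evaluated.
    ssl_client_certificate /etc/nginx/root_CA.pem;
    ssl_verify_client optional;

    # Set once at server level; inherited by locations that set no proxy headers
    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "Upgrade";

    # OwnTracks endpoint (assumed location): no client certificate needed,
    # but HTTP Basic auth is always required, also from the LAN.
    location /gpstracker/ {
        auth_basic "Username and Password Required";
        auth_basic_user_file /etc/nginx/.htpasswd;
        proxy_pass http://localhost:8080;   # no URI part: request path is kept
    }

    # Everything else keeps the original policy: a valid client certificate,
    # plus either a LAN source address or Basic auth.
    location / {
        # $ssl_client_verify is NONE when no certificate was presented
        if ($ssl_client_verify != SUCCESS) {
            return 403;
        }
        satisfy any;
        allow 192.168.1.0/24;
        allow 127.0.0.1;
        deny all;
        auth_basic "Username and Password Required";
        auth_basic_user_file /etc/nginx/.htpasswd;
        proxy_pass http://localhost:8080/;
    }

    location /.well-known/acme-challenge/ {
        root /var/www/mydomain.ddns.net;
    }
}
```

With this layout the `/gpstracker/` path is protected by TLS and the Basic auth password only, so that account should have a strong, unique password.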