Reverse proxy certificate not trusted

E1i0 · June 12, 2020, 12:11am

Platform information:
- Hardware: _ 1.5 GHz 64-bit quad-core [ARM Cortex-A72]/4GB/32GB MicroSD_
- OS: Openhabian [stable]v1.5-640(a3f6e8a)
- Java Runtime Environment: _Zulu 8.46.0.225-CA-linux_aarch32hf version: 1.8.0_252 _
- openHAB version: OpenHAB2
Issue of the topic: When trying to safely connect with my openhab server using reverse proxy, the certificate issued by Let’s encrypt is not trusted.
Please post configurations (if applicable):
- Items configuration related to the issue
- Sitemap configuration related to the issue
- Rules code related to the issue
- Services configuration related to the issue
If logs where generated please post these here using code fences:
I recently set up reverse proxy on my openhab server using nginx. The setup was complete, and certbot (Let’s encrypt) assigned me a certificate. When trying to connect via webbrowser and https, the browser tells me my certificate is not trusted. I ran a test at https://www.ssllabs.com/ssltest/, with this as result:
image1014×896 35.2 KB

I don’t know where I made a mistake, or what went wrong. I also question why the certificate is self-signed, as I have set it up using a DDNS (duckdns).
I followed this tutorial for the reverse proxy: https://www.smarthomeblog.net/openhab-reverse-proxy/
Anyone knows where it went wrong?

gitMiguel · June 12, 2020, 12:53am

Please check your nginx config. Looks like you haven’t changed it to use your new certificates.

E1i0 · June 12, 2020, 1:02pm

Thanks for your answer.
I am using certbot from Let’s encrypt to get my certs. These are also the certs that are assigned in my nginx config file, as seen here:

I don’t get why it gives me a self-signed cert

(The white part is my domain)

E1i0 · June 12, 2020, 4:43pm

I also noticed this at the start of the test on ssllabs.com:

How is this possible? Doesn’t the certbot create a certificate with my domain name listed in it?

Wolfgang_S · June 12, 2020, 8:43pm

Did you reload the configuration after the certificate was created/installed ?

Run

openssl x509 -in /etc/letsencrypt/live/<your-domain-here>/fullchain.pem -text -noout

and check the output. Does it contain your domain ? Is the issuer correct ? Then the certificate is ok but it is not used.

E1i0 · June 13, 2020, 12:19am

Wolfgang_S:

Run
openssl x509 -in /etc/letsencrypt/live/<your-domain-here>/fullchain.pem -text -noout
and check the output. Does it contain your domain ? Is the issuer correct ? Then the certificate is ok but it is not used.

It does contain my domain and the issuer is Let’s Encrypt, which adds up. How do I reload the configuration?

E1i0 · June 13, 2020, 12:23am

I tried sudo nginx -s reload, but that didn’t fix it…
I also tried quitting the nginx service, but when I try to reopen I get an error message:

gitMiguel · June 13, 2020, 5:40am

sudo systemctl restart nginx

E1i0 · June 13, 2020, 12:11pm

So, I restarted nginx, and reloaded the configuration, but I still don’t get the right certificate in my webbrowser
I get the same self-signed certificate issued by openhab.org, which boggles my mind.
What can I do to troubleshoot this?

Wolfgang_S · June 13, 2020, 1:37pm

Post your nginx configuration files. The certificate stuff might not be in the right section.

E1i0 · June 14, 2020, 1:06pm

Here you can see my config for nginx:

(Domain is marked out)

I’m not sure where I went wrong… All the paths seem to add up.

mstormi · June 14, 2020, 2:01pm

No screendumps please