Reverse proxy certificate not trusted

  • Platform information:
    • Hardware: 1.5 GHz 64-bit quad-core [ARM Cortex-A72]/4GB/32GB MicroSD
    • OS: Openhabian [stable]v1.5-640(a3f6e8a)
    • Java Runtime Environment: Zulu 8.46.0.225-CA-linux_aarch32hf version: 1.8.0_252
    • openHAB version: OpenHAB2
  • Issue of the topic: When trying to safely connect to my openHAB server using a reverse proxy, the certificate issued by Let’s Encrypt is not trusted.
  • Please post configurations (if applicable):
    • Items configuration related to the issue
    • Sitemap configuration related to the issue
    • Rules code related to the issue
    • Services configuration related to the issue
  • If logs were generated please post these here using code fences:
    I recently set up a reverse proxy on my openHAB server using nginx. The setup was complete, and certbot (Let’s Encrypt) assigned me a certificate. When trying to connect via web browser and HTTPS, the browser tells me my certificate is not trusted. I ran a test at https://www.ssllabs.com/ssltest/, with this as the result:
    I don’t know where I made a mistake, or what went wrong. I also question why the certificate is self-signed, as I have set it up using a DDNS (duckdns).
    I followed this tutorial for the reverse proxy: https://www.smarthomeblog.net/openhab-reverse-proxy/
    Does anyone know where it went wrong?

Please check your nginx config. Looks like you haven’t changed it to use your new certificates.

2 Likes

Thanks for your answer.
I am using certbot from Let’s Encrypt to get my certs. These are also the certs that are assigned in my nginx config file, as seen here:


I don’t get why it gives me a self-signed cert :confused:
(The white part is my domain)

I also noticed this at the start of the test on ssllabs.com:


How is this possible? Doesn’t certbot create a certificate with my domain name listed in it?

Did you reload the configuration after the certificate was created/installed?

Run

openssl x509 -in /etc/letsencrypt/live/<your-domain-here>/fullchain.pem -text -noout

and check the output. Does it contain your domain? Is the issuer correct? Then the certificate is ok but it is not used.

1 Like

It does contain my domain and the issuer is Let’s Encrypt, which adds up. How do I reload the configuration?

I tried sudo nginx -s reload, but that didn’t fix it…
I also tried quitting the nginx service, but when I try to reopen I get an error message: [image]

sudo systemctl restart nginx
1 Like

So, I restarted nginx, and reloaded the configuration, but I still don’t get the right certificate in my web browser :confused:
I get the same self-signed certificate issued by openhab.org, which boggles my mind.
What can I do to troubleshoot this?

Post your nginx configuration files. The certificate stuff might not be in the right section.

1 Like
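
An added example, not part of the thread or of openHAB's own tooling: a shell function that lists every TLS-enabled `server` block in an nginx configuration with the certificate file it points at, so a block serving a different certificate than the one you expect stands out. The domain, the file paths and the sample configuration are constructed placeholders, and the parser assumes one directive per line.

```shell
# Added example, not from the thread. Reads nginx config text on stdin and prints
# name|certificate|status for every TLS server block; $1 is the expected cert path.
# Assumes one directive per line and "server {" on a single line.
audit_tls_blocks() {
    awk -v want="$1" '
    function report(   status) {
        if (!tls) return
        if (cert == "") status = "NO_CERT"
        else if (cert == want) status = "OK"
        else status = "OTHER_CERT"
        printf "%s|%s|%s\n", (name == "" ? "-" : name), (cert == "" ? "-" : cert), status
    }
    {
        sub(/#.*/, ""); gsub(/;/, " ")          # drop comments and terminators
        if (!in_srv && $0 ~ /^[ \t]*server[ \t]*[{]/) {
            in_srv = 1; srv_depth = depth; name = ""; cert = ""; tls = 0
        } else if (in_srv && depth == srv_depth + 1) {   # directly inside server
            if ($1 == "listen")
                for (i = 2; i <= NF; i++)
                    if ($i == "ssl" || $i ~ /(^|:)443$/) tls = 1
            if ($1 == "server_name") name = $2
            if ($1 == "ssl_certificate") cert = $2   # exact match skips ssl_certificate_key
        }
        line = $0
        depth += gsub(/[{]/, "", line) - gsub(/[}]/, "", line)
        if (in_srv && depth <= srv_depth) { report(); in_srv = 0 }
    }'
}
# Constructed sample (hypothetical domain and paths), shaped like nginx -T output.
sample_config() {
    cat <<'EOF'
server {
    listen 80;
    server_name example.duckdns.org;
}
server {
    listen 443 ssl default_server;
    ssl_certificate /etc/ssl/certs/selfsigned-example.crt;
    ssl_certificate_key /etc/ssl/private/selfsigned-example.key;
}
server {
    listen 443 ssl;
    server_name example.duckdns.org;
    ssl_certificate /etc/letsencrypt/live/example.duckdns.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.duckdns.org/privkey.pem;
    location / { proxy_pass http://localhost:8080/; }
}
EOF
}
```

On a live host, pipe `sudo nginx -T 2>/dev/null` into `audit_tls_blocks` with the `fullchain.pem` path as the argument, so that files pulled in by `include` are covered as well.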

Here you can see my config for nginx:


(Domain is marked out)

I’m not sure where I went wrong… All the paths seem to add up.

No screendumps please

1 Like