Secure Connection in Android App

elwyngoossen · October 22, 2019, 2:52am

This my question too. It looks like Android app needs a certificate installed. Where do I get this? Here are some screen shots.

elwyngoossen · October 22, 2019, 2:54am

Here is my second screen shot.

opus · October 22, 2019, 5:03am

You quoted a question @gitMiguel already quoted from someone else. Did you read and understand what @gitMiguel answered?

gitMiguel · October 22, 2019, 5:41am

It really doesn’t need any certificates. They are optional.

You have to make them.

Please get your self familiar with server and client certificates and how to setup them. As I stated in my earlier post google is your friend. Here’s a few links to get you started:

mueller-ma · October 22, 2019, 9:49am

Can you make a screenshot of the preference subpages (local and remote)? You should redact the user name before posting.

mueller-ma · October 22, 2019, 9:54am

There’s a post by @slawekjaranowski about SSL client certificates: Using NGINX Reverse Proxy for client certificate authentication - start discussion

maniac103 · October 22, 2019, 11:54am

In fact that one is opened when touching the question mark in the screenshot
Maybe we could/should improve context by linking the help icon to a short docs page giving a bit of context, which then links to the discussion thread.

mueller-ma · October 22, 2019, 6:38pm

That’s a good idea

elwyngoossen · October 23, 2019, 2:53am

elwyngoossen · October 23, 2019, 2:57am

mueller-ma · October 23, 2019, 5:58pm

Did you change something? Or does it still show “Insecurely connected to myopenHAB” on the main settings page?

elwyngoossen · October 27, 2019, 12:19am

No.

Still the same. It says “Insecurely connected” but it’s not connected like I explain in the next post.

elwyngoossen · October 27, 2019, 12:28am

I am adding this info in hopes it will shed more light on it. On my phone I can login fine to myopenHAB.org using a browser but not with the app. This is what I get when trying to connect remotely.

mueller-ma · October 31, 2019, 3:33pm

There’s a bug that causes all connections shown as insecure: https://github.com/openhab/openhab-android/pull/1649

mueller-ma · November 6, 2019, 6:23pm

@elwyngoossen Your connections shouldn’t be shown as insecure anymore with the latest beta.

Morgano · November 24, 2019, 12:38am

@elwyngoossen I’m having the same problem as you. I have a reverse proxy (Nginx) set up on openhabian. I can connect fine from a browser, but not the OpenHab app. I get the same message as you. Have tried the Beta version, but is the same.
Did you manage to fix yours?

mueller-ma · November 24, 2019, 9:53am

Does openhabian come with an nginx reverse proxy? Can you post the config here?

Morgano · November 24, 2019, 11:50am

@mueller-ma The Nginx remote proxy can be installed using one of the options in openhabian-config. There is a guide here:

It’s not exactly plug and play though. I’m using DuckDns so I had to use the troubleshooting guide near the end to get the certificates accepted. Also, for some reason the secure certificate location entries in my /etc/nginx/sites-enabled folder entry were hashed out, so I had to unhash them to get it working.

As I mentioned above, I can connect remotely with a Web browser, but not with the OpenHAB Android app.

mueller-ma · November 24, 2019, 4:28pm

Please post the files in /etc/nginx/sites-enabled/ (redact any personal information, like url).

Morgano · November 24, 2019, 5:48pm

I have one file in /etc/nginx/sites-enabled named openhab. Contents as below (I have replaced my Internet URL with <your_internet_url>):

#################################
# openHABian NGINX Confiuration #
#################################

## Redirection
server {
   listen                          80;
   server_name                    <your_internet_url>;
   return 301                      https://$server_name$request_uri;
}

## Reverse Proxy to openHAB
server {
#    listen                          80;
   listen                          443 ssl;
    server_name                     <your_internet_url>;
   add_header                      Strict-Transport-Security "max-age=31536000; includeSubDomains";

    # Cross-Origin Resource Sharing.
 add_header 'Access-Control-Allow-Origin' 'http://localhost:8080/rest';
    add_header 'Access-Control-Allow_Credentials' 'true';
    add_header 'Access-Control-Allow-Headers' 'Authorization,Accept,Origin,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range';
    add_header 'Access-Control-Allow-Methods' 'GET,POST,OPTIONS,PUT,DELETE,PATCH';

## Secure Certificate Locations
   ssl_certificate                 /etc/letsencrypt/live/<your_internet_url>/fullchain.pem;
   ssl_certificate_key             /etc/letsencrypt/live/<your_internet_url>/privkey.pem;

    location / {
        proxy_pass                              http://localhost:8080/;
#        proxy_buffering                         off;  # openHAB supports non-buffering specifically for SSEs now
        proxy_set_header Host                   $http_host;
        proxy_set_header X-Real-IP              $remote_addr;
        proxy_set_header X-Forwarded-For        $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto      $scheme;

# Password Protection
       auth_basic                              "Username and Password Required";
       auth_basic_user_file                    /etc/nginx/.htpasswd;
    }

## Let's Encrypt webroot location
#   location /.well-known/acme-challenge/ {
#       root                                    /var/www/<your_internet_url>;
#   }
}

# vim: filetype=conf