[SOLVED] How can I use http binding with a https site and openhab docker?

theKBro · January 12, 2019, 11:09am

Hi guys,

I started using openhab docker and are now facing some problems with the http binding.

I get SSLHandshakeExceptions and I don’t know what to do. The cert of the site is valid and I already tried installing it inside the container via

docker exec openhab cp <path>httpsSite.cert /usr/local/share/ca-certificates/httpsSite.crt
docker exec openhab update-ca-certificates

but that had no effect.

Inside the docker is no keytool available and I don’t know in which keystore i had to import the cert either.

I also thought about importing it into the keystore located at userdata/etc/keystore which I can directly access on my host, but it’s password protected and I could not find the password anywhere.

The log shows the following error:

[ERROR] [org.openhab.io.net.http.HttpUtil    ] - Fatal transport error: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
[ERROR] [ab.binding.http.internal.HttpBinding] - No response received from 'https://httpsSite'

I hope someone who is not a bloody beginner like me can help me.

theKBro · January 14, 2019, 8:09pm

Ok so a short update on this:
I could find out that a cert in the certification chain is missing with the help of wget.
After I added the missing cert to /usr/local/share/ca-certificates/ and called update-ca-certificates wget has no longer an error accessing the site.

Unfortunately the http binding error is still occuring.
Does anybody know which certificates the binding is using?

theKBro · January 14, 2019, 8:37pm

Finally it’s working!

My solution:

Place the missing cert and a batch script in the config directory which is mounted inside the container.
The scrip is:
installCert

#!/bin/bash
$JAVA_HOME/bin/keytool -importcert -file /openhab/conf/services/<missingCertName>.crt -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit -alias <certName>

and finally call it on the container creation:

docker run \
    --name openhab \
    --restart unless-stopped \
    --detach \
    ...
    openhab/openhab

docker exec openhab /openhab/conf/services/installCert