SSL-Connection to InfluxDB PKIX path building failed

Hi,

I want to persist my openhab data to influxdb. But I need an SSL connection. But openhab2 can’t connect because

database connection error sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Here the full log snippet:

2019-08-23 06:52:20.573 [ERROR] [xtext.validation.CompositeEValidator] - Error executing EValidator
java.util.ConcurrentModificationException: null
        at org.eclipse.emf.common.util.AbstractEList$EIterator.checkModCount(AbstractEList.java:758) ~[?:?]
        at org.eclipse.emf.common.util.AbstractEList$EIterator.doNext(AbstractEList.java:712) ~[?:?]
        at org.eclipse.emf.common.util.AbstractEList$EIterator.next(AbstractEList.java:692) ~[?:?]
        at com.google.common.collect.Iterators$7.computeNext(Iterators.java:651) ~[22:com.google.guava:18.0.0]
        at com.google.common.collect.AbstractIterator.tryToComputeNext(AbstractIterator.java:143) ~[22:com.google.guava:18.0.0]
        at com.google.common.collect.AbstractIterator.hasNext(AbstractIterator.java:138) ~[22:com.google.guava:18.0.0]
        at java.lang.Iterable.forEach(Iterable.java:74) ~[?:?]
        at org.eclipse.xtext.xbase.validation.UniqueClassNameValidator.checkUniqueName(UniqueClassNameValidator.java:76) ~[?:?]
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:?]
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]
        at java.lang.reflect.Method.invoke(Method.java:498) ~[?:?]
        at org.eclipse.xtext.validation.AbstractDeclarativeValidator$MethodWrapper.invoke(AbstractDeclarativeValidator.java:118) ~[154:org.eclipse.xtext:2.14.0.v20180522-1821]
        at org.eclipse.xtext.validation.AbstractDeclarativeValidator.internalValidate(AbstractDeclarativeValidator.java:312) ~[154:org.eclipse.xtext:2.14.0.v20180522-1821]
        at org.eclipse.xtext.validation.AbstractInjectableValidator.validate(AbstractInjectableValidator.java:71) ~[154:org.eclipse.xtext:2.14.0.v20180522-1821]
        at org.eclipse.xtext.validation.CompositeEValidator.validate(CompositeEValidator.java:151) [154:org.eclipse.xtext:2.14.0.v20180522-1821]
        at org.eclipse.emf.ecore.util.Diagnostician.doValidate(Diagnostician.java:171) [66:org.eclipse.emf.ecore:2.12.0.v20160420-0247]
        at org.eclipse.emf.ecore.util.Diagnostician.validate(Diagnostician.java:158) [66:org.eclipse.emf.ecore:2.12.0.v20160420-0247]
        at org.eclipse.emf.ecore.util.Diagnostician.validate(Diagnostician.java:137) [66:org.eclipse.emf.ecore:2.12.0.v20160420-0247]
        at org.eclipse.emf.ecore.util.Diagnostician.validate(Diagnostician.java:108) [66:org.eclipse.emf.ecore:2.12.0.v20160420-0247]
        at org.eclipse.smarthome.model.core.internal.ModelRepositoryImpl.validateModel(ModelRepositoryImpl.java:280) [128:org.eclipse.smarthome.model.core:0.10.0.oh240]
        at org.eclipse.smarthome.model.core.internal.ModelRepositoryImpl.addOrRefreshModel(ModelRepositoryImpl.java:93) [128:org.eclipse.smarthome.model.core:0.10.0.oh240]
        at org.eclipse.smarthome.model.core.internal.folder.FolderObserver.checkFile(FolderObserver.java:227) [128:org.eclipse.smarthome.model.core:0.10.0.oh240]
        at org.eclipse.smarthome.model.core.internal.folder.FolderObserver.processIgnoredFiles(FolderObserver.java:137) [128:org.eclipse.smarthome.model.core:0.10.0.oh240]
        at org.eclipse.smarthome.model.core.internal.folder.FolderObserver.addModelParser(FolderObserver.java:85) [128:org.eclipse.smarthome.model.core:0.10.0.oh240]
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:?]
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]
        at java.lang.reflect.Method.invoke(Method.java:498) ~[?:?]
        at org.apache.felix.scr.impl.inject.methods.BaseMethod.invokeMethod(BaseMethod.java:228) [39:org.apache.felix.scr:2.1.2]
        at org.apache.felix.scr.impl.inject.methods.BaseMethod.access$500(BaseMethod.java:41) [39:org.apache.felix.scr:2.1.2]
        at org.apache.felix.scr.impl.inject.methods.BaseMethod$Resolved.invoke(BaseMethod.java:664) [39:org.apache.felix.scr:2.1.2]
...skipping...
        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1621) ~[?:?]
        at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:223) ~[?:?]
        at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037) ~[?:?]
        at sun.security.ssl.Handshaker.process_record(Handshaker.java:965) ~[?:?]
        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1064) ~[?:?]
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1367) ~[?:?]
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1395) ~[?:?]
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1379) ~[?:?]
        at com.squareup.okhttp.internal.http.SocketConnector.connectTls(SocketConnector.java:103) ~[?:?]
        at com.squareup.okhttp.Connection.connect(Connection.java:143) ~[?:?]
        at com.squareup.okhttp.Connection.connectAndSetOwner(Connection.java:185) ~[?:?]
        at com.squareup.okhttp.OkHttpClient$1.connectAndSetOwner(OkHttpClient.java:128) ~[?:?]
        at com.squareup.okhttp.internal.http.HttpEngine.nextConnection(HttpEngine.java:341) ~[?:?]
        at com.squareup.okhttp.internal.http.HttpEngine.connect(HttpEngine.java:330) ~[?:?]
        at com.squareup.okhttp.internal.http.HttpEngine.sendRequest(HttpEngine.java:248) ~[?:?]
        at com.squareup.okhttp.Call.getResponse(Call.java:273) ~[?:?]
        at com.squareup.okhttp.Call$ApplicationInterceptorChain.proceed(Call.java:230) ~[?:?]
        at com.squareup.okhttp.Call.getResponseWithInterceptorChain(Call.java:201) ~[?:?]
        at com.squareup.okhttp.Call.execute(Call.java:81) ~[?:?]
        at retrofit.client.OkClient.execute(OkClient.java:53) ~[?:?]
        at retrofit.RestAdapter$RestHandler.invokeRequest(RestAdapter.java:326) ~[?:?]
        ... 78 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141) ~[?:?]
        at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126) ~[?:?]
        at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280) ~[?:?]
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392) ~[?:?]
        at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302) ~[?:?]
        at sun.security.validator.Validator.validate(Validator.java:262) ~[?:?]
        at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:327) ~[?:?]
        at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:226) ~[?:?]
        at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:132) ~[?:?]
        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1621) ~[?:?]
        at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:223) ~[?:?]
        at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037) ~[?:?]
        at sun.security.ssl.Handshaker.process_record(Handshaker.java:965) ~[?:?]
        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1064) ~[?:?]
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1367) ~[?:?]
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1395) ~[?:?]
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1379) ~[?:?]
        at com.squareup.okhttp.internal.http.SocketConnector.connectTls(SocketConnector.java:103) ~[?:?]
        at com.squareup.okhttp.Connection.connect(Connection.java:143) ~[?:?]
        at com.squareup.okhttp.Connection.connectAndSetOwner(Connection.java:185) ~[?:?]
        at com.squareup.okhttp.OkHttpClient$1.connectAndSetOwner(OkHttpClient.java:128) ~[?:?]
        at com.squareup.okhttp.internal.http.HttpEngine.nextConnection(HttpEngine.java:341) ~[?:?]
        at com.squareup.okhttp.internal.http.HttpEngine.connect(HttpEngine.java:330) ~[?:?]
        at com.squareup.okhttp.internal.http.HttpEngine.sendRequest(HttpEngine.java:248) ~[?:?]
        at com.squareup.okhttp.Call.getResponse(Call.java:273) ~[?:?]
        at com.squareup.okhttp.Call$ApplicationInterceptorChain.proceed(Call.java:230) ~[?:?]
        at com.squareup.okhttp.Call.getResponseWithInterceptorChain(Call.java:201) ~[?:?]
        at com.squareup.okhttp.Call.execute(Call.java:81) ~[?:?]
        at retrofit.client.OkClient.execute(OkClient.java:53) ~[?:?]
        at retrofit.RestAdapter$RestHandler.invokeRequest(RestAdapter.java:326) ~[?:?]
        ... 78 more
2019-08-31 13:34:14.448 [ERROR] [.internal.InfluxDBPersistenceService] - database connection error sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
2019-08-31 13:34:14.449 [ERROR] [.internal.InfluxDBPersistenceService] - database connection does not work for now, will retry to use the database.

The InfluxDB uses a domain-internal SSL certificate from my Univention server, which is the CA. So I imported the CA certificate and the server certificate into /var/lib/openhab2/etc/keystore and restarted openhab2.service after each import.

root@sv020:/var/lib/openhab2/etc# keytool -list -keystore keystore
Keystore-Kennwort eingeben:  
Keystore-Typ: jks
Keystore-Provider: SUN

Keystore enthält 3 Einträge

ucs-root-ca, 31.08.2019, trustedCertEntry,
Zertifikat-Fingerprint (SHA1): B6:14:E9:52:B9:14:5F:34:13:64:B4:4B:A9:47:66:1A:2F:B1:4B:AB
graphing.mgmt.mydomain.com, 31.08.2019, trustedCertEntry,
Zertifikat-Fingerprint (SHA1): F8:1A:C1:01:D1:21:86:95:1A:EE:68:4A:66:D2:6E:B6:A3:87:97:00
mykey, 26.07.2019, PrivateKeyEntry,
Zertifikat-Fingerprint (SHA1): D3:AF:CE:8A:56:67:4C:D7:03:1C:2B:9A:9A:E2:FC:5D:33:7D:93:0D

Warning:
Der JKS-Keystore verwendet ein proprietäres Format. Es wird empfohlen, auf PKCS12 zu migrieren, das ein Industriestandardformat mit "keytool -importkeystore -srckeystore keystore -destkeystore keystore -deststoretype pkcs12" ist.

The certificate is OK:

root@sv020:~# openssl s_client -connect graphing.mgmt.mydomain.com:8086 -CAfile /usr/local/share/ca-certificates/ucs-root-ca.crt
CONNECTED(00000003)
depth=1 C = DE, ST = DE, L = DE, O = EDVNet UK, OU = Univention Corporate Server, CN = Univention Corporate Server Root CA (ID=ee4KkQBj), emailAddress = ssl@intra.mydomain.com
verify return:1
depth=0 C = DE, ST = DE, L = DE, O = EDVNet UK, OU = Univention Corporate Server, CN = graphing.mgmt.mydomain.com, emailAddress = ssl@intra.mydomain.com
verify return:1
---
Certificate chain
 0 s:C = DE, ST = DE, L = DE, O = EDVNet UK, OU = Univention Corporate Server, CN = graphing.mgmt.mydomain.com, emailAddress = ssl@intra.mydomain.com
   i:C = DE, ST = DE, L = DE, O = EDVNet UK, OU = Univention Corporate Server, CN = Univention Corporate Server Root CA (ID=ee4KkQBj), emailAddress = ssl@intra.mydomain.com
---
Server certificate
subject=C = DE, ST = DE, L = DE, O = EDVNet UK, OU = Univention Corporate Server, CN = graphing.mgmt.mydomain.com, emailAddress = ssl@intra.mydomain.com

issuer=C = DE, ST = DE, L = DE, O = EDVNet UK, OU = Univention Corporate Server, CN = Univention Corporate Server Root CA (ID=ee4KkQBj), emailAddress = ssl@intra.mydomain.com

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2102 bytes and written 445 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: FC2F5C452AAA916B697810A92B2D55A5265952D5100455CDE6066121FF22E4EE
    Session-ID-ctx:
    Master-Key: F4DB63CE90BFF4F1442371F6B649D6A810712A17E83D07B2F121721D985027B56E03921A6A150FA8B5D7F05660272D7C
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1567252054
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---

HTTP/1.1 400 Bad Request
Content-Type: text/plain
Connection: close

400 Bad Requestclosed
root@sv020:~# 

Where do I have to import my CA certificate so that openhab can check the PKI path of the server certificates used?

root@sv020:~# openhab-cli info

Version:     2.4.0 (Build)

User:        openhab (Active Process 13874)
User Groups: openhab

Directories: Folder Name      | Path                        | User:Group
             -----------      | ----                        | ----------
             OPENHAB_HOME     | /usr/share/openhab2         | openhab:openhab
             OPENHAB_RUNTIME  | /usr/share/openhab2/runtime | openhab:openhab
             OPENHAB_USERDATA | /var/lib/openhab2           | openhab:openhab
             OPENHAB_CONF     | /etc/openhab2               | openhab:openhab
             OPENHAB_LOGDIR   | /var/log/openhab2           | openhab:openhab
             OPENHAB_BACKUPS  | /var/lib/openhab2/backups   | root:root

URLs:        http://192.168.1.10:8080
             https://192.168.1.10:8443

Thanks
Ulf

Does anyone have any hint for me?

Hey Ulf,

Did you find a solution already?
I am facing the same problem, with a valid LetsEncrypt Certificate currently.

Hi Jerome,

unfortunately not.

Hi Ulf,

I have SSL up and running in my InfluxDB Docker Container and OpenHab 2.5 is able to persist the values.
It caused me a little bit of headache to get this up and running, but in the end it works.

So you have your own CA certificate, but maybe there are some other users who don’t, so here are some hints on how to get one.

There are 2 gists which explain and automate the process of creation.

Explanation

Automation

After setting up SSL on InfluxDB (see InfluxDB documentation) you have to set EXTRA_JAVA_OPTS for the path of your truststore, so OpenHab (Java) will use it.
In my case I had to add it to the environment variable of my docker container
Value of EXTRA_JAVA_OPTS

-Djavax.net.ssl.trustStore=/openhab/userdata/etc/truststore

I added the RootCA.crt to a separate truststore. But it should also work if your paths for key- and truststore are the same (untested).
Create a new Truststore and add the CA:

/usr/lib/java-8/jre/bin/keytool -import -v -noprompt -trustcacerts -alias myca -file /openhab/certs/root/rootCA.crt -keystore /openhab/userdata/etc/truststore -storepass openhab

Short story :wink: That’s all the magic.

Hi TNissen,

thanks for the detailed explanations. With these hints the SSL connection to influxdb is working.

The keystore I found at {OPENHAB_USERDATA}/etc/keystore wasn’t used in the standard package installation, and I was not familiar enough with Java to find that out. Thanks a lot.

I’ve gone your way and use a separate truststore file with a separate password, to be secure for the next package update.

Solution:

  • create a keystore file and import your certs like TNissen wrote (on my system {OPENHAB_USERDATA}/etc/truststore)
  • add a JAVA_EXTRA_OPT “javax.net.ssl.trustStore” in /etc/default/openhab2 (Debian)
  • add a JAVA_EXTRA_OPT “javax.net.ssl.trustStorePassword” if you use a password on the store

EXTRA_JAVA_OPTS="-Duser.country=DE -Duser.language=de -Djavax.net.ssl.trustStore=/var/lib/openhab2/etc/keystore -Djavax.net.ssl.trustStorePassword=XXXXXXXXXXXXXXXXXX"

Thanks for your help
Ulf

The bad point of this configuration is that no other SSL connection (telegram, openhab-cloud) works anymore. Where is the default truststore of openhab2?

In the end I’ve learned a little bit of Java :slight_smile:.
The certificates have to be imported into the default truststore of the Java installation used by openhab2.

In my case:
root@sv020:~# dirname $(dirname $(readlink -f $(which javac)))
/usr/lib/jvm/zulu-8-amd64

Thanks to https://www.baeldung.com/find-java-home

There is a cacerts file in the subfolders
./lib/security/cacerts

All the default CA certificates are in there, and after importing my own CA certificate, influxdb works AND all official SSL connections.

hi @UlfK
I’ve added my self-signed rootca.crt by executing the command below within the container and was prompted if I wanted to add the cert and I entered [yes]

$JAVA_HOME/bin/keytool -importcert -file /certs/rootca.crt -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit -alias influxdb

I got
Trust this certificate? [no]: yes
Certificate was added to keystore
root@openhab:/# exit

I subsequently restarted the container and I’m still getting
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Hi @thecrater

seems to be the right way. I’m doing it in the same way.

possible errors:

  • $JAVA_HOME of your ssh session is not the same as $JAVA_HOME for openHAB
  • you have a sub ca between the root ca and your cert
  • after cert import you’ve updated zulu-java, so you have to import the cert again

Thank you.
It was my mistake in the end. I had added one cert but not another self-signed one. Eventually I found that out by running a curl command to retrieve the cert the application uses. It’s working fine now. Thank you so much.


Hi guys,
This doesn’t seem to work for OpenHAB v3. Is there a solution?

I tried

$JAVA_HOME/bin/keytool -importcert -noprompt -file /certs/influxdb.crt -keystore $JAVA_HOME/lib/security/cacerts -storepass changeit -alias influxdb

This doesn’t work but complains that the hostname is not verified

Caused by: javax.net.ssl.SSLPeerUnverifiedException: Hostname influx.host.lan not verified:

Hi thecrater,

what does influxdb.crt contain? The host certificate of your influxdb instance, or the CA certificate with which you created the host certificate?

In

$JAVA_HOME/lib/security/cacerts

you have to import CA certificates.

What does openHAB do (like every other SSL client)?

  • an SSL certificate is delivered with a call
  • who do I ask if I can trust the certificate? The one who issued it: the certificate authority specified in the host certificate.
  • Does openHAB trust this certificate authority? Only if it has been imported into $JAVA_HOME/lib/security/cacerts.

Hi,

I don’t know why, but I confirm that, in my case, migrating from a working openhab2 (with the java keystore containing the trusted CA) to openhab 3 (by debian aptitude) breaks the openhab SSL connection to influxdb (javax.net.ssl.SSLPeerUnverifiedException)

It could be that in openhab2 the peer was not verified so I thought I correctly imported the CA, or it could be a regression.

The curious thing is that the MQTT connection with TLS, using the same CA, still works without a flaw (seems that each binding reimplements the TLS connection ?)

The problem is still there with the 3.1.0 M1 milestone.

I opened an issue there.

Hello everyone,

I have a working configuration with openhab 3.01 and InfluxDB 1.8.4-1, with https self signed certificate.
Openhab was migrated from openhab2, but the InfluxDB was installed and configured after the migration. I’ve documented every step for myself. If you wish I can share it with you.
You can check connection with influx -ssl -unsafeSsl. Log in with auth and try a simple query. For example: SHOW DATABASES.
Maybe you can try to import certificates again or try to recreate certificates with subjectAltName option to include localhost:
-addext "subjectAltName=DNS:localhost,IP:127.0.0.1,DNS:<FQDN>"

Hello chacha,

yes, please share your notes with us. What is the difference, that your config is connecting to influx without errors?

Thanks
Ulf

References:
Installing InfluxDB to the Raspberry Pi - PiMyLifeUp
Authentication and authorization in InfluxDB - InfluxDB Docs
Enable HTTPS with InfluxDB - InfluxDB Docs

Installing InfluxDB to the Raspberry Pi

Note: Only 1.* versions of InfluxDB exist for armhf.

Install the InfluxDB repository key

wget -qO- https://repos.influxdata.com/influxdb.key | sudo apt-key add -

Add the InfluxDB repository to the sources list

Raspbian Buster:

echo "deb https://repos.influxdata.com/debian buster stable" | sudo tee /etc/apt/sources.list.d/influxdb.list

Refresh the package list, and install influxdb

sudo apt update
sudo apt install influxdb

Set up authentication

  1. Run InfluxDB CLI tool:
	influx
  2. Create admin user:
	CREATE USER admin WITH PASSWORD '<password>' WITH ALL PRIVILEGES
Type "exit" + [ENTER] to quit.
  3. In the /etc/influxdb/influxdb.conf file edit the [HTTP] section to uncomment, and set these lines:
	auth-enabled = true
	pprof-auth-enabled = true
	ping-auth-enabled = true
  4. Restart InfluxDB
	sudo systemctl restart influxdb

Set up HTTPS

Generate a self-signed certificate:

sudo openssl req -x509 -nodes -newkey rsa:2048 -addext "subjectAltName=DNS:localhost,IP:127.0.0.1,DNS:<FQDN>" -keyout /etc/ssl/influxdb-selfsigned.key -out /etc/ssl/influxdb-selfsigned.crt -days <NUMBER_OF_DAYS>

Change owner of files:

chown influxdb:influxdb /etc/ssl/influxdb-selfsigned.*

Enable HTTPS in the configuration file

Enable HTTPS in the [http] section of the configuration file (/etc/influxdb/influxdb.conf) by setting:

https-enabled = true
https-certificate = /etc/ssl/influxdb-selfsigned.crt
https-private-key = /etc/ssl/influxdb-selfsigned.key

Restart InfluxDB and check connection

sudo systemctl restart influxdb
influx -ssl -unsafeSsl

Log in with auth and run a query to check connection. For example: SHOW DATABASES

Set up database for openhab

• Run the influx CLI tool: influx
• Login as admin: auth
• Create database: CREATE DATABASE openhab
• Create user: CREATE USER openhab WITH PASSWORD '<password>'
• Grant ALL permission to openhab on the database: GRANT ALL ON openhab TO openhab
• Edit InfluxDB config in openHAB (/etc/openhab/services/influxdb.cfg)

	url=https://<FQDN>:8086
	user=openhab
	password=<PASSWORD>
	db=openhab

Import https key to java keystore

In the java main directory (usually /usr/lib/jvm/zulu11*) run keystore command:

sudo bin/keytool -importcert -alias openHAB_InfluxDB_cert -file /etc/ssl/influxdb-selfsigned.crt -keystore lib/security/openhab -storepass <PASSWORD>

Note: avoid special characters in the password (especially escape characters); these cause errors in EXTRA_JAVA_OPTS

Add keystore path and password to the EXTRA_JAVA_OPTS in /etc/default/openhab:

EXTRA_JAVA_OPTS="-Djavax.net.ssl.trustStore=/usr/lib/jvm/zulu11.45.27-ca-jdk11.0.10-linux_aarch32hf/lib/security/openhab -Djavax.net.ssl.trustStorePassword=<PASSWORD>"

Restart openhab:

sudo systemctl restart openhab

Note: Set default persistence to InfluxDB in openHab to show persisted data

Phew!
Hope I didn’t miss anything!

Hello Csaba,

Thank you for sharing !

But actually in my case the influxd version I cannot connect to is influxd 2, which will be the only supported version soon. The connection to influxd 1 was and is still working well with openhab3.

For the moment I reverted back to openHAB3 default local persistence, temporarily I hope!

I finally figured it out about my problem of SSL connection from openhab3 to influxdb 2 : my certificate was missing

subjectAltName = DNS: HOSTNAME

entry. With the older version of the SSL library (openhab2 and / or influxdb 1), it was working with only CN = HOSTNAME
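
A diagnostic for the two failures discussed in this thread (a CA missing from the truststore the JVM actually uses, and a server certificate without a matching subjectAltName), given here as an added example that is not code from any poster or from openHAB. The class name TlsTrustCheck and its output wording are assumptions made for illustration.

```java
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import javax.net.ssl.*;

// Added diagnostic example; class name and output wording are illustrative.
public class TlsTrustCheck {
    // Trust manager backed by the JVM's default truststore: the file named by
    // -Djavax.net.ssl.trustStore if set, otherwise the JRE's bundled cacerts.
    static X509TrustManager defaultTrustManager() throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            throw new IllegalArgumentException("usage: java TlsTrustCheck <host> <port>");
        }
        String host = args[0];
        int port = Integer.parseInt(args[1]);
        System.out.println("java.home  = " + System.getProperty("java.home"));
        System.out.println("trustStore = "
                + System.getProperty("javax.net.ssl.trustStore", "(JVM default cacerts)"));

        final X509TrustManager jvmDefault = defaultTrustManager();
        final X509Certificate[][] presented = new X509Certificate[1][];
        // Records the chain the server sends, then delegates the trust decision unchanged.
        X509TrustManager recording = new X509TrustManager() {
            @Override public void checkClientTrusted(X509Certificate[] chain, String authType)
                    throws CertificateException {
                jvmDefault.checkClientTrusted(chain, authType);
            }
            @Override public void checkServerTrusted(X509Certificate[] chain, String authType)
                    throws CertificateException {
                presented[0] = chain;
                jvmDefault.checkServerTrusted(chain, authType);
            }
            @Override public X509Certificate[] getAcceptedIssuers() {
                return jvmDefault.getAcceptedIssuers();
            }
        };

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] {recording}, null);
        try (SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            socket.startHandshake();
            System.out.println("chain: trusted by this JVM's truststore");
        } catch (SSLException e) {
            System.out.println("chain: NOT trusted (" + e.getMessage() + ")");
        }
        if (presented[0] == null) {
            return;  // handshake failed before the server certificate arrived
        }

        X509Certificate leaf = presented[0][0];
        System.out.println("certificates sent by server: " + presented[0].length);
        System.out.println("subject = " + leaf.getSubjectX500Principal().getName());
        System.out.println("issuer  = " + leaf.getIssuerX500Principal().getName());
        boolean sanMatch = false;
        Collection<List<?>> sans = leaf.getSubjectAlternativeNames();
        if (sans != null) {
            for (List<?> san : sans) {
                int type = (Integer) san.get(0);   // 2 = dNSName, 7 = iPAddress
                if (type == 2 || type == 7) {
                    System.out.println("SAN type " + type + ": " + san.get(1));
                    sanMatch |= host.equalsIgnoreCase(String.valueOf(san.get(1)));
                }
            }
        }
        // Exact comparison only; wildcard SAN entries are not expanded here.
        System.out.println("subjectAltName matches host: " + sanMatch);
    }
}
```

Compile it with javac and run it with the same java binary and the same -Djavax.net.ssl.trustStore options that the openHAB process uses, so that it reads the truststore openHAB reads.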