Similar to other posts… but not the same configuration
Followed this tutorial and have everything running, except I cannot get the mobile app to connect to my OpenHAB Cloud remotely. I keep getting “SSL Handshake failed - maybe you need a valid client certificate”.
I’ve tried quite a few things, found a few similar posts, but nothing I’ve done has worked. I can access the server on a mobile device remotely using Chrome, and the app works locally.
My Setup
- OpenHab 2.1 on a Windows machine at home (no authentication or SSL, via server IP:port)
- OpenHab Cloud running on an Amazon Lightsail instance (Ubuntu) (https://sub.domain.com)
- letsencrypt cert “sub.domain.com”
- Both linked and communicating great
- Working on HTTPS in the Chrome browser
server config:
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name SUB.DOMAIN.COM;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    server_name SUB.DOMAIN.COM;

    location /css {
        alias /usr/share/nginx/SUB.DOMAIN.COM/openhab-cloud/public/css;
    }
    location /js {
        alias /usr/share/nginx/SUB.DOMAIN.COM/openhab-cloud/public/js;
    }
    location /img {
        alias /usr/share/nginx/SUB.DOMAIN.COM/openhab-cloud/public/img;
    }
    location /bootstrap {
        alias /usr/share/nginx/SUB.DOMAIN.COM/openhab-cloud/public/bootstrap;
    }
    location /font-icons {
        alias /usr/share/nginx/SUB.DOMAIN.COM/openhab-cloud/public/font-icons;
    }
    location /fonts {
        alias /usr/share/nginx/SUB.DOMAIN.COM/openhab-cloud/public/fonts;
    }
    location /js-plugin {
        alias /usr/share/nginx/SUB.DOMAIN.COM/openhab-cloud/public/js-plugin;
    }
    location /downloads {
        alias /usr/share/nginx/SUB.DOMAIN.COM/openhab-cloud/public/downloads;
    }

    location / {
        proxy_pass http://localhost:3000;
        proxy_redirect off;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }

    ssl_certificate /etc/letsencrypt/live/SUB.DOMAIN.COM/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/SUB.DOMAIN.COM/privkey.pem; # managed by Certbot
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+AESGCM:AES256+EECDH:!ADH:!AECDH:!MD5";
    ssl_ecdh_curve secp384r1;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_dhparam /etc/nginx/certs/dhparam.pem;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;

    root /usr/share/nginx/SUB.DOMAIN.COM;
    index index.html index.htm;

    location ~ /.well-known {
        allow all;
    }
}
I’ve tried enabling the “Ignore” boxes in the Android app.
I’ve used “openssl pkcs12” to generate a .pfx key and imported it into the app. No luck.
I’ve run an SSL Labs test and removed the ciphers that caused a B result. Everything is now an A.
Tried creating new DH parameters.
I’ve tried everything I can think of and every solution I could find.
Tried:
https://community.openhab.org/t/ssl-handshake-failed-after-habdroid-upgrade-to-2-0-0/37667/3
and
https://community.openhab.org/t/ssl-handshake-failed-after-habdroid-upgrade/31856
which seems like maybe it is a bug?
I also don’t see anything in the nginx error.log.
I’m not sure if this is an app issue or a server setup issue, so I thought I would post this here. I also asked this question on the tutorial but decided it was better to make a thread. Seems a few people are having the same issue and haven’t been able to solve it, or haven’t posted a solution. Maybe I’m missing something simple…
Any help would be greatly appreciated, I’m at a loss as to what to try next…
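As an added example (not from the post above or from the openHAB project), the following Python lints the ssl_* directives of an nginx server block like the one posted for settings that narrow which TLS clients can complete a handshake: deprecated protocol versions, and an ECDHE-only cipher list combined with an ssl_ecdh_curve that leaves out prime256v1 (P-256), a combination that gives a P-256-only client no cipher it can negotiate. The "wider" block is a constructed comparison with assumed settings, and the hostname placeholder SUB.DOMAIN.COM is kept from the post; the script flags settings worth checking, it does not diagnose what the Android app rejected.

```python
import re

# Constructed excerpt of the TLS-relevant lines from the posted server block.
POSTED_CONF = """
server {
    listen 443 ssl http2 default_server;
    server_name SUB.DOMAIN.COM;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+AESGCM:AES256+EECDH:!ADH:!AECDH:!MD5";
    ssl_ecdh_curve secp384r1;  # managed by hand
}
"""

# Constructed comparison block with assumed, more widely compatible settings.
WIDER_CONF = """
server {
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:!ADH:!AECDH:!MD5";
    ssl_ecdh_curve X25519:prime256v1:secp384r1;
}
"""

DIRECTIVE_RE = re.compile(r'^\s*(ssl_\w+)\s+(.+?)\s*;\s*$', re.M)


def parse_ssl_directives(conf):
    """Map each ssl_* directive to its arguments, with comments and quotes stripped."""
    no_comments = re.sub(r'#[^\n]*', '', conf)
    return {m.group(1): m.group(2).replace('"', '').split()
            for m in DIRECTIVE_RE.finditer(no_comments)}


def tls_compat_findings(conf):
    """Return (code, explanation) pairs for settings that narrow client compatibility."""
    d = parse_ssl_directives(conf)
    findings = []
    for old in ('SSLv3', 'TLSv1', 'TLSv1.1'):
        if old in d.get('ssl_protocols', []):
            findings.append(('deprecated-protocol', f'{old} is enabled; drop it'))
    # nginx takes the curve list as one colon-separated argument; absent means the default (auto).
    curves = [c for c in d.get('ssl_ecdh_curve', [''])[0].split(':') if c]
    p256_ok = not curves or any(c in ('auto', 'prime256v1') for c in curves)
    groups = [g for g in d.get('ssl_ciphers', [''])[0].split(':') if g and not g.startswith('!')]
    ecdhe_only = bool(groups) and all('EECDH' in g or 'ECDHE' in g for g in groups)
    if not p256_ok and ecdhe_only:
        findings.append(('no-p256-ecdhe', 'every cipher is ECDHE but prime256v1 is not offered: '
                         'a client that only supports P-256 cannot negotiate any cipher'))
    return findings
```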