SSL issue connecting to Habian server through self hosted cloud instance

I’m brand new to OpenHAB and have spent the majority of my experience trying to conquer two issues, one of which I am fully stuck on.

When I click through to my local Habian server via the cloud server’s dashboard, I get an SSL error.

Here is the beginning of my config.json:

    "system": {
        "host": "mydomain.io",
        "proxyHost": "home.mydomain.io",
        "port": "443",
        "protocol": "https",
        "logger" : {
            "dir": "./logs",
            "maxFiles" : "7d",
            "level" : "debug",
            "morganOption" : "dev"
          },
          "subDomainCookies": true
    },

When I bind my local Habian instance to the myopenhab.org public server, I am able to manage my local Habian instance without issue. So clearly I have an issue with my cloud config.

Nginx config:

    server {
        listen 443 ssl default_server;
        listen [::]:443 ssl default_server;
        server_name mydomain.io;

        ssl_certificate /etc/letsencrypt/live/mydomain.io/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/mydomain.io/privkey.pem;

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
        ssl_ecdh_curve secp384r1;
        ssl_session_cache shared:SSL:10m;
        ssl_session_tickets off;
        ssl_stapling on;
        ssl_stapling_verify on;
        resolver 8.8.8.8 8.8.4.4 valid=300s;
        resolver_timeout 5s;

        add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
        add_header X-Frame-Options DENY;
        add_header X-Content-Type-Options nosniff;

        root /var/www/mydomain.io;
        index index.html index.htm;
        location ~ /.well-known {
            allow all;
        }

Cut short for brevity.

Can anyone advise where I am going wrong? The aim is to click through to my local instance without receiving the SSL error.

Thanks in advance

You need to create and use SSL certificates for both domains (mydomain.io, home.mydomain.io).

Enter your domains at SSL Server Test (Powered by Qualys SSL Labs). An analysis of your SSL setup will be done and all known issues like outdated ciphers, known vulnerable implementations of TLS/SSL etc. will be detected and reported.
Based on the report you can take actions and redo the test.

Uploaded my configuration at

1 Like

Thank you, Wolfgang. Your post was the one I had found and made an effort to return to, with no luck.

I have configured my Nginx and startup routines as per your attachments, editing them to fit my environment. I do now have a secure connection to the subdomain, but it gives a 502 response. The log tells me:

    invalid port in upstream "undefined:undefined/remote/"

Which I assume ties in with:

    if ($http_cookie ~ "CloudServer=(\S+)\%3A(\d+).*") {
            set $upstream_host $1;
            set $upstream_port $2;
            set $upstream_server "${upstream_host}:${upstream_port}";
    }

Do you have any idea why these two values could be undefined? I have tried setting the IP address entries in the startup routines and upstream socketapp, proxyapp and webapp settings to both the IP on the eth0 interface and a loopback address, but still no bueno!

Also, now the Habian displays as ‘Not Connected’ in my Cloud instance but happily shows as online in myopenhab.org if I test it on there!

If you have any theories, I’d love to hear them. It may be that my problem solving journey so far has left some destruction that could warrant a purge. But it would be nice to avoid that, if I can :slight_smile:

Thanks again

As far as I remember, at the beginning I had the same error.
You started two instances of the openhab-cloud app.js file?
What is the content of the http_cookie? I think you can have a look at the cookie content in your browser, as well as add a debug/print statement in the app.js file.

That’s reassuring :slight_smile:

So my issue was very simple! All I had to do was edit my Nginx and add fullchain.pem instead of cert.pem. I notice above in this thread that my configuration was correct at some point. But initially I pasted your config in and had to do it in three stages as the buffer wouldn’t contain the full text. To rule out any error, I did a WGET on your file from this server and in the process it reverted it to cert.pem.

Wolfgang, I really appreciate your attention on this, have a great weekend.

1 Like

For any future openHAB Cloud people who run into this issue: Wolfgang’s config is great, you just need to edit it and change the ssl_certificate entry for both endpoints.

    # mydomain.com
    ssl_certificate /etc/letsencrypt/live/mydomain.com/fullchain.pem;       # change from cert.pem

    # home.mydomain.com
    ssl_certificate /etc/letsencrypt/live/home.mydomain.com/fullchain.pem;  # change from cert.pem

Then restart your Nginx server:

    service nginx restart

1 Like