[SOLVED] Synology, Sophos HTTPS proxy and Openhab 2.4

Hi,

I installed openhab 2.4 on a current Synology RS815 with DSM 6.2.1 with the regular pkg-manager, behind a Sophos UTM (firewall, etc.) and a Fritzbox.

The Fritzbox NATs all traffic to Sophos UTM in another IP address range, and the Sophos UTM is a transparent proxy to all clients/servers in the internal network for HTTP+HTTPS. For the Synology server, HTTPS traffic is not proxied. For other clients, I needed to install a self-certified SSL certificate by Sophos.

My problem is that

  • no add-ons are downloaded after installation
  • no myopenhab cloud connection

I remember that there is an issue with iCloud binding, solved after installing the Apple certificate.

Does someone have an idea how to detect the issue?

Best regards,
Jens

Errors in the logs?

Restart of openhab and log file openhab.log showed this

2019-01-15 16:51:06.396 [INFO ] [egram.internal.TelegramActionService] - Bot bot2 loaded from config file
2019-01-15 16:51:07.535 [ERROR] [org.apache.felix.scr                ] - bundle org.apache.felix.scr:2.1.2 (39)Circular reference detected trying to get service {org.eclipse.smarthome.io.net.http.TlsCertificateProvider}={service.id=124, service.bundleid=214, service.scope=bundle, component.name=org.openhab.binding.icloud.internal.ICloudTlsCertificateProvider, component.id=17}
 stack of references: ServiceReference: {org.eclipse.smarthome.io.net.http.TlsCertificateProvider}={service.id=124, service.bundleid=214, service.scope=bundle, component.name=org.openhab.binding.icloud.internal.ICloudTlsCertificateProvider, component.id=17}
ServiceReference: {org.eclipse.smarthome.io.net.http.internal.ExtensibleTrustManager}={service.id=132, service.bundleid=118, service.scope=bundle, component.name=org.eclipse.smarthome.io.net.http.internal.ExtensibleTrustManager, component.id=23}

java.lang.Exception: stack trace
        at org.apache.felix.scr.impl.ComponentRegistry.enterCreate(ComponentRegistry.java:481) [39:org.apache.felix.scr:2.1.2]
        at org.apache.felix.scr.impl.BundleComponentActivator.enterCreate(BundleComponentActivator.java:735) [39:org.apache.felix.scr:2.1.2]
        at org.apache.felix.scr.impl.manager.SingleComponentManager.getService(SingleComponentManager.java:845) [39:org.apache.felix.scr:2.1.2]
        at org.eclipse.osgi.internal.serviceregistry.ServiceFactoryUse$1.run(ServiceFactoryUse.java:212) [?:?]
        at java.security.AccessController.doPrivileged(Native Method) ~[?:?]
        at org.eclipse.osgi.internal.serviceregistry.ServiceFactoryUse.factoryGetService(ServiceFactoryUse.java:210) [?:?]
        at org.eclipse.osgi.internal.serviceregistry.ServiceFactoryUse.getService(ServiceFactoryUse.java:111) [?:?]
        at org.eclipse.osgi.internal.serviceregistry.ServiceConsumer$2.getService(ServiceConsumer.java:45) [?:?]
        at org.eclipse.osgi.internal.serviceregistry.ServiceRegistrationImpl.getService(ServiceRegistrationImpl.java:508) [?:?]
        at org.eclipse.osgi.internal.serviceregistry.ServiceRegistry.getService(ServiceRegistry.java:461) [?:?]
        at org.eclipse.osgi.internal.framework.BundleContextImpl.getService(BundleContextImpl.java:624) [?:?]
        at org.apache.felix.scr.impl.manager.SingleRefPair.getServiceObject(SingleRefPair.java:73) [39:org.apache.felix.scr:2.1.2]
        at org.apache.felix.scr.impl.inject.BindParameters.getServiceObject(BindParameters.java:47) [39:org.apache.felix.scr:2.1.2]
        at org.apache.felix.scr.impl.inject.methods.BindMethod.getServiceObject(BindMethod.java:662) [39:org.apache.felix.scr:2.1.2]
...

and this

2019-01-15 16:51:07.669 [WARN ] [org.openhab.binding.icloud          ] - FrameworkEvent WARNING - org.openhab.binding.icloud
org.osgi.framework.ServiceException: org.apache.felix.scr.impl.manager.SingleComponentManager.getService() returned a null service object
    at org.eclipse.osgi.internal.serviceregistry.ServiceFactoryUse.factoryGetService(ServiceFactoryUse.java:232) ~[?:?]
    at org.eclipse.osgi.internal.serviceregistry.ServiceFactoryUse.getService(ServiceFactoryUse.java:111) ~[?:?]
    at org.eclipse.osgi.internal.serviceregistry.ServiceConsumer$2.getService(ServiceConsumer.java:45) ~[?:?]
    at org.eclipse.osgi.internal.serviceregistry.ServiceRegistrationImpl.getService(ServiceRegistrationImpl.java:508) ~[?:?]
    at org.eclipse.osgi.internal.serviceregistry.ServiceRegistry.getService(ServiceRegistry.java:461) ~[?:?]
    at org.eclipse.osgi.internal.framework.BundleContextImpl.getService(BundleContextImpl.java:624) ~[?:?]
    at org.apache.felix.scr.impl.manager.SingleRefPair.getServiceObject(SingleRefPair.java:73) ~[?:?]
    at org.apache.felix.scr.impl.inject.BindParameters.getServiceObject(BindParameters.java:47) ~[?:?]
    at org.apache.felix.scr.impl.inject.methods.BindMethod.getServiceObject(BindMethod.java:662) ~[?:?]
    at org.apache.felix.scr.impl.manager.DependencyManager.getServiceObject(DependencyManager.java:2304) ~[?:?]
    at org.apache.felix.scr.impl.manager.DependencyManager$MultipleDynamicCustomizer.prebind(DependencyManager.java:419) ~[?:?]
    at org.apache.felix.scr.impl.manager.DependencyManager.prebind(DependencyManager.java:1576) ~[?:?]
    at org.apache.felix.scr.impl.manager.AbstractComponentManager.collectDependencies(AbstractComponentManager.java:1014) ~[?:?]
    at org.apache.felix.scr.impl.manager.SingleComponentManager.getServiceInternal(SingleComponentManager.java:899) ~[?:?]
    at org.apache.felix.scr.impl.manager.SingleComponentManager.getService(SingleComponentManager.java:863) ~[?:?]

All other log messages are fine. No logs in Sophos.

I’ve nothing to offer. I know nothing of Synology, Fritzbox and it sounds like you have a far more involved network set than the average user.

Thanks for taking care, Rich. It’s just that everything was fine with openhab 2.3, so I’m looking for advice about a potential change.

Started a little debugging.

[WARN ] [hab.action.telegram.internal.Telegram] - Transport error: {}
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) ~[?:?]
        at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1946) ~[?:?]
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:316) ~[?:?]
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:310) ~[?:?]
        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1639) ~[?:?]
        at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:223) ~[?:?]
        at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037) ~[?:?]
        at sun.security.ssl.Handshaker.process_record(Handshaker.java:965) ~[?:?]

Found the known SSL issue and here. Apple certificate installed, no luck. Mails/telegrams are also not sent out, but iCloud binding is working.

How can I test/verify the way the SSL handshake is set up and where the bottleneck may be? As I understand it, the issue is primarily an SSL matter with Java/Synology rather than Sophos.

Installed Java again (v201 as of today), added certificates as in the linked post, restarted, and it works.
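
Added example, not part of the original posts: a small Python triage of openhab.log that groups stack-trace lines under their log header and reports which logger hit the Java truststore failure quoted in the thread, separately from the OSGi circular-reference error. The sample log is constructed from shortened lines in the thread; the function names and category labels are assumptions.

```python
import re

# Constructed sample, shortened from the openhab.log excerpts quoted in the thread.
SAMPLE_LOG = """\
2019-01-15 16:51:06.396 [INFO ] [egram.internal.TelegramActionService] - Bot bot2 loaded from config file
2019-01-15 16:51:07.535 [ERROR] [org.apache.felix.scr                ] - bundle org.apache.felix.scr:2.1.2 (39)Circular reference detected trying to get service
java.lang.Exception: stack trace
        at org.apache.felix.scr.impl.ComponentRegistry.enterCreate(ComponentRegistry.java:481)
[WARN ] [hab.action.telegram.internal.Telegram] - Transport error: {}
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) ~[?:?]
"""

# Entry header: optional timestamp, then "[LEVEL] [logger] - message".
HEADER = re.compile(
    r"^(?:(?P<ts>\d{4}-\d{2}-\d{2} [\d:.]+) )?"
    r"\[(?P<level>[A-Z]+)\s*\] \[(?P<logger>[^\]]+?)\s*\] - (?P<msg>.*)$"
)

# Labels are assumptions for this example. "PKIX path building failed" means
# the JVM truststore holds no CA that signs the certificate chain presented.
SIGNATURES = {
    "untrusted-issuer": "PKIX path building failed",
    "osgi-circular-reference": "Circular reference detected",
}

def split_entries(text):
    """Attach continuation lines (stack traces) to the preceding header."""
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            entries.append({**m.groupdict(), "body": [m["msg"]]})
        elif entries and line.strip():
            entries[-1]["body"].append(line.strip())
    return entries

def triage(text):
    """Return (label, level, logger) for every entry matching a signature."""
    findings = []
    for entry in split_entries(text):
        joined = "\n".join(entry["body"])
        for label, needle in SIGNATURES.items():
            if needle in joined:
                findings.append((label, entry["level"], entry["logger"]))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(*finding, sep="\t")
```

Every logger reported as `untrusted-issuer` is making outbound TLS connections with a truststore that lacks the issuing CA, which is what the certificate import described in the last post addresses.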