1 change: 1 addition & 0 deletions Dockerfile
@@ -1,3 +1,4 @@

# This file should be run after compiling the solution with the following command:
# msbuild /r /p:Configuration=Release /p:OutputPath=app /t:Publish

4 changes: 4 additions & 0 deletions Zigbee2MqttAssistant/Services/AllowJoinTimerService.cs
@@ -32,6 +32,8 @@ public async Task StartAsync(CancellationToken ct)
{
_stateService.StateChanged += OnStateChanged;
}

await Task.CompletedTask;
}

private void OnStateChanged(object sender, Bridge e)
@@ -75,6 +77,8 @@ public async Task StopAsync(CancellationToken ct)

// Terminate any ongoing timer
_disposable.Disposable = null;

await Task.CompletedTask;
}

public void Dispose() => _disposable.Dispose();
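Review bot: The `await Task.CompletedTask;` lines appended at the end of `StartAsync` and `StopAsync` exist only to give the `async` methods something to await; nothing in the visible code is asynchronous. Dropping the `async` modifier and ending each method with `return Task.CompletedTask;` says the same thing without the generated state machine. Both method bodies start outside the visible hunks, so check first for any early `return;` and whether callers rely on exceptions surfacing through the returned task rather than synchronously.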
1 change: 1 addition & 0 deletions Zigbee2MqttAssistant/Services/MqttConnectionService.cs
@@ -105,6 +105,7 @@ private async Task Connect()
{
x.UseTls = settings.MqttSecure != TlsMode.False;
x.AllowUntrustedCertificates = settings.MqttSecure == TlsMode.Insecure;
x.IgnoreCertificateRevocationErrors = true;
Member


Nice catch 👍

})
.WithCredentials(settings.MqttUsername, settings.MqttPassword)
.Build();
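Review bot: `x.IgnoreCertificateRevocationErrors = true;` is set unconditionally, so a revoked broker certificate is accepted even when `MqttSecure` selects the strict TLS mode, whereas the line above relaxes trust only for `TlsMode.Insecure`. Tie it to the same mode, `x.IgnoreCertificateRevocationErrors = settings.MqttSecure == TlsMode.Insecure;`, or put it behind its own setting if revocation lookups fail in some deployments for reachability reasons. Either way a short comment stating why revocation checking is relaxed would help the next reader. `Connect()` starts and ends outside the hunk, so any certificate validation handling elsewhere in the method is not visible here.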
12 changes: 11 additions & 1 deletion Zigbee2MqttAssistant/Startup.cs
@@ -35,6 +35,12 @@ public void ConfigureServices(IServiceCollection services)
c.ReturnHttpNotAcceptable = true;
});

services.AddHttpsRedirection(options =>
{
options.RedirectStatusCode = StatusCodes.Status307TemporaryRedirect;
options.HttpsPort = Configuration.GetValue<int?>("SETTINGS:HTTPSPORT", 443);
});

services.AddSingleton<IBridgeStateService, BridgeStateService>();
services.AddSingleton<IBridgeOperationService, BrigeOperationService>();
services.AddSingleton<ISettingsService, SettingsService>();
@@ -65,11 +71,15 @@ public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
app.UseExceptionHandler("/Home/Error");
}

if (Configuration.GetValue("SETTINGS:HTTPSREDIRECT", false))
{
app.UseHttpsRedirection();
}
Comment on lines +74 to +77
Member


Please document this change: what does this feature do, and how is it used?

Author


HTTPS redirection can be enforced by setting the environment variable Z2MA_SETTINGS__HTTPSREDIRECT to true. If the variable is not set the value defaults to false. When set to true then all HTTP requests are redirected to HTTPS.
The HTTPS port to which the requests are redirected can be set via the environment variable Z2MA_SETTINGS__HTTPSPORT. If the variable is not set the value defaults to 443.

Setting the HTTPS port is essential when running Zigbee2MqttAssistant from Docker and the published HTTPS port is not 443.

Here is an example of a docker-compose with accompanying .env file which uses HTTPS and HTTPS redirection (assuming the PR will be merged).

docker-compose.yml file:

version: '3.7'

services:
  zigbee2mqttAssistant:
    image: carldebilly/zigbee2mqttassistant
    container_name: zigbee2mqttAssistant
    environment:
      - Z2MA_SETTINGS__MQTTSERVER=${MQTTSERVER}
      - Z2MA_SETTINGS__MQTTPORT=${MQTTPORT}
      - Z2MA_SETTINGS__MQTTSECURE=${MQTTSECURE}
      - Z2MA_SETTINGS__MQTTUSERNAME=${MQTTUSERNAME}
      - Z2MA_SETTINGS__MQTTPASSWORD=${MQTTPASSWORD}
      - Z2MA_SETTINGS__HTTPSPORT=${HTTPSPORT}
      - Z2MA_SETTINGS__HTTPSREDIRECT=${HTTPSREDIRECT}
      - TZ=Europe/Berlin
      - ASPNETCORE_URLS=https://+:443;http://+:80
      - ASPNETCORE_Kestrel__Certificates__Default__Password=${PFXPASSWORD}
      - ASPNETCORE_Kestrel__Certificates__Default__Path=/app/certs/certificate.pfx
    networks:
      - zigbeenet
    ports:
      - 8880:80
      - ${HTTPSPORT}:443
    volumes:
      - ${CERTSPATH}:/app/certs:ro
    restart: unless-stopped

networks:
  zigbeenet:
    name: zigbeenet
    driver: bridge

.env file:

MQTTSERVER=mqttserver.example.net
MQTTPORT=8883
MQTTSECURE=Insecure
MQTTUSERNAME=username
MQTTPASSWORD=password
HTTPSPORT=4433
HTTPSREDIRECT=true
CERTSPATH=/tmp/certs
PFXPASSWORD=<cert_password, see below>

To generate a self-signed certificate replace 'XX' and webserver addresses and IPs in the following commands:

openssl req -x509 -newkey rsa:2048 -sha256 -keyout key.txt -out cert.txt -days 3650 -nodes -subj "/C=XX/ST=XX/L=XX/O=XX/OU=XX/CN= webserver.example.com" -addext subjectAltName=DNS: webserver.example.com,IP:192.168.0.1
openssl pkcs12 -export -out certificate.pfx -inkey key.txt -in cert.txt

The entry 'cert_password' in the .env file has to be replaced by the password you just entered when creating the PFX cert file.
Copy the pfx file to the directory /tmp/certs/ or change the path of ‘CERTSPATH’ in .env and make sure the file has read permissions (i.e. chmod ugo+r certificate.pfx)


app.UseStaticFiles();

app.UseRouting();


app.UseEndpoints(endpoints =>
{
endpoints.MapControllerRoute(
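Review bot: In `Configure`, the new `app.UseHttpsRedirection()` block answers plain-HTTP requests with a 307, but nothing tells the browser to stay on HTTPS, so every visit that starts on `http://` still sends its first request in clear text. When `SETTINGS:HTTPSREDIRECT` is true, consider adding `app.UseHsts();` inside the same `if`, outside development; browsers honour that header only over a trusted certificate, so it has no effect with a self-signed one. In `ConfigureServices`, `Configuration.GetValue<int?>("SETTINGS:HTTPSPORT", 443)` accepts any integer, and a range check (1–65535) would turn a mistyped port into a startup error instead of a broken redirect target. Both methods continue outside the visible hunks.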