The problem is with accessing my domoticz on a raspberry using https.
I have a self-signed certificate configured in HAPROXY according to instructions here: https://serversforhackers.com/c/using-s … th-haproxy
I checked that the host name is correct and it is not expired.
It should be noted that it is in the .ddns.net domain (don’t know if that has any influence on the problem)
Can you help with this?
In imperihome it will give a popup with the option to accept the self-signed certificate, would it be possible to do the same on HH?
Thanks
@frnandu, correct self-signed certificates should be verified normally. What is the device model and Android OS version?
Samsung galaxy s8+
Android 9
What makes a self-signed certificate “correct”?
Valid expiration, a matching hostname and modern ciphers (that Android works with; Android 9 should be OK on that).
To confirm, the certificate matches the .ddns.net domain that you use to connect?
Checked on another checker at https://www.digicert.com/help/ and got this:
Maybe that’s the problem?
I’ll try to generate a stronger 2048-bit RSA cert and check.
Not sure if that’s the reason, but the only difference between the test instance I tested with and that certificate is that it has 1024-bit keys, while I tested with 2048 bits. I will check with the lower key length.
Possibly; 1024-bit length has been considered weak for a few years now. Will double-check.
Tried 2048, but the same.
Ok, thanks for trying. Will see what else could be the reason.
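The criteria discussed above (valid expiration, a hostname that matches, and a 2048-bit rather than 1024-bit key), as an added example that is not code from this thread, from the app or from HAProxy: a Go program that builds a self-signed certificate for the constructed hostname `specifichost.ddns.net` and then runs the checks a strict client runs on it, with Go's own verifier standing in for the app's. The function names `makeSelfSigned` and `checkSelfSigned` are chosen here, not taken from any project.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// makeSelfSigned builds a self-signed server cert for host (constructed test data); withSAN=false
// mimics a cert naming the host only in the Subject CN, as older openssl one-liners do.
func makeSelfSigned(host string, bits int, withSAN bool, days int) (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Duration(days) * 24 * time.Hour), // days < 0 => expired
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if withSAN {
		tmpl.DNSNames = []string{host} // the hostname belongs in the SAN extension, not only in CN
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// checkSelfSigned trusts cert as the only root (what "accepting" a self-signed cert means) and
// reports what a strict client rejects: RSA key under 2048 bits, expiry, hostname not in SANs.
func checkSelfSigned(cert *x509.Certificate, host string) []string {
	var problems []string
	if pub, ok := cert.PublicKey.(*rsa.PublicKey); ok && pub.N.BitLen() < 2048 {
		problems = append(problems, fmt.Sprintf("weak RSA key: %d bits", pub.N.BitLen()))
	}
	roots := x509.NewCertPool()
	roots.AddCert(cert)
	if _, err := cert.Verify(x509.VerifyOptions{DNSName: host, Roots: roots}); err != nil {
		problems = append(problems, err.Error())
	}
	return problems
}
```

A certificate that carries the hostname only in the CN, with no SAN extension, fails the hostname check in Go's verifier, so when regenerating a cert it is worth confirming the SAN as well as the key length.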
specifichost.somedomain.com
Is a popup to accept not an option? (like imperihome does)
Certificate check override creates a potential security issue, since a fraudulent certificate could be used unknowingly, so we decided not to allow that.
In your setup, you have a local IP configured for the local connection and then ddns.net for remote?
Is the certificate issue only for the remote connection?
Yep. Local has a 192.168.1.* address.
Remote has HAProxy with basic HTTPS login/password authentication.
What kind of system did you have the test certificate on? Raspberry/Windows/Linux? And what HTTP server software?
nginx proxy on Linux.
Did you test it on Domoticz?
And did you test it remotely?
Do you have a static domain or dynamic DNS?
From what I see in most applications/software that I have used, there is always an option to accept the risk yourself. Sometimes very big exclamation marks, but otherwise it’s the user’s responsibility.
Yes, for everything. The domain is static, but I don’t see why a DDNS domain would make a difference for the certificate check.
Can you upload logs from the support screen soon after the failed certificate check?