Fix "The remote certificate is invalid according to the validation procedure" bug. #305
base: master
"ASPNETCORE_ENVIRONMENT": "Production" | ||
}, | ||
"applicationUrl": "https://localhost:5001;http://localhost:5000" | ||
"applicationUrl": "https://localhost:443" |
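Review bot: the replacement `"applicationUrl": "https://localhost:443"` makes this launch profile HTTPS-only on a privileged port, dropping the http://localhost:5000 endpoint that local runs rely on and requiring elevated privileges to bind 443 on Linux and macOS. Keep `"applicationUrl": "https://localhost:5001;http://localhost:5000"` as it was and drive the deployment listener from ASPNETCORE_URLS instead, as the docker-compose example later in this thread already does.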
You should not change that for development environments.
Yes you're right. Was a leftover I forgot to rollback.
@@ -105,6 +105,7 @@ private async Task Connect() | |||
{ | |||
x.UseTls = settings.MqttSecure != TlsMode.False; | |||
x.AllowUntrustedCertificates = settings.MqttSecure == TlsMode.Insecure; | |||
x.IgnoreCertificateRevocationErrors = true; |
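Review bot: `x.IgnoreCertificateRevocationErrors = true;` is unconditional, so revocation failures are accepted in every mode where TLS is on, while the line directly above it correctly gates `x.AllowUntrustedCertificates` on `settings.MqttSecure == TlsMode.Insecure`. Tie the new line to the same condition, or to its own documented setting, so that a broker with a properly chained certificate still gets a revocation check; and state in the PR description that a self-signed broker certificate is better handled by pinning it or importing it into the trust store than by turning the check off for everyone.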
Nice catch 👍
Zigbee2MqttAssistant/Startup.cs
Outdated
app.UseHttpsRedirection(); | ||
|
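Review bot: `app.UseHttpsRedirection();` is added here unconditionally and the hunk configures no HttpsRedirectionOptions/HttpsPort, so the middleware has to discover the HTTPS port from the server addresses at runtime; a deployment that exposes only the HTTP listener (the HASS.IO case raised in this thread) then either gets no redirect and a warning in the log or a redirect to a port nothing listens on. Gate the call on a setting and make the target port configurable.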
You are forcing the app to work with https
... which could break the HASS.IO integration and force the developer to create a self-signed certificate.
I think this should be configurable in the config. What do you think?
Making this selectable via configuration is a good idea.
if (Configuration.GetValue("SETTINGS:HTTPSREDIRECT", false)) | ||
{ | ||
app.UseHttpsRedirection(); | ||
} |
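Review bot: the guard `Configuration.GetValue("SETTINGS:HTTPSREDIRECT", false)` reads the flag correctly, but nothing in this hunk feeds SETTINGS:HTTPSPORT (documented in this thread as defaulting to 443) into HttpsRedirectionOptions.HttpsPort; without a configured port the middleware tries to discover the HTTPS port from the server addresses and, when it cannot, logs a warning and skips the redirect. Bind the port in ConfigureServices with services.AddHttpsRedirection, prefer reading both values through the existing settings object instead of a raw string key, and add the two new keys to the README.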
Please document this change... What this feature is doing? How to use it?
HTTPS redirection can be enforced by setting the environment variable Z2MA_SETTINGS__HTTPSREDIRECT to true. If the variable is not set the value defaults to false. When set to true then all HTTP requests are redirected to HTTPS.
The HTTPS port to which the requests are redirected can be set via the environment variable Z2MA_SETTINGS__HTTPSPORT. If the variable is not set the value defaults to 443.
Setting the HTTPS port is essential when running Zigbee2MqttAssistant from Docker and the outgoing port is not set to 443.
Here is an example of a docker-compose with accompanying .env file which uses HTTPS and HTTPS redirection (assuming the PR will be merged).
docker-compose.yml file:
version: '3.7'
services:
  zigbee2mqttAssistant:
    image: carldebilly/zigbee2mqttassistant
    container_name: zigbee2mqttAssistant
    environment:
      - Z2MA_SETTINGS__MQTTSERVER=${MQTTSERVER}
      - Z2MA_SETTINGS__MQTTPORT=${MQTTPORT}
      - Z2MA_SETTINGS__MQTTSECURE=${MQTTSECURE}
      - Z2MA_SETTINGS__MQTTUSERNAME=${MQTTUSERNAME}
      - Z2MA_SETTINGS__MQTTPASSWORD=${MQTTPASSWORD}
      - Z2MA_SETTINGS__HTTPSPORT=${HTTPSPORT}
      - Z2MA_SETTINGS__HTTPSREDIRECT=${HTTPSREDIRECT}
      - TZ=Europe/Berlin
      - ASPNETCORE_URLS=https://+:443;http://+:80
      - ASPNETCORE_Kestrel__Certificates__Default__Password=${PFXPASSWORD}
      - ASPNETCORE_Kestrel__Certificates__Default__Path=/app/certs/certificate.pfx
    networks:
      - zigbeenet
    ports:
      - 8880:80
      - ${HTTPSPORT}:443
    volumes:
      - ${CERTSPATH}:/app/certs:ro
    restart: unless-stopped
networks:
  zigbeenet:
    name: zigbeenet
    driver: bridge
.env file:
MQTTSERVER=mqttserver.example.net
MQTTPORT=8883
MQTTSECURE=Insecure
MQTTUSERNAME=username
MQTTPASSWORD=password
HTTPSPORT=4433
HTTPSREDIRECT=true
CERTSPATH=/tmp/certs
PFXPASSWORD=<cert_password, see below>
To generate a self-signed certificate replace 'XX' and webserver addresses and IPs in the following commands:
openssl req -x509 -newkey rsa:2048 -sha256 -keyout key.txt -out cert.txt -days 3650 -nodes -subj "/C=XX/ST=XX/L=XX/O=XX/OU=XX/CN=webserver.example.com" -addext "subjectAltName=DNS:webserver.example.com,IP:192.168.0.1"
openssl pkcs12 -export -out certificate.pfx -inkey key.txt -in cert.txt
The entry 'cert_password' in the .env file has to be replaced by the password you just entered when creating the PFX cert file.
Copy the pfx file to the directory /tmp/certs/ or change the path of ‘CERTSPATH’ in .env and make sure the file has read permissions (i.e. chmod ugo+r certificate.pfx)
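The certificate steps above, as an added example that is neither the project's code nor part of the comment: a script that generates the self-signed server certificate with its subjectAltName through an OpenSSL config file (so it also works on OpenSSL releases older than 1.1.1, which lack -addext), exports the PFX that Kestrel expects, restricts the file permissions to owner and group instead of ugo+r, and prints the SHA-256 fingerprint a client can pin rather than running the broker link in Insecure mode. It assumes only the openssl CLI; the host name, IP, password and output directory are parameters and the values in the usage lines are illustrative.

```shell
#!/bin/sh
# Added example, not Zigbee2MqttAssistant code. Requires the openssl CLI.
set -eu

# make_server_pfx DIR HOST IP PASSWORD [DAYS]
# Writes DIR/key.pem, DIR/cert.pem and DIR/certificate.pfx.
make_server_pfx() {
    dir=$1; host=$2; ip=$3; pass=$4; days=${5:-3650}
    mkdir -p "$dir"
    # Extensions come from a config file rather than -addext so that the
    # command is portable; key usage is limited to what a TLS server needs.
    cat > "$dir/san.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ext
[dn]
CN = $host
[v3_ext]
subjectAltName = DNS:$host,IP:$ip
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
EOF
    openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days "$days" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" \
        -config "$dir/san.cnf" 2>/dev/null
    # Kestrel loads key and certificate from one password-protected PFX.
    openssl pkcs12 -export -inkey "$dir/key.pem" -in "$dir/cert.pem" \
        -out "$dir/certificate.pfx" -passout "pass:$pass"
    # Both files hold the private key: no world-readable bits. Give the
    # uid/gid the container runs as group access instead of chmod ugo+r.
    chmod 0600 "$dir/key.pem"
    chmod 0640 "$dir/certificate.pfx"
    rm -f "$dir/san.cnf"
}

# check_server_cert DIR HOST
# Fails unless the certificate names HOST in its SAN and verifies against
# itself as trust anchor, which is the check a client performs when the
# certificate is pinned or imported instead of validation being disabled.
check_server_cert() {
    dir=$1; host=$2
    openssl x509 -in "$dir/cert.pem" -noout -text | grep -q "DNS:$host" || return 1
    openssl verify -CAfile "$dir/cert.pem" "$dir/cert.pem" >/dev/null 2>&1 || return 1
}

# cert_fingerprint CERT
# Prints the colon-separated SHA-256 fingerprint to pin on the client side.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Usage (values are illustrative; PFXPASSWORD matches the .env entry above):
# make_server_pfx /tmp/certs webserver.example.com 192.168.0.1 "$PFXPASSWORD"
# check_server_cert /tmp/certs webserver.example.com && cert_fingerprint /tmp/certs/cert.pem
```

The fingerprint printed by cert_fingerprint is what a client should compare against, or the cert.pem is what it should import as a trust anchor; either keeps chain validation switched on, whereas MQTTSECURE=Insecure accepts any certificate the broker presents.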
Add IgnoreCertificateRevocationErrors=true to MqttClientOptions.
(see dotnet/MQTTnet#819)
This fixes the "connection to MQTT brokers with self-signed certificates" bug (#81, #260).