Install cert on-premise server


#1

Is there any documentation around switching out the SSL certificate on an on-premise deployment with your own SSL cert? Sorry if I have missed it…


#2

Hi, take a look at http://docs.thinger.io/deployment/#thingerio-configuration-config-file

You will notice that the config file defines an ssl configuration with some predefined certs. Just put your own certificates in /var/snap/thinger-maker-server/common/certificates.

Hope it helps!


#3

Thanks for your reply.
I am a complete Linux newbie, but have been in the Windows server world for 25 years. Excuse my ignorance, but is this a standard Linux way of doing certificates (that I can Google to find out how), or do these certificates need to be prepared in a certain way to work in this configuration? I have the public .CRT file from my cert provider that I have from a Windows box (with the private key embedded). I am happy to document a process and post it if you could maybe point me in the right direction… My Windows experience is that you need to generate a CSR request and then send that to the authority, and then they issue a matching cert… (private and public keys)

A friend of mine who knows Linux helped me by pointing me to this: https://www.markbrilman.nl/2011/08/howto-convert-a-pfx-to-a-seperate-key-crt-file/

I used this process to extract the private key and public cert from my production PFX certificate (which had the private key embedded). I created a SERVER.KEY and a SERVER.CRT file from this process and put them into the folder on the server, but thinger doesn’t start. I get the errors below. If I put back the original CRT and KEY files it starts.

sysadmin@thinger:/var/snap/thinger-maker-server/common$ sudo service snap.thinger-maker-server.thingerd start
sysadmin@thinger:/var/snap/thinger-maker-server/common$ sudo service snap.thinger-maker-server.thingerd status
● snap.thinger-maker-server.thingerd.service - Service for snap application thinger-maker-server.thingerd
Loaded: loaded (/etc/systemd/system/snap.thinger-maker-server.thingerd.service; enabled; vendor preset: enabled)
Active: failed (Result: start-limit-hit) since Tue 2017-03-28 14:03:00 NZDT; 197ms ago
Process: 5787 ExecStart=/usr/bin/snap run thinger-maker-server.thingerd (code=exited, status=0/SUCCESS)
Main PID: 5815 (code=dumped, signal=ABRT)

Mar 28 14:03:00 thinger systemd[1]: snap.thinger-maker-server.thingerd.service: Unit entered failed state.
Mar 28 14:03:00 thinger systemd[1]: snap.thinger-maker-server.thingerd.service: Failed with result ‘core-dump’.
Mar 28 14:03:00 thinger systemd[1]: snap.thinger-maker-server.thingerd.service: Service hold-off time over, scheduling restart.
Mar 28 14:03:00 thinger systemd[1]: Stopped Service for snap application thinger-maker-server.thingerd.
Mar 28 14:03:00 thinger systemd[1]: snap.thinger-maker-server.thingerd.service: Start request repeated too quickly.
Mar 28 14:03:00 thinger systemd[1]: Failed to start Service for snap application thinger-maker-server.thingerd.
Mar 28 14:03:00 thinger systemd[1]: snap.thinger-maker-server.thingerd.service: Unit entered failed state.
Mar 28 14:03:00 thinger systemd[1]: snap.thinger-maker-server.thingerd.service: Failed with result ‘start-limit-hit’.

I also tried setting ssl_prefer_server_ciphers to false, but I am not really sure what is needed here.

As long as I have valid server.crt and server.key files, should I just be able to drop them in the folder and restart the service? I checked the logs but don’t see anything, as the service is not starting with my own certs.
Do I also need to set the ciphers and the pem file thing as well?


#4

Hi,

The idea is that you can drop your crt and key in the certificates folder, and the server should start with those certificates. You do not need to change the prefer_server_ciphers, as this is a setting to handle the preferred cipher in the SSL handshake.

Check that you have your certificates in PEM format. For example…

server.crt

-----BEGIN CERTIFICATE-----
MIIFSzCCBDOgAwIBAgIQbka+JAgUtV86P0NHPtFSojANBgkqhkiG9w0BAQsFADCB
kDELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G
6ayQMLHrtbDt8blC9bOD...
-----END CERTIFICATE-----

server.key

-----BEGIN RSA PRIVATE KEY-----
MIIJKAIBAAKCAgEAnzXdb0d9L5TrascAd7Q65rAmcvU1yVsb8GFiyN2JjMHgDpK3
kQcZmOt31XQ/G44Xh+bpzXy21zMu6GlNxlKWfvYZ+3DTOAdorLizsBwKHzwMV1Uq
D02vCl6XxxbNMz+FT24nmanpyUrKqjlUKQKffL9Cmb861u...
-----END RSA PRIVATE KEY-----

You can chain multiple certificates in your server.crt file to build the proper SSL certificates chain (if needed).


#5

Awesome, thanks for clarifying.

I’ve got it!

For anyone else who has received an SSL cert from a certificate provider and/or used the certificate in the Windows world and wants to re-use the certificate on Thinger:

  1. If you don’t already have a public certificate, create a CSR Request for your certificate. I used IIS but you can also use a tool like https://www.digicert.com/util/

  2. Submit your request to your Certificate Authority

  3. Get your certificate back from your CA and import in to your Windows Server/PC (the same one you generated the CSR from).

  4. Check that the certificate is in your Windows Certificate store and that at the bottom of the General page on the certificate it says ‘You have a private key that corresponds to this certificate’.

  5. Export the certificate from the Windows box. Select ‘Yes, export the private key’. On the next screen, tick ‘Include all certificates in the certification path if possible’ and ‘Export all extended properties’. Specify a password. Save the PFX file that is created.

  6. Copy the PFX file (this is your public cert and the private key combined) to your Thinger Server. (I just copied to /home/myuser).

  7. From command prompt on Thinger Server:

openssl pkcs12 -in [yourfile.pfx] -nocerts -out servernonpem.key

openssl rsa -in servernonpem.key -outform PEM -out server.key

openssl pkcs12 -in [yourfile.pfx] -clcerts -nokeys -out server.crt

  8. You can delete the servernonpem.key file, as we create a PEM format key from this file to use with Thinger (where I was initially going wrong). You may have been able to combine the commands to export a PEM format key in the one command looking back at this now… didn’t try personally.

  9. Backup the server.crt and server.key files in the folder /var/snap/thinger-maker-server/common/certificates (original files) to somewhere you can get them if you need to put them back later.

  10. Overwrite the files in this /var/snap/thinger-maker-server/common/certificates directory with the new server.crt and server.key files you created in your home directory using the OPENSSL commands.

  11. Restart thinger server - sudo service snap.thinger-maker-server.thingerd restart

  12. Check thinger is running OK - sudo service snap.thinger-maker-server.thingerd status

I initially couldn’t make this work, as I thought maybe I also had to change the PEM file and the other settings in the config.json file, but I can confirm no settings need to change; you just need to replace your .KEY and .CRT files with your generated PEM format versions and restart the server.
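An added example, not the thread's or Thinger.io's own tooling: a POSIX shell script that does the PFX-to-PEM conversion from step 7 in one pass (including any intermediate certificates the PFX carries, so server.crt holds the chain mentioned in #4) and checks that the key matches the certificate and that the chain verifies against a CA bundle, which is the same check behind the curl error in #9. It assumes openssl is installed and that the PFX export password is known; the hypothetical function names are mine.

```shell
#!/bin/sh
# Added example, not the thread's or Thinger.io's own tooling: PFX -> PEM for
# Thinger's server.key / server.crt, plus checks to run before overwriting the
# files in /var/snap/thinger-maker-server/common/certificates.
set -eu

# Keep only PEM blocks (drops the "Bag Attributes" lines openssl pkcs12 prints).
pem_only() { sed -n '/^-----BEGIN/,/^-----END/p'; }

# pfx_to_pem PFX PASSWORD OUTDIR -> writes OUTDIR/server.key and OUTDIR/server.crt
# A PFX exported by Windows may need "-legacy" added to each pkcs12 call on OpenSSL 3.
pfx_to_pem() {
  pfx=$1; pass=$2; out=$3
  mkdir -p "$out"
  # Unencrypted private key in one step (replaces -nocerts followed by openssl rsa).
  # Modern OpenSSL writes "BEGIN PRIVATE KEY" (PKCS#8); that is still PEM and loads fine.
  key=$(openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nocerts -nodes)
  printf '%s\n' "$key" | pem_only > "$out/server.key"
  chmod 600 "$out/server.key"      # private key: readable by the owner only
  # Leaf certificate first, then any intermediate CA certs from the PFX, so that
  # server.crt carries the whole chain (the "chain multiple certificates" note in #4).
  leaf=$(openssl pkcs12 -in "$pfx" -passin "pass:$pass" -clcerts -nokeys)
  cas=$(openssl pkcs12 -in "$pfx" -passin "pass:$pass" -cacerts -nokeys)
  { printf '%s\n' "$leaf"; printf '%s\n' "$cas"; } | pem_only > "$out/server.crt"
}

# key_matches_cert KEY CRT -> succeeds only if the key's public half equals the
# public key in the first certificate of CRT (a mismatch is a common reason a
# TLS server refuses to start).
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# cert_count CRT -> number of certificates in the file; 1 means no intermediates.
cert_count() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1"; }

# chain_verifies CRT CABUNDLE -> succeeds if the leaf chains to a CA in CABUNDLE,
# using the intermediates inside CRT as untrusted links. This is the same check
# curl does; a failure here is its "(60) server certificate verification failed".
chain_verifies() {
  openssl verify -CAfile "$2" -untrusted "$1" "$1" >/dev/null 2>&1
}
```

Run it as `pfx_to_pem yourfile.pfx 'password' ~/newcerts` and then `key_matches_cert ~/newcerts/server.key ~/newcerts/server.crt && chain_verifies ~/newcerts/server.crt /etc/ssl/certs/ca-certificates.crt` before copying the files over the originals.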


#6

Nice! Glad it worked! :slight_smile:


#7

Thanks! Sorry, I hope you’re not getting sick of me :slight_smile: with all my questions. You’ve built an awesome system, just trying to work through getting it all going.

I have the new SSL certificate in place now and can browse the URL of the thinger server now with no cert error (and the console too).

In my original config on ESP8266, I had this (DISABLE_TLS) which I found in another article, as I thought with my SSL certificate not right, this was why I couldn’t get devices connected on TLS.

#define THINGER_SERVER "mythingsererurl"
#define DISABLE_TLS
#define DEBUG

Now I have my proper cert in place, I am still not able to remove the DISABLE_TLS option…

Debug output from my device. Checked in logs but couldn’t see anything, maybe I need to make logging more verbose?

[_CONFIG] Updating Device Info…
[_CONFIG] Done!
[NETWORK] Connected!
[_SOCKET] Connecting to mythingsererurl:25202…
[_SOCKET] Using secure TLS/SSL connection: yes
[_SOCKET] Error while connecting!
[THINGER] Writing bytes: 2 [OK]
[_SOCKET] Connecting to mythingsererurl:25202…
[_SOCKET] Using secure TLS/SSL connection: yes
[_SOCKET] Error while connecting!
[_SOCKET] Timeout!
[_SOCKET] Is now closed!

I have confirmed from a remote machine on a different network that I can get a response on Port 25202 via Telnet, so I am sure ports are open etc…

TELNET mythingsererurl 25202

Any ideas where to look as to why the device won’t connect on TLS?

I have been working and connecting fine with the DISABLE_TLS option on port 25200 OK.


#8

The ESP8266 usually connects quite easily over SSL/TLS. Just check you have the latest board version (2.3.0) in your Arduino IDE, and also the latest Thinger.io client libraries. If the device can connect to port 25200, then 25202 with SSL should work fine, even with the default SSL certificates (but showing a host verification warning in the debug output).


#9

Yes, I have board manager 2.3.0 and Thinger libraries 2.7.1.

Is there any way to turn on more verbose logging, server side or client? I have log enabled set to true but am unsure what to set the level to other than INFO.

I have found something when I run curl from the command line to test the API. I was initially using the -k option to ignore SSL errors.
Now I have removed the -k option as I am using a proper certificate setup… but I am getting a new SSL message from curl, below:

Maybe I don’t have the entire certificate chain in my CRT file… will look into it some more… does the error below make any sense to you?

curl: (60) server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
More details here: https://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn’t adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you’d like to turn off curl’s verification of the certificate, use
the -k (or --insecure) option.


#10

Did a bit of googling… I think the cert message in curl on the Linux box itself is a bit of a red herring…

I can browse and connect fine from remote machines with no SSL errors; anyway, they are using port 443 as opposed to the device <> server comms channel on 25200 and 25202.

Can you think of any other thing I can check, log to look at etc. re this? This is the last thing for me to sort in my deployment.
I put the server log level to debug but don’t see anything else around the connection that may help…

Is there a way to get the client to be more verbose in debug?


#11

Hi, if you have your server exposed to the internet, you can test your certificate installation at:

https://www.ssllabs.com/ssltest/


#12

It seems this will only test on port 443. Can I confirm that the TLS comms between the ESP8266 and the Thinger server are on 25202? Does the ESP8266 also connect on 443 to the Thinger server, or just 25202?


#13

Yes, this page will only scan on 443. But if your certificate chain is OK on the web, it should also be fine in the connection with devices (the certificate is the same for both). The ESP8266 can only connect over SSL on 25202, as 443 is reserved for the API and does not provide connections for devices.


#14

OK, thanks for the confirmation. If the cert chain is all OK and the console and tests all confirm OK, any other ideas for how I can debug why the ESP8266 (Wemos boards) just won’t connect on 25202? I have everything else running great now except SSL between devices and the Thinger server.


Type of Thingerio Webserver?
#15

Hello.
I already have a Thinger.io server on my own VPS, but it looks like the site is still using HTTP. Can the default certificate from Thinger.io (/var/snap/thinger-maker-server/common/certificates) be used for an HTTPS connection for our server, or do I have to replace it with my own certificate?
Cheers.