Announcement

Collapse
No announcement yet.

We need native HTTPS support!

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

    Originally posted by langenet View Post
    Thanks for this as well... I didn't even know about a wild card certificate.
    I use a certificate for my e-mail server currently - though, it's specific to my email.
    So maybe a wild card certificate would help for both HS and my e-mail server since I can specify sub-domains...

    Robert
    Robert,

    Depending on the email software and the number of domains you have, you might be good with a wildcard. If you only have a single domain you would be golden with a wildcard. I use a wildcard for all my servers under a specific domain but since I have 4 domains on my email server, a wildcard will not work. I use a UCC or SAN cert so I can can have all FQDN for all domains covered. Running exchange can be tricky.

    If you only have a couple to 5 hosts that need the cert, look at the SAN cert to see if it is cheaper then the wildcard cert; although 129 for 3 years is not bad for a wildcard.
    HS3Pro & HS4Pro on Win2012R2
    Aeotec, Cooper, Cree, GE/Jasco, Intermatic, LIFX, Fortrezz, OSRAM, RCS, Trane, Zooz
    BLBackup, BLGData, BLRussound, BLSpeech, HSTouch, InvisaLink, HSBuddy, IFTTT, JowiHue, NetCAM, PHLocation, Pushover 3P, Random, rnbWeather, UltraLighting3, weatherXML, ZigBee, Z-Wave

    Comment


      So far, so good on the SSL server uptime - 5 days, 9 hours.

      Have been running across some intermittent z-wave delays of 3-5 seconds. Have not yet ben able to isolate whether its the Z-wave network itself, the z-wave plugin, or the .398 build.

      Jason

      -----

      MESSAGE BOARD (copy/paste section below to message board posts)

      Current Date/Time: 12/29/2017 2:28:10 AM
      HomeSeer Version: HS3 Pro Edition 3.0.0.398
      Operating System: Microsoft Windows 10 Home - Work Station
      System Uptime: 5 Days 9 Hours 2 Minutes 37 Seconds
      IP Address: 192.168.1.23
      Number of Devices: 296
      Number of Events: 58
      Available Threads: 100
      HSTouch Enabled: True
      Event Threads: 1
      Event Trigger Eval Queue: 0
      Event Trigger Priority Eval Queue: 0
      Device Exec Queue: 0
      HSTouch Event Queue: 0
      Email Send Queue: 0
      Anti Virus Installed: Sophos Home Windows Defender

      Enabled Plug-Ins
      3.2.0.5: APCUPSD
      2.0.8.0: BLCpuAdvisor
      2.0.6.0: BLPlugins
      3.0.0.42: EasyTrigger
      2.0.1.6: JowiHue
      3.0.0.28: MediaController
      1.5.0.0: MQTT
      3.0.0.28: Nest
      1.0.0.6: Restart
      3.0.0.76: weatherXML
      3.0.1.173: Z-Wave

      Comment


        You will need to be cautious when using a wildcard certificate - within certain limitations, they are useful.

        Typically, when you get a wildcard certificate you can us it with any number of names at the same level.

        For example, all the following names below will be covered by the wildcard certificate *.fakedomain.com.
        • randommachine.fakedomain.com
        • mail.fakedomain.com
        • vpn.fakedomain.com


        However, these will typically NOT work for *.fakedomain.com as they are too many levels deep:
        • randombox.testlab.fakedomain.com
        • mail.devlab1.dev.fakedomain.com


        Ok - Here come the caveats:
        • Digicert has a method of requesting duplicates that somehow allows the to many levels deep to work. See the URL below. I have not tried this myself. YMMV: https://www.digicert.com/ssl-support...-san-names.htm
        • Some devices/apps, while they can use a wildcard certificate, will require that the FQDN be specified as a Subject Alternative Name (SAN) inside the Wildcard certificate. For example, the GlobalProtect VPN portal/gateways on Palo Alto Networks firewalls.
        • Some devices/apps will simply not accept wildcard certs at all.
        • The cheap wildcard certificates I found do not allow you to specify SANs. So, I ended up getting a wildcard certificate for general use and a FQDN certificate for my VPN. I.E. *.fakedomain.com and vpn.fakedomain.com.


        I have spent waaaay to much time with certificates in 2017. I hope this saves some frustration.

        Jason

        Comment


          Originally posted by Jobee View Post
          Robert,

          Depending on the email software and the number of domains you have, you might be good with a wildcard. If you only have a single domain you would be golden with a wildcard. I use a wildcard for all my servers under a specific domain but since I have 4 domains on my email server, a wildcard will not work. I use a UCC or SAN cert so I can can have all FQDN for all domains covered. Running exchange can be tricky.

          If you only have a couple to 5 hosts that need the cert, look at the SAN cert to see if it is cheaper then the wildcard cert; although 129 for 3 years is not bad for a wildcard.
          I only have one domain. The problem that I see and perhaps a solution is that I would have multiple sub domains using certs while I only can forward port 443 as a single port. Saying that, my requirement would be mail.domain.com, homeseer.domain.com. I'm thinking on forwarding all SSL to IIS and having it redirect to the proper application - email or homeseer. Does this seem reasonable or what other alternatives are there?

          I too would like to have my HA using ssl as well...

          Robert
          HS3PRO 3.0.0.500 as a Fire Daemon service, Windows 2016 Server Std Intel Core i5 PC HTPC Slim SFF 4GB, 120GB SSD drive, WLG800, RFXCom, TI103,NetCam, UltraNetcam3, BLBackup, CurrentCost 3P Rain8Net, MCsSprinker, HSTouch, Ademco Security plugin/AD2USB, JowiHue, various Oregon Scientific temp/humidity sensors, Z-Net, Zsmoke, Aeron Labs micro switches, Amazon Echo Dots, WS+, WD+ ... on and on.

          Comment


            Originally posted by rjh View Post
            I removed the setting for the certificate file. The file is "server.pfx" and is in the HS root folder. There is one there already but you can replace as needed.
            Rich - 2 things. First, I have my pfx I put in the root but it is not called server.pfx. I set server.pfx to .old. I assume the code would look for *.pfx and then use the password supplied in Labs to open the backup file to get what it needs.

            I shut down and restarted HS3 thinking it would find my pfx file in the root, but it does not. When I try to go to the ssl site, it is still using the server.pfx file showing local from MA.

            Will only the file name server.pfx work? Maybe add file name in Lab along with password?

            Second - when you are on the machine running HS3 and use the button "Web Interface", where is it set to use either port 80 or 443? For me it defaults to IP address/deviceutility and uses port 80. Would be nice if this button would default to 443 if you are using ssl.

            Thanks,

            Michael
            Attached Files
            HS3Pro & HS4Pro on Win2012R2
            Aeotec, Cooper, Cree, GE/Jasco, Intermatic, LIFX, Fortrezz, OSRAM, RCS, Trane, Zooz
            BLBackup, BLGData, BLRussound, BLSpeech, HSTouch, InvisaLink, HSBuddy, IFTTT, JowiHue, NetCAM, PHLocation, Pushover 3P, Random, rnbWeather, UltraLighting3, weatherXML, ZigBee, Z-Wave

            Comment


              The code looks for the file server.pfx. I did not see a reason to offer a setting for the filename, you have to put the file there anyway, so just give it that name. Is there an issue with the name?

              As for the link, if you are on the PC, then the connection is all internal to the PC, it does not go out to the network, so I don't see why you would need SSL in that case?

              Originally posted by Jobee View Post
              Rich - 2 things. First, I have my pfx I put in the root but it is not called server.pfx. I set server.pfx to .old. I assume the code would look for *.pfx and then use the password supplied in Labs to open the backup file to get what it needs.

              I shut down and restarted HS3 thinking it would find my pfx file in the root, but it does not. When I try to go to the ssl site, it is still using the server.pfx file showing local from MA.

              Will only the file name server.pfx work? Maybe add file name in Lab along with password?

              Second - when you are on the machine running HS3 and use the button "Web Interface", where is it set to use either port 80 or 443? For me it defaults to IP address/deviceutility and uses port 80. Would be nice if this button would default to 443 if you are using ssl.

              Thanks,

              Michael
              website | buy now | support | youtube

              Comment


                Originally posted by rjh View Post
                The code looks for the file server.pfx. I did not see a reason to offer a setting for the filename, you have to put the file there anyway, so just give it that name. Is there an issue with the name?

                As for the link, if you are on the PC, then the connection is all internal to the PC, it does not go out to the network, so I don't see why you would need SSL in that case?
                Thanks. I will rename the file "server".

                I would like SSL internal for consistency sake. At some point it would be better to be able to turn off port 80 so the whole system is running secure.

                Michael
                HS3Pro & HS4Pro on Win2012R2
                Aeotec, Cooper, Cree, GE/Jasco, Intermatic, LIFX, Fortrezz, OSRAM, RCS, Trane, Zooz
                BLBackup, BLGData, BLRussound, BLSpeech, HSTouch, InvisaLink, HSBuddy, IFTTT, JowiHue, NetCAM, PHLocation, Pushover 3P, Random, rnbWeather, UltraLighting3, weatherXML, ZigBee, Z-Wave

                Comment


                  Installed my cert and all was good. No issues accessing the site on 443 and the cert showed valid and everything was working.

                  This morning I needed to get in and run an event and I could not get in. All my scheduled events ran without issue, but the web server crashed. port 80 or 443 did not work. I could ping the box and do everything else, just no web. I ended up having to reboot the server and everything is back up. Have some intermittent errors showing in the log:


                  Dec-30 22:56:34 Error Authenticating SSL stream: The handshake failed due to an unexpected packet format.
                  Dec-30 22:56:34 Error Authenticating SSL stream: The handshake failed due to an unexpected packet format.


                  I don't see any direct error of the web server shutting down. Not sure if it is logged anyway.

                  Rich - Is there a specific log item to see when the web server stops?

                  Michael
                  HS3Pro & HS4Pro on Win2012R2
                  Aeotec, Cooper, Cree, GE/Jasco, Intermatic, LIFX, Fortrezz, OSRAM, RCS, Trane, Zooz
                  BLBackup, BLGData, BLRussound, BLSpeech, HSTouch, InvisaLink, HSBuddy, IFTTT, JowiHue, NetCAM, PHLocation, Pushover 3P, Random, rnbWeather, UltraLighting3, weatherXML, ZigBee, Z-Wave

                  Comment


                    I just came across this and (probably like others) didn't realize this was an option finally!

                    I'm getting an error when starting HS3 build 3.0.0.435.

                    Authenticating SSL stream: The client and server cannot communicate, because they do not possess a common algorithm

                    Some Googleing says it has to do with which SSL protocol is enabled on the sever. Any ideas?

                    Comment


                      Ok, I am going to chime in. I mostly agree with waynehead99, especially his posts https://forums.homeseer.com/showpost...9&postcount=84 and https://forums.homeseer.com/showpost...&postcount=108

                      Basically:

                      * VPN is non-sense for this kind of application. My wife also wouldn't deal with this unless there is a serious emergency. Actually, count me in, too.

                      * Setting up SSL? You must be kidding. Even a self signed certificate isn't trivial to setup. Besides maybe 1% of power users the other 99% would just be frustrated by this process.

                      MyHS is the way to go if it actually would work. The problem is:

                      * If you switch from WAN to LAN or visa-versa HSTouch doesn't know. So you have to shut down the app and restart it. Not 'wife-approved' and it annoys me as well.

                      * It doesn't allow me to access other resources on the same server. As an example, I have BlueIris running on the same server. However, as far as I know there isn't a way to pass this traffic from the server through MyHS to HSTouch so everything is encrypted (including the username/pwd I need to include in the URL to access the BlueIris stream)

                      * Even accessing .aspx pages seems to require credentials which probably are not encrypted either. I might be completely wrong with this as I just started out with this (out of frustration of all the HSTouch limitations).

                      I did hear about a new client but it seems that this client is targeted to an audience that just wants everything easy and it has rather limited customization. If that is correct, I doubt anybody who contributed here will be interested in it. But let's see what HS is coming up with.

                      Comment


                        It is possible to make SSL nice and trivial via UI (only requirement is you have a domain name).

                        Synology has an awesome example of this in their UI where they obtain the cert for you - no self cert (self certs are IMO useless).

                        I hear you on clients that cant transition between LAN and WAN. It is why in the end I ONLY ever connect to my external endpoints even if I am in the LAN - one host name, addressable internally and externally.

                        For consumergrade (which IMO homeseer most defintely is not - it is designed from ground up for tinkers). I agree a webservice is best and have all clients connect to that always. Of course that needs reliability. And not everyone wants to use a service based infrastructure.

                        I don't think these are mutually exclusive options. I do think, given the price, it is incumbent on HS to finish their features.

                        Comment


                          Originally posted by jjason View Post
                          From Krumpy talking about the HomeSeer Web Interface with SSL support enabled: "Can anyone else perform the same sort of test using a trusted certificate authority (such as GoDaddy, Verisign, etc)?"

                          Absolutely!

                          Finally got to the weekend, have the time, and happen to have a wildcard certificate from AlphaSSL for my domain, bigfastnet.com. The certificate is for *.bigfastnet.com and is a SHA-256 certificate. It chains thru AlphaSSL up to the GlobalSign root. (See attached screen capture of the certificate info.)

                          Setup:
                          • I have DNS for bigfastnet.com running internally to my home network - homeseer.bigfastnet.com is properly defined in DNS.
                          • HS3 Pro installed and running on Windows 10.


                          Changes:
                          • Went into C:\Program Files (x86)\HomeSeer HS3 and replaced the self-signed certificate included with the .398 beta with my *.bigfastnet.com certificate.
                          • In HS3 Tools -> Setup -> Labs, put in the SSL Server Certificate Password, checked the Enable SSL Secure Server.
                          • Restarted HS3 Pro to "reset all the marbles."


                          Results:
                          • https://homeseer.bigfastnet.com does exactly what you would expect. Every page I hit is encrypted. Not seeing any operational issues.
                          • Both Safari and Chrome see Homeseer properly secured.
                          • Been working on Homeseer for several hours and the SSL support appears to "just work".


                          Other:
                          I purchased my wildcard certificate from SSL2BUY.com because they were inexpensive and quick.
                          If you are looking for certificates for your company, Digicert.com has done well by me over the years. Recommended!


                          I'll keep using it and report back any abnormalities.
                          Have you had any issues yet? I am on .449 and my ssl goes down after about a week in use. still can't track down what is causing it, but at some point, I cannot hit the SLL site. I get the "unable to load this page".

                          If I shut down HS3 and restart it, I get the SSL site back. Something is causing the custom web service within HS3 to bomb out but not take down the whole application. The non SSL works so it is my back door in until there is a fix.

                          Michael
                          HS3Pro & HS4Pro on Win2012R2
                          Aeotec, Cooper, Cree, GE/Jasco, Intermatic, LIFX, Fortrezz, OSRAM, RCS, Trane, Zooz
                          BLBackup, BLGData, BLRussound, BLSpeech, HSTouch, InvisaLink, HSBuddy, IFTTT, JowiHue, NetCAM, PHLocation, Pushover 3P, Random, rnbWeather, UltraLighting3, weatherXML, ZigBee, Z-Wave

                          Comment


                            Anyone seen this, any ideas why i can't connect (my suspicion is this a TLS negotiation issue)

                            Authenticating SSL stream: One or more errors occurred.

                            --edit--
                            hmm seems to now be connecting despite the error!?
                            ok my bad, was because i was connecting to IP and bypassing browser cert warning, connecting on DNS name was aok
                            Last edited by scyto; June 25, 2018, 10:06 PM.

                            Comment


                              Originally posted by Jobee View Post
                              Have you had any issues yet? I am on .449 and my ssl goes down after about a week in use. still can't track down what is causing it, but at some point, I cannot hit the SLL site. I get the "unable to load this page".

                              If I shut down HS3 and restart it, I get the SSL site back. Something is causing the custom web service within HS3 to bomb out but not take down the whole application. The non SSL works so it is my back door in until there is a fix.

                              Michael
                              hi michale, when you say about a week do you mean like 5 days or 9 days (just so i know how long to leave it up to see if i have same issues!)

                              Comment


                                Originally posted by scyto View Post
                                hi michale, when you say about a week do you mean like 5 days or 9 days (just so i know how long to leave it up to see if i have same issues!)
                                This time it took about 6 days. There are always a set of errors in the log when it goes down. Of course it is not until the next time I try to get in, that it just hangs and I know it is. I made the mistake of trying to turn it off in Labs and that just made it unable to get in either with or without SSL, so I don't do that anymore. I have to shut down HS3 and then restart it to get SSL back.

                                Michael
                                HS3Pro & HS4Pro on Win2012R2
                                Aeotec, Cooper, Cree, GE/Jasco, Intermatic, LIFX, Fortrezz, OSRAM, RCS, Trane, Zooz
                                BLBackup, BLGData, BLRussound, BLSpeech, HSTouch, InvisaLink, HSBuddy, IFTTT, JowiHue, NetCAM, PHLocation, Pushover 3P, Random, rnbWeather, UltraLighting3, weatherXML, ZigBee, Z-Wave

                                Comment

                                Working...
                                X