    HS3 SSL Certificates

    Hi all,

    I currently connect to HS3 remotely using SSL, but when I do I always get a warning that the certificate is not trusted. While I can click through the warnings and eventually connect, this gives me issues in other ways, such as using a text element in HStouch with Ishtml true and also accessing from my work computer.

    Does anyone know how to get rid of this message? I'm trying to read up on certificates but it's all a bit confusing at the moment.

    Cheers.
    Matt.

    #2
    Did you create your own certificate for your HS3 server? Check the following post with instructions and related discussions: http://forums.homeseer.com/showthread.php?t=108130



      #3
      In browsers you can add your own certificate to trusted root certificates.

      (How depends on the browser. :-) )

      Regards
      Morten



        #4
        Originally posted by pcp:
        Did you create your own certificate for your HS3 server? Check the following post with instructions and related discussions: http://forums.homeseer.com/showthread.php?t=108130
        Ahh, that's the link I was searching for.

        So far I've managed to follow some instructions on the net and I've got myself a free certificate registered to a domain name I purchased for $10, but I've still got the issue of the domain name not matching the machine name, and HomeSeer wants a .pfx file instead of the .crt file that my NAS wanted.

        So I've got my NAS using my new certificate (with the minor error still) but not HomeSeer. I will follow those instructions later; it's too late for me to think now.

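The two problems in the post above (a certificate that is only trusted for the names written into it, and HomeSeer wanting a .pfx rather than a .crt) can be checked and handled from the command line. The script below is an added example, not from the thread or from HomeSeer; it assumes the openssl CLI is installed and uses a constructed, throwaway self-signed certificate for hs3.example.home in place of the purchased one.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes the openssl CLI is installed.
# Shows (1) that a certificate only satisfies the browser for the names it
# lists, so reaching HS3 by machine name or IP still warns when the cert was
# issued for a purchased domain, and (2) bundling the .crt and its private
# key into the .pfx (PKCS#12) file HS3 asks for.
set -eu
WORK=${WORK:-$(mktemp -d)}

# Constructed stand-in for the purchased certificate: a self-signed cert
# valid only for the DNS name hs3.example.home.
make_sample_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$WORK/hs3.key" -out "$WORK/hs3.crt" \
    -subj "/CN=hs3.example.home" \
    -addext "subjectAltName=DNS:hs3.example.home" >/dev/null 2>&1
}

# Exit 0 if the cert in $1 is valid for host name $2 (the same name check a
# browser applies to the address in the URL). The cert serves as its own
# trust anchor because it is self-signed; a CA-issued cert would pass the
# CA bundle to -CAfile instead.
hostname_matches() {
  openssl verify -CAfile "$1" -verify_hostname "$2" "$1" >/dev/null 2>&1
}

# Bundle cert $1 and private key $2 into PKCS#12 file $3 with password $4.
export_pfx() {
  openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" -passout "pass:$4"
}

# Exit 0 if the .pfx in $1 (password $2) holds a certificate whose CN is $3.
pfx_has_cn() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null \
    | openssl x509 -noout -subject 2>/dev/null | grep -q "CN *= *$3"
}

make_sample_cert
export_pfx "$WORK/hs3.crt" "$WORK/hs3.key" "$WORK/hs3.pfx" changeit
for host in hs3.example.home homeseer.local 192.168.1.50; do
  if hostname_matches "$WORK/hs3.crt" "$host"; then
    echo "$host: matches the certificate (no name warning)"
  else
    echo "$host: does NOT match the certificate (browser will warn)"
  fi
done
```

Only the first of the three names is accepted; the trusted-root trick from the next reply removes the "not trusted" warning but not the name mismatch, which is fixed only by connecting with the name the certificate was issued for.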


          #5
          I think Microsoft/Google have got a bit too smart to accept the certificate as generated above. I give up and am just going to accept I have to click past the warning each time.

          On this note, does anyone know how HSTouch communicates using port 10200? Does it send my username and password as free unencrypted text for all to see?



            #6
            Here I no longer open / close ports on my firewall. I lost track after a bit.

            I got tired of multiple firewall port configurations for this and for that.

            I went to utilizing IP Sec VPN and it works fine with whatever I want to use.

            It's a little bit of a pain to configure; once configured though it's very plug n play.

            You don't have to reconfigure your cell phone then for two set ups, nor do you have to configure your firewall for specific port entries per device.
            Last edited by Pete; October 13, 2014, 04:00 PM.
            - Pete

            Auto mator
            Homeseer 3 Pro - 3.0.0.548 (Linux) - Ubuntu 18.04/W7e 64 bit Intel Haswell CPU 16Gb
            Homeseer Zee2 (Lite) - 3.0.0.548 (Linux) - Ubuntu 18.04/W7e - CherryTrail x5-Z8350 BeeLink 4Gb BT3 Pro
            HS4 Lite - Ubuntu 22.04 / Lenovo Tiny M900 / 32Gb Ram

            HS4 Pro - V4.1.18.1 - Ubuntu 22.04 / Lenova Tiny M900 / 32Gb Ram
            HSTouch on Intel tabletop tablets (Jogglers) - Asus AIO - Windows 11

            X10, UPB, Zigbee, ZWave and Wifi MQTT automation-Tasmota-Espurna. OmniPro 2, Russound zoned audio, Alexa, Cheaper RFID, W800 and Home Assistant



              #7
              Yeah I gave up on setting up a CA certified certificate and went instead to using the makecert script and setting it up that way. At least I've learned a lot about SSL over the last few days.

              I also ended up setting up an IPSec VPN (didn't realise it was a built-in feature of my NAS) and, like you said, this seems to reduce the need to open ports and set up SSL, and gives me full access to other stuff in my WAN. The downside is having to connect/disconnect the VPN every time you use HSTouch, so for this reason I haven't closed my ports off yet; I'm just trialling both approaches. The wife can only just work out how to use HSTouch, so having her have to VPN in first is a no go (she's 29 years old but has the technological understanding of a 92 year old).

              If I'm correct you can't keep the VPN always connected because it routes all cell phone data traffic through my local LAN doesn't it?

              My main question is about HSTouch if anyone can help. Is this encrypted in any format or is my password free text? Wondering if I can close off all ports except the VPN and HSTouch?



                #8
                Use an on-demand VPN IPsec tunnel when starting HSTouch or any remote access via a phone or tablet. Your wife doesn't need to know how it connects; make it plug n play and on demand. "Automate" the IPSec tunnel for only HSTouch. Easy to do.

                If I'm correct you can't keep the VPN always connected because it routes all cell phone data traffic through my local LAN doesn't it?
                In a way it would be better, as your home network's connection out to the internet is more robust. I.e., my PFSense firewall does things that I cannot do or will not do with my cell phone. I am though only mentioning remote connectivity to stuff you want to look at like HSTouch. You could also run a split tunnel if you want to play. Last out-of-town trip while using the hotel internet, I only used my VPN tunnel back home to surf the web. It worked fine and I felt much better surfing.

                Pushing here the use of a software-based BSD easy-to-build firewall with many features, way better than an off-the-shelf product (tiny CPUs and cheap junk stuff). Now too, though, if you replace the OS with DD-WRT or Open-WRT it will do more and be a bit better than what you get.

                The graphical interface on my FIOS combo router while colorful and cartoon like is junk but easy to figure out the limited functionality.

                I do not utilize it.

                New trending here in the US is to purchase the combination modem, firewall, switch, access point, then rent it by the month and then pay for any changes or support to it. It's a win-win for the internet service providers.

                Old house I had broadband and DSL as a backup to my internet. Here it was only broadband that you could get. Recently though fiber / catXX was introduced.

                Priced out a good deal, except I rejected it because of a $100 installation fee for a rental modem with a monthly rental charge, really making it a garbage deal not worth taking. Kind of funny that I had to pay attention, as a quickie view without a granular look actually "appeared" to be a really good deal, and I could see very easily how folks would go for the deal without a granular look at the fine print.
                Last edited by Pete; October 14, 2014, 07:56 AM.
                - Pete



                  #9
                  Use an on-demand VPN IPsec tunnel when starting HSTouch or any remote access via a phone or tablet. Your wife doesn't need to know how it connects; make it plug n play and on demand. "Automate" the IPSec tunnel for only HSTouch. Easy to do.
                  Sounds interesting but I have no idea how to do this? I'd be looking to do it on android phones. Do you mind giving me enough info to get started?

                  Also, my phone gets internet over a 4G connection whereas my house is ADSL with a limited upload speed of about 1 Mbps, so running all my internet traffic through the home VPN would severely slow down my phone's internet speed.

                  Cheers.



                    #10
                    Yup; started to write about it here:

                    http://board.homeseer.com/showthread.php?t=169935

                    1 Mbps isn't really that much for HSTouch. I tested it with my phone / tablet and it worked fine.

                    I also tried a site to site VPN and used the firewall on the other side of the VPN tunnel and it worked fine for me.

                    I have to get back to that post. I am doing pictures of the set up in PFSense. It's really the same with other firewalls.

                    Here is a quickie primer for Android. Note this is a quickie Google search. My DIY will have pictures and stuff.

                    The native Android VPN client supports IPsec, L2TP, and PPTP VPNs. Follow the steps in this article to configure an Android device to connect to a client-to-site IPsec VPN with X.509 certificates and XAUTH authentication.

                    Set Up Certificates on the Android Device
                    - Copy the certificates to the Android device's internal storage.
                    - Tap Settings > Security > Install from Storage.
                    - Tap the root certificate.
                    - Enter a Certificate Name and select VPN and apps.
                    - Click OK.
                    - If prompted, enter your PIN or unlock pattern. A message stating, "Root CA installed" appears briefly at the bottom of the screen.
                    - Enter a Certificate Name and select VPN and apps.
                    - Click OK to install the certificate.
                    - The certificate appears under the User tab at Settings > Security > Trusted Credentials.

                    Set Up the Android VPN Client
                    - Tap Settings.
                    - In the Wireless & Networks section, tap More.
                    - Tap VPN.
                    - Add the VPN by tapping the plus sign (+) next to VPN.
                    - On the Edit VPN profile page, configure these settings:
                    - Name – Enter a name for the VPN connection (e.g., WorkVPNConnection).
                    - Type – Select IPsec Xauth RSA.
                    - Server address – Enter the network address for the VPN service (e.g., 123.45.6.7).
                    - IPsec user certificate – Select the previously installed user certificate (e.g., AndroidCert).
                    - IPsec CA certificate – Select the previously installed root certificate (e.g., RootCert).
                    Last edited by Pete; October 14, 2014, 10:51 PM.
                    - Pete



                      #11
                      Thanks Pete.

                      No, I've already got that far. I have a VPN set up and I can use it; the bit I was wondering about was the
                      make it plug n play and on demand. "automate" the IPSec tunnel for only HSTouch. Easy to do.
                      part.

                      I've currently got VPN set up but still have port 10200 open for HSTouch as I can't be bothered connecting to VPN each time I want to use HSTouch and then disconnecting after. I also wouldn't expect the wife to have to do this either.

                      Cheers.



                        #12
                        Yup; here it's because there are numerous devices these days and I like to tinker.

                        Interesting news article came up this morning.

                        Google reveals major flaw in outdated, but widely-used SSL protocol
                        http://www.zdnet.com/google-reveals-...ol-7000034677/

                        Wondering now what sparks the imagination to create these names. Chicken and Egg thing?
                        Last edited by Pete; October 15, 2014, 12:53 PM.
                        - Pete
