install.sh: both certificate generation methods fail
Jokeronomy opened this issue · 6 comments
Issue does not already exist? I have searched and found no existing issue
Select Environment: Install Script
Home Assistant related? No
Description
Both the primary and fallback certificate generation methods fail, for different reasons.
Primary method command is this: faketime '2017-01-01 00:00:00' openssl req -new -config openssl.conf -nodes -x509 -newkey ec -pkeyopt ec_paramgen_curve:P-256 -pkeyopt ec_param_enc:named_curve -subj "/C=NL/O=Philips Hue/CN=$serial" -keyout private.key -out public.crt -set_serial $dec_serial -days 7670
The above command fails because -config openssl.conf is not a valid config file. On my RPi where I have this installed, it was resolved by specifying the full path of the openssl config file, /etc/ssl/openssl.cnf.
I'm not sure, however, if this solution is portable to other platforms. It was NOT resolved by changing openssl.conf to openssl.cnf in the short manner.
Secondary method is this: curl -k "https://certgen.lightningdark.com/gencert?mac=$mac" > /opt/hue-emulator/cert.pem
This method fails because there is no longer a certificate generation service at certgen.lightningdark.com. The domain MAY be parked. The generated 'certificate' is the response page for a 404 error.
Error log:
Error output for primary method is below. Secondary method only produces an incorrect file, not an error.
Can't open openssl.conf for reading, No such file or directory
1995925888:error:02001002:system library:fopen:No such file or directory:../crypto/bio/bss_file.c:69:fopen('openssl.conf','r')
1995925888:error:2006D080:BIO routines:BIO_new_file:no such file:../crypto/bio/bss_file.c:76:
ERROR!! Local certificate generation failed! Attempting remote server generation
Steps to reproduce
Because I was diagnosing specifically an issue with the certificate not generating, and in an upgraded installation, I manually pulled the certificate generation portion out of the full script and put it into a shortened script. This is my best guess on how the issue would be reproduced in a clean environment:
- download install.sh
- run install.sh
- specify network connection per the script
- Observe both certificate generation methods fail
(I'm not sure if the certificate not generating appropriately is fatal to the main script)
Operating system details: Linux 5.10.103-v7+ armv7l
DiyHue version (branch): master (latest)
I fixed my local certificate generation service, see #942
This is not that. If I'm following the automatic setup instructions in the Diyhue documentation, the downloaded script has this line for the fallback certificate generation method:
curl "https://certgen.lightningdark.com/gencert?mac=$mac" > /opt/hue-emulator/cert.pem
So it is not set up to use your certificate generation service. Further, per the original report, the primary cert generation method won't ever succeed (at least on my system).
will update this today
I'll test this soon, based on what I'm reading and seeing it might fix the primary method - the backup method is still set up to use a discontinued service. I can try making a PR for that, seems like that would be a simple change.
On second glance, I don't think #971 has any bearing on this one. This issue was not with python, it was specifically with the openssl certificate generation.
I was able to change the backup method to a working service. I don't know if changing -config openssl.conf to -config /etc/ssl/openssl.cnf is an acceptable and/or portable solution to that issue. If it is, I can make that PR too.
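One way to resolve the openssl config path without hard-coding /etc/ssl/openssl.cnf, and to refuse a download that is an HTML 404 page rather than a certificate, as an added example (not the diyhue install.sh and not any commenter's code). It asks openssl for its OPENSSLDIR and falls back to common distro paths; $serial and $dec_serial are the install script's variables and are assumed to be set by the caller.

```shell
# Added example (not diyhue's install.sh): locate openssl.cnf portably and
# sanity-check a downloaded cert so a 404 page is never installed as cert.pem.

# Ask openssl for its OPENSSLDIR, then try common distro locations.
# Prints the first readable openssl.cnf, or returns 1 if none is found.
find_openssl_cnf() {
    dir=$(openssl version -d 2>/dev/null | sed -n 's/^OPENSSLDIR: "\(.*\)"$/\1/p')
    for f in "${dir:+$dir/openssl.cnf}" /etc/ssl/openssl.cnf /usr/lib/ssl/openssl.cnf \
             /etc/pki/tls/openssl.cnf /usr/local/etc/openssl/openssl.cnf; do
        [ -n "$f" ] && [ -r "$f" ] && { printf '%s\n' "$f"; return 0; }
    done
    return 1
}

# Returns 0 only if the file holds a PEM certificate block and no HTML.
# The dead certgen fallback returned an HTML 404 body, which this rejects.
is_pem_cert() {
    file=$1
    [ -s "$file" ] || return 1
    grep -q -- '-----BEGIN CERTIFICATE-----' "$file" || return 1
    grep -q -- '-----END CERTIFICATE-----' "$file" || return 1
    grep -qi '<html' "$file" && return 1
    return 0
}

# Constructed sample of the fallback's output (an HTML 404 page, not a
# certificate). Returns 0 when is_pem_cert correctly rejects it.
demo_rejects_404_page() {
    f=$(mktemp)
    printf '<html><body><h1>404 Not Found</h1></body></html>\n' > "$f"
    ! is_pem_cert "$f"; rc=$?
    rm -f "$f"
    return $rc
}

# The EC P-256 request from install.sh with the config path resolved.
# faketime is used only when installed; $serial and $dec_serial are the
# install script's variables and are assumed to be set by the caller.
gen_cert() {
    cnf=$(find_openssl_cnf) || { echo "no openssl.cnf found" >&2; return 1; }
    set -- openssl req -new -config "$cnf" -nodes -x509 -newkey ec \
        -pkeyopt ec_paramgen_curve:P-256 -pkeyopt ec_param_enc:named_curve \
        -subj "/C=NL/O=Philips Hue/CN=$serial" -keyout private.key -out public.crt \
        -set_serial "$dec_serial" -days 7670
    if command -v faketime >/dev/null 2>&1; then
        faketime '2017-01-01 00:00:00' "$@"
    else
        "$@"
    fi && is_pem_cert public.crt
}
```

Running the same is_pem_cert check on the curl output of the fallback would have caught the 404 page before it was written into place as cert.pem.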