SSL certs, how can I use mine.
I have been trying for a while to use my own ssl certs, I have a wildcard I use on this domain, for various things, from LetsEncrypt. I have tried replacing the certificates in .signalk and then the server refuses to restart. They are pem certificates, and I rename them to the proper names, what could I be doing wrong? I use these on several devices without problems...
Thanks!
25 Replies
check the error log
make sure the permissions on the cert files are so that only the user running SK can read them
In my ~/.signalk/signalk-server script, I run the following shell script:
Where would I look at the logs, I know, silly question, I normally just look in the UI on the web... I have tried this with my certificates, and just made new ones with certbot, and the server simply does not listen on 80 or 443 when I reboot. It does for some reason show listening on IPv6, but where I am right now does not have IPv6 (the server is elsewhere).
And am I missing where to look for documentation on this, I can find nothing that really covers it at all.
One of the reasons for that is this stuff can run on so many different systems…
Check in /var/log/syslog
-rw------- 1 pi pi 2122 Aug 1 14:12 ssl-cert.pem
-rw------- 1 pi pi 738 Jul 7 11:56 ssl-cert.pem.bak
-rw------- 1 pi pi 3596 Aug 1 10:01 ssl-cert.pem.bak2
-rw------- 1 pi pi 3272 Aug 1 14:12 ssl-key.pem
-rw------- 1 pi pi 902 Jul 7 11:56 ssl-key.pem.bak
-rw------- 1 pi pi 902 Aug 1 10:07 ssl-key.pem.bak2
For example, the permissions are as seen here, my key backups are there as well, this seems right, I think, I will look at the logs
Yeah, that looks good
The reason I asked about the logs is that openplotter does not have a syslog, here are my options there...
-rw------- 1 root root 10057 Aug 1 14:16 boot.log
-rw-rw---- 1 root utmp 0 Aug 1 14:16 btmp
drwxr-x--- 2 root lp 4096 Aug 1 14:16 cups
-rw-rw-r-- 1 root utmp 296296 Aug 1 14:16 lastlog
drwx--x--x 2 root root 4096 Aug 1 14:16 lightdm
drwx------ 2 root root 4096 Aug 1 14:16 private
lrwxrwxrwx 1 root root 39 Aug 1 14:16 README -> ../../usr/share/doc/systemd/README.logs
-rw-r--r-- 1 root root 8926 Aug 1 14:16 vncserver-x11.log
-rw-rw-r-- 1 root utmp 2800 Aug 1 14:16 wtmp
-rw-r--r-- 1 root root 14478 Aug 1 14:16 Xorg.0.log
Thus the problem…
I have no idea where the logs would be on openplotter
Ok, fair enough
Good question for the openplotter forum
It uses journalctl, and I will look into how to grep some info out of that
Thanks
I do appreciate the quick responses!
you’re welcome!
I did get this, which is SignalK,
Aug 01 14:17:06 openplotter signalk-server[564]: Error: error:05800074:x509 certificate routines::key values mismatch
Aug 01 14:17:06 openplotter signalk-server[564]: library: 'x509 certificate routines',
And I do understand that it says key values mismatch, but I am familiar enough with certificates that I think the files match
Location of sk logs for different systems would be a great FAQ entry!
Any thoughts? Could it be mismatching with something other than my two files (I am not using a chain, as it was not there by default)
I do have a chain, but frankly don’t recall all the details…
Also, how would someone contribute to the documentation?
OK, no problem, I do have one. I will ask over there, see if I get traction
My problem is I am not familiar with the webserver you use, and have not really wrapped my head around whether it is YOUR implementation or an openplotter implementation, but I will do some digging, and figure it out. Thanks again!
I bet an AI could help…
Just as a side note, I just decided to go to Openplotter discord, the link is broken, which was faintly familiar, so I went to their forums, and did a search for ssl certificates, and immediately found the exact question, I clicked it, and it was FROM ME, more than a year ago, still unanswered... lol
So you can see, I have been doing this search for a while!
You at least answered fast, and have pointed me at things I can do. I appreciate it!
I have mixed luck with AI, so far it has given generic SSL instructions that are for typical web servers. I shall try again!
Now that you know the error, I would start there
That is what I am trying, it is a pretty generic error. It kind of tells me my certificates are wrong. I tried adding my chain, and then my full chain, to follow your setup, made no difference, is there a way to increase the SK logging? A debug mode? My knowledge of node.js is not great.
Off the top of my head, I know what logging would help here.
I can check on that when I have some time…
you could set up nginx reverse proxy, cert management there should be really straightforward and there’s plenty of documentation
i think very few people use the server’s built in ssl, other than self generated certs. this is just a hunch though
I am in the process, but killed my SignalK.... of course, so I am working on that. I tried SSL since it exists, and really is the best option.
Sorry I could not have been more help. Especially since I have it working... But I did that maybe 5 years ago...
You have been very helpful!
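
Added example, not part of the original thread and not Signal K's own code: OpenSSL typically raises the `key values mismatch` error quoted above when the first certificate in the certificate file does not carry the public key that belongs to the private key file, so this script compares the two directly. It assumes the `openssl` command-line tool is installed and that the key is not passphrase-protected; the function names are made up for this example, and the paths in the usage comment are taken from the file names mentioned in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): check that a PEM certificate and a
# PEM private key belong together. Function names are hypothetical.

# Number of certificates in a PEM file. Only the FIRST one is compared with
# the key, so in a combined (full chain) file the leaf must come first.
cert_count() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

# Exit 0 if the public key in the first certificate of $1 equals the public
# key derived from private key $2, 1 on mismatch, 2 if a file is unreadable.
cert_key_match() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Human-readable report for one certificate/key pair.
check_pair() {
    rc=0
    cert_key_match "$1" "$2" || rc=$?
    case "$rc" in
        0) echo "OK: $2 matches the first certificate in $1" ;;
        1) echo "MISMATCH: $2 does not match the first certificate in $1"
           echo "  certificates in $1: $(cert_count "$1")"
           echo "  first subject: $(openssl x509 -in "$1" -noout -subject)" ;;
        *) echo "ERROR: could not parse $1 or $2 as PEM" ;;
    esac
    return "$rc"
}

# Usage (paths assumed from the thread):
#   sh check-pair.sh ~/.signalk/ssl-cert.pem ~/.signalk/ssl-key.pem
if [ "$#" -eq 2 ]; then
    check_pair "$1" "$2"
fi
```

A mismatch on a file holding more than one certificate usually means an intermediate comes before the leaf, or that the file is certbot's `chain.pem` (intermediates only) rather than `cert.pem` or `fullchain.pem`.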