illegal seek (https)

Started by Lectere, 14 November 2015, 09:25:50

Lectere

I've followed; http://www.fhemwiki.de/wiki/Raspberry_Pi_%26_HTTPS

And... It's not working, I get an 'illegal seek' in the log when I try to open the page.

I've found a few topics, but they are all in German. Can someone explain how to solve this? Thanks...
SMSPassword redundant two-factor authentication for Netscaler, Vmware View, Cisco, Juniper, etc via SMS

http://www.smspassword.com

rudolfkoenig

I expect that you left out something important. Could you please document _exactly_ what you've done (step by step), and append this document here? And can you please attach an excerpt from the fhem log?

Lectere

I've followed this;

http://forum.fhem.de/index.php/topic,43339.msg358729.html#msg358729

Because I've bought a 'real' certificate...

I did the CSR, pasted the request at the control panel of my SSL provider.

I've got the certificate, put in the file next to server-key, changed the rights on the files...
rudolfkoenig

Sorry, cannot help: I don't see a step-by-step description, nor a FHEM log excerpt. I need both.

Lectere

Okay, problems started because I'm replacing my old Raspi with a model 2. So new installation, new wheezy etc. (I still have my working old one, I've only copied the config file.)

I've tried to follow this; http://forum.fhem.de/index.php/topic,43339.msg353537.html#msg353537

This is what I do;

I go to the /opt/fhem/certs folder and I do:

openssl genrsa -out server-key.pem 4096
openssl req -new -sha256 -key server-key.pem -out cert_request.csr


I fill in the details.

Then with the request I go to my SSL provider, which is rapidssl/xolphin (other than the manual). I request a new certificate, paste the CSR, I get an email on my domain, I reply: Yes I want. I get the certificate.

I put the certificate in a file called;

/opt/fhem/certs/server-cert.pem

I check the rights;

chown fhem:root /opt/fhem/certs/server-cert.pem
chmod 600 /opt/fhem/certs/server-cert.pem

chown fhem:root /opt/fhem/certs/server-key.pem
chmod 600 /opt/fhem/certs/server-key.pem


In my fhem.cfg I've specified;

define WEB FHEMWEB 8083 global
attr WEB HTTPS
attr WEB basicAuth [somecode]
attr WEB redirectCmds 0
attr WEB stylesheetPrefix dark


I've checked;
-to see if fhem.pl is running under the FHEM account; yes
-I've put every intermediate file in the certs folder
-Done this process over, to see if I missed a step
-I've checked the cert with;
openssl x509 -in server-cert.pem -text -noout

-Just to be sure I've also tried;
/opt/fhem/certs/chmod 666 *
/opt/fhem/certs/chown fhem:root *

-checked the MD5 hash like;
openssl x509 -noout -modulus -in certificate.crt | openssl md5
openssl rsa -noout -modulus -in privateKey.key | openssl md5
openssl req -noout -modulus -in CSR.csr | openssl md5

-tried log level 5, no messages concerning the error...
-checked;
root@fhem:~# cpan -i IO::Socket::SSL
Going to read '/root/.cpan/Metadata'
  Database was generated on Mon, 16 Nov 2015 10:53:36 GMT
IO::Socket::SSL is up to date (2.020).

-Tried with a self signed certificate, same problem.
-tried several browsers, double checked firewalls/proxies/etc.
-tried apt-get update upgrade

My logfile;

2015.11.16 13:17:50 1: Including fhem.cfg
2015.11.16 13:17:50 3: telnetPort: port 7072 opened
2015.11.16 13:17:51 3: WEB: port 8083 opened
2015.11.16 13:17:51 3: WEB2: port 8888 opened
2015.11.16 13:17:51 3: Opening CUL_0 device /dev/ttyAMA0
2015.11.16 13:17:51 3: Setting CUL_0 serial parameters to 38400,8,N,1
2015.11.16 13:17:51 3: CUL_0 device opened
2015.11.16 13:17:55 3: CUL_0: Possible commands: mBCFiAZGMRTVWXefltux
2015.11.16 13:17:55 0: MSGMail: SSL is available, provided by Net::SMTP::SSL
2015.11.16 13:17:57 1: Including ./log/fhem.save
2015.11.16 13:17:58 3: hub.zolder: connected
2015.11.16 13:17:58 2: SecurityCheck:  WEB2 has no basicAuth attribute.  Restart FHEM for a new check if the problem is fixed, or set the global attribute motd to none to supress this message.
2015.11.16 13:17:58 0: Featurelevel: 5.7
2015.11.16 13:17:58 0: Server started with 104 defined entities (version $Id: fhem.pl 9893 2015-11-15 08:43:05Z rudolfkoenig $, os linux, user fhem, pid 2195)
2015.11.16 13:17:58 2: hub.zolder: disconnect
2015.11.16 13:17:58 3: hub.zolder: connected
2015.11.16 13:18:00 3: hub.zolder: new config
2015.11.16 13:18:18 3: telnetForBlockingFn: port 46918 opened
2015.11.16 13:18:18 3: JSONMETER YouLess: ParseJsonFile.515 Analyse JSON pathString for known readings
2015.11.16 13:18:18 3: JSONMETER YouLess: ParseJsonFile.550 Store results of JSON analysis for next device readings
2015.11.16 13:19:36 1: FHEMWEB SSL/HTTPS error: Illegal seek
2015.11.16 13:19:37 1: FHEMWEB SSL/HTTPS error: Illegal seek
2015.11.16 13:19:37 1: FHEMWEB SSL/HTTPS error: Illegal seek
2015.11.16 13:19:37 1: FHEMWEB SSL/HTTPS error: Illegal seek
2015.11.16 13:19:37 1: FHEMWEB SSL/HTTPS error: Illegal seek
2015.11.16 13:19:37 1: FHEMWEB SSL/HTTPS error: Illegal seek
2015.11.16 13:19:37 1: FHEMWEB SSL/HTTPS error: Illegal seek
2015.11.16 13:19:37 1: FHEMWEB SSL/HTTPS error: Illegal seek
2015.11.16 13:19:37 1: FHEMWEB SSL/HTTPS error: Illegal seek
2015.11.16 13:19:42 1: FHEMWEB SSL/HTTPS error: Illegal seek
2015.11.16 13:19:42 1: FHEMWEB SSL/HTTPS error: Illegal seek
2015.11.16 13:19:42 1: FHEMWEB SSL/HTTPS error: Illegal seek
2015.11.16 13:19:42 1: FHEMWEB SSL/HTTPS error: Illegal seek
2015.11.16 13:20:12 1: FHEMWEB SSL/HTTPS error: Illegal seek
2015.11.16 13:20:12 1: FHEMWEB SSL/HTTPS error: Illegal seek
2015.11.16 13:20:12 1: FHEMWEB SSL/HTTPS error: Illegal seek
2015.11.16 13:20:12 1: FHEMWEB SSL/HTTPS error: Illegal seek
2015.11.16 13:21:12 1: FHEMWEB SSL/HTTPS error: Illegal seek
2015.11.16 13:21:12 1: FHEMWEB SSL/HTTPS error: Illegal seek
2015.11.16 13:21:12 1: FHEMWEB SSL/HTTPS error: Illegal seek
2015.11.16 13:21:12 1: FHEMWEB SSL/HTTPS error: Illegal seek
2015.11.16 13:25:05 1: FHEMWEB SSL/HTTPS error: Illegal seek
2015.11.16 13:25:05 1: FHEMWEB SSL/HTTPS error: Illegal seek
2015.11.16 13:25:05 1: FHEMWEB SSL/HTTPS error: Illegal seek
2015.11.16 13:25:05 1: FHEMWEB SSL/HTTPS error: Illegal seek
2015.11.16 13:25:05 1: FHEMWEB SSL/HTTPS error: Illegal seek
2015.11.16 13:25:05 1: FHEMWEB SSL/HTTPS error: Illegal seek
2015.11.16 13:25:05 1: FHEMWEB SSL/HTTPS error: Illegal seek
2015.11.16 13:25:05 1: FHEMWEB SSL/HTTPS error: Illegal seek
2015.11.16 13:25:05 1: FHEMWEB SSL/HTTPS error: Illegal seek
2015.11.16 13:25:05 1: FHEMWEB SSL/HTTPS error: Illegal seek
2015.11.16 13:25:10 1: FHEMWEB SSL/HTTPS error: Illegal seek
2015.11.16 13:25:10 1: FHEMWEB SSL/HTTPS error: Illegal seek
2015.11.16 13:25:10 1: FHEMWEB SSL/HTTPS error: Illegal seek
2015.11.16 13:25:10 1: FHEMWEB SSL/HTTPS error: Illegal seek
2015.11.16 13:39:16 1: FHEMWEB SSL/HTTPS error: Illegal seek
2015.11.16 13:39:16 1: FHEMWEB SSL/HTTPS error: Illegal seek
2015.11.16 13:39:16 1: FHEMWEB SSL/HTTPS error: Illegal seek
Lectere

-I've also copied an old version of 01_FHEMWEB.pm in place to see if it makes a difference...
-changed the port to something else...
Lectere

commented the SSL_cipher_list in tcpserverutils.pm, no luck
Lectere

I've also tried;

sudo rpi-update

No luck...
dev0

Quote from: Lectere on 16 November 2015, 13:47:17
-Tried with a self signed certificate, same problem.
I'm not an SSL or certificate expert... But from my point of view it might be worth trying a less strong certificate with 2048 bits.
Just an idea.

Lectere

Thanks for your help Dev0, I've tried that.

I've (also) followed this guide; http://www.fhemwiki.de/wiki/Raspberry_Pi_%26_HTTPS

And this command;

sudo openssl req -new -x509 -nodes -out server-cert.pem -days 3650 -keyout server-key.pem

Generates a;

Generating a 2048 bit RSA private key
......................................................+++
......................+++
writing new private key to 'server-key.pem'
-----
fruit

Feel free to follow up in German if you prefer

dev0

But the code from TcpServerUtils.pm has been changed a little bit. You can try to set global attribute sslVersion to SSLv23:!SSLv3:!SSLv2

Lectere

Thanks dev0, that solved my problem!

I've added;

attr global sslVersion SSLv23:!SSLv3:!SSLv2

To my config file, and now https/SSL works.

This joke cost me 16 hours.  >:( Might be nice to update the documentation (and this; http://www.fhemwiki.de/wiki/Raspberry_Pi_%26_HTTPS), you can only find this in German parts of the forum.

Thanks for the help though dev0!  :D

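What the sslVersion string from the fix above enables, as an added example (not FHEM or IO::Socket::SSL code): a simplified Python model of the `SSLv23:!SSLv3:!SSLv2` syntax, plus a check of fhem.cfg text for entries that still allow SSLv2 or SSLv3. The token grammar, the per-device `attr WEB2 sslVersion` line and all function names are assumptions made for illustration.

```python
import re

# Simplified model: SSLv23 is a wildcard for "everything supported", "!" removes a version.
# A string made only of negations yields an empty set in this model.
PROTOCOLS = ["SSLv2", "SSLv3", "TLSv1", "TLSv1_1", "TLSv1_2", "TLSv1_3"]
WEAK = {"SSLv2", "SSLv3"}
TOKEN = re.compile(r"^(!?)(SSLv2/3|SSLv23|SSLv2|SSLv3|TLSv1(?:_?[123])?)$", re.I)

def canonical(name):
    """Normalise spellings such as tlsv12 / TLSv1_2 to one form."""
    n = name.lower()
    if n in ("sslv23", "sslv2/3"):
        return "SSLv23"
    if n.startswith("ssl"):
        return "SSLv" + n[-1]
    minor = n[5:].lstrip("_")  # text after "tlsv1"
    return "TLSv1" + ("_" + minor if minor else "")

def enabled_protocols(spec):
    """Return the set of protocol versions a colon-separated version string allows."""
    allowed, denied = set(), set()
    for token in re.split(r"\s*:\s*", spec.strip()):
        m = TOKEN.match(token)
        if not m:
            raise ValueError(f"unrecognised sslVersion token: {token!r}")
        name = canonical(m.group(2))
        if m.group(1):
            denied.add(name)
        elif name == "SSLv23":
            allowed.update(PROTOCOLS)
        else:
            allowed.add(name)
    return allowed - denied

def audit(cfg_text):
    """Map each device with an sslVersion attribute to the weak protocols it still allows."""
    findings = {}
    for line in cfg_text.splitlines():
        m = re.match(r"\s*attr\s+(\S+)\s+sslVersion\s+(\S.*)$", line)
        if m:
            findings[m.group(1)] = sorted(enabled_protocols(m.group(2)) & WEAK)
    return findings

# Constructed sample config: the first line is the setting from this thread,
# the second is a hypothetical per-device entry without the exclusions.
SAMPLE_CFG = """\
attr global sslVersion SSLv23:!SSLv3:!SSLv2
attr WEB2 sslVersion SSLv23
"""
```

An empty list from `audit` for a device means its string excludes both SSLv2 and SSLv3; any name in the list is a protocol that should be negated.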

fruit

Quote: Might be nice to update the documentation
That is very ungracious!
fhem is not a paid for product and the forum is not paid for support.

I believe you can request editing rights to the wiki and alter it yourself for others following

Try searching the wiki for SSL or HTTPS.
If you are really having trouble using the forum search use google but enclose fhem in quotes ie. "fhem"
Feel free to follow up in German if you prefer

Lectere

I don't think my remark shows ungratefulness, I only recommend updating the documentation because this might save others a lot of time...

As it stands now, there is no way to get a HTTPS server going with the regular documentation.

And I only said it might be in the interest of FHEM to get that documented properly.

And I'd be happy to update the documentation, but I'm afraid I cannot do this properly, because I have detailed information to get it properly documented.