I've followed; http://www.fhemwiki.de/wiki/Raspberry_Pi_%26_HTTPS
And... It's not working, I get an 'illegal seek' in the log when I try to open the page.
I've found a few topics, but they are all in German. Can someone explain how to solve this? Thanks...
I expect that you left out something important. Could you please document _exactly_ what you've done (step by step), and append this document here? And can you please attach an excerpt from the fhem log?
I've followed this;
http://forum.fhem.de/index.php/topic,43339.msg358729.html#msg358729
Because I've bought a 'real' certificate...
I did the CSR, pasted the request at the control panel of my SSL provider.
I've got the certificate, put in the file next to server-key, changed the rights on the files...
Sorry, cannot help: I don't see a step-by-step description, nor a FHEM log excerpt. I need both.
Okay, problems started because I'm replacing my old Raspi with a model 2. So new installation, new wheezy etc. (I still have my working old one, I've only copied the config file)
I've tried to follow this; http://forum.fhem.de/index.php/topic,43339.msg353537.html#msg353537
This is what I do;
I go to \opt\fhem\certs folder and I do:
openssl genrsa -out server-key.pem 4096
openssl req -new -sha256 -key server-key.pem -out cert_request.csr
I fill in the details.
Then with the request I go to my SSL provider which is rapidssl/xolphin. (other than the manual). I request a new certificate, paste the CSR, I get an email on my domain, I reply: Yes I want. I get the certificate.
I put the certificate in a file called;
/opt/fhem/certs/server-cert.pem
I check the rights;
chown fhem:root /opt/fhem/certs/server-cert.pem
chmod 600 /opt/fhem/certs/server-cert.pem
chown fhem:root /opt/fhem/certs/server-key.pem
chmod 600 /opt/fhem/certs/server-key.pem
In my fhem.cfg I've specified;
define WEB FHEMWEB 8083 global
attr WEB HTTPS
attr WEB basicAuth [somecode]
attr WEB redirectCmds 0
attr WEB stylesheetPrefix dark
I've checked;
-to see if fhem.pl is running under the FHEM account; yes
-I've put every intermediate file in the certs folder
-Done this process over, to see if I missed a step
-I've checked the cert with;
openssl x509 -in server-cert.pem -text -noout
-Just to be sure I've also tried;
/opt/fhem/certs/chmod 666 *
/opt/fhem/certs/chown fhem:root *
-check the MD5 hash like;
openssl x509 -noout -modulus -in certificate.crt | openssl md5
openssl rsa -noout -modulus -in privateKey.key | openssl md5
openssl req -noout -modulus -in CSR.csr | openssl md5
-tried log level 5, no messages concerning the error...
-checked;
root@fhem:~# cpan -i IO::Socket::SSL
Going to read '/root/.cpan/Metadata'
Database was generated on Mon, 16 Nov 2015 10:53:36 GMT
IO::Socket::SSL is up to date (2.020).
-Tried with a self signed certificate, same problem.
-tried several browsers, double-checked firewalls/proxies/etc.
-tried apt-get update upgrade
My logfile;
2015.11.16 13:17:50 1: Including fhem.cfg
2015.11.16 13:17:50 3: telnetPort: port 7072 opened
2015.11.16 13:17:51 3: WEB: port 8083 opened
2015.11.16 13:17:51 3: WEB2: port 8888 opened
2015.11.16 13:17:51 3: Opening CUL_0 device /dev/ttyAMA0
2015.11.16 13:17:51 3: Setting CUL_0 serial parameters to 38400,8,N,1
2015.11.16 13:17:51 3: CUL_0 device opened
2015.11.16 13:17:55 3: CUL_0: Possible commands: mBCFiAZGMRTVWXefltux
2015.11.16 13:17:55 0: MSGMail: SSL is available, provided by Net::SMTP::SSL
2015.11.16 13:17:57 1: Including ./log/fhem.save
2015.11.16 13:17:58 3: hub.zolder: connected
2015.11.16 13:17:58 2: SecurityCheck: WEB2 has no basicAuth attribute. Restart FHEM for a new check if the problem is fixed, or set the global attribute motd to none to supress this message.
2015.11.16 13:17:58 0: Featurelevel: 5.7
2015.11.16 13:17:58 0: Server started with 104 defined entities (version $Id: fhem.pl 9893 2015-11-15 08:43:05Z rudolfkoenig $, os linux, user fhem, pid 2195)
2015.11.16 13:17:58 2: hub.zolder: disconnect
2015.11.16 13:17:58 3: hub.zolder: connected
2015.11.16 13:18:00 3: hub.zolder: new config
2015.11.16 13:18:18 3: telnetForBlockingFn: port 46918 opened
2015.11.16 13:18:18 3: JSONMETER YouLess: ParseJsonFile.515 Analyse JSON pathString for known readings
2015.11.16 13:18:18 3: JSONMETER YouLess: ParseJsonFile.550 Store results of JSON analysis for next device readings
2015.11.16 13:19:36 1: FHEMWEB SSL/HTTPS error: Illegal seek
2015.11.16 13:19:37 1: FHEMWEB SSL/HTTPS error: Illegal seek
2015.11.16 13:19:37 1: FHEMWEB SSL/HTTPS error: Illegal seek
2015.11.16 13:19:37 1: FHEMWEB SSL/HTTPS error: Illegal seek
2015.11.16 13:19:37 1: FHEMWEB SSL/HTTPS error: Illegal seek
2015.11.16 13:19:37 1: FHEMWEB SSL/HTTPS error: Illegal seek
2015.11.16 13:19:37 1: FHEMWEB SSL/HTTPS error: Illegal seek
2015.11.16 13:19:37 1: FHEMWEB SSL/HTTPS error: Illegal seek
2015.11.16 13:19:37 1: FHEMWEB SSL/HTTPS error: Illegal seek
2015.11.16 13:19:42 1: FHEMWEB SSL/HTTPS error: Illegal seek
2015.11.16 13:19:42 1: FHEMWEB SSL/HTTPS error: Illegal seek
2015.11.16 13:19:42 1: FHEMWEB SSL/HTTPS error: Illegal seek
2015.11.16 13:19:42 1: FHEMWEB SSL/HTTPS error: Illegal seek
2015.11.16 13:20:12 1: FHEMWEB SSL/HTTPS error: Illegal seek
2015.11.16 13:20:12 1: FHEMWEB SSL/HTTPS error: Illegal seek
2015.11.16 13:20:12 1: FHEMWEB SSL/HTTPS error: Illegal seek
2015.11.16 13:20:12 1: FHEMWEB SSL/HTTPS error: Illegal seek
2015.11.16 13:21:12 1: FHEMWEB SSL/HTTPS error: Illegal seek
2015.11.16 13:21:12 1: FHEMWEB SSL/HTTPS error: Illegal seek
2015.11.16 13:21:12 1: FHEMWEB SSL/HTTPS error: Illegal seek
2015.11.16 13:21:12 1: FHEMWEB SSL/HTTPS error: Illegal seek
2015.11.16 13:25:05 1: FHEMWEB SSL/HTTPS error: Illegal seek
2015.11.16 13:25:05 1: FHEMWEB SSL/HTTPS error: Illegal seek
2015.11.16 13:25:05 1: FHEMWEB SSL/HTTPS error: Illegal seek
2015.11.16 13:25:05 1: FHEMWEB SSL/HTTPS error: Illegal seek
2015.11.16 13:25:05 1: FHEMWEB SSL/HTTPS error: Illegal seek
2015.11.16 13:25:05 1: FHEMWEB SSL/HTTPS error: Illegal seek
2015.11.16 13:25:05 1: FHEMWEB SSL/HTTPS error: Illegal seek
2015.11.16 13:25:05 1: FHEMWEB SSL/HTTPS error: Illegal seek
2015.11.16 13:25:05 1: FHEMWEB SSL/HTTPS error: Illegal seek
2015.11.16 13:25:05 1: FHEMWEB SSL/HTTPS error: Illegal seek
2015.11.16 13:25:10 1: FHEMWEB SSL/HTTPS error: Illegal seek
2015.11.16 13:25:10 1: FHEMWEB SSL/HTTPS error: Illegal seek
2015.11.16 13:25:10 1: FHEMWEB SSL/HTTPS error: Illegal seek
2015.11.16 13:25:10 1: FHEMWEB SSL/HTTPS error: Illegal seek
2015.11.16 13:39:16 1: FHEMWEB SSL/HTTPS error: Illegal seek
2015.11.16 13:39:16 1: FHEMWEB SSL/HTTPS error: Illegal seek
2015.11.16 13:39:16 1: FHEMWEB SSL/HTTPS error: Illegal seek
-I've also copied an old version of 01_FHEMWEB.pm in place to see if it makes a difference...
-changed the port to something else...
commented the SSL_cipher_list in tcpserverutils.pm, no luck
I've also tried;
sudo rpi-update
No luck...
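The key/certificate consistency and file-permission checks listed in the post above, combined into one pre-flight script. This is an added example, not part of the original thread or of FHEM; the function names, the temporary directory and the CN `fhem.example` are constructed for illustration. It goes beyond the MD5-of-modulus comparison by hashing the whole public key with SHA-256, so it also works for non-RSA keys, and it flags a private key left readable after a `chmod 666` troubleshooting step.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight check for a FHEMWEB key/cert pair.

# SHA-256 of the public key inside a private key ("key") or a certificate ("cert").
pub_hash() {
    case "$1" in
        key)  pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
        cert) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
        *)    return 1 ;;
    esac || return 1
    [ -n "$pem" ] || return 1   # never hash empty output: two bad files would "match"
    printf '%s\n' "$pem" | openssl dgst -sha256 -r | cut -d' ' -f1
}

# True when the mode grants nothing to group or others (600, 400, ...).
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# check_pair KEY CERT -> 0 ok, 1 mismatch, 2 unparsable file, 3 key file too open
check_pair() {
    k=$(pub_hash key "$1")  || { echo "ERROR: cannot parse key $1"; return 2; }
    c=$(pub_hash cert "$2") || { echo "ERROR: cannot parse certificate $2"; return 2; }
    [ "$k" = "$c" ] || { echo "MISMATCH: $2 was not issued for $1"; return 1; }
    key_is_private "$1" || { echo "WARN: $1 is accessible to group/others (chmod 600)"; return 3; }
    echo "OK: key and certificate match; key file is private"
}

# Constructed sample data: a throwaway self-signed pair in DIR (CN is a placeholder).
make_demo_pair() {
    openssl req -new -x509 -nodes -newkey rsa:2048 -days 1 -subj "/CN=fhem.example" \
        -keyout "$1/server-key.pem" -out "$1/server-cert.pem" 2>/dev/null
    chmod 600 "$1/server-key.pem" "$1/server-cert.pem"
}

demo=$(mktemp -d)
make_demo_pair "$demo"
check_pair "$demo/server-key.pem" "$demo/server-cert.pem"
chmod 666 "$demo/server-key.pem"    # the troubleshooting step from the post
check_pair "$demo/server-key.pem" "$demo/server-cert.pem" || true
rm -rf "$demo"
```

On the system from the post, the equivalent call would be `check_pair /opt/fhem/certs/server-key.pem /opt/fhem/certs/server-cert.pem`, run as the fhem user.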
Quote from: Lectere on 16 November 2015, 13:47:17
-Tried with a self signed certificate, same problem.
I'm not an SSL or certificate expert... But from my point of view it might be worth trying a less strong certificate with 2048 bits.
Just an idea.
Thanks for your help Dev0, I've tried that.
I've (also) followed this guide; http://www.fhemwiki.de/wiki/Raspberry_Pi_%26_HTTPS
And this command;
sudo openssl req -new -x509 -nodes -out server-cert.pem -days 3650 -keyout server-key.pem
Generates a;
Generating a 2048 bit RSA private key
......................................................+++
......................+++
writing new private key to 'server-key.pem'
-----
Is this thread http://forum.fhem.de/index.php/topic,35248.0.html any help?
But the code from TcpServerUtils.pm has been changed a little bit. You can try to set global attribute sslVersion to SSLv23:!SSLv3:!SSLv2
Thanks dev0, that solved my problem!
I've added;
attr global sslVersion SSLv23:!SSLv3:!SSLv2
To my config file, and now https/SSL works.
This joke cost me 16 hours. >:( Might be nice to update the documentation (and this; http://www.fhemwiki.de/wiki/Raspberry_Pi_%26_HTTPS) , you can only find this in german parts of the forum.
Thanks for the help though dev0! :D
Quote: Might be nice to update the documentation
That is very ungracious!
fhem is not a paid for product and the forum is not paid for support.
I believe you can request editing rights to the wiki and alter it yourself for others following
Try searching the wiki for SSL or HTTPS.
If you are really having trouble using the forum search, use Google but enclose fhem in quotes, i.e. "fhem"
I don't think my remark shows ungratefulness, I only recommend to update the documentation because this might save others a lot of time...
As it stands now, there is no way to get a HTTPS server going with the regular documentation.
And I only said it might be in the interest of FHEM to get that documented properly.
And I'd be happy to update the documentation, but I'm afraid I cannot do this properly, because I have detailed information to get it properly documented.
Quote from: Lectere on 17 November 2015, 11:30:34
Might be nice to update the documentation (and this; http://www.fhemwiki.de/wiki/Raspberry_Pi_%26_HTTPS)
I do not think that documentation is the problem in this case. Lectere tried several browsers as he wrote... I assume a bug in TcpServerUtils.pm or the libraries behind it. Perhaps rudolfkoenig has an idea what was going wrong.
I believe these TLS/SSL2/SSL3 problems affect many mail apps following updates to servers as a result of security warnings. Unfortunately not all of the core files and apps, let alone third party documentation, have been updated