Web request to endpoint with self-signed SSL cert


#1

I have a piston that performs an HTTP GET against a web server that uses a self-signed SSL certificate. Hubitat records a 408 response when querying this endpoint using https, but the query works properly when using http. I suspect that the connection is aborted when the SSL certificate validation fails due to CN mismatch or no root CA for the self-signed cert.

Is there a way to get webCoRE/Hubitat to ignore SSL errors? I don’t really care about certificate chain validation here, but I do care about sending my API tokens in the clear. The device that’s being queried is an embedded device where it’s not easy/practical to maintain a commercial SSL cert.

This is running on a Hubitat C7 hub.


#2

Are you up to date with HE firmware and webCoRE?

Are you going to a local site (i.e. 10., or 192.168.) address, or a public site?

webCoRE is set to ignoreSSL issues for ‘local sites’ where one might have self-signed.


#3

I’m up to date as of last week on HE firmware, and I believe that makes me up to date on webCoRE too, since I’m using the built-in version.

This is indeed an external IP address. Is there a way to instruct webCoRE to ignore SSL for requests from a certain piston, or for all requests?


#4

I’m discussing with @ipaterson about a new piston option to allow you to set this per piston.


#5

Excellent, thank you.

FWIW, last night I confirmed that I was on the most recent public version of the HE firmware as well as webCoRE.

I also did some DNS hacking to ensure that the cert on the device I’m connecting to passes validation from the network that the HE hub is on, according to Google Chrome from that same network. Unfortunately, still getting a 408 when submitting a request from webCoRE. I guess the root CA is not trusted by webCoRE.


#6

Thanks to @E_Sch and @ipaterson for getting the per-piston SSL trust setting rolled out. I am now running webCoRE 0.3.114 April 3 release, and was able to enable this setting on my problem piston:

Unfortunately I am still seeing HTTP 408 errors whenever I use https:// instead of http:// in my API calls:

I am able to successfully make the same API calls from a browser (on the same LAN as the HE hub running webCoRE) or reqbin using https, so I believe the endpoint is working properly. The calls work fine through webCoRE with http instead of https. Is there any additional webCoRE logging I can use here to see what’s going on?


#7

Are there any more logs in the HE logs?

I would not try to parse anything from the response if you do not have a good status code, as it would likely not be filled in.

Also note 408 is saying timeout error (if proper code).


#8

Good call. This is in the HE logs:

I assume protocol version refers to the TLS version. Here’s what my API endpoint apparently supports:

Does the hub not support TLS 1.3?
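
Not part of the thread: an added Python example, meant to be run from a machine on the same network as the hub, that covers the case in post #1 without trusting every certificate. It skips CA validation but pins the device's self-signed certificate by SHA-256 fingerprint, and reports the negotiated TLS version asked about in post #8. The function names and command-line arguments are assumptions of this example, not webCoRE or Hubitat code.

```python
import hashlib
import hmac
import socket
import ssl


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert: bytes, pinned_hex: str) -> bool:
    """Constant-time comparison against a pin; tolerates 'AA:BB' formatting."""
    normalized = pinned_hex.replace(":", "").replace(" ", "").lower()
    return hmac.compare_digest(cert_fingerprint(der_cert), normalized)


def probe(host: str, port: int, pinned_hex: str, timeout: float = 5.0) -> dict:
    """Handshake without CA validation, then enforce the pin.

    Returns the negotiated TLS version and the fingerprint seen. Raises
    ssl.SSLError on a pin mismatch so the caller never sends a token.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE  # trust comes from the pin, not a CA
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            if not pin_matches(der, pinned_hex):
                raise ssl.SSLError("certificate pin mismatch: " + cert_fingerprint(der))
            return {"tls_version": tls.version(), "sha256": cert_fingerprint(der)}


if __name__ == "__main__":
    import sys

    # Usage (arguments are this example's own): script.py HOST PORT SHA256_PIN
    print(probe(sys.argv[1], int(sys.argv[2]), sys.argv[3]))
```

A handshake failure raised before the pin check points at a protocol or cipher mismatch rather than at certificate trust.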