ISYhbsh01 Posted August 7, 2013 Hi, I would appreciate any help here. I am currently on a ISY-99. While I am planning to upgrade to a 994 sometime in the near future I am currently still working with my 99. My knowledge about SSL certificates is close to nothing. From so much trial & error and research, I did manage to learn a thing or two about them but I still consider myself to be completely ignorant about this subject. So don’t assume that because you might see me write below a SSL term or two that I am anything short of knowing really nothing about it. My end goal is to be able to send HTTPS REST commands using Tasker on my Android. Yes Tasker currently integrates with Mobilinc but there are still some situations where I would rather prefer REST commands. Currently this cannot be done & you would get an error message that the SSL certificate is not trusted. So I would like to get a SSL certificate which should be trusted on my Android. I did try countless times in many different ways to export the self signed certificate using the browser on my computer & then import it onto my Android. But even though that the phone showed that the process was completed successfully, the certificate never showed up in the list of trusted certificates & I was still getting the untrusted certificate error message in the Android browser & in Tasker. BTW, the same is true on my computer as well. Even though I followed the instructions to so-called install the self-signed certificate onto my computer, I would still get the untrusted certificate message. But on my computer I didn’t care, it’s on my Android that I want it to work so that Tasker REST commands would work. So I guess obviously the only option would be to buy a certificate from a CA authority. I saw an ad that GoDaddy has certificates for $5.99 so I decided to go ahead with it. 
I won’t go into all the research I did until I figured out what the best & cheapest route to go is in terms of a domain name & dynamic DNS service so I can get a certificate, since I learned that you cannot get a certificate with a dyndns.org etc. domain name. If someone would like me to elaborate further on the exact steps I took about this please let me know & I will try to write it up later. So anyway I bought a SSL certificate from Godaddy, I selected Starfield as the certification authority, and SHA-1 as the algorithm (whatever those things mean). I then downloaded the certificate using server type “other” which consisted of a zip file that contained two files: mydomainname.crt & sf_bundle.crt. I didn’t know which one is the one I am supposed to use or maybe both. Since I am writing this from my office computer I don’t remember exactly off hand the options presented in the ISY. But I tried to use the “import certificate” option which didn’t work. Then there is the option which brings up another window where it seems that something needs to be pasted there but I had no clue what. After several minutes of not knowing what to do next, I still don’t know what made me think that instead of just double clicking on the certificate file which opened up a nice window with various info about the certificate but nothing to copy & paste, I tried to right click on the mydomainname.crt file and selected “open with notepad” option. That’s when I saw the text which begins with the words ---begin certificate--- which I have seen mentioned somewhere on the forum. So I copied & pasted that into the ISY-99 dialog box and voilà! It worked. 
So a side note: It should be made clear in the wiki as well as in the new Network security configuration guide PDF this simple step, that the certificate file needs to be opened in notepad & its text copied & pasted into the ISY dialog box, something that I have not seen mentioned anywhere, perhaps because it’s obvious to a SSL certificate expert which a lot of people are not. Back to my story, I tried the various browsers on my computer & sure enough I did not get the untrusted certificate errors anymore. Then I tried it on my android which was the whole point of it, but unfortunately, I am still getting the untrusted certificate error on the android browser as well as in Tasker. According to Godaddy’s website, their certificates are trusted by all android devices. What I did next was that I opened up the sf_bundle.crt file in notepad & copied its contents & pasted it into the ISY dialog box after the previous text. But now I cannot log in using https at all from anywhere, so obviously this was not the right thing to do. This is where I am up to now. So here are my questions: Has anyone managed to install & get an android to trust the ISY self-signed certificate? Which file was I supposed to copy & paste into the ISY, the mydomainname.crt or the sf_bundle.crt? If the mydomainname.crt which seemed to work with my windows browsers, why didn’t it work with my android? When upgrading to the ISY-994 what will I have to do to use the godaddy certificate. Will I need to get a new one from Godaddy or will I be able to use the same certificate? In my research I bumped into the fact that there are free CA authorities out there but which would also not be trusted by default. Has anyone had better success on an android with a free CA vs. a self-signed certificate? Any other help & suggestions? Thank you very much.
Michel Kohanim Posted August 7, 2013 Hi hbsh01, So I would like to get a SSL certificate which should be trusted on my Android. For this you need a Certificate that is signed by a CA (Certificate Authority) such as Verisign, CheapSSL, DigiCert, etc. Nothing else would work. I did try countless times in many different ways to export the self signed certificate using the browser on my computer & then import it onto my Android. But even though that the phone showed that the process was completed successfully, the certificate never showed up in the list of trusted certificates & I was still getting the untrusted certificate error message in the Android browser & in Tasker. Well, the certificate is NOT trusted because it's signed by YOU and not a CA ... see above please. BTW, the same is true on my computer as well. Even though I followed the instructions to so-called install the self-signed certificate onto my computer, I would still get the untrusted certificate message. But on my computer I didn’t care, it’s on my Android that I want it to work so that Tasker REST commands would work. It should work in IE if you follow http://wiki.universal-devices.com/index ... te_Install So I guess obviously the only option would be to buy a certificate from a CA authority. I saw an ad that GoDaddy has certificates for $5.99 so I decided to go ahead with it. I won’t go into all the research I did until I figured out what the best & cheapest route to go is in terms of a domain name & dynamic DNS service so I can get a certificate, since I learned that you cannot get a certificate with a dyndns.org etc. domain name. If someone would like me to elaborate further on the exact steps I took about this please let me know & I will try to write it up later. We use Network Solutions for all our domain activities. Once in a while they have good deals on domain names. But, there are a lot of other domain name resellers (including GoDaddy). 
Once you have that, then you can use dyndns. So anyway I bought a SSL certificate from Godaddy, I selected Starfield as the certification authority, and SHA-1 as the algorithm (whatever those things mean). I then downloaded the certificate using server type “other” which consisted of a zip file that contained two files: mydomainname.crt & sf_bundle.crt. I didn’t know which one is the one I am supposed to use or maybe both. Since I am writing this from my office computer I don’t remember exactly off hand the options presented in the ISY. But I tried to use the “import certificate” option which didn’t work. Then there is the option which brings up another window where it seems that something needs to be pasted there but I had no clue what. After several minutes of not knowing what to do next, I still don’t know what made me think that instead of just double clicking on the certificate file which opened up a nice window with various info about the certificate but nothing to copy & paste, I tried to right click on the mydomainname.crt file and selected “open with notepad” option. That’s when I saw the text which begins with the words ---begin certificate--- which I have seen mentioned somewhere on the forum. So I copied & pasted that into the ISY-99 dialog box and voilà! It worked. YOU ARE LUCKY! Unfortunately, GoDaddy recently moved most of their certificate signatures to SHA-2 which neither 99 nor current 994 firmware support. Our next firmware release for 994 will support SHA-2 as signature algorithm for certificates but I do not yet have a release date. Back to my story, I tried the various browsers on my computer & sure enough I did not get the untrusted certificate errors anymore. Then I tried it on my android which was the whole point of it, but unfortunately, I am still getting the untrusted certificate error on the android browser as well as in Tasker. According to Godaddy’s website, their certificates are trusted by all android devices. This I cannot explain! 
What I did next was that I opened up the sf_bundle.crt file in notepad & copied its contents & pasted it into the ISY dialog box after the previous text. But now I cannot log in using https at all from anywhere, so obviously this was not the right thing to do. Which dialog box? Receive Certificate? If so, you can try and redo the original step that made it work. Which file was I supposed to copy & paste into the ISY, the mydomainname.crt or the sf_bundle.crt? mydomainname.crt If the mydomainname.crt which seemed to work with my windows browsers, why didn’t it work with my android? Try rebooting your android When upgrading to the ISY-994 what will I have to do to use the godaddy certificate. Will I need to get a new one from Godaddy or will I be able to use the same certificate? You might have to but it's free. I've used it many times With kind regards, Michel
ISYhbsh01 (Author) Posted August 7, 2013 Update: After several hours of working with my ISY & having to reboot the ISY several times for not being able to access the ISY, the last thing I did was that I generated again a self-signed certificate. It seems that I am now safely back to square one & everything is working again the way it worked before I started this whole thing. So the questions remaining are: Would a godaddy certificate be trusted on android? According to them it should. If yes what are the exact steps to install it. Perhaps should I first upgrade to the 994? Will I have a better chance to get it to work? Will I need to buy a new certificate from godaddy for the 994? Thank you. Sent from my SPH-D710 using Tapatalk 2
ISYhbsh01 (Author) Posted August 7, 2013 Hi Michel, I see that you replied to my earlier post just as I was writing my 2nd post. I will follow your instruction & report back. Thanks. Sent from my SPH-D710 using Tapatalk 2
MWareman Posted August 7, 2013 What version of Android? It matters, because all versions before 4.2 (I think) did not share the root cert store between processes - each client had to implement its own list - and there was no way to import your own root certs and have them be trusted. 4.2 and later provides the ability to import user supplied root certificates into the root store - and this is now used by (some) applications - mainly the browser, email and vpn clients. If your device is older than that, you cannot import new root certs into the OS without rooting your phone. Unfortunately, Tasker does not seem to be one of the applications that uses the new root store anyway, so it cannot seem to use any new roots you import.
ISYhbsh01 (Author) Posted August 7, 2013 What version of Android? It matters, because all versions before 4.2 (I think) did not share the root cert store between processes - each client had to implement its own list - and there was no way to import your own root certs and have them be trusted. 4.2 and later provides the ability to import user supplied root certificates into the root store - and this is now used by (some) applications - mainly the browser, email and vpn clients. If your device is older than that, you cannot import new root certs into the OS without rooting your phone. Unfortunately, Tasker does not seem to be one of the applications that uses the new root store anyway, so it cannot seem to use any new roots you import. Thanks MWareman, My Android version is 4.1.2 and this would probably be the last version available for my Samsung Galaxy SII. So this explains then why installing the self-signed certificate didn't work. The question remaining is why Godaddy's certificate comes up as untrusted in Android. Thank you
ISYhbsh01 (Author) Posted August 7, 2013 Hi Michel, So I would like to get a SSL certificate which should be trusted on my Android. For this you need a Certificate that is signed by a CA (Certificate Authority) such as Verisign, CheapSSL, DigiCert, etc. Nothing else would work. I did try countless times in many different ways to export the self signed certificate using the browser on my computer & then import it onto my Android. But even though that the phone showed that the process was completed successfully, the certificate never showed up in the list of trusted certificates & I was still getting the untrusted certificate error message in the Android browser & in Tasker. Well, the certificate is NOT trusted because it's signed by YOU and not a CA ... see above please. BTW, the same is true on my computer as well. Even though I followed the instructions to so-called install the self-signed certificate onto my computer, I would still get the untrusted certificate message. But on my computer I didn’t care, it’s on my Android that I want it to work so that Tasker REST commands would work. It should work in IE if you follow http://wiki.universal-devices.com/index ... te_Install What I tried to do on Android was the same thing that's supposed to work in IE if I understand this correctly. I am supposed to be able to get IE to trust my self-signed certificate by installing it to the Trusted Root Certification Authorities store (even though I wasn't actually successful myself in doing it but it should work according to the wiki that you linked to). Android also has an option to install certificates. So I thought that I should be able to get Android to trust my self-signed certificate by installing it. MWareman though wrote here that for some reason it would not work in Android versions below 4.2 even though the option to install a certificate is there in older versions. YOU ARE LUCKY! 
Unfortunately, GoDaddy recently moved most of their certificate signatures to SHA-2 which neither 99 nor current 994 firmware support. Our next firmware release for 994 will support SHA-2 as signature algorithm for certificates but I do not yet have a release date. Godaddy gave me a choice between SHA-1 & SHA-2. The Network Security Configuration Guide for the ISY-994 though does mention "TLS_RSA_WITH_AES_128_SHA2", I don't know if it has anything to do with this. Back to my story, I tried the various browsers on my computer & sure enough I did not get the untrusted certificate errors anymore. Then I tried it on my android which was the whole point of it, but unfortunately, I am still getting the untrusted certificate error on the android browser as well as in Tasker. According to Godaddy’s website, their certificates are trusted by all android devices. This I cannot explain! This is obviously my main issue that I am trying to resolve. While doing some additional research I came across something being mentioned on Godaddy's website about an Intermediate Certificate that might also need to be installed & "chained". Could the problem be something related to this? Then I found another thread http://forum.universal-devices.com/viewtopic.php?f=27&t=8976&hilit=godaddy where someone also had an issue with a Godaddy certificate & Android. You mentioned there something to the extent that the ISY-994 does not support this. But I found in the PDF guide on page 7 mentioned there "Please note that if you would like to support a certificate that goes through a chain to reach the root signing certificate, then you must import all the certificates in the chain and all the way up to the root." Since I don't really understand what all of this means, can you explain if any of this could help my issue & perhaps I would be able to get this to work on Android at least when I upgrade to the ISY-994? 
Which file was I supposed to copy & paste into the ISY, the mydomainname.crt or the sf_bundle.crt? mydomainname.crt What is the sf_bundle.crt, does this have something to do with an intermediate certificate that also needs to be installed? Try rebooting your android I tried & it didn't work. When upgrading to the ISY-994 what will I have to do to use the godaddy certificate. Will I need to get a new one from Godaddy or will I be able to use the same certificate? You might have to but it's free. I've used it many times At first I didn't understand since Godaddy charges for each certificate. Then I saw an option in the Godaddy control panel called "Re-Key" which it seems that I can generate again a CSR and a certificate again. Was this what you were referring to? Michel, I know my questions have a lot more to do with Godaddy & Android than with the ISY so I really appreciate your helping me in resolving this as well as anyone else who has knowledge about this stuff. Thanks.
Michel Kohanim Posted August 8, 2013 Hi hbsh01, Yes, you can regenerate the CSR and get it signed. The bundle.crt has all the certificates in the chain. The process is something like this: For an Android to trust ISY, the certificate in ISY must be signed by an authority that is known to Android. So, it seems that GoDaddy is not trusted by Android and, therefore, you will have to get all the intermediate certificates that go up to the root authority and install them in Android. Here's a list of all chains for GoDaddy: https://certs.godaddy.com/anonymous/repository.pki This said, I am not entirely sure which ones you need. I am hoping that someone else with GoDaddy certificates can help. With kind regards, Michel
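The leaf-versus-bundle question answered above, together with the SHA-1/SHA-2 signature point raised earlier in the thread, as an added example (not code from this thread or from Universal Devices): a stdlib-only Python script that splits a .crt or bundle file into its certificates, reads each one's subject, issuer and signature algorithm, and orders the chain from the domain certificate up to the root. The certificates it works on are constructed samples with dummy keys and signatures, the names isy.example.com, Example Intermediate CA and Example Root CA are assumed, and matching issuer to subject by name is not a cryptographic check.

```python
import re
import ssl
# Minimal DER helpers: enough to build constructed sample certificates and read the fields we need.
def _tlv(tag, body):  # one tag-length-value element; the sample certificates stay under 256 bytes
    assert len(body) < 0x100
    ln = bytes([len(body)]) if len(body) < 0x80 else b"\x81" + bytes([len(body)])
    return bytes([tag]) + ln + body
def _oid(dotted):  # dotted string -> DER OBJECT IDENTIFIER
    parts = [int(p) for p in dotted.split(".")]
    out = [40 * parts[0] + parts[1]]
    for p in parts[2:]:
        enc = [p & 0x7F]
        while p >> 7:
            p >>= 7
            enc.append(0x80 | (p & 0x7F))
        out.extend(reversed(enc))
    return _tlv(0x06, bytes(out))
def _name(cn):  # Name ::= SEQUENCE OF SET OF { OID commonName, UTF8String }
    return _tlv(0x30, _tlv(0x31, _tlv(0x30, _oid("2.5.4.3") + _tlv(0x0C, cn.encode()))))
def _algid(oid):  # AlgorithmIdentifier ::= SEQUENCE { OID, NULL }
    return _tlv(0x30, _oid(oid) + b"\x05\x00")
def _read_tlv(buf, pos):  # decode one element at pos -> (tag, body, next position)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + length], pos + length
def _children(body):  # elements inside a constructed body, as (tag, body) pairs
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        out.append((tag, val))
    return out
def _decode_oid(body):
    parts, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts, val = parts + [val], 0
    return ".".join(map(str, parts))
def _common_name(name_body):  # first commonName (OID 2.5.4.3) in a Name
    for _, rdn in _children(name_body):
        for _, atv in _children(rdn):
            oid, value = _children(atv)
            if _decode_oid(oid[1]) == "2.5.4.3":
                return value[1].decode()
    return "?"

def make_cert(subject_cn, issuer_cn, sig_oid):
    """Constructed sample certificate: structurally valid X.509 DER with a dummy key and signature."""
    tbs = (_tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + _algid(sig_oid)   # v3, serial 1
           + _name(issuer_cn)
           + _tlv(0x30, _tlv(0x17, b"130807000000Z") + _tlv(0x17, b"140807000000Z"))  # validity
           + _name(subject_cn)
           + _tlv(0x30, _algid("1.2.840.113549.1.1.1") + _tlv(0x03, b"\x00" * 9)))     # rsa SPKI
    return _tlv(0x30, _tlv(0x30, tbs) + _algid(sig_oid) + _tlv(0x03, b"\x00" + b"\xAA" * 16))

SIG_ALGS = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption", "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
            "1.2.840.113549.1.1.12": "sha384WithRSAEncryption", "1.2.840.113549.1.1.13": "sha512WithRSAEncryption"}

def describe(der):
    """Subject CN, issuer CN and signature algorithm of one DER certificate."""
    tbs, sig_alg, _ = _children(_read_tlv(der, 0)[1])  # tbsCertificate, signatureAlgorithm, signature
    fields = _children(tbs[1])
    if fields[0][0] == 0xA0:                            # skip the EXPLICIT [0] version, leaving
        fields = fields[1:]                             # serial, sig, issuer, validity, subject, spki
    alg = SIG_ALGS.get(_decode_oid(_children(sig_alg[1])[0][1]), "unknown")
    return {"subject": _common_name(fields[4][1]), "issuer": _common_name(fields[2][1]),
            "sig_alg": alg, "sha2": alg.startswith(("sha256", "sha384", "sha512"))}

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)
def inspect_bundle(pem_text):  # split a .crt or *_bundle.crt file (the text seen in Notepad)
    return [describe(ssl.PEM_cert_to_DER_cert(p)) for p in PEM_RE.findall(pem_text)]

def chain_report(leaf_pem, bundle_pem):
    """Order leaf -> intermediates -> root by issuer/subject CN matching (no signature check)."""
    leaf = inspect_bundle(leaf_pem)[0]
    pool = {c["subject"]: c for c in inspect_bundle(bundle_pem)}
    chain, cur = [leaf], leaf
    while cur["subject"] != cur["issuer"] and cur["issuer"] in pool:
        cur = pool[cur["issuer"]]
        chain.append(cur)
    # per the thread, ISY-99 and then-current ISY-994 firmware rejected SHA-2-signed certificates
    return {"chain": [c["subject"] for c in chain], "leaf_needs_sha2_firmware": leaf["sha2"],
            "complete": chain[-1]["subject"] == chain[-1]["issuer"]}

# Constructed sample (assumed names): leaf signed with SHA-256, intermediate and root with SHA-1.
LEAF_PEM = ssl.DER_cert_to_PEM_cert(make_cert("isy.example.com", "Example Intermediate CA", "1.2.840.113549.1.1.11"))
BUNDLE_PEM = (ssl.DER_cert_to_PEM_cert(make_cert("Example Intermediate CA", "Example Root CA", "1.2.840.113549.1.1.5"))
              + ssl.DER_cert_to_PEM_cert(make_cert("Example Root CA", "Example Root CA", "1.2.840.113549.1.1.5")))
```

Running inspect_bundle over a real *_bundle.crt shows why pasting it into the same "Receive Cert" box as the domain certificate fails: it holds two or more separate BEGIN/END blocks, and only the one whose subject is your domain name belongs there.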
ISYhbsh01 (Author) Posted August 9, 2013 I am copying & pasting here my question to MWareman & his reply from another thread. http://forum.universal-devices.com/viewtopic.php?f=3&t=12074&start=0#p93004 It's easy enough to add your custom root cert to IOS, Android these days. Is it?... http://forum.universal-devices.com/viewtopic.php?f=27&t=12098 Or - get a signed cert from cacert.org. You'll have to install their root (instead of having to manage your own) - but it's a little less involved than running OpenSSL yourself. Still free as well. Would this solve my problem? Thank you
ISYhbsh01 (Author) Posted August 9, 2013 For cacert, visit http://www.cacert.org from your android device. Click 'Root Certificate' and download the Class 1 PKI key in DER format. If your Android is new enough (I'm doing this on 4.2.2), you will get prompted to name the certificate (and info that the package contains a CA certificate). Name it and click OK. You get a message that the root certificate is installed. That's what I mean by it being easy. Confirm, go to Settings / Security / Trusted Credentials and look under the 'User' tab. You can see root certs you have installed, and can revoke them if you want. Any certificate issued by CACert will now be trusted (test by visiting https://www.cacert.org) - and they are free. Generate a CSR on the ISY, send it to them, get the cert, install and you are good to go. Less chance of man in the middle attacks then. Now, a self signed certificate is very much like a root certificate. In fact, if you separate the public key of your self signed certificate into a DER formatted .cer file, email it to your Android device (don't email the private key!), that can also be installed as a CA cert on your Android device to establish the certificate as trusted. Any attempt to inject a new self signed certificate at a proxy will lead to you being told the certificate is not trusted. .cer files can also be installed as root authorities on IOS - just email them to yourself (or download them) and click on it to install. You'll go thru confirmation dialogs, but you can trust cacert (or your own self signed) as you desire. All that being said - you cannot do this without rooting your Android phone and messing around with adb if your phone is not up to date. As I said, I think this is not possible until at least 4.2. After all that - Once you have either the cacert root (or your self signed cert installed in the root), it looks at first blush that Tasker connects just fine with its HTTP-GET function. 
At least, it just did for me. Time to get coding I think.
ISYhbsh01 (Author) Posted August 9, 2013 Thank you MWareman & Michel, I just went the cacert.org route & followed MWareman’s instructions to install it onto my Android and it now works with Tasker! I did try several more times to get the Godaddy certificate to work just out of curiosity, but after a while I just gave up. One thing I learned is that Android seems to be very finicky & unpredictable with certificates in general. Just one example: the latest thing that I tried with the Godaddy certificate was that I copied & pasted into the ISY window the contents of the mydomainname.crt file & right below that I copied & pasted the contents of the sf_bundle.crt file. After doing that the certificate was trusted by my browsers on my computer, by my non-stock android browser (which did not trust it when I only copied & pasted the mydomainname.crt file), but not by Tasker. Now with the cacert.org certificate that I ended up using, it is trusted by Tasker but not by my non-stock Android browser. So it seems that Android is very unpredictable on how the system & various apps will work with certificates. Both Godaddy & Starfield root certificates are actually in Android’s default trusted credentials list. I would like to share some more things that I learned along the way in the many hours I spent trying to get this to work and also explain & give detailed instructions on how I got it to work with DynDNS’ grandfathered free dyndns service without having to use my own domain and DynDNS’ paid Standard DNS service. I just don’t have the time right now. So in the meantime if anyone would like to get more info on this topic please post your question & I will try to help as much as I can. Thanks again Michel & MWareman.
MWareman Posted August 9, 2013 You are welcome! Any time I can (hopefully) help. I will add that user administered certificate support is still very new to android - and many apps are still doing things the old way. As apps get updated, more and more will be able to take advantage of the new APIs and work with the new certificate stores. I do think that Tasker with ISY is a killer feature now that I can call all the REST API over SSL. Adding autovoice and autolocation to Tasker - well let's just say I can now talk to my ISY and have it do stuff - based on where I am.
ISYhbsh01 (Author) Posted August 18, 2013 MWareman, Do you have an ISY-99 or ISY-994? If you got the 994, what is supposed to happen after you paste the Cacert.org certificate in the "receive cert." window? I just upgraded to the 994 & I can't get this to work. See here: http://forum.universal-devices.com/viewtopic.php?t=12150 Any help will be appreciated. Thanks. Sent from my SPH-D710 using Tapatalk 2
Michel Kohanim Posted August 18, 2013 Hi hbsh01, please contact us! With kind regards, Michel
johnnyt Posted September 10, 2013 I need help with this. It's not working for me. Am on 4.0.11. All is there in ISY (minus cert stuff, I presume) and on router for ISY to answer from the internet on port 443. Have followed this thread and:
- got a godaddy credit for a cert for $6
- got a Dyn DNS Standard account for $30
- changed my domain name's nameserver to DynDNS nameservers
- did a whois to see my domain pointing to DynDNS nameserver
- checked my DynDNS account to see that my IP address is correct for isy.mydomain.com
- opened up http/80 on my router, tried it with isy.mydomain.com and it worked
followed the UDI instructions and:
- created a Cert Request (CSR) under "Client Certificate" (TLS 1.2, High, no verify, SHA-2, 2048 bit)
- copy/pasted CSR data and provided it to godaddy
- did what was needed to get the cert approved for my
- received two .crt files from godaddy, one for my subdomain and one called gt_bundled-g2.crt
- imported them both under "CA Certificates" in the ISY dashboard
- did nothing with "Server Certificate" - do I need to? if so, can I use the same cert credit (didn't see anything anywhere about needing two certs)
- couldn't do anything with "receive cert" as UDI instructions seem to suggest because I don't have anything to copy/paste into it. Or at least I can't find what to copy/paste info to paste in.
- ISY didn't reboot, as suggested in instructions, so I manually rebooted it.
I get unable to connect message. help, what am I missing?
ISYhbsh01 (Author) Posted September 10, 2013 You need the server certificate only. Go into the godaddy control panel & revoke the certificate which will give you back the credit to generate a new certificate. Then generate a CSR in the ISY dashboard under server certificates & follow all the steps again. Edit: Once you download the new certificates from Go Daddy you should open your domain .crt file with Notepad or any text editor program. The file should start with -----Begin certificate----- and end with -----End certificate-----. Copy & paste its contents into the receive certificate window. Sent from my SPH-D710 using Tapatalk 2
johnnyt Posted September 10, 2013 oops. just realized I meant to post here viewtopic.php?f=3&t=12074&p=94138#p94138, not this thread. thanks. will cancel/revoke current cert and request server cert then open it in notepad. wish the instructions were clearer.
johnnyt Posted September 11, 2013 Tried to "rekey" cert instead of revoke, which allowed me to immediately copy in an ISY server cert request and also immediately created a new cert that I downloaded, opened using notepad and copied into "Receive Cert" in ISY Server Certificate. Problem is I still get a message that I can't connect after that. So I went the "revoke" route but now I have to wait (up to 24 hours) for that cert to get revoked, then I guess I'll have to go through the whole cert approval process - another up to 24 hours. sigh.
ISYhbsh01 (Author) Posted September 11, 2013 I am sorry for the mix-up. I was quoting the terminology out of my memory and I mentioned the wrong term as used by Go Daddy. What I actually meant was to use the re-key option which allows you to generate a new certificate right away, not “Revoke”. I apologize. What error message were you getting?
Michel Kohanim Posted September 12, 2013 Hi johnnyt, Are you on 4.0.11 alpha? With kind regards, Michel
johnnyt Posted September 12, 2013 hbsh01, Firefox is giving me a "cannot connect" message. Michel, yes, I'm running 4.0.11 as part of trying to get to the bottom of this viewtopic.php?f=27&t=11873 For the benefit of all, Revoking a cert is NOT the way to go if you can avoid it. Here's an excerpt from an email I got from godaddy about it: When you revoke, the SSL credit is canceled and HTTPS is immediately removed from the website. A revoked certificate cannot be re-keyed or renewed, and the process cannot be undone. If you need HTTPS for the website, you must repurchase and submit a new request. Consider revoking your certificate if:
• The certificate contains the wrong common name.
• The certificate contains incorrect information.
• The secured site is no longer operational.
They offered to give me an "in store credit" so I could buy another one. At least I hope so. I paid $18 for 3 years but now the price for an SSL cert is $65 per year. If all they give me back is $18 I won't be able to buy a new cert with that. Just waiting to see what happens now.
Michel Kohanim Posted September 12, 2013 Hi johnnyt, Do you still have the existing certs that you created? If so - and since you are on 4.0.11, you can use an updated dashboard that supports SHA2 certificate thumbprint/signatures. Please send an email to support@universal-devices.com and we'll help you with the process. With kind regards, Michel
johnnyt Posted September 13, 2013 No, my cert is gone and all they're going to do is give me my $18 back (I think - not even sure I'll get it all back) which isn't going to help me now that price for 1 yr has gone up to $65. I might try to fight with a free cert I read about or wait until/if there's another $6/yr sale again. I don't know what I'll do at this point. Are there better instructions somewhere (or coming) or is the current method of having to guess at what actually applies in the current doc + read through forum + try to fill in the gaps with trial and error as good as it gets? Sorry. I'm a little ticked off right now. Sent from my iPad using Tapatalk
Michel Kohanim Posted September 13, 2013 Hi johnnyt, I empathize with you and your dilemma. As far as instructions:
1. They are already in http://wiki.universal-devices.com/index ... r_ISY-994i page 9
2. We cannot have instructions for each CA
3. There are some CAs that have signatures that were not supported by 4.0.5, those are fixed but we are in Alpha and I cannot give them out unless it's asked explicitly
4. I would assume for something as novel/sophisticated as certificates and their application, our tech support would have been a better choice
With kind regards, Michel