tome, Posted January 6, 2010

I generated a self-signed cert and installed it today as I was getting the warning about the default cert when off my local network. However, after I did this I realized that now I cannot access the ISY through iLinc Pro application on my iPhone. I keep getting "Failed to Connect" errors and I assume it is due to the new cert that is in the ISY but not in my phone. I don't think iLinc allows me to install a cert (I don't see that as an option anywhere).

So my question is... How can I remove my self-signed cert from the ISY and go back to the default?

Thanks,
Tome

tome (Author), Posted January 6, 2010

I was talking with the iLinc developer and he says iLinc Pro should be able to handle any cert the ISY gives them. I wonder if 2.7.8 has a bug in it in regards to SSL certs...? Basically I cannot connect at all to the ISY from iLinc if off my local network...

Michel Kohanim, Posted January 6, 2010

Hi Tome,

Before removing the self signed certificate, please do ensure that you can get to ISY remotely via a browser. If so, then the next step would be to remove the previous certificates from your iPhone. If neither works, then we have to figure out WHY!

With kind regards,
Michel

tome (Author), Posted January 6, 2010

> Hi Tome,
> Before removing the self signed certificate, please do ensure that you can get to ISY remotely via a browser. If so, then the next step would be to remove the previous certificates from your iPhone. If neither works, then we have to figure out WHY!
> With kind regards,
> Michel

How does one remove previous certs from the iPhone?

InsteonNut, Posted January 6, 2010

Hi Tome,

Just to be clear, the iPhone and iLinc do not store any certs. iLinc is configured to accept all certs from the ISY, self-signed or otherwise. It will not store the cert on your device.

I went through the process of requesting and installing a new self-signed cert on my ISY running 2.7.8 for both a 512 bit cert and a 1024 bit cert. I entered in my DynDNS domain name for my router and saved off the cert for backup purposes. After my ISY rebooted to start using the new cert, iLinc connected to my ISY without problems over 3G and local LAN using HTTPS (SSL).

One thing to check is that the external IP address that the ISY is entering into the host field for the SSL Cert generation is correct and is the same IP address iLinc is using to connect to your ISY for the SSL IP field.

Wes

tome (Author), Posted January 6, 2010

> Hi Tome,
> Just to be clear, the iPhone and iLinc do not store any certs. iLinc is configured to accept all certs from the ISY, self-signed or otherwise. It will not store the cert on your device.
> I went through the process of requesting and installing a new self-signed cert on my ISY running 2.7.8 for both a 512 bit cert and a 1024 bit cert. I entered in my DynDNS domain name for my router and saved off the cert for backup purposes. After my ISY rebooted to start using the new cert, iLinc connected to my ISY without problems over 3G and local LAN using HTTPS (SSL).

1. From the Admin console on my Mac, I select 'Request/Manage SSL Certificates' from the Help Menu.
2. A window opens and I have to log in again.
3. I select 'Generate & Install New Self-Signed Certificate'.
4. In dialog I enter:
   myhostname.dyndns.org (not really myhostname, but the one I have registered)
   select 512, or 1024 (did both)
   checked save

ISY reboots after each cert creation. Same result.

If I connect via wifi (local ip address and port 80) iLinc works fine.
If I turn off wifi, using myhostname.dyndns.org and port 443, I get the failure to connect error.

I looked at the logs on my router and I see the requests coming in and being directed to the correct ip address and port, and I see the packets going out from the ISY (local ip address) and port which are the refusal (I assume - since I cannot look into the packet).

> One thing to check is that the external IP address that the ISY is entering into the host field for the SSL Cert generation is correct and is the same IP address iLinc is using to connect to your ISY for the SSL IP field.
> Wes

How do I check this? When I look at the saved cert files in a text editor they are gibberish, there is nothing readable in them...

I do know that after I created the 512 byte cert and went to create the 1024 byte cert the ip address in the dialog box was automatically filled in correctly (though I changed it back to the dyndns hostname before saying OK).

PS: I also removed and reinstalled the iLinc app on the iPhone but that didn't help...

PPS: Just for grins I used the external ip address rather than the dyndns hostname when generating the certs, but that didn't help either...

Tome

tome (Author), Posted January 6, 2010

So, it turns out I cannot access the ISY at all remotely. This isn't just iLinc, even from my laptop I am getting no response. Something is wrong with the ISY related to SSL Certs. What can I do to resolve this?

Tome

MikeB, Posted January 6, 2010

Hi Tom -

Are you certain your router is still forwarding port 443 (or whatever port you've assigned to HTTPS if you've changed it) to your ISY?

Sub-Routine, Posted January 6, 2010

> So, it turns out I cannot access the ISY at all remotely. This isn't just iLinc, even from my laptop I am getting no response. Something is wrong with the ISY related to SSL Certs. What can I do to resolve this?
> Tome

Hello tome,

When you configured external access did you assign a static IP address to the ISY? If not then the port forwarding rule in your router may be directing access to the wrong IP address.

If you used the ISY to Enable Internet Access then use Disable Internet Access and then enable it again.

Rand

tome (Author), Posted January 6, 2010

> Hi Tom -
> Are you certain your router is still forwarding port 443 (or whatever port you've assigned to HTTPS if you've changed it) to your ISY?

Yes. In fact, I turned on logging and watch the packets come in to the ISY and port 443 and go out from the ISY to my iPhone (or computer)...

Tome

tome (Author), Posted January 6, 2010

> Hello tome,
> When you configured external access did you assign a static IP address to the ISY? If not then the port forwarding rule in your router may be directing access to the wrong IP address.
> If you used the ISY to Enable Internet Access then use Disable Internet Access and then enable it again.
> Rand

I have a static address on the ISY, and as I said I can see the ISY responding to the connection request. Remote access has worked fine for weeks. It was only after installing the SSL Cert that it broke. This has to be a problem with the ISY rejecting the connection for some reason or other.

Tome

tome (Author), Posted January 6, 2010

Can someone look at their ssl certificate that was saved and see if there is any readable information in it? Other certs I have on my mac have clear text info in them showing the host they are for and a few other bits of info, the rest is gibberish. The cert that the UDI app created is pure gibberish. Is that normal?

Tome

Michel Kohanim, Posted January 6, 2010

Hi Tome,

SSL certificate should not be pure gibberish. Would you mind creating another certificate?

With kind regards,
Michel

tome (Author), Posted January 6, 2010

> Hi Tome,
> SSL certificate should not be pure gibberish. Would you mind creating another certificate?
> With kind regards,
> Michel

Mine are gibberish. Below is one partial example. Yes, I know I shouldn't post a cert, but I have created new ones since this one and this is only partial but goes on like this... No matter how many times I create certs they look similar to this and I still cannot get access to the ISY remotely...

Michel Kohanim, Posted January 6, 2010

Ah, you are trying to actually read it with a text file? If so, yes, it should be gibberish. What you need to do is to go to your browser, hit the HTTPS url for your ISY, and then use the browser's utility to read your cert.

Can you access your ISY LOCALLY using HTTPS and a browser?

With kind regards,
Michel

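Added example, not part of any post in this thread: a certificate is encoded binary data, so the host name it was issued for is read with a decoding tool rather than a text editor. This sketch uses the OpenSSL command line to print that name and compare it with the name the client connects to; the certificate is a throwaway generated on the spot, and the function names, file paths and the 203.0.113.10 address are assumptions made for the example.

```shell
#!/bin/sh
# Added example. Requires the openssl command-line tool.

# Print the host name (subject CN) a PEM certificate was issued for.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# cert_ok_for <pem-file> <host-the-client-connects-to>
# Returns 0 only if the CN equals that host and the certificate has not expired.
# (Compares the CN only, the single host field discussed in the thread.)
cert_ok_for() {
    cn=$(cert_cn "$1")
    if [ "$cn" != "$2" ]; then
        echo "mismatch: certificate is for '$cn', client uses '$2'"
        return 1
    fi
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null || {
        echo "certificate for '$cn' has expired"; return 2; }
    echo "ok: certificate matches '$2'"
}

# fetch_cert <host:port> <out.pem>: save the certificate a live server presents.
# Defined for reference; not called here because it needs network access.
fetch_cert() {
    openssl s_client -connect "$1" </dev/null 2>/dev/null |
        openssl x509 -outform PEM -out "$2"
}

# make_sample_cert <host> <out.pem>: constructed throwaway self-signed cert.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$2.key" -out "$2" 2>/dev/null
}

demo() {
    tmp=$(mktemp -d) || return 1
    make_sample_cert myhostname.dyndns.org "$tmp/isy.pem"
    cert_ok_for "$tmp/isy.pem" myhostname.dyndns.org          # same name: ok
    cert_ok_for "$tmp/isy.pem" 203.0.113.10 || true           # raw IP: mismatch
    rm -rf "$tmp"
}
demo
```

If nothing answers on the HTTPS port at all, as in the local test later in the thread, `fetch_cert` produces no certificate, which separates a failed TLS listener from a name mismatch.
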
tome (Author), Posted January 6, 2010

> Can you access your ISY LOCALLY using HTTPS and a browser?

No, if I try https://192.168.X.X:443 on a local machine I do not get anything either. I can get to http://192.168.X.X:80 though....

Tome

Michel Kohanim, Posted January 6, 2010

If you do NOT get ANYTHING at all, then perhaps you have changed the HTTPS port on your ISY. Would you be kind enough to go to Configuration/System tab and make sure HTTPS port is still 443?

With kind regards,
Michel

> > Can you access your ISY LOCALLY using HTTPS and a browser?
>
> No, if I try https://192.168.X.X:443 on a local machine I do not get anything either. I can get to http://192.168.X.X:80 though....
> Tome

tome (Author), Posted January 6, 2010

> If you do NOT get ANYTHING at all, then perhaps you have changed the HTTPS port on your ISY. Would you be kind enough to go to Configuration/System tab and make sure HTTPS port is still 443?

Yes, it is set for 443.

PS: I just set it again to be sure and it rebooted the ISY. I am sure the port is right as I can see packets in and packets out to/from the ISY local ip address and port 443.

Tome

Michel Kohanim, Posted January 6, 2010

Hi Tome,

Please reinstall the certificate and let me know if it works. If it does not, then I would like to know why rather than just removing the default certificate: please send an email to support@universal-devices.com and we'll figure it out.

Thanks and with kind regards,
Michel

tome (Author), Posted January 7, 2010

> Hi Tome,
> Please reinstall the certificate and let me know if it works. If it does not, then I would like to know why rather than just removing the default certificate: please send an email to support@universal-devices.com and we'll figure it out.

I installed the existing certs and that didn't change anything. I will send email.

Tome

tome (Author), Posted January 19, 2010

Michel,

Any word on getting SSL certs to work from MacOS X?

Thanks,
Tome

rlebel, Posted January 19, 2010

> Michel,
> Any word on getting SSL certs to work from MacOS X?
> Thanks,
> Tome

They don't work for me either, I just haven't complained.

I also have a problem on the Mac opening the Log file in excel, it gets an empty file; I can download the log to text just fine.

Michel Kohanim, Posted January 19, 2010

Hi rlebel,

Known issue with our cryptography library and JRE 1.6 on MAC. Still trying to figure out how to fix it without having to rewrite the whole engine.

On the Excel sheet, are you given the option of disabling security for Macros? In Windows, you are given the option of disabling security, otherwise you will get a blank sheet.

With kind regards,
Michel

Carl314, Posted January 20, 2010

Dumb question - I'm using SSL, and it's working, but too slow. How can I get rid of SSL altogether, and go back to standard http? Is it as simple as just deleting the SSL certificate, and changing the port forwarding on my router?

Thanks,
Carl.

Michel Kohanim, Posted January 20, 2010

Hi Carl,

I personally do not recommend disabling SSL because your credentials will be in cleartext and thus anyone, by the virtue of knowing your IP address, can turn on/off your devices and change all your programs.

Now, if you so choose to use HTTP, all you have to do is to change the port forwarding port from 443 to 80. And, from then on, you can use http://your.external.ip.address .

With kind regards,
Michel