
certificate from homematic can not be deleted or replaced with a new file #2322

Closed
antoniobeermann opened this issue May 20, 2023 · 9 comments
Labels
🐛 bug-report Something isn't working 🏷️ WebUI This refs the WebUI component

Comments

@antoniobeermann

Describe the issue you are experiencing

I am running 3.69.7.20230506

I tried to replace the original certificate which I generated via GUI about 2022.

I was not able to delete the old one with the GUI button
I was not able to replace it from the GUI with a certificate generated on another system with internet access.

None of the actions produced an error.
The webserver seemed to restart.
Even a manual restart of raspimatic did not solve the problem

Describe the behavior you expected

I thought delete would remove the once uploaded file instantly.
I thought uploading a new one would replace the original one.

Steps to reproduce the issue

  1. Generate a Certificate via the GUI
  2. Try to delete it via GUI
  3. Or try to upload your own
  4. reboot or check the file via ssh

still the old one

What is the version this bug report is based on?

3.69.7.20230506

Which base platform are you running?

rpi3 (RaspberryPi3)

Which HomeMatic/homematicIP radio module are you using?

RPI-RF-MOD

Anything in the logs that might be useful for us?

- I created a pem file on my firewall with an acme plugin with the correct CN and DNS entry

my solution:
 - ssh into raspimatic
 - saved the original /usr/local/etc/config/server.pem to server-old.pem
 - copied my own pem file over it
 - needed to restart the raspimatic to take effect

worked - no browser warning anymore

Additional information

No response

@antoniobeermann antoniobeermann added the 🐛 bug-report Something isn't working label May 20, 2023
@SteffnVo

Thank you for your workaround.
Now my own certificate pem is working.

@HausOe

HausOe commented Jun 30, 2023

Hello, I have the same issue like antoniobeermann.

Error message on manual restart of webserver:

root@raspberrymatic:/usr/local/etc/config# /etc/init.d/S50lighttpd reload
Reloading lighttpd: creating new SSL cert... _OK

OK, I checked the commands for reloading the webserver. The cert check failed with this result (with my let's encrypt cert converted to server.pem):

root@raspberrymatic:/usr/local/etc/config# /usr/bin/openssl x509 -checkend 86400 -noout -in /etc/config/server.pem
unable to load certificate
547605513408:error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag:crypto/asn1/tasn_dec.c:1149:
547605513408:error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error:crypto/asn1/tasn_dec.c:309:Type=X509_CINF
547605513408:error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error:crypto/asn1/tasn_dec.c:646:Field=cert_info, Type=X509
547605513408:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:crypto/pem/pem_oth.c:33:

In the past I copied the key-file and the crt-file in one server.pem-file and SSL was working. If I use key-file and the cer-file with my LANCOM-devices, I have a working SSL connection.

RBM-Version 3.69.7.20230626
Hardware Raspberry 3B+
RF-Interface HM-MOD-RPI-PCB & HB-RF-USB-2

My first not working (!) "solution":

  • Get the cert generated by the command root@raspberrymatic:/usr/local/etc/config# /etc/init.d/S50lighttpd reload
  • Delete all data except the headlines and footer for the key and cert.
  • Copy and paste the data (no headlines or footers, they are different) from the let's encrypt key-file to the key section. Do the same for the cer-file and cert section.

Result: SSL-check is passed and no new cert is generated but the webserver is now not starting anymore.

Regards,

Henning

@ZTHawk

ZTHawk commented Jul 11, 2023

I have the same issue with 3.69.7.20230626.

  • I select my own certificate
  • I press upload
  • The web server restarts (at least it says it is doing so)
  • Certificate was not updated

Then tried this:

  • Delete certificate
  • Now a self signed certificate exists
  • Do steps from above
  • Certificate is still the self signed one

Edit:
SSH into raspberrymatic and replacing '/usr/local/etc/config/server.pem' followed by a restart did help.

@jens-maus
Owner

@ZTHawk can you please share the principal structure of the server.pem file you tried to upload via the WebUI? There are actually some structure checks which may fail, resulting in the behaviour you explained here. Obviously your server.pem file looks different to what the WebUI expects when uploading it.

@jens-maus jens-maus added 🙏 help wanted Extra attention is needed ❓ undecided No decision to accept or reject ticket yet labels Jul 11, 2023
@ZTHawk

ZTHawk commented Jul 11, 2023

The structure of the file I tried to upload is the same that I have inserted in the server.pem:

  • Private key - unencrypted
  • Cert
  • Cert CA

@jens-maus
Owner

The structure of the file I tried to upload is the same that I have inserted in the server.pem:

  • Private key - unencrypted
  • Cert
  • Cert CA

Sure, but please show it here as an example file. Especially interesting would be which delimiter -----START PRIVATE KEY.... it contains, etc. If you can share your whole / or an older server.pem which also does not work please do so.

@ZTHawk

ZTHawk commented Jul 11, 2023

Content (I hope this is what you requested):

-----BEGIN RSA PRIVATE KEY-----
private key
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
my cert
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
my CA cert
-----END CERTIFICATE-----
<empty line>

@jens-maus jens-maus added this to the next release milestone Jul 11, 2023
@jens-maus jens-maus added 🏷️ WebUI This refs the WebUI component and removed 🙏 help wanted Extra attention is needed ❓ undecided No decision to accept or reject ticket yet labels Jul 11, 2023
@jens-maus
Owner

Ok, I think I have found and fixed the issue. Thus, with the next nightly snapshot or official release version it should be fixed.

@raldone01

Content (I hope this is what you requested):

-----BEGIN RSA PRIVATE KEY-----
private key
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
my cert
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
my CA cert
-----END CERTIFICATE-----
<empty line>

Thanks that worked.

I converted my .p12 file to .pem with: openssl pkcs12 -in ccu.localdomain.p12 -out ccu.pem -nodes

Then I had to delete all the other stuff and manually reorder the blocks so the private key comes first.

-----BEGIN RSA PRIVATE KEY-----
priv key unencrypted
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
cert1
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
cert2
-----END CERTIFICATE-----
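
As an added example (not part of this issue and not RaspberryMatic's own code) of the clean-up raldone01 describes above and the key-first layout jens-maus asked about: a small Python script that takes the output of `openssl pkcs12 -nodes`, drops the Bag Attributes lines, checks that there is exactly one unencrypted private key plus at least one certificate, and writes the blocks in private-key-first order. The sample input and all block bodies are constructed placeholders, not real key or certificate material.

```python
import re

# Matches one PEM block; the backreference makes the BEGIN/END labels agree.
BLOCK_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)
KEY_LABELS = {"RSA PRIVATE KEY", "EC PRIVATE KEY", "PRIVATE KEY"}

# Constructed sample resembling `openssl pkcs12 -nodes` output: certificates first,
# key last, "Bag Attributes" metadata in between. Bodies are placeholders only.
SAMPLE_P12_DUMP = """Bag Attributes
    localKeyID: 01 02 03
subject=CN = ccu.localdomain
-----BEGIN CERTIFICATE-----
MIIBplaceholderLeafCertBody==
-----END CERTIFICATE-----
Bag Attributes: <No Attributes>
-----BEGIN CERTIFICATE-----
MIIBplaceholderCaCertBody==
-----END CERTIFICATE-----
Bag Attributes
    localKeyID: 01 02 03
-----BEGIN RSA PRIVATE KEY-----
MIIEplaceholderPrivateKeyBody==
-----END RSA PRIVATE KEY-----
"""

def split_pem(text):
    """Return (label, block) pairs; anything outside the armour lines is dropped."""
    return [(m.group(1), m.group(0)) for m in BLOCK_RE.finditer(text)]

def validate(text):
    """List the reasons a bundle cannot become a server.pem (empty list = usable)."""
    blocks = split_pem(text)
    problems = []
    keys = [b for lbl, b in blocks if lbl in KEY_LABELS]
    if len(keys) != 1:
        problems.append(f"expected exactly one private key block, found {len(keys)}")
    if any(lbl == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in b for lbl, b in blocks):
        problems.append("private key is encrypted; re-export with 'openssl pkcs12 -nodes'")
    if not any(lbl == "CERTIFICATE" for lbl, _ in blocks):
        problems.append("no CERTIFICATE block found")
    return problems

def build_server_pem(text):
    """Emit the key-first layout: private key, then certificates in their original order."""
    problems = validate(text)
    if problems:
        raise ValueError("; ".join(problems))
    blocks = split_pem(text)
    ordered = [b for lbl, b in blocks if lbl in KEY_LABELS]
    ordered += [b for lbl, b in blocks if lbl == "CERTIFICATE"]
    return "\n".join(ordered) + "\n"
```

Certificates keep the order the export produced, so check that the leaf certificate precedes its CA before uploading the result.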

6 participants