[Solved] yun https certificate, android app problem

[5a2v0]

Hi, finally i completed the sketch for my yun and i started my work on the Android App that must connect the phone/tablet to the yun's webserver, read the json string to get some values and display it on the app...

The app already does it!
Only over HTTP and not over HTTPS..

The API REST  is password protected and i must send to yun an http header that contain

Code: [Select]

Authorization: Basic user:password where "user:password" is a base64 string, but my app will connect itself to yun via 3g network or various wifi. So i want to make the connection on the HTTPS protocol, but if i try to use https, the android app says to me that it can't establish a connection to the specified url...the 443 port is correctly forwarded...

So i tried with a pc's browser and i understood that the problem is the yun's auto-signed certificate... in the browser i can select the "CONTINUE" button and display the page but the android app stops the connection on the error...

with PUTTY i tried to run:

Code: [Select]

wget https/my.yun.ip/data/get and i got:

Code: [Select]

root@Arduino:~# wget https://my.yun.ip/data/get
--2014-06-07 13:07:59--  https://my.yun.ip/data/get
Resolving my.yun.ip... IP.IP.IP.IP
Connecting to my.yun.ip|IP.IP.IP.IP|:443... connected.
ERROR: cannot verify my.yun.ip's certificate, issued by `/C=IT/ST=Turin/L=Turin/CN=Arduino LLC':
 Self-signed certificate encountered.
   ERROR: certificate common name `Arduino LLC' doesn't match requested host name `my.yun.ip'.
To connect to my.yun.ip insecurely, use `--no-check-certificate'.

so i tried the command

Code: [Select]

wget --no-check-certificate https/my.yun.ip/data/get and it works...


is it possible to bypass the certificate check in my android app ? Or  there is another way to solve the problem ?

[federicofissore]

I don't know Android, but the "right thing" is to buy a trusted certificate and use that instead of yun's auto signed one. However, that costs money. You may want to look into things like startssl.com. I've never actually tried it though

[sonnyyu]

ERROR: cannot verify my.yun.ip's certificate, issued by `/C=IT/ST=Turin/L=Turin/CN=Arduino LLC':
Self-signed certificate encountered.
ERROR: certificate common name `Arduino LLC' doesn't match requested host name `my.yun.ip'.

2 errors here;-

• Self-signed certificate, No Root Certificate


• Wrong common name, should be 'my.yun.ip'

Plan B:
1.  generate new cert with commonname as '192.168.0.186'

My Yun ip is '192.168.0.186'.

Code: [Select]

nano /etc/config/uhttpd
#option commonname     'Arduino LLC'
option commonname       '192.168.0.186'
rm /etc/uhttpd.crt
rm /etc/uhttpd.key
/etc/init.d/uhttpd  restart

This will force px5g key generator re generate new cert with commonname as '192.168.0.186'.

2. Next import Self-Signed Certificate as a Trusted Root CA.

Installing a Self-Signed Certificate as a Trusted Root CA in Windows Vista

http://blogs.technet.com/b/sbs/archive/2007/04/10/installing-a-self-signed-certificate-as-a-trusted-root-ca-in-windows-vista.aspx

Do same thing at Mac or linux  or Android.

[sonnyyu]

I don't know Android, but the "right thing" is to buy a trusted certificate and use that instead of yun's auto signed one. However, that costs money. You may want to look into things like startssl.com. I've never actually tried it though

Most commerce certificate vendor only issue cert  to domain name not IP address, here we need have domain name first. If you do not have fix ip for standard dns. then ddns is way to go.

http://wiki.openwrt.org/doc/howto/ddns.client

[5a2v0]

I already have a noip account, infact my android app uses it to connect to my yun..

i set in the uhttpd config "my.noip.free.dns" as commonname.. then restarted the uhttpd and it did a new certificate...
going to https://my.noip.free.dns from Internet Explorer, it offer to me the possibility to install the certificate and I did it as in your posted link  and ok, it Works (on the pc browser, now i have no security advise)

But, how on android ? (if i  find a way, i will update this post)

[sonnyyu]

Big brother Google is friend;-

"android import root certificate" at Google.

http://wiki.cacert.org/FAQ/ImportRootCert

http://stackoverflow.com/questions/4461360/how-to-install-trusted-ca-certificate-on-android-device

To get root certificate, export it from IE.

[5a2v0]

Hi i already read this pages... I found this:

Code: [Select]

Android Phones & Tablets

Before Android version 4.0, with Android version Gingerbread & Froyo, there was a single read-only file ( /system/etc/security/cacerts.bks ) containing the trust store with all the CA ('system') certificates trusted by default on Android. Both system apps and all applications developed with the Android SDK use this. Use these instructions on installing CAcert certificates on Android Gingerbread, Froyo, ...

Starting from Android 4.0 (Android ICS/'Ice Cream Sandwich', Android 4.3 'Jelly Bean' & Android 4.4 'KitKat'), system trusted certificates are on the (read-only) system partition in the folder '/system/etc/security/' as individual files. However, users can now easily add their own 'user' certificates which will be stored in '/data/misc/keychain/certs-added'.

System-installed certificates can be managed on the Android device in the Settings -> Security -> Certificates -> 'System'-section, whereas the user trusted certificates are manged in the 'User'-section there. When using user trusted certificates, Android will force the user of the Android device to implement additional safety measures: the use of a PIN-code, a pattern-lock or a password to unlock the device are mandatory when user-supplied certificates are used.

Installing CAcert certificates as 'user trusted'-certificates is very easy. Installing new certificates as 'system trusted'-certificates requires more work (and requires root access), but it has the advantage of avoiding the Android lockscreen requirement.

CAcert user trusted certificates

Download the certificate files ('root.crt' and 'class3.crt') onto the internal flash storage (the '/sdcard' or any subfolder). Browse to this folder with the file manager and open 'root.crt'. Although there might not be an icon for certificates and the files will have a '?'-icon, files will be opened with the certificate manager, asking you for a name to describe the to-be-imported certificate. If it is the first user certificate you install, the Android Security Model forces you to use a lock-screen to unlock your device (see "CAcert system trusted certificates" if you really need to avoid this) Repeat with the 'class3.crt' file. Check if both certificate files are installed correctly, Settings -> Security -> Certificates -> 'User'-section should now list the certificates you have just installed.

But i tried to export the certificate in all file format ... My android tells always torneo me that it cant open che file when i try to install...

[sonnyyu]

Certificate types that are supported by different mobile platforms

According to the above page, IOs and Android do not allow the installation of [self-signed] certificates onto the device's truststore, but they do allow self-signed CAs.

Work around;-

Code: [Select]

opkg update
opkg install openssl-util

Use openssl to create self-signed CAs to use at uhttp server.  also comment out  px5g key generator config code at config file.

[5a2v0]

Thanks sonnyyu !! You put me on the right way... your post tells to me that there was a hope!  XD

I installed openssl-util and I created my root CA and then I created and signed my server certificate with it...
Now I can install the root CA as a "User trusted CA" in every android device (with android 4.x+) and my app will works on https protocol

I put a forwarding rule for the 443 port on my router and deleted the 80's rule...

compiled again the app with https, installed, tried and it works !!!

[sonnyyu]

I found startssl.com exiting at Android system certificate CA, The Federico's Plan A should do the job. Now you could save the step import CA into every Android if you follow his path.

http://www.startssl.com/?app=1

StartSSL™  (Class 1) certificates is Free

[federicofissore]

5a2v0 do you mind adding a brief entry on the playground page? http://playground.arduino.cc/Hardware/Yun

[sonnyyu]

Plan A and Plan B will do the trick most the time, but It would not work at enterprise world well, can you image HP will allow monitor its sensor at Domain noip.org?

Here is Plan C:  SSL Reverse Proxy server.

• SSL Reverse Proxy server will sit on much powerful box, say ~2000%  faster SSL then Yun, Yun is no loner need SSL


• Support wildcard certificate, one certificate for sensor1.hp.com, sensor2.hp.com ...


• Support Load balancing, say one server fired. system is still work


• Support URLrewrite  yun.hp.com/sensor1 for first Yun1, yun.hp.com/sensor2 for Yun2.

[5a2v0]

One new problem:

if I power off and then power on the yun, when it is ready, it is accessible only via HTTP because my .crt and .key files was deleted by system startup !!!

I tried to put in the original self.signed path: /etc/uhttpd.crt and /etc/uhttpd.key
I tried to put the  2 files in /etc/ssl/ and it deleted...
I tried changing their names, but  when yun start the files are deleted !

I setted always the right path In /etc/config/uhttpd.conf but it deleted my files !! Someone can explain me why ?

Code: [Select]

config cert px5g was commented..

if I cp my backup files from sd to a directory, set the path in the config and do /etc/init.d/uhtttpd restart it works !! No file deleted and https works..

EDIT:
ok, i found the reason! there is a file in /etc/init.d its name is  "delete_uhttpd_cert" that contain:

Code: [Select]

#!/bin/sh /etc/rc.common

START=49

start() {
       CERT=`uci get uhttpd.main.cert`
       KEY=`uci get uhttpd.main.key`
       rm -f $CERT $KEY
}

i think that it is usefull when uhttpd must generate for every yun's boot a new self-signed certificate without overwrite question..but in my case it is a problem...
I removed the file from /etc/init.d and think the problem be finished. Later i will try and will tell you

EDIT  2 :  it works

[federicofissore]

good catch. that's indeed the reason: regenerating certificates makes the yun a little hard to crack. Disable that script

This looks really like a good entry in the playground page

[5a2v0]

Added the entry to the playground: http://playground.arduino.cc/Hardware/Yun#Yun_https_self_signed_certificate

I hope it can help someone and that my english is understandable