Make HA use 1.2 TLS

Hi,
I have an old Android 5.1 device; the only possible way to access HA on it is to install a Chrome .apk app, but I need to use an older 95.x version, because newer Chrome versions need Android 6.0.

Now, the issue: in order to make an “add to home screen” from Chrome, it needs a valid SSL connection.
I have one, I use Cloudflare DNS and Let's Encrypt + nginx, but when I access the page on the Android 5.1 device it still gives me the warning below. I think it's because of 1.3; can I set up somewhere that the connection will use TLS 1.2? Not sure where I need to look: is it in Chrome? In HA? Or?

All other devices are working as expected.


Hi,

I don’t think this is a TLS version problem, because if TLS 1.3 was not compatible with Android 5.1 you would not have any connection at all :slight_smile:
I think the problem is the cert chain from Let’s Encrypt & older Android versions: Production Chain Changes - API Announcements - Let's Encrypt Community Support

And for your information, TLS version config has to be done in nginx.

Hi, thanks for the feedback! But it’s still unclear to me how to resolve it. According to that compatibility, it should still work?

Check the certificate chain you have on your end, to see if you have the default chain (compatible) or the alternate shorter one which won’t be compatible.
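One way to do that check, as an added example that is not from this thread or the addon: a small POSIX shell script that classifies the subject/issuer listing openssl prints for a fullchain.pem, reporting "long" when the ISRG Root X1 certificate cross-signed by DST Root CA X3 is present and "short" when the chain stops at the R3 intermediate (the /ssl/fullchain.pem path and the sample listings are assumptions, constructed to match the shape of real openssl output).

```shell
#!/bin/sh
# Added example (not from the thread or the addon): decide which Let's Encrypt
# chain a fullchain.pem carries, from the subject/issuer listing produced by
#   openssl crl2pkcs7 -nocrl -certfile /ssl/fullchain.pem | openssl pkcs7 -print_certs -noout
# /ssl/fullchain.pem is the addon's usual output path and is an assumption here.

# Reads the listing on stdin, prints one "subject -> issuer" line per certificate,
# then the verdict: "long" if the ISRG Root X1 certificate cross-signed by
# DST Root CA X3 is present (the chain old Android builds need), else "short".
chain_kind() {
  awk '
    /^subject=/ { sub(/^subject=/, ""); subj = $0 }
    /^issuer=/  { sub(/^issuer=/, "");  n++; printf "%d: %s -> %s\n", n, subj, $0
                  if ($0 ~ /DST Root CA X3/) cross = 1 }
    END {
      if (n == 0) { print "no certificates found"; exit }
      print (cross ? "long" : "short")
    }'
}

# Constructed sample listings (placeholder hostname, same layout as real openssl output).
LONG_CHAIN='subject=CN = home.example.test
issuer=C = US, O = Let'\''s Encrypt, CN = R3

subject=C = US, O = Let'\''s Encrypt, CN = R3
issuer=C = US, O = Internet Security Research Group, CN = ISRG Root X1

subject=C = US, O = Internet Security Research Group, CN = ISRG Root X1
issuer=O = Digital Signature Trust Co., CN = DST Root CA X3
'
SHORT_CHAIN='subject=CN = home.example.test
issuer=C = US, O = Let'\''s Encrypt, CN = R3

subject=C = US, O = Let'\''s Encrypt, CN = R3
issuer=C = US, O = Internet Security Research Group, CN = ISRG Root X1
'

# Returns only the verdict word for a listing passed as $1.
verdict() { printf '%s' "$1" | chain_kind | tail -n 1; }

printf '%s' "$LONG_CHAIN" | chain_kind
printf '%s' "$SHORT_CHAIN" | chain_kind
```

To check what nginx actually serves rather than the file on disk, feed the PEM blocks from `openssl s_client -connect host:443 -servername host -showcerts </dev/null` into the same crl2pkcs7 pipeline.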

Seems I have the alternative one; is there a way to change it? I use the Let's Encrypt addon.
Sorry, this is a bit new to me :slight_smile:


I don't see a configuration option on the addon itself to change that chain type.

Mhh, I don’t know this addon. Maybe you should try to post an issue on the addon GitHub repo?

We can see here: https://github.com/home-assistant/addons/blob/dc81626fadedd3a89ed1b8e2ede1fb3ffd453d74/letsencrypt/rootfs/etc/services.d/lets-encrypt/run#L131
that certbot has the parameter --preferred-chain "ISRG Root X1", which is the short one. Maybe an issue asking to make this variable with some configuration option could help!
You should use --preferred-chain "DST Root CA X3" to get a more compatible cert, I think.

Refs :

OK, interesting, will have a look, thanks for the info, appreciated!!!

DST Root CA X3 expired on 9/29/21. I’m not understanding why switching would change anything. Let’s Encrypt’s current guidance on certificate compatibility can be found here. Under “Platforms that trust ISRG Root X1” it lists this:

There is no guidance to use an alternate chain anymore because it's expired and no longer trusted by any devices.

[EDIT] Ok I’m confused now. I see the special “just for android” article which mentions this:

IdenTrust has agreed to issue a 3-year cross-sign for our ISRG Root X1 from their DST Root CA X3. The new cross-sign will be somewhat novel because it extends beyond the expiration of DST Root CA X3. This solution works because Android intentionally does not enforce the expiration dates of certificates used as trust anchors.

So what you’re saying is by adding --preferred-chain "ISRG Root X1" we’re forcing it to use the shorter chain that doesn’t include the cross-sign? I guess that makes sense. @pergola.fabio can you try running certbot manually with this option and show that your certificate works after that? I can add it but I want to know that it actually fixes the issue.

I have also found some confusing information! Maybe @pergola.fabio you should check on your Android device which certificate in the chain is not valid.


OK, those commands are new to me, never done that before.
Do you have an example command I can run from the SSH addon?

What’s your current config in the Let’s Encrypt addon?

I use Cloudflare with DNS challenge, and the config below:


provider: dns-cloudflare
cloudflare_api_token: '!secret cloudflare_api_token'

with wildcard *.domain.com

Mostly copying from what the addon would do with that config, I believe it's this:

echo "dns_cloudflare_api_token = ${API_KEY}" > /config/cfapikey && \
certbot certonly --non-interactive --keep-until-expiring --expand \
        -d "$DOMAIN" \
        --email "$EMAIL" --agree-tos \
        --config-dir /ssl/letsencrypt \
        --preferred-challenges --dns-cloudflare \
        --dns-cloudflare-credentials /config/cfapikey \
        --dns-cloudflare-propagation-seconds 60 \
        --preferred-chain "DST Root CA X3"

You’ll need to fill in API_KEY, DOMAIN and EMAIL in the above based on your config. Also if you don’t like any of the file/folder locations I picked feel free to change them.

Afterwards you should find your certificate and key in /ssl/letsencrypt/live/$DOMAIN. Move them from there to where your config expects them to be and restart whatever is serving them up to see if it works.

Hmm, I get the error below:

➜  ~ echo "dns_cloudflare_api_token = xxx" > /config/cfapikey && \
certbot certonly --non-interactive --keep-until-expiring --expand \
        -d "*.xxx" \
        --email "[email protected]" --agree-tos \
        --config-dir /ssl/letsencrypt \
        --preferred-challenges --dns-cloudflare \
        --dns-cloudflare-credentials /config/cfapikey \
        --dns-cloudflare-propagation-seconds 60 \
        --preferred-chain "DST Root CA X3"

usage:
  certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...

Certbot can obtain and install HTTPS/TLS/SSL certificates.  By default,
it will attempt to use a webserver both for obtaining and installing the
certificate.
certbot: error: argument --preferred-challenges: expected one argument

Oh whoops, missed the value for that arg. Take 2:

echo "dns_cloudflare_api_token = ${API_KEY}" > /config/cfapikey && \
certbot certonly --non-interactive --keep-until-expiring --expand \
        -d "$DOMAIN" \
        --email "$EMAIL" --agree-tos \
        --config-dir /ssl/letsencrypt \
        --preferred-challenges dns --dns-cloudflare \
        --dns-cloudflare-credentials /config/cfapikey \
        --dns-cloudflare-propagation-seconds 60 \
        --preferred-chain "DST Root CA X3"

Hmm, still something wrong :slight_smile:

➜  ~ echo "dns_cloudflare_api_token = aaa" > /config/cfapikey && \
certbot certonly --non-interactive --keep-until-expiring --expand \
        -d "*.aaa" \
        --email "aaa" --agree-tos \
        --config-dir /ssl/letsencrypt \
        --preferred-challenges dns --dns-cloudflare \
        --dns-cloudflare-credentials /config/cfapikey \
        --dns-cloudflare-propagation-seconds 60 \
        --preferred-chain "DST Root CA X3"
usage:
  certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...

Certbot can obtain and install HTTPS/TLS/SSL certificates.  By default,
it will attempt to use a webserver both for obtaining and installing the
certificate.
certbot: error: unrecognized arguments: --dns-cloudflare-credentials /config/cfapikey --dns-cloudflare-propagation-seconds 60

Oh right, it's a plugin; the Let’s Encrypt addon installs it in the image, the SSH addon obviously doesn’t have it by default. Run this first, then try again:

pip3 install certbot-dns-cloudflare

Ah, OK, I’ll try it tomorrow, thanks in advance!

OK, did a quick test already :slight_smile:
The command worked now; copy-pasted those 2 files into the ssl folder, overwriting the other 2 already present.
Restarted the nginx addon, cleared the cache in the browser.
Didn't test on Android 5 yet, but in my browser I saw the new certificate active (new date).
But it's still X1?
