
I'm currently configuring two Raspberry Pis on my home network. One serves data from sensors on a Node server to the second Pi (a web server, also running on Node). Both of them are behind an nginx proxy. After a lot of configuring and searching I found a working solution. The web server is using Dataplicity to make it accessible from the WWW. I don't use Dataplicity on the second Pi (the server of sensor data):

server {
  listen 80;
  server_name *ip-address*;

  location / {
      proxy_set_header X-Forwarded-For $remote_addr;
      proxy_set_header Host $http_host;
      proxy_pass http://127.0.0.1:3000;
  }
}

server {
  listen 443 ssl;
  server_name *ip-address*;

  # "ssl on;" is not needed with "listen 443 ssl" and is removed in newer nginx
  ssl_certificate /var/www/cert.pem;
  ssl_certificate_key /var/www/key.pem;

  location / {
      add_header Access-Control-Allow-Origin "*";
      proxy_pass http://127.0.0.1:3000;
  }
}

This config works. However, ONLY on my computer. From other computers I get ERR_INSECURE_RESPONSE when trying to access the API with an Ajax request. The certificate is self-signed. Help is much appreciated.

EDIT: Still no fix for this problem. I signed up for Dataplicity for my second device as well. This fixed my problem, but it now runs through a third party. Will look into this in the future. So if anyone has an answer to this, please do tell.

3 Answers

It seems that your certificates aren't correct; root certificate missing? (It can work on your computer if you have already accepted the insecure certificate in your browser.)

Check if your certificates are good; the following commands must give the same result:

openssl x509 -noout -modulus -in mycert.crt | openssl md5
openssl rsa -noout -modulus -in mycert.key | openssl md5
openssl x509 -noout -modulus -in mycert.pem | openssl md5

If one output differs from the others, the certificate has been badly generated.

You can also check it directly on your computer with curl: curl -v -i https://yourwebsite

If the top of the output shows an insecure warning, the certificate has been badly generated.


3 Comments

I have only two certs: cert.pem and key.pem. Both of them give the same result using your command.
Rebuilt URL to: 192.***.*.***/ * Hostname was NOT found in DNS cache * Trying 192.***.*.***... * Connected to 192.168.1.106 (192.***.*.***) port 443 (#0) * successfully set certificate verify locations: * CAfile: none CApath: /etc/ssl/certs * SSLv3, TLS handshake, Client hello (1): * SSLv3, TLS handshake, Server hello (2): * SSLv3, TLS handshake, CERT (11): * SSLv3, TLS alert, Server hello (2): * SSL certificate problem: self signed certificate * Closing connection 0 * SSLv3, TLS alert, Client hello (1): curl: (60) SSL certificate problem: self signed certificate
OK, it seems there's no certificate chain problem. Two solutions: for the good one, add your certificate to the trust store of your client (see post on top); if it's done correctly curl will stop giving you the failure. Or the bad one: in your Node client app just put this '"rejectUnauthorized": false' in all your HTTP request options: request.post({uri: "https://..", rejectUnauthorized: false, ...})

The post above looks about right.

The certificates and/or SSL is being rejected by your client.

This could be a few things, assuming the certificates themselves are publicly signed (they probably are not).

Date and time mismatch is possible (certificates are sensitive to the system clock).

If your certs are self-signed, you'll need to make sure your remote device is configured to accept your private root certificate.

Lastly, you might need to configure your server to use only modern encryption methods. Your client may be rejecting some older methods if it has been updated since the POODLE attacks.

This post should let you create a certificate https://www.digitalocean.com/community/tutorials/how-to-create-a-self-signed-ssl-certificate-for-nginx-in-ubuntu-16-04, though I think you've already made it this far.

This post https://unix.stackexchange.com/questions/90450/adding-a-self-signed-certificate-to-the-trusted-list will let you add your new private root cert to the trusted list on your client.

And finally, this is the recommended SSL config in Ubuntu (sourced from here https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-on-ubuntu-14-04).

    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;
    ssl_certificate /etc/nginx/ssl/nginx.crt;
    ssl_certificate_key /etc/nginx/ssl/nginx.key;

Or if you get really stuck, just PM me your account details I'll put a second free device on your Dataplicity account:)

3 Comments

Thank you for a great answer! Will look into the sources you provided. Don't think it's possible to PM here on SO? I'll give this a new comment if I'm stuck again and we can take it from there.
No luck. How can I reach you to set up a second Dataplicity?
OK, added another device for you - glad to help :-) Please let me know if I can be of any further assistance...
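The two checks the first and second answers describe (cert/key modulus comparison, and trusting a private root so verification succeeds) carried through end to end on constructed material. This is an added example, not code from the question or any answer: it creates a throwaway private CA and a server certificate for the documentation address 192.0.2.10 in a temp directory, then shows why a bare self-signed cert fails and what changes once the root is trusted.

```shell
#!/bin/sh
# Added example: throwaway private CA + server cert in a temp dir (constructed).
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 1. Private root CA: the certificate the *client* must be told to trust.
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Home Lab Root" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null

# 2. Server key + CSR for the sensor Pi. The SAN must carry the address the
#    browser actually dials (an IP here); CN alone is not enough for clients.
openssl req -newkey rsa:2048 -nodes -subj "/CN=192.0.2.10" \
  -keyout "$WORK/key.pem" -out "$WORK/server.csr" 2>/dev/null
printf 'subjectAltName=IP:192.0.2.10\n' > "$WORK/san.cnf"
openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 1 -extfile "$WORK/san.cnf" -out "$WORK/cert.pem" 2>/dev/null

# Answer 1's check: the key and the certificate must share one modulus.
# Returns 0 when they match, 1 when the pair was "badly generated".
moduli_match() {
  c=$(openssl x509 -noout -modulus -in "$1" | openssl md5)
  k=$(openssl rsa  -noout -modulus -in "$2" | openssl md5)
  [ "$c" = "$k" ]
}

# Answer 2's point: the chain only validates once the private root is trusted.
# verifies_without_ca uses the system store, which is what a second computer
# or browser sees; verifies_with_ca is the "add the root to the trust store" case.
verifies_without_ca() { openssl verify "$1" >/dev/null 2>&1; }
verifies_with_ca()    { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }

# Stand-alone run prints the outcome of each check.
moduli_match "$WORK/cert.pem" "$WORK/key.pem" && echo "cert.pem and key.pem match"
verifies_without_ca "$WORK/cert.pem" || echo "system trust store: rejected (ERR_INSECURE_RESPONSE territory)"
verifies_with_ca "$WORK/cert.pem" "$WORK/ca.pem" && echo "with private root trusted: OK"
```

On the Node side the equivalent of the trust-store step is passing the root via the `ca` option of the HTTPS request rather than setting `rejectUnauthorized: false`, which disables verification entirely.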

Cool project, keen to help out.

Dataplicity Wormhole redirects a service listening on port 80 on the device to a public URL in the form https://*.dataplicity.io, and puts a dataplicity certificate in front. Due to the way HTTPS works, the port being redirected via dataplicity cannot use HTTPS, as it would mean we are unable to forward the traffic via the dataplicity.io domain. The tunnel from your device to Dataplicity is encrypted anyway.

Is there a reason you prefer not to run Dataplicity on the second Pi? While you can run a webserver locally of course, this would be a lot easier and more portable across networks if you just installed a second instance of Dataplicity on your second device...

2 Comments

It's just that I don't feel I need to. It's only there to feed data to my web server. So I would prefer to find a solution to my current setup, if possible?
If I don't find a solution, however, I will most likely set up a second Dataplicity.
