[Ovmsdev] mongoose-wolfssl

Michael Balzer dexter at expeedo.de
Mon Mar 22 02:30:33 HKT 2021


On 21.03.21 at 17:43, Craig Leres wrote:
>
> On 3/21/21 6:31 AM, Michael Balzer wrote:
>> I have now added that as a standard feature and included info on 
>> how to create a cert + key in the webserver configuration.
>
> This is awesome!
>
> But I'm having trouble getting it to work. I suspect I don't 
> understand how certs work with ovms.
>
> A long time ago, with the help of some friends, I wrote a /bin/sh 
> script to generate self-signed certs:
>
>     https://ee.lbl.gov/downloads/create-cert/create-cert.tar.gz
>

Your script creates a CA as well and takes care of optional details. 
That's much more simple if all you need is a cert/key pair for encryption.

> What I am expecting is the cn in the certificate to match the https 
> hostname, e.g. ovms-dev.alameda.xse.com and I know my browser does not 
> like it if I navigate to https://ovms-dev.alameda.xse.com/ and the 
> certificate returned does not match.

Of course you need to create the certificate for the hostnames and IP 
addresses you use. CN is the primary hostname, additional hostnames and 
IP addresses are added using the "Subject Alternative Name" extension.

If you're using a dyndns or fixed IP entry like 
"ovms-dev.alameda.xse.com" as your primary address, set that as the CN.

Example:

openssl req -x509 -newkey rsa:2048 -sha256 -days 3650 -nodes \
  -keyout ovms.key -out ovms.crt -subj "/CN=test1.local" \
  -addext "subjectAltName=DNS:test1.dexters-web.de,IP:192.168.4.1,IP:192.168.2.106"

=>

Certificate:
…
         Subject: CN = test1.local
…
             X509v3 Subject Alternative Name:
                 DNS:test1.dexters-web.de, IP Address:192.168.4.1, IP Address:192.168.2.106

> but when I upload the pem and key files it doesn't like the private key:
>
>     Error!
>     TLS private key must be in PEM PRIVATE KEY format

You probably copied the wrong section. You need to copy the full PEM 
text including the BEGIN and END lines, as suggested by the placeholder 
for the textarea.

> I've never used "subjectAltName=IP:192.168.4.1", is that required?

Only if you want to be able to access the OVMS AP by https://192.168.4.1/ .

Regards,
Michael

-- 
Michael Balzer * Helkenberger Weg 9 * D-58256 Ennepetal
Fon 02333 / 833 5735 * Handy 0176 / 206 989 26
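
An added example (not part of the original message or of OVMS): shell helpers that wrap the `openssl req` command above and check the two failure points raised in this thread, an incomplete private-key paste and a hostname or IP the certificate does not cover. The function names and the `demo` argument are assumptions of this example; matching uses `openssl x509 -checkhost`/`-checkip`, which consult only the SAN list once it contains DNS entries, so the demo lists the CN there as well.

```shell
#!/bin/sh
# Added example: helper names and the "demo" argument are hypothetical.

# make_cert <outdir> <cn> <san-list>: the openssl req call from this thread.
make_cert() {
  openssl req -x509 -newkey rsa:2048 -sha256 -days 3650 -nodes \
    -keyout "$1/ovms.key" -out "$1/ovms.crt" -subj "/CN=$2" \
    -addext "subjectAltName=$3" 2>/dev/null
}

# pem_key_ok <file>: succeeds only if the text holds exactly one complete
# PEM private key block, BEGIN line first and END line after it.
pem_key_ok() {
  awk '
    /^-----BEGIN (RSA |EC )?PRIVATE KEY-----[ \r]*$/ { b++; next }
    /^-----END (RSA |EC )?PRIVATE KEY-----[ \r]*$/   { if (b == 1) e++; next }
    END { exit !(b == 1 && e == 1) }
  ' "$1"
}

# cert_covers <cert> <name>: succeeds if OpenSSL's matcher accepts the
# hostname or IP address for this certificate. The result is read from
# the printed message rather than from the exit status.
cert_covers() {
  case $2 in
    *:*)       opt=-checkip ;;    # IPv6 literal
    *[!0-9.]*) opt=-checkhost ;;  # contains non-numeric characters: hostname
    *)         opt=-checkip ;;    # dotted IPv4 address
  esac
  openssl x509 -in "$1" -noout "$opt" "$2" | grep -q 'does match'
}

# Optional demo, run as: sh script.sh demo
if [ "${1:-}" = demo ]; then
  d=$(mktemp -d)
  # Constructed input: names taken from the example in the message.
  make_cert "$d" test1.local \
    "DNS:test1.local,DNS:test1.dexters-web.de,IP:192.168.4.1"
  pem_key_ok "$d/ovms.key" && echo "key: complete PEM block"
  for n in test1.local test1.dexters-web.de 192.168.4.1 192.168.2.106; do
    if cert_covers "$d/ovms.crt" "$n"; then echo "covered: $n"
    else echo "NOT covered: $n"; fi
  done
  rm -rf "$d"
fi
```

`-addext` needs OpenSSL 1.1.1 or later.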

