https fontend with my own CA signed certificates

[clemenlg]

Hello,
I followed the instructions to secure my frontend with https, and add into the configuration.yaml the paramters: ssl_cert and ssl_key.
As my certificates are signed with my own CA, I need to configure too the CA CRT file, but I don't know if it's possible (don't appear in the docs neither as ssl_ca), and if I start with my self signed certificates (own CA) Firefox can't load the site (Error: SEC_ERROR_INADEQUATE_CERT_TYPE).
With the MQTT server works with the own CA signed certificates, because paremeters ca, key and cert are fully documented.
It's possible to use my own CA signed certificates for the frontend ad occurs with the mqtt broker?
If I generate de CRT without sign with my own CA, works fine, but not with a CA signed CRT (because I can't add the CA CRT file in the zigbee2mqtt frontend settings).
Regards

[jamesonuk]

You are missing how TLS works. Your CA is about trust. When Z2M supplies it's server certificate to your client it checks that it is for the website you are viewing and that it has been issued by someone you trust. It is you client that needs to have the CA certificate setup as a trusted CA not the server.

[clemenlg]

Hello @jamesonuk , first of all, thank you for you reply.
Yes, I know that CA certificate must be installed in the browser, in fact, I've it, and works correctly with HomeAssitant, websites, proxmox, mosquitto, ...
If I create the certificates without the CA, it works in zigbee2mqtt:

openssl genrsa -out zigbee2mqtt_web.key 2048
openssl req -new -key zigbee2mqtt_web.key -out zigbee2mqtt_web.csr -config zigbee2mqtt_web.csr.cnf -extensions req_ext
openssl x509 -req -in zigbee2mqtt_web.csr -signkey zigbee2mqtt_web.key -out zigbee2mqtt_web.crt -extfile zigbee2mqtt_web.csr.cnf -extensions req_ext -days 3650

But if I create the certificates signed with the CA, it fails (load the site in the browser):

openssl genrsa -out zigbee2mqtt_web.key 2048
openssl req -new -key zigbee2mqtt_web.key -out zigbee2mqtt_web.csr -config zigbee2mqtt_web.csr.cnf -extensions req_ext
openssl x509 -req -in zigbee2mqtt_web.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out zigbee2mqtt_web.crt -extfile zigbee2mqtt_web.csr.cnf -extensions req_ext -days 3650

I know you said, that it's a browser problem, but I think that if it would be a server problem, my browser ask me for a problem with the CA (MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT), asking too to add a exception for this site, and it's not the problem, as I wrote (SEC_ERROR_INADEQUATE_CERT_TYPE). I could be totally wrong, that's why I asked the question.
I created the crt with the same parameters for mosquitto, home assitant, client for zigbee2mqtt, webservers, proxmox, ... And it works for all, except for zigbee2mqtt, that's the reason why I asked it.
Regards

[jamesonuk]

I know you said, that it's a browser problem, but I think that if it would be a server problem

It is almost certainly a certificate / config problem. I have a certificate signed by own CA setup with

        "frontend": {
            "base_url": "/",
            "enabled": true,
            "host": "zigbee2mqtt.fqdn",
            "package": "zigbee2mqtt-frontend",
            "port": 5443,
            "ssl_cert": "/app/data/z2m.cert.pem",
            "ssl_key": "/app/data/z2m.key.pem",
            "url": "https://zigbee2mqtt.fqdn:5443"
        },

and it is working fine,.

you aren't using the new frontend package are you (you would have had to explicitly set it).

Without seeing your config I am only guessing (but it will not be Z2M related),

Probably something like https://stackoverflow.com/questions/44874571/firefox-sec-error-inadequate-cert-type-with-no-enhanced-key-usage. Have you tried in Chrome / Edge / anOther browser?

[clemenlg]

I saw too the enhanced key usage, because I've it in my config file, but it works with home assistant (Https certificate signed with my ca). I must do some tests, I can't do it today, I'll check it tomorrow.
Thanks for all your help, I'm very appreciate it.
Regards

[jamesonuk]

I would take Z2M out of this and create a simple python server which is really simple to test
https://anvileight.com/blog/posts/simple-python-http-server/#python-3-x-1

You say it works elsewhere but you have a specific zigbee2mqtt_web.csr.cnf file that is specific to this certificate which could be different. You could have just managed to catch an update in Firefox that picks this up and now your older certificate won't work either or something completely different.

I would stuck your existing cert and key in that python server (and have that run on the same hostname as you were using for z2m) and see if you get the same error in Firefox. Also check in other browsers. This really will be a setup issue as the handshake will happen before you get to any real Z2M code (only had a quick look but

zigbee2mqtt/lib/extension/frontend.ts

Lines 88 to 93 in bdb94da

	if (hasSSL(sslKey, "ssl_key") && hasSSL(sslCert, "ssl_cert")) {
	const serverOptions = {key: readFileSync(sslKey), cert: readFileSync(sslCert)};
	this.server = createSecureServer(serverOptions, this.onRequest);
	} else {
	this.server = createServer(this.onRequest);
	}

looks to be the code it really is as simple as load cert and key and use the node:https package which is used everywhere.)

[clemenlg]

I found the problem...
In the certificate config file I've:
extendedKeyUsage = critical, clientAuth
And it fails, because it must be:
extendedKeyUsage = critical, serverAuth
I made this change because it doesn't work with serverAuth for the mosquitto certificate clients: homeassitant, zigbee2mqtt, esp32, ...
The python script was very helpful in finding the error, because a simplier code can make me changes easily...
Thanks for your help @jamesonuk, I close the issue with the documented problem and solution.
Regards

[clemenlg]

Hello,
The problem was in the certificate configuration file, as @jamesonuk first guessed (my mistake).
For mosquitto clients I must put in my certificate configuration file clientAuth in the extendedKeyUsage parameters, but in the webservers it fails, because must be serverAuth.
Web server certificate configuration:

[req]
default_bits            = 2048
prompt                  = no
default_md              = sha256
distinguished_name      = dn

[dn]
C                       = ES
ST                      = Valencia
L                       = Valencia
O                       = Organization
OU                      = Unit
emailAddress            = my@mail.com
CN                      = webdomain.tdl

[req_ext]
basicConstraints        = critical, CA:FALSE
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid:always, issuer:always
keyUsage                = critical, digitalSignature, keyEncipherment, keyAgreement
extendedKeyUsage        = critical, serverAuth
subjectAltName          = @alt_names

[alt_names]
DNS.1                   = webdomain.tld
IP.1                    = my.webserver.ip.address

Mosquitto client certificate configuration:

[req]
default_bits            = 2048
prompt                  = no
default_md              = sha256
distinguished_name      = dn

[dn]
C                       = ES
ST                      = Valencia
L                       = Valencia
O                       = Organization
OU                      = Unit
emailAddress            = my@mail.com
CN                      = mqttdomain.tdl

[req_ext]
basicConstraints        = critical, CA:FALSE
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid:always, issuer:always
keyUsage                = critical, digitalSignature, keyEncipherment, keyAgreement
extendedKeyUsage        = critical, clientAuth
subjectAltName          = @alt_names

[alt_names]
DNS.1                   = mqttdomain.tld
IP.1                    = my.mqttserver.ip.address

Regards