Support HTTPS for incoming requests #68

Open
mensa84 opened this issue Dec 2, 2019 · 33 comments

@mensa84

mensa84 commented Dec 2, 2019

Hello,

for security reasons: Is it also possible to use HTTPS instead of HTTP?
That would be a really nice feature :)

@benzman81
Owner

Not possible for now. Feel free to provide a pull request.

@mensa84
Author

mensa84 commented Dec 2, 2019

Thanks for your answer, if I want to create a pull request, I always get that message, what should I do?

"Choose different branches or forks above to discuss and review changes. "

I don't see a different branch or fork.

@benzman81
Owner

First you need to fork the repo. Develop your feature, and then create a pull request from this repo to mine.

@mensa84
Author

mensa84 commented Dec 3, 2019

Oh, sorry, I am no developer. Could I just create a "Feature request"?

@benzman81
Owner

Of course ;-)

@mensa84
Author

mensa84 commented Dec 3, 2019

Where and how? Or is this already one? ;)

@benzman81
Owner

This issue is the feature request ;-)

@mensa84
Author

mensa84 commented Dec 3, 2019

Perfect, thanks!
Is it complicated to get HTTPS to work?

@benzman81
Owner

I don't know. Since this is within the local network, I have no focus on this. So if someone will implement it, it has to come from the community.

@mensa84
Author

mensa84 commented Dec 3, 2019

I have to use that Webhooks plugin from the WAN side, because the device "Withings Sleep" can only trigger IFTTT and IFTTT runs in the cloud. So currently I have to access my webhooks plugin externally over HTTP; HTTPS would be more secure.

benzman81 changed the title from "HTTPS not working?" to "Support HTTPS for incoming requests" on Dec 4, 2019

@alexbohariuc

> I have to use that Webhooks plugin from the WAN side, because the device "Withings Sleep" can only trigger IFTTT and IFTTT runs in the cloud. So currently I have to access my webhooks plugin externally over HTTP; HTTPS would be more secure.

Actually, I'm using IFTTT and it's working via HTTP - dunno which is your scenario, but sending webhook request from IFTTT to homebridge via this plugin works.

@benzman81
Owner

You should not open a port and send HTTP through it, as this punches a hole in your firewall and everyone on the inet listening can access it. You can try to use ngrok as a tunnel.

@mensa84
Author

mensa84 commented Jan 13, 2020

Is there a free version of ngrok which can do this or a free alternative?
I don't wanna pay a monthly fee, just to access my devices/homebridge outside home.

@benzman81
Owner

Now supports HTTPS with a self-signed cert (beta state). Feel free to test. After your feedback as verification I will close this.

@mensa84
Author

mensa84 commented Jan 16, 2020

Installation of 0.0.55 fails:

```
root@Server:~# npm -g install homebridge-http-webhook@0.0.55 --unsafe-perm
npm ERR! code E404
npm ERR! 404 Not Found - GET https://registry.npmjs.org/homebridge-http-webhook - Not found
npm ERR! 404
npm ERR! 404  'homebridge-http-webhook@0.0.55' is not in the npm registry.
npm ERR! 404 You should bug the author to publish it (or use the name yourself!)
npm ERR! 404
npm ERR! 404 Note that you can also install from a
npm ERR! 404 tarball, folder, http url, or git url.

npm ERR! A complete log of this run can be found in:
npm ERR!     /root/.npm/_logs/2020-01-16T08_10_52_251Z-debug.log
```

@benzman81
Owner

Should do. Try newest version 0.0.56.

@mensa84
Author

mensa84 commented Jan 17, 2020

Same error:

```
root@Server:~# npm -g install homebridge-http-webhook@0.0.56
npm ERR! code E404
npm ERR! 404 Not Found - GET https://registry.npmjs.org/homebridge-http-webhook - Not found
npm ERR! 404
npm ERR! 404  'homebridge-http-webhook@0.0.56' is not in the npm registry.
npm ERR! 404 You should bug the author to publish it (or use the name yourself!)
npm ERR! 404
npm ERR! 404 Note that you can also install from a
npm ERR! 404 tarball, folder, http url, or git url.

npm ERR! A complete log of this run can be found in:
npm ERR!     /root/.npm/_logs/2020-01-17T08_03_42_853Z-debug.log
```

@benzman81
Owner

Must be some issue on your local machine. Others already installed this version without issues.

@mensa84
Author

mensa84 commented Jan 17, 2020

It worked now by uninstalling and re-installing with @latest.

But HTTPS is not working. I always get that error:

Fehler: Gesicherte Verbindung fehlgeschlagen

Beim Verbinden mit server:51828 trat ein Fehler auf. SSL hat einen Eintrag erhalten, der die maximal erlaubte Länge überschritten hat.

Fehlercode: SSL_ERROR_RX_RECORD_TOO_LONG

    Die Website kann nicht angezeigt werden, da die Authentizität der erhaltenen Daten nicht verifiziert werden konnte.
    Kontaktieren Sie bitte den Inhaber der Website, um ihn über dieses Problem zu informieren.

@benzman81
Owner

Tried with the current versions of Chrome, Firefox, Safari and some request tool. Didn't get this exception. I only found this error regarding Firefox. You may want to look here: https://www.ssl2buy.com/wiki/ssl_error_rx_record_too_long-firefox-error

If you can't get this to work, you might use the new version 0.0.57. With this you should be able to use your own certificate (didn't test it, but option is available). Maybe this helps.

@mensa84
Author

mensa84 commented Jan 19, 2020

It does not matter which browser is able to do it successfully. IFTTT can't handle it.
So I think 0.0.57 also will not help to work with IFTTT, will it?

@benzman81
Owner

Tested with IFTTT, too. It's working over here.

@benzman81
Owner

Anyone tested HTTPS successfully except me?

@mensa84
Author

mensa84 commented Mar 29, 2020

I would like to test again, is it necessary to use "https_keyfile" and "https_certfile"?
Or what is the simplest configuration to just activate HTTPS?

@benzman81
Owner

These settings are just needed if you want a custom key and cert file. Just setting https to true is the simplest setting.

@mensa84
Author

mensa84 commented Mar 29, 2020

I am receiving these errors:

```
Mar 29 17:25:31 Server homebridge[9713]: [3/29/2020, 5:25:31 PM] [HttpWebHooks] Using automatic created ssl certificate.
Mar 29 17:25:31 Server homebridge[9713]: [3/29/2020, 5:25:31 PM] Error: error:140AB18F:SSL routines:SSL_CTX_use_certificate:ee key too small
Mar 29 17:25:31 Server homebridge[9713]:     at Object.createSecureContext (_tls_common.js:137:17)
Mar 29 17:25:31 Server homebridge[9713]:     at Server.setSecureContext (_tls_wrap.js:1080:27)
Mar 29 17:25:31 Server homebridge[9713]:     at Server (_tls_wrap.js:960:8)
Mar 29 17:25:31 Server homebridge[9713]:     at new Server (https.js:61:14)
Mar 29 17:25:31 Server homebridge[9713]:     at Object.createServer (https.js:84:10)
Mar 29 17:25:31 Server homebridge[9713]:     at Object.https.createServer (/usr/lib/node_modules/homebridge-http-webhooks/node_modules/http-auth/src/server/https.js:34:38)
Mar 29 17:25:31 Server homebridge[9713]:     at HttpWebHooksPlatform.accessories (/usr/lib/node_modules/homebridge-http-webhooks/index.js:497:15)
Mar 29 17:25:31 Server homebridge[9713]:     at Server._loadPlatformAccessories (/usr/lib/node_modules/homebridge/lib/server.js:403:20)
Mar 29 17:25:31 Server homebridge[9713]:     at Server._loadPlatforms (/usr/lib/node_modules/homebridge/lib/server.js:341:16)
Mar 29 17:25:31 Server homebridge[9713]:     at Server.run (/usr/lib/node_modules/homebridge/lib/server.js:90:36)
Mar 29 17:25:31 Server homebridge[9713]:     at module.exports (/usr/lib/node_modules/homebridge/lib/cli.js:59:10)
Mar 29 17:25:31 Server homebridge[9713]:     at Object.<anonymous> (/usr/lib/node_modules/homebridge/bin/homebridge:17:22)
Mar 29 17:25:31 Server homebridge[9713]:     at Module._compile (internal/modules/cjs/loader.js:816:30)
Mar 29 17:25:31 Server homebridge[9713]:     at Object.Module._extensions..js (internal/modules/cjs/loader.js:827:10)
Mar 29 17:25:31 Server homebridge[9713]:     at Module.load (internal/modules/cjs/loader.js:685:32)
Mar 29 17:25:31 Server homebridge[9713]:     at Function.Module._load (internal/modules/cjs/loader.js:620:12)
Mar 29 17:25:31 Server homebridge[9713]:     at Function.Module.runMain (internal/modules/cjs/loader.js:877:12)
Mar 29 17:25:31 Server homebridge[9713]:     at internal/main/run_main_module.js:21:11
```

@benzman81
Owner

Seems you hit this issue on your system: jfromaniello/selfsigned#33

Once fixed, I will update the lib.

@mensa84
Author

mensa84 commented Mar 29, 2020

Thank you, could you please tell me what I should do exactly?
It's a debian x64 linux where I only installed homebridge and some plugins, so I don't understand why my system is the issue.

@benzman81
Owner

Either you wait for the library to fix this issue, or you use the mentioned workaround:

Only way around it is to modify `/etc/ssl/openssl.cnf` and change:

`CipherString = DEFAULT@SECLEVEL=2`
to
`CipherString = DEFAULT@SECLEVEL=1`

@mensa84
Author

mensa84 commented Mar 29, 2020

Thank you very much! That helped and I was able to test HTTPS successfully! Thanks a lot for implementing that!

Should I later revert that change in the mentioned .cnf file?

@benzman81
Owner

I would revert it as it lowers security right now.

I will keep this bug open until the library and so my plugin fixes this, so you will get a notification for it.

@mensa84
Author

mensa84 commented Apr 22, 2022

Hi, is there already a fix for that problem?

I want to call a WebHook in Homebridge from The Things Stack but it always fails there as soon as I enable HTTPS here in WebHooks plugin. Do you know a solution?

SECLEVEL is still set to 1, so this is also no fix for that.

Is there any log where I can see what is the problem?

Other WebHooks with HTTPS like webhook.site do work without problems with The Things Stack.

@benzman81
Owner

@mensa84 the bug is not fixed yet. So no news on this side.
If you can call the https url of this plugin using curl or wget, then the plugin works as expected. You need to use the option --no-check-certificate for wget and --insecure for curl.

Your problem with The Things Stack might be that a self-signed certificate is used and so it is possibly untrusted. Other https sites might have valid certificates.
