I’m working on setting up TLS for the service running on port 8443 (not Mosquitto, which appears to be the service which deals with MQTT messages). I’m having trouble finding the configuration which stores the password for the Java keystore. Let me explain what I’ve found so far and I’m hoping someone can point me in the right direction for where to find this password.
The OpenHAB docs explain that a self-signed certificate is used by default. This is good and will work for the vast majority of people, but some people might want to change it. It identifies the location of the keystore as $OPENHAB_USERDATA/etc/keystore. The variable is defined in /usr/lib/systemd/system/openhab2.service as being /var/lib/openhab2, and there is a keystore at /var/lib/openhab2/etc/keystore. So far so good.
Next, I wanted to take a look at what is in there before I go messing around with things. The Java keytool is not in $PATH, nor is it in a standard place (which is fine, and I’ll just document these things). I wanted to list the keys, so I ran this:
/opt/jdk/zulu8.40.0.178-ca-jdk1.8.0_222-linux_aarch32hf/bin/keytool -list -v -storepass changeit -keystore /var/lib/openhab2/etc/keystore
The password changeit is the default password for Java keystores, and I even found a closed issue reporting that openhabian didn’t change it from the default; it was effectively closed as WONTFIX because the tiny security gain isn’t worth the effort. However, when I run the command above, it says the password is incorrect.
Surely this password must be in a configuration file somewhere, because the webserver on 8443 is reading its certificates from somewhere, but I can’t find it. I found /usr/share/openhab2/runtime/etc/jetty.xml, which contains a value for jetty.ssl.password, but that password doesn’t work, and it also points to /etc/myKeystore, which doesn’t actually exist, so I’m guessing this config file isn’t being used?
The OpenHAB docs say that Jetty is included as the HTTP server, so it seemed promising. I think I’d be able to troubleshoot this far more effectively if I understood how OSGi, Apache Karaf, Eclipse Equinox, Jetty, Mosquitto, and whatever other components make up OpenHAB fit together. The OpenHAB docs mention the technologies, but the “concepts” section of the docs does not mention any of these components. I also checked the Developer Guides and Developer Appendix and couldn’t find a software architecture diagram for all of OpenHAB there either.
Another way I might be able to piece together these things would be to build an image myself and flash it onto a pi. I see that is described on the wiki now, but I’d really rather wrap up the task of getting TLS set up on my system (and documented).
P.S.: I like my new username
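Added example (my own code, not from openHAB or its docs) for the "what is in there" step above: a JKS keystore stores aliases and certificates in the clear and uses the store password only for a trailing SHA-1 integrity hash, so you can list the entries without the password and then confirm whether the default "changeit" really is the store password. It assumes the file is a JKS store (the Java 8 default); PKCS12 and JCEKS stores are rejected rather than misread.

```python
import hashlib
import struct

JKS_MAGIC = 0xFEEDFEED
MAC_SALT = b"Mighty Aphrodite"  # fixed string Java's JKS code mixes into the integrity hash

def _utf(buf, off):
    """Read a Java DataOutput.writeUTF string: 2-byte big-endian length, then bytes (ASCII aliases assumed)."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n].decode("utf-8"), off + 2 + n

def parse_jks(data):
    """Walk the entries of a JKS file; return (entries, bytes covered by the MAC, stored 20-byte MAC)."""
    magic, version, count = struct.unpack_from(">III", data, 0)
    if magic != JKS_MAGIC or version != 2:
        raise ValueError("not a JKS v2 keystore (PKCS12 and JCEKS stores are not handled here)")
    off, entries = 12, []
    for _ in range(count):
        (tag,) = struct.unpack_from(">I", data, off)
        alias, off = _utf(data, off + 4)
        (ts_ms,) = struct.unpack_from(">Q", data, off); off += 8
        if tag == 1:  # PrivateKeyEntry: encrypted PKCS#8 blob, then the certificate chain
            (klen,) = struct.unpack_from(">I", data, off); off += 4 + klen
            (nchain,) = struct.unpack_from(">I", data, off); off += 4
        elif tag == 2:  # trustedCertEntry: exactly one certificate
            nchain = 1
        else:
            raise ValueError("unknown JKS entry tag %d" % tag)
        for _ in range(nchain):
            _, off = _utf(data, off)  # certificate type, normally "X.509"
            (clen,) = struct.unpack_from(">I", data, off); off += 4 + clen
        entries.append({"alias": alias, "kind": "PrivateKeyEntry" if tag == 1 else "trustedCertEntry",
                        "created_ms": ts_ms, "certs": nchain})
    return entries, data[:off], data[off:off + 20]

def password_matches(data, password):
    """True if `password` is the store password: SHA-1(password as UTF-16BE || salt || body) == stored MAC."""
    _, body, mac = parse_jks(data)
    return hashlib.sha1(password.encode("utf-16-be") + MAC_SALT + body).digest() == mac

def build_jks(password, alias=b"openhab", cert=b"\x30\x03\x02\x01\x01"):
    """Constructed sample store (one trustedCertEntry holding a dummy DER blob) so this runs offline."""
    body = struct.pack(">III", JKS_MAGIC, 2, 1)
    body += struct.pack(">IH", 2, len(alias)) + alias + struct.pack(">Q", 1_600_000_000_000)
    body += struct.pack(">H", 5) + b"X.509" + struct.pack(">I", len(cert)) + cert
    return body + hashlib.sha1(password.encode("utf-16-be") + MAC_SALT + body).digest()
```

On a real system, read the file with `open("/var/lib/openhab2/etc/keystore", "rb").read()` and pass it to `parse_jks` and `password_matches(data, "changeit")`; a ValueError on the magic number means the store is not JKS and keytool's `-storetype` needs to match.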