SolarNode Simulate HTTPS Requests With Node Certificate
These commands can be run on a SolarNode to troubleshoot SSL connections to SolarNetwork.
We use OpenSSL's s_client tool for this, which requires the node certificate in PEM form, so first we convert the node.jks keystore into that form.
First get the node's keystore password:
cd /etc/solarnode
grep keyStorePassword identity.json
That should print out something like:
"keyStorePassword" : "xyz"
Now convert the Java keystore into PKCS#12 form. You will be prompted for the password several times; use the value you extracted in the previous step:
keytool -importkeystore -srckeystore node.jks -srcstoretype jks \
-destkeystore node.p12 -deststoretype pkcs12
The output should look similar to:
Importing keystore node.jks to node.p12...
Enter destination keystore password:
Re-enter new password:
Enter source keystore password:
Entry for alias node successfully imported.
Entry for alias ca successfully imported.
Import command completed: 2 entries successfully imported, 0 entries failed or cancelled
The s_client tool requires the certificate to be PEM encoded, so now we convert the PKCS#12 keystore into PEM form. Keep using the same password when prompted:
openssl pkcs12 -in node.p12 -out node.pem
The output should look similar to:
Enter Import Password:
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
OpenSSL comes with the s_client tool that can be used to debug TLS connections. We'll use s_client to connect to SolarIn and make an HTTP request for the node's metadata, using the node's certificate for authentication:
openssl s_client -connect in.solarnetwork.net:443 -showcerts -cert node.pem -certform pem -crlf
Then paste in this HTTP request:
GET /solarin/api/v1/pub/nodes/meta HTTP/1.1
Host: in.solarnetwork.net
Accept: application/json
Connection: Close
Note there are 2 returns at the end of that message: the blank line marks the end of the HTTP request headers.
You should see a successful request, like:
HTTP/1.1 200
Server: nginx
Date: Wed, 07 Jun 2023 22:14:32 GMT
Content-Type: application/json
Transfer-Encoding: chunked
Connection: close
Vary: origin,access-control-request-method,access-control-request-headers,accept,accept-encoding
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
Strict-Transport-Security: max-age=31536000 ; includeSubDomains
X-Frame-Options: DENY
243
{"success":true,"data":{"totalResults":2,"startingOffset":0,"returnedResultCount":2,"results":[{"nodeId":664,...}]}}
0
closed
Note there may or may not be any actual metadata in the response, but you should at least see {"success":true}
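The same steps as a non-interactive script, added here as an example and not part of the SolarNode project. Because node.p12 and node.pem contain the node's private key, it writes them to a private temporary directory and removes them on exit. The function names and the `run` argument are this example's own, and it assumes the keystore and key share one password, as in the steps above.

```shell
#!/bin/sh
# Added example, not SolarNode project code. Function names are this example's own.

# Print the keyStorePassword value from an identity.json-style file.
keystore_password() {
    sed -n 's/.*"keyStorePassword"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Emit the metadata request with CRLF line endings and the blank line that ends the headers.
meta_request() {
    printf 'GET /solarin/api/v1/pub/nodes/meta HTTP/1.1\r\n'
    printf 'Host: %s\r\nAccept: application/json\r\nConnection: Close\r\n\r\n' "$1"
}

# Read an HTTP response on stdin and print the status code of its first status line.
http_status() {
    sed -n 's|^HTTP/[0-9.]* \([0-9][0-9][0-9]\).*|\1|p' | head -n 1
}

# Convert the keystore in a private temp dir, make the request, print the status code.
# Runs in a subshell so the password variable and the EXIT trap do not leak.
check_node_tls() (
    dir=${1:-/etc/solarnode}
    host=${2:-in.solarnetwork.net}
    KS_PASS=$(keystore_password "$dir/identity.json")
    [ -n "$KS_PASS" ] || { echo "keyStorePassword not found" >&2; exit 1; }
    export KS_PASS                      # passed via environment, not argv
    tmp=$(mktemp -d) || exit 1          # mktemp -d creates a mode 0700 directory
    trap 'rm -rf "$tmp"' EXIT           # remove the private key copies on any exit
    keytool -importkeystore -noprompt \
        -srckeystore "$dir/node.jks" -srcstoretype jks -srcstorepass:env KS_PASS \
        -destkeystore "$tmp/node.p12" -deststoretype pkcs12 \
        -deststorepass:env KS_PASS >/dev/null 2>&1 || exit 1
    openssl pkcs12 -in "$tmp/node.p12" -out "$tmp/node.pem" \
        -passin env:KS_PASS -passout env:KS_PASS || exit 1
    # -quiet keeps the connection open until the server closes it
    status=$(meta_request "$host" | openssl s_client -connect "$host:443" \
        -cert "$tmp/node.pem" -certform pem -pass env:KS_PASS -quiet 2>/dev/null | http_status)
    echo "${status:-no-response}"
    [ "$status" = 200 ]
)

# Only touch the keystore when explicitly asked: sh script.sh run [dir] [host]
if [ "${1:-}" = run ]; then shift; check_node_tls "$@"; fi
```

The request is sent with explicit CRLF endings, so the -crlf option from the interactive command is not needed here.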