
MacOS does not recognise self-signed controller certificate

Open • FleetPhil opened this issue 7 months ago • 1 comment

I have successfully registered a client with the SHC, but access to the API from a macOS application using URLSession is refused with the error: "Smart Home Controller Productive Root CA" certificate is not trusted.

It looks like the certificate provided by the SHC is not linked to a root that is registered on my device. This can also be seen from a curl trace...

```
curl -kv --cert xxx.cert.pem  --key xxx.private.key  https://192.168.86.200:8444/smarthome/rooms/
*   Trying 192.168.86.200:8444...
* Connected to 192.168.86.200 (192.168.86.200) port 8444
* ALPN: curl offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
* (304) (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Request CERT (13):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS handshake, CERT verify (15):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384 / [blank] / UNDEF
* ALPN: server did not agree on a protocol. Uses default.
* Server certificate:
*  subject: C=DE; O=Robert Bosch Smart Home GmbH; CN=64-da-a0-40-3a-c8
*  start date: Jan 10 06:37:53 2023 GMT
*  expire date: Jan 10 06:37:53 2025 GMT
*  issuer: C=DE; O=Bosch Thermotechnik GmbH; CN=Smart Home Controller Issuing CA
*  SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.
* using HTTP/1.x
> GET /smarthome/rooms/ HTTP/1.1
> Host: 192.168.86.200:8444
> User-Agent: curl/8.6.0
> Accept: */*
> 
< HTTP/1.1 200 OK
```
(continues with response)

The issue is the line `SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway`; this is fine on the command line with curl, but in an application this causes the error above: “Smart Home Controller Productive Root CA” certificate is not trusted.

What I think I need to do is add the SHC Root CA to the keychain on my device, but I don't know how, or if this is the right approach?

FleetPhil • Jul 17 '24 09:07
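To see what verify error 19 in the trace above actually means, and why the fix is to supply the controller's Root CA as a trust anchor rather than to skip verification, here is an added example that is not code from the issue or from the SHC project. It builds a constructed stand-in chain with the same shape as the controller's (Root CA → Issuing CA → leaf; all names, keys and the config file are assumptions made here) and runs the same X.509 check with and without the root trusted:

```shell
#!/bin/sh
# Added example (not from the issue): stand-in Root CA -> Issuing CA -> controller leaf,
# all keys and names constructed here, verified once without and once with the root pinned.
set -eu
WORK=$(mktemp -d); cd "$WORK"
# Minimal OpenSSL config: CA extensions for the two CAs, server extensions for the leaf.
cat > chain.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = unused
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = IP:192.168.86.200
EOF
# Root CA (self-signed), Issuing CA (signed by root), controller leaf (signed by issuing CA).
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config chain.cnf -extensions v3_ca \
  -subj "/O=Example/CN=Test Root CA" -keyout root.key -out root.pem 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -config chain.cnf \
  -subj "/O=Example/CN=Test Issuing CA" -keyout issuing.key -out issuing.csr 2>/dev/null
openssl x509 -req -in issuing.csr -CA root.pem -CAkey root.key -CAcreateserial -days 30 \
  -extfile chain.cnf -extensions v3_ca -out issuing.pem 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -config chain.cnf \
  -subj "/O=Example/CN=64-da-a0-40-3a-c8" -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA issuing.pem -CAkey issuing.key -CAcreateserial -days 30 \
  -extfile chain.cnf -extensions v3_leaf -out leaf.pem 2>/dev/null
# What a controller sends in the TLS handshake: its leaf plus the CA chain up to the root.
cat issuing.pem root.pem > served_chain.pem
# Prints 0 when leaf.pem verifies, otherwise the X.509 error number
# (19 = "self signed certificate in certificate chain", the code in the curl trace).
# $1 is a trust-anchor bundle, or "" to rely on the system trust store alone.
verify_code() {
  if [ -n "$1" ]; then
    out=$(openssl verify -CAfile "$1" -untrusted served_chain.pem leaf.pem 2>&1) && { echo 0; return 0; }
  else
    out=$(openssl verify -untrusted served_chain.pem leaf.pem 2>&1) && { echo 0; return 0; }
  fi
  echo "$out" | sed -n 's/.*error \([0-9][0-9]*\) at .*/\1/p' | head -n 1
}
echo "system store only: error $(verify_code "")"        # 19: the root is unknown to the device
echo "root pinned:       error $(verify_code root.pem)"  # 0: chain is complete and trusted
```

The second call is the check that `curl --cacert <root.pem>` (instead of `-k`) and a keychain entry for the controller's Root CA perform: verification succeeds against that one anchor only, which keeps TLS validation enabled.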