agent icon indicating copy to clipboard operation
agent copied to clipboard
verified publisher icon kerberos-io

Getting ONVIF to work with Axis cameras

Open AJJO78 opened this issue 4 months ago • 3 comments

Hi.

I'm working on a POC for a larger deployment and one of the systems that is being tested is Kerberos.io. It is a nice and rich system, but I do have one issue that is a quite major showstopper. I have tried sending e-mails, but since there is no response, I will give it a last try here.

I have been trying for a few days to get the agent to connect to my test cameras using the ONVIF protocol to get access to PTZ. The cameras I have in the POC is two models, Axis M5075-G and P6555-E.

The error message that I keep getting in the UI and in the log is: DEBU[2025-08-22T08:38:18+02:00] onvif.ConnectToOnvifDevice(): started DEBU[2025-08-22T08:38:18+02:00] onvif.ConnectToOnvifDevice(): camera is not available at https://[IP-address]/onvif/device_service or it does not support ONVIF services DEBU[2025-08-22T08:38:18+02:00] onvif.ConnectToOnvifDevice(): finished ERRO[2025-08-22T08:38:18+02:00] cloud.HandleHeartBeat(): error while connecting to ONVIF device: camera is not available at https://[IP-address]/onvif/device_service or it does not support ONVIF services

  • I have verified that the camera and the agent container is on the same NTP and time.
  • I have created an account on the Axis camera, both as a normal user that is used for the video stream and the ONVIF. I have tried having these users as both operator and administrator.
  • I have disabled and re-enabled the "Enable reply attack protection"

I have tried the plain way of just adding the configuration in the docker-compose file, like this: AGENT_CAPTURE_IPCAMERA_ONVIF: true AGENT_CAPTURE_IPCAMERA_ONVIF_XADDR: "https://[IP-address]/onvif/device_service" AGENT_CAPTURE_IPCAMERA_ONVIF_USERNAME: "xxxxxxxx" AGENT_CAPTURE_IPCAMERA_ONVIF_PASSWORD: "xxxxxxxx"

I also tried switching to HTTPS, no go.

This was no go. I then created a custom docker image and added the certificate from the camera, since this is a self-generated certificate, added a "extra_hosts" to make sure that the name of the camera, that is also the CN of the certificate would be resolved to the correct IP-address and to make sure that the certificate used would be "trusted". I the changed the IP-address for the hostname in the "AGENT_CAPTURE_IPCAMERA_ONVIF_XADDR:", but still no luck. I also just for good measure added :443 at the end of the hostname, but still no luck.

I have verified from within the container that the certificate of the camera is trusted, the camera does reply to queries against the camera. I have set the "LOG_LEVEL" to debug in hoping that I would get something more useful.

I have googled, I have tried using ChatGPT. I have tried to find out if there is anything else that needs to be installed or enabled. But no luck.

I'm stuck, and I don't know what to do next, but this is a strong requirement that we have if we would decide to go forward with this product, and eventually par for self-hosting HUB for instance.

AJJO78 avatar Aug 22 '25 07:08 AJJO78

Hello @AJJO78, could you share the Axis firmware version, and also the ONVIF version you are currently running. Also the ONVIF authentication mechanism is it set to basic-authentication or token based authentication.

cedricve avatar Aug 25 '25 07:08 cedricve

Hi and thanks for the reply.

I have on both models tried 10.12.166, 11.11.135 and 11.11.148. All of them seem to have similar issue.

The funny thing is that in the log it looks like it tries and then gives up immediately: DEBU[2025-08-22T08:37:58+02:00] onvif.ConnectToOnvifDevice(): started DEBU[2025-08-22T08:37:58+02:00] onvif.ConnectToOnvifDevice(): camera is not available at https://axis-b8a44f75c783:443/onvif/device_service or it does not support ONVIF services DEBU[2025-08-22T08:37:58+02:00] onvif.ConnectToOnvifDevice(): finished ERRO[2025-08-22T08:37:58+02:00] cloud.HandleHeartBeat(): error while connecting to ONVIF device: camera is not available at https://axis-b8a44f75c783:443/onvif/device_service or it does not support ONVIF services

So I'm curios it there is actually any request being sent out. I have not been able to catch anything in the logs in the cameras, and I haven't got around to do a wireshark to verify this.

AJJO78 avatar Aug 25 '25 10:08 AJJO78

Hi again

When I read this again, I realized that I did not answer all you your questions. Was a bit to quick there.

Regarding the version of ONVIF, I'm not sure how to check this, but the Agent containers are running using the "latest" tag that I believe was build/release 2025-05-19.

For the authentication method, when doing a curl test from within the container I have been using HTTPS and HTTP Digest authentication to verify that the camera accepts connections. Not sure what authentication method "ONVIF Device manager" used. I have not been able to find any setting in the Axis OS where the authentication method that is specific for the ONVIF, however the web interface has authentication set to "Basic and Digest".

I have disabled the "Enable replay attack protection" on the cameras.

AJJO78 avatar Aug 25 '25 20:08 AJJO78