Path for certificates not correct

Summary:
In the logs it says that the certificates are expected in teddycloud/certs/client/78dXXXXXX12fd/ and not teddycloud/certs/client/. I had to create the directory manually. Doesn’t Teddycloud handle this when adding a new Toniebox?

When mqtt suddenly stopped working (deactivated in menu, I did not disable it) I was inspecting my logs and found error messages regarding the client certificates. This is my output after restarting my teddycloud container:

TeddyCloud v0.6.2 (203f12d) - 2024-10-26 18:14:34 +0000 ubuntu linux-x86_64(64)
INFO |settings.c:0848:settings_load_ovl| Load settings from /teddycloud/config/config.overlay.ini
INFO |tls_adapter.c:0204:read_certificate| File '/teddycloud/certs/server/ca-root.pem' assumed PEM style
INFO |tls_adapter.c:0201:read_certificate| File '/teddycloud/certs/server/ca-key.pem' detected as DER style RSA PRIVATE KEY
INFO |tls_adapter.c:0204:read_certificate| File '/teddycloud/certs/server/teddy-cert.pem' assumed PEM style
INFO |tls_adapter.c:0201:read_certificate| File '/teddycloud/certs/server/teddy-key.pem' detected as DER style RSA PRIVATE KEY
ERROR|tls_adapter.c:0189:read_certificate| Failed to open '/teddycloud/certs/client/78dXXXXXX12fd/ca.der' for cert type detection
ERROR|tls_adapter.c:0376:load_cert| Loading cert '/teddycloud/certs/client/78dXXXXXX12fd/ca.der' failed
ERROR|tls_adapter.c:0189:read_certificate| Failed to open '/teddycloud/certs/client/78dXXXXXX12fd/client.der' for cert type detection
ERROR|tls_adapter.c:0376:load_cert| Loading cert '/teddycloud/certs/client/78dXXXXXX12fd/client.der' failed
ERROR|tls_adapter.c:0189:read_certificate| Failed to open '/teddycloud/certs/client/78dXXXXXX12fd/private.der' for cert type detection
ERROR|tls_adapter.c:0376:load_cert| Loading cert '/teddycloud/certs/client/78dXXXXXX12fd/private.der' failed
INFO |settings.c:0848:settings_load_ovl| Load settings from /teddycloud/config/config.ini
INFO |tls_adapter.c:0204:read_certificate| File '/teddycloud/certs/server/ca-root.pem' assumed PEM style
INFO |tls_adapter.c:0201:read_certificate| File '/teddycloud/certs/server/ca-key.pem' detected as DER style RSA PRIVATE KEY
INFO |tls_adapter.c:0204:read_certificate| File '/teddycloud/certs/server/teddy-cert.pem' assumed PEM style
INFO |tls_adapter.c:0201:read_certificate| File '/teddycloud/certs/server/teddy-key.pem' detected as DER style RSA PRIVATE KEY
INFO |tls_adapter.c:0197:read_certificate| File '/teddycloud/certs/client/ca.der' detected as DER style CERTIFICATE
INFO |tls_adapter.c:0197:read_certificate| File '/teddycloud/certs/client/client.der' detected as DER style CERTIFICATE
INFO |tls_adapter.c:0201:read_certificate| File '/teddycloud/certs/client/private.der' detected as DER style RSA PRIVATE KEY
INFO |settings.c:0848:settings_load_ovl| Load settings from /teddycloud/config/config.overlay.ini
INFO |tls_adapter.c:0204:read_certificate| File '/teddycloud/certs/server/ca-root.pem' assumed PEM style
INFO |tls_adapter.c:0201:read_certificate| File '/teddycloud/certs/server/ca-key.pem' detected as DER style RSA PRIVATE KEY
INFO |tls_adapter.c:0204:read_certificate| File '/teddycloud/certs/server/teddy-cert.pem' assumed PEM style
INFO |tls_adapter.c:0201:read_certificate| File '/teddycloud/certs/server/teddy-key.pem' detected as DER style RSA PRIVATE KEY
ERROR|tls_adapter.c:0189:read_certificate| Failed to open '/teddycloud/certs/client/78dXXXXXX12fd/ca.der' for cert type detection
ERROR|tls_adapter.c:0376:load_cert| Loading cert '/teddycloud/certs/client/78dXXXXXX12fd/ca.der' failed
ERROR|tls_adapter.c:0189:read_certificate| Failed to open '/teddycloud/certs/client/78dXXXXXX12fd/client.der' for cert type detection
ERROR|tls_adapter.c:0376:load_cert| Loading cert '/teddycloud/certs/client/78dXXXXXX12fd/client.der' failed
ERROR|tls_adapter.c:0189:read_certificate| Failed to open '/teddycloud/certs/client/78dXXXXXX12fd/private.der' for cert type detection
ERROR|tls_adapter.c:0376:load_cert| Loading cert '/teddycloud/certs/client/78dXXXXXX12fd/private.der' failed
INFO |tls_adapter.c:0390:tls_adapter_init| Loading certificates...
INFO |tls_adapter.c:0204:read_certificate| File '/teddycloud/certs/server/ca-root.pem' assumed PEM style
INFO |tls_adapter.c:0201:read_certificate| File '/teddycloud/certs/server/ca-key.pem' detected as DER style RSA PRIVATE KEY
INFO |tls_adapter.c:0204:read_certificate| File '/teddycloud/certs/server/teddy-cert.pem' assumed PEM style
INFO |tls_adapter.c:0201:read_certificate| File '/teddycloud/certs/server/teddy-key.pem' detected as DER style RSA PRIVATE KEY
INFO |tls_adapter.c:0197:read_certificate| File '/teddycloud/certs/client/ca.der' detected as DER style CERTIFICATE
INFO |tls_adapter.c:0197:read_certificate| File '/teddycloud/certs/client/client.der' detected as DER style CERTIFICATE
INFO |tls_adapter.c:0201:read_certificate| File '/teddycloud/certs/client/private.der' detected as DER style RSA PRIVATE KEY
INFO |mqtt.c:0313:mqttConnect| Connect to '192.168.178.114'
INFO |mqtt.c:0334:mqttConnect|   trying IP: 192.168.178.114
INFO |toniesJson.c:0280:tonies_readJson| Trying to read /teddycloud/config/tonies.custom.json with size 2
INFO |toniesJson.c:0280:tonies_readJson| Trying to read /teddycloud/config/tonies.json with size 5039666
INFO |mqtt.c:0439:mqtt_thread| Connected
INFO |toniesJson.c:0100:tonies_update| Updating tonies.json from api.revvox.de...
INFO |cloud_request.c:0200:web_request| Connecting to HTTP server api.revvox.de:443...
INFO |cloud_request.c:0252:web_request|   trying IP: 157.90.183.226
INFO |cloud_request.c:0382:web_request| Redirecting to: https://raw.githubusercontent.com/toniebox-reverse-engineering/tonies-json/release/tonies.json
INFO |cloud_request.c:0200:web_request| Connecting to HTTP server raw.githubusercontent.com:443...
INFO |cloud_request.c:0252:web_request|   trying IP: 185.199.109.133
INFO |toniesJson.c:0124:tonies_update| ... success updating tonies.json from api.revvox.de, reloading
INFO |toniesJson.c:0280:tonies_readJson| Trying to read /teddycloud/config/tonies.custom.json with size 2
INFO |toniesJson.c:0280:tonies_readJson| Trying to read /teddycloud/config/tonies.json with size 5043399
INFO |toniesJson.c:0211:tonieboxes_update| Updating tonies.json from api.revvox.de...
INFO |cloud_request.c:0200:web_request| Connecting to HTTP server api.revvox.de:443...
INFO |cloud_request.c:0252:web_request|   trying IP: 157.90.183.226
INFO |cloud_request.c:0382:web_request| Redirecting to: https://raw.githubusercontent.com/toniebox-reverse-engineering/tonies-json/release/tonieboxes.json
INFO |cloud_request.c:0200:web_request| Connecting to HTTP server raw.githubusercontent.com:443...
INFO |cloud_request.c:0252:web_request|   trying IP: 185.199.109.133
INFO |toniesJson.c:0238:tonieboxes_update| ... success updating tonieboxes.json from api.revvox.de, reloading
INFO |toniesJson.c:0280:tonies_readJson| Trying to read /teddycloud/config/tonies.custom.json with size 2
INFO |toniesJson.c:0280:tonies_readJson| Trying to read /teddycloud/config/tonies.json with size 5043399
INFO |server.c:0959:server_init| 1 open HTTPS API connections
INFO |mqtt.c:0699:mqtt_init_box| Registered new box 'teddyCloud Box 78dXXXXXX12fd' (cn: '78dXXXXXX12fd')
INFO |mqtt.c:0700:mqtt_init_box| Using base path 'teddyCloud/box/78dXXXXXX12fd' and id 'teddyCloud_Box_78dXXXXXX12fd'
WARN |platform_linux.c:0292:socketReceive| buffer does not contain null terminator
WARN |platform_linux.c:0292:socketReceive| buffer does not contain null terminator

and then basically floods the logs with:

2024-11-11T18:20:48.202747807Z WARN |platform_linux.c:0292:socketReceive| buffer does not contain null terminator
2024-11-11T18:20:48.202764744Z WARN |platform_linux.c:0292:socketReceive| buffer does not contain null terminator
2024-11-11T18:20:48.202777471Z WARN |platform_linux.c:0292:socketReceive| buffer does not contain null terminator
2024-11-11T18:20:48.202792381Z WARN |platform_linux.c:0292:socketReceive| buffer does not contain null terminator
2024-11-11T18:20:48.202804734Z WARN |platform_linux.c:0292:socketReceive| buffer does not contain null terminator
2024-11-11T18:20:48.202816761Z WARN |platform_linux.c:0292:socketReceive| buffer does not contain null terminator
2024-11-11T18:20:48.202829721Z WARN |platform_linux.c:0292:socketReceive| buffer does not contain null terminator
2024-11-11T18:20:48.389673622Z WARN |platform_linux.c:0292:socketReceive| buffer does not contain null terminator
2024-11-11T18:20:48.389722577Z WARN |platform_linux.c:0292:socketReceive| buffer does not contain null terminator
2024-11-11T18:20:48.389731744Z WARN |platform_linux.c:0292:socketReceive| buffer does not contain null terminator
2024-11-11T18:20:48.389739271Z WARN |platform_linux.c:0292:socketReceive| buffer does not contain null terminator
2024-11-11T18:20:48.389746371Z WARN |platform_linux.c:0292:socketReceive| buffer does not contain null terminator
2024-11-11T18:20:48.389753464Z WARN |platform_linux.c:0292:socketReceive| buffer does not contain null terminator
2024-11-11T18:20:48.389761411Z WARN |platform_linux.c:0292:socketReceive| buffer does not contain null terminator
2024-11-11T18:20:48.389768611Z WARN |platform_linux.c:0292:socketReceive| buffer does not contain null terminator
2024-11-11T18:20:48.389775711Z WARN |platform_linux.c:0292:socketReceive| buffer does not contain null terminator
2024-11-11T18:20:48.389782861Z WARN |platform_linux.c:0292:socketReceive| buffer does not contain null terminator

This only occurs once I use the webui.

These are my settings under Settings:

And this is what I see under TonieboxSettings:

chuckf@ubuntuserver:~$ sudo docker exec -it teddycloud bash
[sudo] password for chuckf:
root@teddycloud:/# ls teddycloud/certs/client/
ca.der  client.der  private.der
root@teddycloud:/#

This is my docker-compose file:

version: '3'
services:
  teddycloud:
    container_name: teddycloud
    hostname: teddycloud
    image: ghcr.io/toniebox-reverse-engineering/teddycloud:latest
    ports:
     - 80:80 #optional (for the webinterface)
     - 8443:8443 #optional (for the webinterface)
     - 443:443 #Port is needed for the connection for the box, must not be changed!
    volumes:
      - certs:/teddycloud/certs
      - config:/teddycloud/config
      - /some/path/on/my/NAS/teddycloud/content:/teddycloud/data/content
      - library:/teddycloud/data/library
      - firmware:/teddycloud/data/firmware
      - cache:/teddycloud/data/cache
    restart: unless-stopped
    networks:
     - myteddycloud-creation
volumes:
  certs:
  config:
  library:
  firmware:
  cache:
networks:
  myteddycloud-creation:
    external: true

I manually copied the certificates to the toniebox folder I manually created and then the error about the certificates failing to load vanished:

TeddyCloud v0.6.2 (203f12d) - 2024-10-26 18:14:34 +0000 ubuntu linux-x86_64(64)
INFO |settings.c:0848:settings_load_ovl| Load settings from /teddycloud/config/config.overlay.ini
INFO |tls_adapter.c:0204:read_certificate| File '/teddycloud/certs/server/ca-root.pem' assumed PEM style
INFO |tls_adapter.c:0201:read_certificate| File '/teddycloud/certs/server/ca-key.pem' detected as DER style RSA PRIVATE KEY
INFO |tls_adapter.c:0204:read_certificate| File '/teddycloud/certs/server/teddy-cert.pem' assumed PEM style
INFO |tls_adapter.c:0201:read_certificate| File '/teddycloud/certs/server/teddy-key.pem' detected as DER style RSA PRIVATE KEY
INFO |tls_adapter.c:0197:read_certificate| File '/teddycloud/certs/client/78XXXXXX12fd/ca.der' detected as DER style CERTIFICATE
INFO |tls_adapter.c:0197:read_certificate| File '/teddycloud/certs/client/78XXXXXX12fd/client.der' detected as DER style CERTIFICATE
INFO |tls_adapter.c:0201:read_certificate| File '/teddycloud/certs/client/78XXXXXX12fd/private.der' detected as DER style RSA PRIVATE KEY

My questions are:

  1. Shouldn’t teddycloud create the appropriate subfolder itself? I don’t know the ID of the box until I have already uploaded the certs to /client/, so I couldn’t create the /client/ID/ folder beforehand (nor does the wiki mention it).
  2. Any idea what’s causing the null buffer warning?

Any input is greatly appreciated!

This is a bit complicated. The ESP32 installation process already does that: it creates the dir for the client certs and adds the client’s certificates.
For the others, the subdirs could be created manually.
As teddyCloud falls back to the global client certificates in /certs/client/ anyway, this is fully optional. It would be important to be able to do OTAs (as those are bound to the cert/model of the box), but those are broken anyway.

This happens if teddyCloud faces multiple errors and can’t connect to the mqtt server.

The null buffer warnings previously just caused crashes. The network packets seem to be misaligned somehow, and/or teddyCloud expects HTTP packets with a line ending that is not found. I implemented a workaround that triggers those messages on purpose to find out when this happens. Didn’t think it would be so widespread.
I changed the log level for that in the develop branch already.
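As an added illustration of the lookup described above (per-box certs in certs/client/&lt;box CN&gt;/, falling back to the global certs/client/ set), this is example code written for this thread, not teddyCloud's own: it resolves which directory would be loaded for a box CN, classifies each file as PEM or DER the way the tls_adapter log lines do, and reports what is missing or mis-formatted. The certs tree, the stub file contents and the helper names are constructed for the example.

```python
import tempfile
from pathlib import Path

# Hypothetical helper, not teddyCloud code: models the per-box-then-global lookup
# the maintainer describes. File names match the ones in the log output.
CLIENT_FILES = ("ca.der", "client.der", "private.der")
DER_STUB = b"\x30\x82\x01\x00" + b"\x00" * 8  # constructed: DER begins with an ASN.1 SEQUENCE tag
PEM_STUB = b"-----BEGIN CERTIFICATE-----\nMIIB\n-----END CERTIFICATE-----\n"  # constructed


def detect_style(data: bytes) -> str:
    """Classify a blob the way the 'assumed PEM style' / 'detected as DER style' lines do."""
    if b"-----BEGIN " in data:
        return "PEM"
    if data[:1] == b"\x30":
        return "DER"
    return "UNKNOWN"


def resolve_client_certs(certs_root: Path, box_cn: str):
    """Return (directory that would be loaded, list of problems found)."""
    problems = []
    per_box = certs_root / "client" / box_cn
    chosen = per_box
    missing = [f for f in CLIENT_FILES if not (per_box / f).is_file()]
    if missing:  # incomplete per-box set: fall back to the global client certs
        problems.append(f"{per_box} lacks {missing}; falling back to global client certs")
        chosen = certs_root / "client"
    for name in CLIENT_FILES:
        path = chosen / name
        if not path.is_file():
            problems.append(f"{path} missing")
            continue
        style = detect_style(path.read_bytes())
        if style != "DER":
            problems.append(f"{path} is {style}, expected DER")
    return chosen, problems


def demo(box_cn: str = "78dXXXXXX12fd"):
    """Build a constructed certs tree in a temp dir and run the check before and after
    the per-box subdirectory exists (with one deliberately PEM-formatted copy)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "client").mkdir()
        for name in CLIENT_FILES:
            (root / "client" / name).write_bytes(DER_STUB)
        before_dir, before_problems = resolve_client_certs(root, box_cn)
        per_box = root / "client" / box_cn
        per_box.mkdir()
        for name in CLIENT_FILES:
            (per_box / name).write_bytes(DER_STUB)
        (per_box / "ca.der").write_bytes(PEM_STUB)  # simulate a wrongly formatted copy
        after_dir, after_problems = resolve_client_certs(root, box_cn)
        return {"before": (before_dir.name, len(before_problems)),
                "after": (after_dir.name, len(after_problems))}
```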

Thanks for your prompt reply!

Just out of curiosity, if using multiple tonieboxes, is this still optional? Because you’d only have one set of certificates in the client dir, but from what I understand you would need the client certs per box.

I’ll keep an eye on that. Unfortunately I didn’t save the logs prior to restarting the container. Will any error messages regarding this be in the general log I can view in portainer?
My other MQTT devices are probably the most reliable type of all integrations I have in my home assistant instance. So I didn’t see any errors there.

If it helps, I assigned teddycloud a unique IP using macvlan. I didn’t want to spin up a single VM just for teddycloud.
I access teddycloud via HTTP.

Nice!

This sets the cert that teddyCloud will use for connections passed through from the box. It is no problem if BOX A uses the cert of BOX B for that. Only for OTAs is this problematic, if an ESP32 box were to try to use a CC3200 OTA. But as the OTA doesn’t work anyway…

Yes, teddyCloud will print that MQTT is disabled due to an error.