Allow ECC certificates for HTTPS

I saw a similar post but no responses to it for at least a year. The Hubitat does not allow elliptic curve certificates, only RSA. If you install an ECC certificate, it accepts it but does not give any warnings that it won't work - it just doesn't work afterwards. If you have disabled HTTP, the only way to recover is to reset the system or use remote administration, if you have that configured.

My suggestions are similar to the previous post:

  1. Allow ECC certificates to be used - nearly every modern system does and it is well supported in various OSS components such as Apache, nginx, etc.

  2. At least give a warning if an ECC certificate is selected and do not allow enablement of HTTPS/disabling of HTTP. This second suggestion should probably take place for any certificate that is not supported by the system; right now there do not really appear to be checks.

1 Like
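Suggestion 2 above as an added example (not Hubitat code and not part of the original post): a pre-flight check that reads the key algorithm from a PEM certificate and refuses to enable HTTPS or disable HTTP unless the key type is supported. It assumes, as the post reports, that only RSA works; the function names and the constructed, unsigned sample certificates are hypothetical, and signature or chain validation is out of scope.

```python
import base64, re

KEY_OIDS = {bytes.fromhex("2a864886f70d010101"): "RSA",  # rsaEncryption
            bytes.fromhex("2a8648ce3d0201"): "EC"}       # id-ecPublicKey

def _tlv(buf, pos):  # read one DER TLV; returns (tag, value_start, value_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2   # IndexError if cut short
    if length & 0x80:                   # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def cert_key_type(pem):  # 'RSA', 'EC' or 'unknown' for the first certificate in pem
    m = re.search(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no PEM certificate found")
    der = base64.b64decode(m.group(1))
    _, pos, _ = _tlv(der, 0)            # Certificate
    _, pos, _ = _tlv(der, pos)          # tbsCertificate
    tag, _, end = _tlv(der, pos)
    if tag == 0xA0:                     # optional [0] version
        pos = end
    for _field in range(5):             # serial, signature, issuer, validity, subject
        pos = _tlv(der, pos)[2]
    _, pos, _ = _tlv(der, pos)          # subjectPublicKeyInfo
    _, pos, _ = _tlv(der, pos)          # AlgorithmIdentifier
    tag, start, end = _tlv(der, pos)    # algorithm OID
    if tag != 0x06:
        raise ValueError("no key algorithm OID")
    return KEY_OIDS.get(der[start:end], "unknown")

def https_preflight(pem, supported=("RSA",)):  # (ok, message); keep HTTP on unless ok
    try:
        kind = cert_key_type(pem)
    except (ValueError, IndexError) as exc:    # bad PEM, bad base64, malformed DER
        return False, f"certificate rejected: {exc}"
    if kind not in supported:
        return False, f"{kind} key not supported: HTTPS stays off, HTTP stays on"
    return True, f"{kind} certificate accepted"

def _pem(der_hex):  # wrap constructed DER bytes in PEM armor
    b64 = base64.b64encode(bytes.fromhex(der_hex)).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"

# Constructed, unsigned skeletons: only the key-algorithm OID is meaningful.
RSA_PEM = _pem("30293022a003020102020101" + "3000" * 4 + "3010300b06092a864886f70d010101030100" + "3000030100")
EC_PEM = _pem("30273020a003020102020101" + "3000" * 4 + "300e300906072a8648ce3d0201030100" + "3000030100")
```

The same walk works on real certificates, since the key algorithm sits at a fixed position in every X.509 `tbsCertificate`.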

This endpoint was created for when SSL certificates on the hub were a new thing, but I believe it’ll still work if a user needs to re-enable HTTP access:

2 Likes

Being able to disable security by calling an unauthenticated API endpoint is also a pretty bad security risk. Nevertheless, I’m not sure that would work in this case because HTTP would have been disabled and HTTPS would have been unable to accept requests because it was also broken.

1 Like

It’s an alternative to the two options that you mentioned, and personally I don’t view it as much of a security risk since there’s no one else on my LAN to call that endpoint but me.

There’s also no one else on my LAN to break the hub’s SSL certificate handling in the first place but me 🙂.

2 Likes