HOWTO: Utilize a valid, signed SSL cert in Sighthound 3.0

[luma]

One major improvement with Sighthound 3.0 is that the web interface is FINALLY secured by default using HTTPS. For a security product, this is a great (and necessary) feature. However, the default behavior generates a self-signed certificate with a randomly-generated name. This makes it difficult to establish trust without keeping track of fingerprints. After some digging I've found that you can actually replace the generated certificate files with a signed version from a valid CA.

Requirements

• Sighthound 3.0 installed on a 64-bit Windows system in the default location.
• A trusted Certificate Authority to generate a signed certificate from a certificate signing request. I used a free cert from StartSSL, but it does have validation problems with Chrome on mobile due to cert chaining issues. Other tested platforms seemed to work OK.
• A fully-qualified DNS name which resolves to your Sighthound host. In this guide I'll be using "yourdnsname.example.com".

Process

• Enable remote access in Sighthound via Tools > Options > Remote Access > Enable remote access
• Disarm all cameras and shutdown SH. NOTE: if you launch Sighthound before the final step it will blow away all your work and force you to start over.
• Open an Administrator command shell (cmd.exe)
• Enter the following commands, replacing "yourdnsname.example.com" with your fully qualified domain name in the final command. Optionally, modify the rest of "subj" field in the final command to fill in your location and organization details.
  

  Code: Select all

  set SHWEBDIR=%LocalAppData%\Sighthound Video\web
cd /d "%SHWEBDIR%"
move sv.* %temp%
del status
bitsadmin.exe /transfer "DownloadOpenSSLConf" http://web.mit.edu/crypto/openssl.cnf "%SHWEBDIR%\openssl.cnf"
set OPENSSL_CONF=%SHWEBDIR%\openssl.cnf
"%ProgramFiles(x86)%\Sighthound Video\openssl.exe" genrsa -out "%SHWEBDIR%\sv.key" 2048
"%ProgramFiles(x86)%\Sighthound Video\openssl.exe" req -new -key "%SHWEBDIR%\sv.key" -out "%SHWEBDIR%\sv.csr" -subj /C=XX/ST=XX/L=XX/O=support@sighthound.com/OU=sighthound/CN=yourdnsname.example.com

• This will generate a certificate signing request file available at "%LocalAppData%\Sighthound Video\web\sv.csr". Hand the signing request to your CA and get a BASE64 encoded (sometimes called "CER encoded") certificate file back.
• Open the created certificate file in notepad and confirm that it's in text format, where the first line reads "-----BEGIN CERTIFICATE-----" and the last line reads "-----END CERTIFICATE-----". There should be only one such section.
• Save the created certificate to: %LocalAppData%\Sighthound Video\web\sv.crt
• Run the following commands in the same command shell to dump the fingerprint details to the required file:
  

  Code: Select all

  "%ProgramFiles(x86)%\Sighthound Video\openssl.exe" x509 -subject -dates -fingerprint -in "%SHWEBDIR%\sv.crt" | find "Fingerprint"> fingerprint.out
for /F "tokens=2 delims= " %z in (fingerprint.out) do set %z
echo %Fingerprint::=%>sv.sha
del fingerprint.out

• Optional: backup the contents of "%LocalAppData%\Sighthound Video\web". On launch, SH checks that everything there is valid and will wipe all files/folders if it finds any problem. If you have a cert (and it's matching keyfile) that you've just paid money for, it'd be a good idea to stash a copy somewhere.
• Launch Sighthound and let it start up with the new certificate details.
• Confirm that you are presented with a valid cert when you open https://yourdnsname.example.com:8848

[mooneypilot]

Good information. However, I don't have a DNS name, and am using an IP address. Does this work if you use an IP address instead of a DNS name?

[luma]

Yup, you can get SSL cert for an IP address. It's not often done because it doesn't allow you to change IPs (obviously), but it's still perfectly valid.

[BruceWillis88]

So I'm mostly through this process, having a bit of trouble. For those following along, make sure you edit the request line to include your Country, State, and Locality as well as the organization name and domain as mentioned.

Secondly, I could use some clarification as to what's supposed to be in the Sighthound Video\Web folder on first launch after installing the certificate. Is that where fingerprint.out is supposed to go?

[luma]

I put "XX" in the fields for country, etc where you'll probably want to substitute your own values. The fingerprint.out is deleted in the last step as it's only there for temporary use to capture the SHA hash. If you copy/paste the code exactly as it appears in my post you should wind up with all the correct files in the correct place.

[BruceWillis88]

I think I have followed your instructions very closely, but when I launch SH at the end, the remote access portion doesn't launch correctly. In SH, when I go to Tools > Options > Remote Access tab, the server status shows as "Starting..." and I am not able to access via http as normal.

I think the second half of the code thats capturing the SHA hash is not working as expected. The file fingerprint.out is created and has SHA1 fingerprint data included, but nothing happens with sv.sha and fingerprint.out is not deleted.

[luma]

In that case, try creating the sv.sha file manually. The only thing in that file should be a single line with the hash you see in fingerprint.out.

Here is what mine looks like:

Code: Select all

905F72149E92A63B82A16E58596582C3373DE719

[BruceWillis88]

The instructions appear to have worked and the file sv.sha looks like yours but the remote access portion still will not launch. Sighthound launches, but remote access 404s and when I go to options > remote access it just says "starting" but never does.

EDIT: To follow up, after trying again a few times I was able to get everything working with the information already on this page.

[paul.kasper]

I was able to do this successfully to get the web portal functioning, but have yet to get it to work properly in the iOS or Android app. However, reverting to the old APK found [url=sighthound.com/files/Sighthound.apk]here[/url] seems to work well.

Does anyone else have this working on mobile? I'm able to successfully use the web interface in mobile browsers on the affected devices, just not in the official app.

Thanks!

[BruceWillis88]

My mobile app recognizes the secure connection. After setting up the SSL, the first time I logged into the iOS app I was given a prompt to acknowledge an ssl change.