Native secure access with Lets Encrypt
Domoticz includes a SSL certificate generated for the *.domoticz.com domain. So for your own domain, it may result some warning error by your browser.
This article shows how to add a LetsEncrypt certificate to Domoticz so you can access your server over a secure HTTPS channel and without warning error. This certificate has a lifetime of 3 months and must be renewed every 3 months.
The provided steps are executed using a Raspberry Pi, but they should work on every Linux OS.
Prerequisites (see here : http://www.domoticz.com/wiki/Native_HTTPS_/_SSL_support)
- You own a domain name
- The (sub)domain name for Domoticz has a DNS entry that points to your external IP address
- Port 80 (HTTP) and 443 (HTTPS) , in your internet box, are forwarded to your Domoticz server. Forwarding Port 80 is only needed for the creation and renewal time. I advice that you disable it after.
- domoticz must listen to the port HTTP and HTTPS. Check this in the startup script : /etc/init.d/domoticz.sh
Install Lets Encrypt
cd /etc sudo git clone https://github.com/letsencrypt/letsencrypt cd letsencrypt sudo ./letsencrypt-auto
On Pi this last command will take a long time ...
Create the certificate
sudo /etc/letsencrypt/letsencrypt-auto certonly --webroot --email <your email> -d <your complete sub.domain name> -w <user home>/domoticz/www/
(check that your domoticz is accessible on the port HTTP 80 via NAT forwarding in your router)
Letsencrypt create a temporarly file in the www directory of domoticz. This file will be checked by the letsencrypt server to ensure that you are the owner of the domain. Then it remove the temporarly file.
Edit Sep 10 2017 : If you do not want to expose port HTTP 80 to the outside world you can also use --preferred-challenges=dns and create a DNS TXT record (as described) to validate the ownership
You can specify multiple domain names using another -d parameter and domain name for each additional domain name.
If everything is OK this message shows:
IMPORTANT NOTES: - Congratulations! Your certificate and chain have been saved at /etc/letsencrypt/live/<your domain>/fullchain.pem. Your cert will expire on <date>. To obtain a new version of the certificate in the future, simply run Let's Encrypt again. - If you like Let's Encrypt, please consider supporting our work by: Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate Donating to EFF: https://eff.org/donate-le
The certificate is created in /etc/letsencrypt/live/
Add the certificate to Domoticz
Then you add the created certificate to Domoticz with :
sudo rm ~/domoticz/server_cert.pem sudo cat /etc/letsencrypt/live/<your domain>/privkey.pem >> ~/domoticz/server_cert.pem sudo cat /etc/letsencrypt/live/<your domain>/fullchain.pem >> ~/domoticz/server_cert.pem sudo cp ~/domoticz/server_cert.pem ~/domoticz/letsencrypt_server_cert.pem sudo /etc/init.d/domoticz.sh restart
As every update of domoticz overwrites your certificate, the last command backups your new certificate so that you may may restore it if needed.
When there's a domoticz error after rebooting the service like : Error: [web:443] missing SSL DH parameters from file
Add the DHparam :
sudo cat /etc/ssl/certs/dhparam.pem >> ~/domoticz/server_cert.pem
and if you get also an error like : /etc/ssl/certs/dhparam.pem: No such file or directory
cd /etc/ssl/certs sudo openssl dhparam -dsaparam -out dhparam.pem 4096 sudo cat /etc/ssl/certs/dhparam.pem >> ~/domoticz/server_cert.pem sudo /etc/init.d/domoticz.sh restart