Support of Let's Encrypt

tho071088
Posts: 21
Joined: Monday 24 April 2017 23:03
Target OS: Raspberry Pi
Domoticz version: Beta
Location: Gerstheim, France
Contact:

Support of Let's Encrypt

Post by tho071088 » Thursday 26 October 2017 10:02

I use Let's Encrypt for SSL support; I have to run scripts manually to update the certificates and replace them in the Domoticz configuration.
Also, I have to replace them each time Domoticz is updated.

Could it be automatic?
Domoticz Beta on Raspberry Pi 3
RFLink / YeeLight / Xiaomi Devices / 433MHz / SonOff via MQTT

niki_lauda
Posts: 129
Joined: Saturday 31 August 2013 14:48
Target OS: Raspberry Pi
Domoticz version: beta
Location: Eindhoven (NL)
Contact:

Re: Support of Let's Encrypt

Post by niki_lauda » Friday 15 December 2017 22:20

tho071088 wrote:
Thursday 26 October 2017 10:02
I use Let's Encrypt for SSL support; I have to run scripts manually to update the certificates and replace them in the Domoticz configuration.
Also, I have to replace them each time Domoticz is updated.

Could it be automatic?
At https://www.domoticz.com/wiki/Native_HT ... SL_support
you can define your own Let's Encrypt certificate.

-sslcert file_path (for example D:\server_cert.pem or /opt/domoticz/server_cert.pem)

tho071088
Posts: 21
Joined: Monday 24 April 2017 23:03
Target OS: Raspberry Pi
Domoticz version: Beta
Location: Gerstheim, France
Contact:

Re: Support of Let's Encrypt

Post by tho071088 » Tuesday 19 December 2017 22:06

Yes, but it's not so easy:
  • Manually generate a new certificate every 6 months
  • Three files to concatenate (privkey.pem/fullchain.pem/server_cert.pem).
Something automatic could be nice.
Domoticz Beta on Raspberry Pi 3
RFLink / YeeLight / Xiaomi Devices / 433MHz / SonOff via MQTT

kijdhfcjdks
Posts: 10
Joined: Wednesday 21 June 2017 11:26
Target OS: Raspberry Pi
Domoticz version:
Contact:

Re: Support of Let's Encrypt

Post by kijdhfcjdks » Monday 01 January 2018 23:28

Hi, here's another variant for installing a Let's Encrypt certificate with Domoticz on a Raspberry Pi (Raspbian). This also includes a cron job that auto-renews (not tested live yet though...).

I'm using a custom SSL port for Domoticz, so I forward port 443 to certbot-auto (listening on port 8889 in this example) for the certificate setup and renewal only. Certbot-auto is a tool from the EFF that simplifies the process.

#0 Setup router forwarding

Code:

External port 443 => 8889 on the local Raspberry Pi
#1 Log in to the Pi and update

Code:

sudo apt-get update
sudo apt-get upgrade
sudo /home/pi/domoticz/updaterelease
#2 Install certbot-auto

Code:

cd ~
mkdir certbot
cd certbot
wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto
#3 Generate and install the certificate

Code:

# issue the certificate with certbot's standalone listener on port 8889 (the router forwards 443 there)
sudo ./certbot-auto certonly --standalone --preferred-challenges tls-sni-01 --tls-sni-01-port 8889 -d YOURDOMAIN.COM
# Domoticz reads one PEM file: the private key followed by the full chain
sudo rm -f /home/pi/domoticz/server_cert.pem
sudo cat /etc/letsencrypt/live/YOURDOMAIN.COM/privkey.pem >> ~/domoticz/server_cert.pem
sudo cat /etc/letsencrypt/live/YOURDOMAIN.COM/fullchain.pem >> ~/domoticz/server_cert.pem
sudo cp /home/pi/domoticz/server_cert.pem /home/pi/domoticz/domo_server_cert.pem
# both files now hold the private key, so keep them owner-readable only
sudo chmod 600 /home/pi/domoticz/server_cert.pem /home/pi/domoticz/domo_server_cert.pem
cd ~/domoticz
sudo /etc/init.d/domoticz.sh restart
Done! "domo_server_cert.pem" is your backup if Domoticz overwrites the live one during updates.

Renewal script (not tested live yet):

Code:

nano /home/pi/cert-domoticz-update.sh
Paste the following script and save it:

Code:

#!/bin/bash -e
/home/pi/certbot/certbot-auto renew   # needs root (the live directory is root-only): install it in root's crontab with sudo crontab -e
umask 077   # the new bundle holds the private key, so create it owner-readable only
rm -f /home/pi/domoticz/domo_server_cert.pem   # start the new bundle fresh instead of appending to last week's
cat /etc/letsencrypt/live/YOURDOMAIN.COM/privkey.pem >> /home/pi/domoticz/domo_server_cert.pem
cat /etc/letsencrypt/live/YOURDOMAIN.COM/fullchain.pem >> /home/pi/domoticz/domo_server_cert.pem
cp /home/pi/domoticz/domo_server_cert.pem /home/pi/domoticz/server_cert.pem   # the live file is replaced only once the bundle is complete
/etc/init.d/domoticz.sh restart

Code:

sudo chmod a+x /home/pi/cert-domoticz-update.sh
Set up cron:

Code:

sudo crontab -e   # root's crontab, because the script reads /etc/letsencrypt/live
Add this:

Code:

0 3 * * 7  /home/pi/cert-domoticz-update.sh
The script will run every Sunday at 3 AM.

Edit: added a line to the script (row 4). Now renewal should work.
Last edited by kijdhfcjdks on Wednesday 25 April 2018 20:29, edited 1 time in total.
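An added example (my code, not the poster's script or anything shipped by Domoticz or certbot): a renewal script that builds the bundle Domoticz expects (private key first, then fullchain), refuses to install it if the key and the leaf certificate do not belong together, keeps the file owner-readable, and restarts Domoticz only when the bundle actually changed. The paths, the LIVE_DIR/DOMO_CERT/BACKUP_CERT/RESTART_CMD variables and the `run` argument are assumptions; `certbot-auto renew` reuses the challenge settings recorded when the certificate was issued, so the script is the same whether the certificate was obtained with tls-sni-01 or http-01.

```shell
#!/bin/bash
# Added example (not the forum poster's script): rebuild Domoticz's combined
# server_cert.pem from a Let's Encrypt live directory, verify that key and
# certificate belong together, and restart Domoticz only when the bundle changed.
# All paths and variable names are assumptions; override them via the environment.
LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live/YOURDOMAIN.COM}"
DOMO_CERT="${DOMO_CERT:-/home/pi/domoticz/server_cert.pem}"
BACKUP_CERT="${BACKUP_CERT:-/home/pi/domoticz/domo_server_cert.pem}"
RESTART_CMD="${RESTART_CMD:-/etc/init.d/domoticz.sh restart}"

# Return 0 when the private key and the leaf certificate carry the same public
# key (compared as PEM SubjectPublicKeyInfo); skipped (returns 0) without openssl.
key_matches_cert() {
  local key="$1" cert="$2" kpub cpub
  command -v openssl >/dev/null || return 0
  kpub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
  cpub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]
}

# Build the bundle Domoticz expects (private key, then fullchain) in a temp file,
# then install it atomically with mode 0600 and refresh the backup copy.
# Prints "changed" or "unchanged"; returns 1 when inputs are missing or mismatched.
build_domoticz_cert() {
  local live="$1" out="$2" backup="$3" tmp
  local key="$live/privkey.pem" chain="$live/fullchain.pem"
  [ -r "$key" ] && [ -r "$chain" ] || { echo "cannot read key/chain in $live" >&2; return 1; }
  grep -q 'PRIVATE KEY-----' "$key" || { echo "$key is not a PEM private key" >&2; return 1; }
  grep -q 'BEGIN CERTIFICATE-----' "$chain" || { echo "$chain is not PEM" >&2; return 1; }
  key_matches_cert "$key" "$chain" || { echo "key does not match certificate" >&2; return 1; }
  tmp=$(mktemp "$out.XXXXXX") || return 1
  cat "$key" "$chain" > "$tmp" && chmod 600 "$tmp"
  if [ -f "$out" ] && cmp -s "$tmp" "$out"; then
    rm -f "$tmp"; echo unchanged; return 0     # same bundle as last run: nothing to do
  fi
  mv -f "$tmp" "$out" && cp -p "$out" "$backup"
  echo changed
}

# Run as root from cron (the live directory is root-only), e.g. weekly:
#   0 3 * * 0  /path/to/this-script.sh run
main() {
  /home/pi/certbot/certbot-auto renew --quiet || exit 1   # reuses the recorded challenge settings
  if [ "$(build_domoticz_cert "$LIVE_DIR" "$DOMO_CERT" "$BACKUP_CERT")" = changed ]; then
    $RESTART_CMD
  fi
}
if [ "${1:-}" = run ]; then main; fi   # functions can be sourced for testing without touching certbot
```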

Deluka
Posts: 21
Joined: Thursday 03 March 2016 19:38
Target OS: Raspberry Pi
Domoticz version:
Contact:

Re: Support of Let's Encrypt

Post by Deluka » Saturday 24 February 2018 19:08

I'm trying this but getting the following error

Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA

jsiegmund
Posts: 25
Joined: Sunday 14 May 2017 21:13
Target OS: Raspberry Pi
Domoticz version:
Contact:

Re: Support of Let's Encrypt

Post by jsiegmund » Tuesday 06 March 2018 19:13

Deluka wrote:
Saturday 24 February 2018 19:08
I'm trying this but getting the following error

Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA
That's because of this: https://community.letsencrypt.org/t/imp ... sues/50811

The TLS path is no longer valid. You need to remove the two arguments concerning TLS and use the default HTTP verification method instead.

Deluka
Posts: 21
Joined: Thursday 03 March 2016 19:38
Target OS: Raspberry Pi
Domoticz version:
Contact:

Re: Support of Let's Encrypt

Post by Deluka » Wednesday 07 March 2018 23:51

OK, thanks, that solved my problem.

kijdhfcjdks
Posts: 10
Joined: Wednesday 21 June 2017 11:26
Target OS: Raspberry Pi
Domoticz version:
Contact:

Re: Support of Let's Encrypt

Post by kijdhfcjdks » Wednesday 25 April 2018 20:33

jsiegmund wrote:
Tuesday 06 March 2018 19:13
Deluka wrote:
Saturday 24 February 2018 19:08
I'm trying this but getting the following error

Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA
That's because of this: https://community.letsencrypt.org/t/imp ... sues/50811

The TLS path is no longer valid. You need to remove the two arguments concerning TLS and use the default HTTP verification method instead.
I re-downloaded certbot and followed the steps, and the deprecated command works for me anyway. I can't use the standard ports, so that's why I use these flags.
