Let’s Encrypt HTTPS certificates

On various Hardware and OS systems: pi / windows / routers / nas, etc
Kouseri
Posts: 76
Joined: Sunday 04 January 2015 22:24
Target OS: Raspberry Pi
Domoticz version:
Location: Finland
Contact:

Let’s Encrypt HTTPS certificates

Post by Kouseri » Sunday 06 December 2015 14:16

Hi,

Has anyone tried or played with HTTPS certificates from Let's Encrypt? The Let's Encrypt seems to be an interesting project to provide
free certificates for the public's benefit.

I'm using the Domoticz via the HTTPS protocol and I have been thinking getting a "real" HTTPS certificate in order to get rid of certificate warnings. I haven't obtained
the "real" certificate yet because I'm not familiar with the certificate process and all stuff related to it. I know there is a wiki entry about Secure Remote Access but
does someone know how the process would go with the certificates from the Let's Encrypt?

User avatar
gizmocuz
Posts: 8382
Joined: Thursday 11 July 2013 18:59
Target OS: Raspberry Pi
Domoticz version: beta
Location: Top of the world
Contact:

Re: Let’s Encrypt HTTPS certificates

Post by gizmocuz » Sunday 06 December 2015 14:51

currently i can not see how to create a certificate

but with startssl you can already get a free certificate that you can use with domoticz,
Quality outlives Quantity!

User avatar
bizziebis
Posts: 528
Joined: Saturday 19 October 2013 14:00
Target OS: Raspberry Pi
Domoticz version: latest
Location: The Netherlands
Contact:

Re: Let’s Encrypt HTTPS certificates

Post by bizziebis » Sunday 06 December 2015 17:16

I'm going to try it later today. You need a client to generate the certificate from your system. You don't create it from their website as far as I know.

It will at least save me from importing certificates to every device to ge domoticz secure :)

edit: Got it up and running, not so difficult ;)

I followed this website: https://coolaj86.com/articles/lets-encr ... pberry-pi/

Then I created the server_cert.pem with the following content:
-privkey.pem
-cert.pem
-chain.pem
Schermopname (19).jpg
Schermopname (19).jpg (201.35 KiB) Viewed 4311 times

Kouseri
Posts: 76
Joined: Sunday 04 January 2015 22:24
Target OS: Raspberry Pi
Domoticz version:
Location: Finland
Contact:

Re: Let’s Encrypt HTTPS certificates

Post by Kouseri » Sunday 06 December 2015 22:06

bizziebis wrote:edit: Got it up and running, not so difficult ;)
Great that you were able to get it working! Because I'm not familiar at all what comes to certificates, I'm wondering how to proceed with the Let's encrypt... ;-)
I guess I've to take care of steps 1 - 3 from https://coolaj86.com/articles/lets-encr ... pberry-pi/ but what to do after that? Simple instructions are
appreciated... ;-)

User avatar
ThinkPad
Posts: 1754
Joined: Tuesday 30 September 2014 8:49
Target OS: Linux
Domoticz version: beta
Location: The Netherlands
Contact:

Re: Let’s Encrypt HTTPS certificates

Post by ThinkPad » Monday 14 December 2015 10:50

Could someone create a tutorial how i can use this to migrate from HTTP to HTTPS ?
I know the benefits of HTTPS, but don't have the knowledge in setting this up.
ThinkTheme - theme for Domoticz
My (Dutch) blog: http://thinkpad.tweakblogs.net - My Domoticz scripts: Bitbucket
I'm not (very) active anymore on this forum as i don't use Domoticz anymore.

User avatar
Moppersmurf
Posts: 32
Joined: Tuesday 29 September 2015 17:39
Target OS: NAS (Synology & others)
Domoticz version: Lat.Beta
Location: Nederland
Contact:

Re: Let’s Encrypt HTTPS certificates

Post by Moppersmurf » Friday 01 January 2016 20:22

Hi Thinkpad, would be handy if someone could make this. But if your running Domoticz on a NAS you can also make a VPN connection. That's not to difficult.

User avatar
ThinkPad
Posts: 1754
Joined: Tuesday 30 September 2014 8:49
Target OS: Linux
Domoticz version: beta
Location: The Netherlands
Contact:

Re: Let’s Encrypt HTTPS certificates

Post by ThinkPad » Friday 01 January 2016 22:15

I already have a VPN that i use when i need to reach my network from a external location.
But for using Android app and such, a port forward is needed, don't want to start my VPN for that every time. That is why i want to use HTTPS. And it seems with this method you get a supported certificate for free. But i don't know how to set that up, that's why i was asking here :mrgreen:
ThinkTheme - theme for Domoticz
My (Dutch) blog: http://thinkpad.tweakblogs.net - My Domoticz scripts: Bitbucket
I'm not (very) active anymore on this forum as i don't use Domoticz anymore.

rverbruggen
Posts: 5
Joined: Thursday 24 December 2015 8:43
Target OS: Linux
Domoticz version: V2.4028
Contact:

Re: Let’s Encrypt HTTPS certificates

Post by rverbruggen » Thursday 07 January 2016 17:17

Hi all,

I'm going to implement a Let's Encrypt certificate to my Domoticz this or next week and will write everything down so I will generate a tutorial/document/wikipage on how to do this.

When it's done I will also post it here!

User avatar
ThinkPad
Posts: 1754
Joined: Tuesday 30 September 2014 8:49
Target OS: Linux
Domoticz version: beta
Location: The Netherlands
Contact:

Re: Let’s Encrypt HTTPS certificates

Post by ThinkPad » Thursday 07 January 2016 17:50

That's great! Can't wait :)
ThinkTheme - theme for Domoticz
My (Dutch) blog: http://thinkpad.tweakblogs.net - My Domoticz scripts: Bitbucket
I'm not (very) active anymore on this forum as i don't use Domoticz anymore.

User avatar
nayr
Posts: 430
Joined: Tuesday 11 November 2014 19:42
Target OS: Linux
Domoticz version: github
Location: Denver, CO - USA
Contact:

Re: Let’s Encrypt HTTPS certificates

Post by nayr » Thursday 07 January 2016 22:30

The Free SSL Providers always make you jump through a bunch hoops and wait for approval to prevent abuse, time is money.. and its not much money at all.

for like $15 through ssls.com you can have a signed cert valid for 3 years installed within 5-10mins... Used to use free providers but the hassle of getting it, along with the short lifespan drove me to open my wallet.. now I just spend a few mins looking for best price and then get it done.

But I guess if your desperate to keep costs low, then thats why these free guys exist.. let us know how it goes.
Last edited by nayr on Thursday 07 January 2016 22:33, edited 1 time in total.
Debian Jessie: CuBox-i4 (Primary) w/Static Routed IP and x509 / BeagleBone with OpenSprinkler / BeagleBone Planted Aquarium / 3x Raspbery Pi2b GPIO Slaves
Elemental Theme - node-domoticz-mqtt - Home Theatre Controller - AndroidTV Simple OSD Remote - x509 TLS Auth

User avatar
ThinkPad
Posts: 1754
Joined: Tuesday 30 September 2014 8:49
Target OS: Linux
Domoticz version: beta
Location: The Netherlands
Contact:

Re: Let’s Encrypt HTTPS certificates

Post by ThinkPad » Thursday 07 January 2016 22:33

They even advise you to use a cronjob, so i think it is a procedure that you do once, and from then on can be renewed automatically

See: https://letsencrypt.readthedocs.org/en/ ... ml#renewal
ThinkTheme - theme for Domoticz
My (Dutch) blog: http://thinkpad.tweakblogs.net - My Domoticz scripts: Bitbucket
I'm not (very) active anymore on this forum as i don't use Domoticz anymore.

User avatar
nayr
Posts: 430
Joined: Tuesday 11 November 2014 19:42
Target OS: Linux
Domoticz version: github
Location: Denver, CO - USA
Contact:

Re: Let’s Encrypt HTTPS certificates

Post by nayr » Thursday 07 January 2016 22:37

thats because you have no other choice but to run there update script or do it manually constantly.
Let’s Encrypt CA issues short lived certificates (90 days). Make sure you renew the certificates at least once in 3 months.
like I said, hoops.. I am not running code as root in via cron unsigned from a 3rd party... especially not in exchange for something free.. smells like a NSA operated CA.
Debian Jessie: CuBox-i4 (Primary) w/Static Routed IP and x509 / BeagleBone with OpenSprinkler / BeagleBone Planted Aquarium / 3x Raspbery Pi2b GPIO Slaves
Elemental Theme - node-domoticz-mqtt - Home Theatre Controller - AndroidTV Simple OSD Remote - x509 TLS Auth

User avatar
ThinkPad
Posts: 1754
Joined: Tuesday 30 September 2014 8:49
Target OS: Linux
Domoticz version: beta
Location: The Netherlands
Contact:

Re: Let’s Encrypt HTTPS certificates

Post by ThinkPad » Thursday 07 January 2016 22:40

For me (and probably others), using HTTPS over HTTP is already a big step towards better securing my network. And in this case i even get a certificate that is accepted by browsers, and for free!
ThinkTheme - theme for Domoticz
My (Dutch) blog: http://thinkpad.tweakblogs.net - My Domoticz scripts: Bitbucket
I'm not (very) active anymore on this forum as i don't use Domoticz anymore.

User avatar
nayr
Posts: 430
Joined: Tuesday 11 November 2014 19:42
Target OS: Linux
Domoticz version: github
Location: Denver, CO - USA
Contact:

Re: Let’s Encrypt HTTPS certificates

Post by nayr » Thursday 07 January 2016 22:44

you can run your own Certificate Authority for free too, and it will be accepted by any browsers you actually care about.. or just self sign it and accept the cert perminently on the few devices that connect to Domoticz...

Its not like its a public website, you own and control every device that connects to your home automation system.. its frivolous one way or another to have a 3rd party cert, and likely less secure.. because only YOU can issue certs from your own CA.

I use a 3rd party cert on Domoticz only because I got tired of Android warning me every boot about my personal CA being installed.. only a problem because my toddler could click on the warning and remove the cert far too easy.. I probably could have just rooted the tablet and installed the CA permanently, but this was easier.. Our last vacation he found a way to wipe my certs and the tablet was locked out all remote access until we got home.
Debian Jessie: CuBox-i4 (Primary) w/Static Routed IP and x509 / BeagleBone with OpenSprinkler / BeagleBone Planted Aquarium / 3x Raspbery Pi2b GPIO Slaves
Elemental Theme - node-domoticz-mqtt - Home Theatre Controller - AndroidTV Simple OSD Remote - x509 TLS Auth

User avatar
bizziebis
Posts: 528
Joined: Saturday 19 October 2013 14:00
Target OS: Raspberry Pi
Domoticz version: latest
Location: The Netherlands
Contact:

Re: Let’s Encrypt HTTPS certificates

Post by bizziebis » Thursday 07 January 2016 22:56

If you want to use their tool you need your domoticz server to be reachable on port 80 or 433 from the internet. So you have to stop Domoticz first. If you use port redirection it will not work.

Then you need to construct the new server_cert.pem from a combination of the newly generated fullchain.pem and privkey.pem

This you have to do each 90 days. It could be automated by a script though..

I don't like to forward default HTTP and HTTPS ports in my router. So for each certificate renewal I need to briefly forward those ports and disable them afterwards.

I hope I'm wrong and there is a different way to do this, otherwise it will always be a hassle.

User avatar
nayr
Posts: 430
Joined: Tuesday 11 November 2014 19:42
Target OS: Linux
Domoticz version: github
Location: Denver, CO - USA
Contact:

Re: Let’s Encrypt HTTPS certificates

Post by nayr » Thursday 07 January 2016 23:11

another nice thing about running your own CA is you can give subjectAltNames for local hostnames.

for example, https://domoticz and https://192.168.1.100 from inside your network, and https://yourexternal.domain.net for outside your network using the same cert and it will always show valid.

no 3rd party CA is going to give you shortname certs or non routable IP's, my CA gives me certs for:
https://router
https://plex
https://wifi
https://dispatch
https://nas
https://nvr

and so on in adnasuium.. since only my machines connect to these hosts, they already have my personal CA installed and all validate A-OK.. is running https on your LAN overkill? perhaps, but I run multiple wireless networks, including an open and unencrypted public network with very limited access to my LAN.. and I bet most of you give out wifi passwords to friends/family, and are subject to all the other weakness in pre-shared key wifi.

I have no problem exposing a service directly to the internet, as long as it requires client certificates for connection and I am the only person with the ability to sign those certificates.. if the only thing protecting it is a passphrase then its kept behind a firewall.
Debian Jessie: CuBox-i4 (Primary) w/Static Routed IP and x509 / BeagleBone with OpenSprinkler / BeagleBone Planted Aquarium / 3x Raspbery Pi2b GPIO Slaves
Elemental Theme - node-domoticz-mqtt - Home Theatre Controller - AndroidTV Simple OSD Remote - x509 TLS Auth

rverbruggen
Posts: 5
Joined: Thursday 24 December 2015 8:43
Target OS: Linux
Domoticz version: V2.4028
Contact:

Re: Let’s Encrypt HTTPS certificates

Post by rverbruggen » Monday 11 January 2016 8:49

Got it working this weekend! This week i'll create the write-up/wiki page so everyone can use it.

Tested with ssllabs.com and got a B.

In the upcomming weeks I'll try to improve so we can score an A+ on our Domoticz servers.

User avatar
nayr
Posts: 430
Joined: Tuesday 11 November 2014 19:42
Target OS: Linux
Domoticz version: github
Location: Denver, CO - USA
Contact:

Re: Let’s Encrypt HTTPS certificates

Post by nayr » Monday 11 January 2016 18:12

I got an A+ on mine, what web server are you using?

If its nginx go look at my config in the X509 thread, it has an A+ Nginx configuration: viewtopic.php?f=21&t=9799
just omit ssl_verify_client optional;
Debian Jessie: CuBox-i4 (Primary) w/Static Routed IP and x509 / BeagleBone with OpenSprinkler / BeagleBone Planted Aquarium / 3x Raspbery Pi2b GPIO Slaves
Elemental Theme - node-domoticz-mqtt - Home Theatre Controller - AndroidTV Simple OSD Remote - x509 TLS Auth

rverbruggen
Posts: 5
Joined: Thursday 24 December 2015 8:43
Target OS: Linux
Domoticz version: V2.4028
Contact:

Re: Let’s Encrypt HTTPS certificates

Post by rverbruggen » Tuesday 12 January 2016 9:00

nayr wrote:I got an A+ on mine, what web server are you using?

If its nginx go look at my config in the X509 thread, it has an A+ Nginx configuration: viewtopic.php?f=21&t=9799
just omit ssl_verify_client optional;
I did it without a proxy like nginx, just using the build in webserver.

Hopefully this way we can make it a 1-click install or something like that.

User avatar
nayr
Posts: 430
Joined: Tuesday 11 November 2014 19:42
Target OS: Linux
Domoticz version: github
Location: Denver, CO - USA
Contact:

Re: Let’s Encrypt HTTPS certificates

Post by nayr » Tuesday 12 January 2016 9:26

ah, I see.. well I dont trust domoticz that much, I'd rather expose nginx as its powering some massive sites and sure to be on top of security.

I dont think you'll get an A+ rating using only the built in HTTPS without modifying the built in webserver code to harden it, I dont see any configuration options for chiper suits or anything.. Going to have to drop all the old weak crypto out of the client options.
Debian Jessie: CuBox-i4 (Primary) w/Static Routed IP and x509 / BeagleBone with OpenSprinkler / BeagleBone Planted Aquarium / 3x Raspbery Pi2b GPIO Slaves
Elemental Theme - node-domoticz-mqtt - Home Theatre Controller - AndroidTV Simple OSD Remote - x509 TLS Auth

Post Reply

Who is online

Users browsing this forum: No registered users and 1 guest