Let’s Encrypt HTTPS certificates

On various Hardware and OS systems: pi / windows / routers / nas, etc
rverbruggen
Posts: 5
Joined: Thursday 24 December 2015 8:43
Target OS: Linux
Domoticz version: V2.4028

Re: Let’s Encrypt HTTPS certificates

Postby rverbruggen » Tuesday 12 January 2016 10:27

nayr wrote:ah, I see.. well I don't trust domoticz that much, I'd rather expose nginx as it's powering some massive sites and sure to be on top of security.

I don't think you'll get an A+ rating using only the built in HTTPS without modifying the built in webserver code to harden it, I don't see any configuration options for cipher suites or anything.. Going to have to drop all the old weak crypto out of the client options.


Same thing goes for me!

But I hope that I can help make Domoticz better for the more average users in the future (if Domoticz becomes a widely used product).
On top of that I think that it will be easier to change it now while there is a lot of programming going on and hopefully the changes can be made without too much trouble, than when we have to change it when it is a full blown solution and changes get harder and harder.

nayr
Posts: 431
Joined: Tuesday 11 November 2014 19:42
Target OS: Linux
Domoticz version: github
Location: Denver, CO - USA

Re: Let’s Encrypt HTTPS certificates

Postby nayr » Tuesday 12 January 2016 10:47

I'm all for native https, and it should be the easy option.. but it's not the only one, and if you want A+ level security out of it then you may be asking too much.

documentation imo should cover both possibilities, I just saw a pull request for myDomoticz that will finally allow us to run multiple domoticz sites behind a proxy, mixed with other sites all behind a single IP/Port/Certificate..

for example: https://yoursite.com/domoticz/

now you can buy a secure cert for https://yoursite.com , and put something else entirely here, then just proxy /domoticz/ to your domoticz (even using https between proxy and domo if you want)
Debian Jessie: CuBox-i4 (Primary) w/Static Routed IP and x509 / BeagleBone with OpenSprinkler / BeagleBone Planted Aquarium / 3x Raspberry Pi2b GPIO Slaves
Elemental Theme - node-domoticz-mqtt - Home Theatre Controller - AndroidTV Simple OSD Remote - x509 TLS Auth

mrcage
Posts: 6
Joined: Monday 28 December 2015 12:53
Target OS: NAS (Synology & others)
Domoticz version:

Re: Let’s Encrypt HTTPS certificates

Postby mrcage » Friday 15 January 2016 23:27

I think you should create a server and a client certificate to make the connection to domoticz.
You can easily create a certificate pair by using putty key generator.
Not sure if you can require this by connecting to domoticz though.
Domoticz newbie :)

nayr
Posts: 431
Joined: Tuesday 11 November 2014 19:42
Target OS: Linux
Domoticz version: github
Location: Denver, CO - USA

Re: Let’s Encrypt HTTPS certificates

Postby nayr » Friday 15 January 2016 23:55

mrcage wrote:I think you should create a server and a client certificate to make the connection to domoticz.
You can easily create a certificate pair by using putty key generator.
Not sure if you can require this by connecting to domoticz though.


Actually you can, I just finished up documentation and getting SSO support committed to the core.. see: viewtopic.php?f=21&t=9799

It's just more of an advanced configuration, I cannot see any easy way to simplify for the masses beyond documenting it well.. would be a huge undertaking to implement a built in key manager correctly and securely.. there is a good reason advanced authentication mechanisms are usually offloaded to external programs.

MarcelMAH
Posts: 49
Joined: Saturday 05 December 2015 0:35
Target OS: Windows
Domoticz version: v3.4834
Location: Goes, Netherlands

Re: Let’s Encrypt HTTPS certificates

Postby MarcelMAH » Wednesday 13 April 2016 22:19

Let's Encrypt is now out of beta... I would really like Domoticz to support this natively (even on Windows).
Running Domoticz on Windows 8.1 with RFXCOM - RFXtrx433 and Aeotec Z-Stick Gen5

irrbloss
Posts: 5
Joined: Sunday 19 June 2016 17:23
Target OS: Raspberry Pi
Domoticz version:

Re: Let’s Encrypt HTTPS certificates

Postby irrbloss » Tuesday 21 June 2016 22:20

bizziebis wrote:I'm going to try it later today. You need a client to generate the certificate from your system. You don't create it from their website as far as I know.

It will at least save me from importing certificates to every device to get domoticz secure :)

edit: Got it up and running, not so difficult ;)

I followed this website: https://coolaj86.com/articles/lets-encr ... pberry-pi/

Then I created the server_cert.pem with the following content:
-privkey.pem
-cert.pem
-chain.pem

Where did you put those files?
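
The concatenation step quoted in the post above (privkey.pem, cert.pem and chain.pem joined into server_cert.pem), as an added example that is not part of the original thread. The function name `build_server_cert` and both path arguments are assumptions; because the combined file contains the private key, the sketch writes it with mode 600 and renames it into place so a renewal never leaves a half-written file.

```shell
#!/bin/sh
# Added example (not from the thread): build the combined server_cert.pem.
# Usage (paths are placeholders): build_server_cert <dir-with-pem-files> <output-file>
build_server_cert() {
    src=$1
    out=$2
    [ -n "$src" ] && [ -n "$out" ] || {
        echo "usage: build_server_cert <src-dir> <output-file>" >&2
        return 2
    }

    # All three inputs named in the post must exist and be non-empty.
    for f in privkey.pem cert.pem chain.pem; do
        [ -s "$src/$f" ] || { echo "missing or empty: $src/$f" >&2; return 1; }
    done

    # privkey.pem must hold a private key (PKCS#1, PKCS#8 or EC header).
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$src/privkey.pem" || {
        echo "privkey.pem does not contain a private key" >&2
        return 1
    }

    # cert.pem and chain.pem must hold certificates and no key material.
    for f in cert.pem chain.pem; do
        grep -q -e '-----BEGIN CERTIFICATE-----' "$src/$f" || {
            echo "$f does not contain a certificate" >&2
            return 1
        }
        if grep -q -e 'PRIVATE KEY-----' "$src/$f"; then
            echo "$f unexpectedly contains a private key" >&2
            return 1
        fi
    done

    # Write next to the target with a restrictive umask, then rename.
    # 'awk 1' copies every line and adds a final newline to any input that
    # lacks one, so two PEM markers never end up fused on a single line.
    tmp="$out.tmp.$$"
    (
        umask 077
        awk 1 "$src/privkey.pem" "$src/cert.pem" "$src/chain.pem" > "$tmp"
    ) || { rm -f "$tmp"; return 1; }
    chmod 600 "$tmp" && mv -f "$tmp" "$out"
}
```

Source the file and call the function with the directory holding the three Let's Encrypt files and the location where the combined file should be written.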

Calzor Suzay
Posts: 111
Joined: Tuesday 08 July 2014 15:10
Target OS: Raspberry Pi
Domoticz version: 3.5877
Location: UK

Re: Let’s Encrypt HTTPS certificates

Postby Calzor Suzay » Tuesday 10 January 2017 18:29

With this method are you able to set up public and private keys for devices (such as iPhone, PC etc.)?

Or is NGINX the preferred method for this, it's just that at the NGINX wiki page https://www.domoticz.com/wiki/Secure_Nginx_Proxy_Setup at the top it says "Please note! Domoticz now has native HTTPS / SSL support since Version 2.2563 (June 14th 2015)"

jake
Posts: 232
Joined: Saturday 30 May 2015 22:40
Target OS: Raspberry Pi
Domoticz version: beta

Re: RE: Re: Let’s Encrypt HTTPS certificates

Postby jake » Friday 13 January 2017 0:02

Calzor Suzay wrote:With this method are you able to set up public and private keys for devices (such as iPhone, PC etc.)?

Or is NGINX the preferred method for this, it's just that at the NGINX wiki page https://www.domoticz.com/wiki/Secure_Nginx_Proxy_Setup at the top it says "Please note! Domoticz now has native HTTPS / SSL support since Version 2.2563 (June 14th 2015)"

I never understood those lines in the Wiki either. If I use the 443 port and forward that in my router, how much more safe is this, compared to the standard http? What is the actual risk with hacking when I use the login page and the password has sufficient quality, together with the https?

Using the https always gives me a read 'failed update browser cache' on my pc at work.

