Native secure access with Let's Encrypt

From Domoticz

Domoticz ships with an SSL certificate issued for the *.domoticz.com domain, so when you reach the server under your own domain name your browser will show a certificate warning.

This article shows how to add a Let's Encrypt certificate to Domoticz so that you can reach your server over HTTPS without a browser warning. The certificate is valid for 3 months and must be renewed every 3 months.

The steps below were carried out on a Raspberry Pi, but they should work on any Linux system.

Prerequisites (see also: http://www.domoticz.com/wiki/Native_HTTPS_/_SSL_support)

  • You own a domain name.
  • The (sub)domain name for Domoticz has a DNS entry that points to your external IP address.
  • Ports 80 (HTTP) and 443 (HTTPS) are forwarded from your internet router to your Domoticz server. Port 80 only needs to be forwarded while the certificate is being created or renewed; I advise that you disable it afterwards.
  • Domoticz must listen on both the HTTP and HTTPS ports. Check this in the startup script /etc/init.d/domoticz.sh.


Install Let's Encrypt

cd /etc
sudo git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
sudo ./letsencrypt-auto

On a Pi this last command takes a long time.

Create the certificate

sudo /etc/letsencrypt/letsencrypt-auto certonly --webroot --email <your email> -d <your complete sub.domain name> -w <user home>/domoticz/www/
(Check that your Domoticz is reachable on HTTP port 80 through the NAT forwarding in your router.)

Let's Encrypt creates a temporary file in the www directory of Domoticz. The Let's Encrypt server fetches this file to verify that you control the domain, and the temporary file is removed afterwards.


Edit Sep 10 2017: If you do not want to expose HTTP port 80 to the outside world, you can instead use --preferred-challenges=dns and create a DNS TXT record as instructed to validate ownership of the domain.


You can request a certificate for several domain names by adding a further -d parameter with the domain name for each additional domain.


If everything is OK this message shows:

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/<your domain>/fullchain.pem. Your
   cert will expire on <date>. To obtain a new version of the
   certificate in the future, simply run Let's Encrypt again.
 - If you like Let's Encrypt, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

The certificate files are created under /etc/letsencrypt/live/<your domain>/.

Add the certificate to Domoticz

Then add the created certificate to Domoticz with:

sudo rm ~/domoticz/server_cert.pem
sudo cat /etc/letsencrypt/live/<your domain>/privkey.pem >> ~/domoticz/server_cert.pem
sudo cat /etc/letsencrypt/live/<your domain>/fullchain.pem >> ~/domoticz/server_cert.pem
sudo cp ~/domoticz/server_cert.pem ~/domoticz/letsencrypt_server_cert.pem
sudo /etc/init.d/domoticz.sh restart

Because every update of Domoticz overwrites server_cert.pem, the cp command keeps a backup copy of your new certificate so that you can restore it if needed.

If Domoticz logs an error like the following after the service is restarted: Error: [web:443] missing SSL DH parameters from file

add the DH parameters to the bundle:

sudo cat /etc/ssl/certs/dhparam.pem >> ~/domoticz/server_cert.pem

and if that in turn fails with an error like: /etc/ssl/certs/dhparam.pem: No such file or directory, generate the parameters first:

cd /etc/ssl/certs
sudo openssl dhparam -dsaparam -out dhparam.pem 4096
sudo cat /etc/ssl/certs/dhparam.pem >> ~/domoticz/server_cert.pem
sudo /etc/init.d/domoticz.sh restart
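Rebuilding the bundle by hand after each 3-month renewal and each Domoticz update is easy to get wrong. The following POSIX shell script is an added example, not part of the Domoticz wiki: it assembles server_cert.pem in the order used above (private key, full chain, DH parameters), refuses to replace the live file when any section is missing, keeps the file owner-only because it holds the private key, and writes the letsencrypt_server_cert.pem backup. The live directory, dhparam and output paths are arguments you supply; the make_sample_inputs helper creates constructed placeholder PEM files so the script can be exercised offline.

```shell
#!/bin/sh
# Added example, not part of the Domoticz wiki. Rebuilds the combined PEM that
# Domoticz loads (private key, then full chain, then DH parameters) and checks
# it before it replaces the live file. Run it as root so privkey.pem is readable.

# Confirm that a bundle carries all three PEM sections Domoticz needs.
check_bundle() {
    grep -q -e '-----BEGIN.*PRIVATE KEY-----' "$1" || return 1
    grep -q -e '-----BEGIN CERTIFICATE-----' "$1" || return 1
    grep -q -e '-----BEGIN DH PARAMETERS-----' "$1" || return 1
}

# build_domoticz_bundle <live dir> <dhparam.pem> <output server_cert.pem>
build_domoticz_bundle() {
    live="$1"; dh="$2"; out="$3"
    for f in "$live/privkey.pem" "$live/fullchain.pem" "$dh"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 1; }
    done
    tmp="$out.tmp.$$"
    # The bundle contains the private key, so create it owner-only (mode 0600).
    ( umask 077; cat "$live/privkey.pem" "$live/fullchain.pem" "$dh" > "$tmp" ) || return 1
    if ! check_bundle "$tmp"; then
        echo "incomplete bundle, keeping the existing $out" >&2
        rm -f "$tmp"; return 1
    fi
    mv "$tmp" "$out"
    # Keep the copy that survives a Domoticz update, as the wiki recommends.
    cp "$out" "$(dirname "$out")/letsencrypt_server_cert.pem"
}

# Constructed placeholder inputs so the script can be exercised offline; a real
# run points at /etc/letsencrypt/live/<your domain> and /etc/ssl/certs/dhparam.pem.
make_sample_inputs() {
    mkdir -p "$1/live"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'PLACEHOLDER' '-----END PRIVATE KEY-----' > "$1/live/privkey.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER' '-----END CERTIFICATE-----' > "$1/live/fullchain.pem"
    printf '%s\n' '-----BEGIN DH PARAMETERS-----' 'PLACEHOLDER' '-----END DH PARAMETERS-----' > "$1/dhparam.pem"
}

# Usage: sudo sh bundle.sh /etc/letsencrypt/live/<your domain> /etc/ssl/certs/dhparam.pem /home/pi/domoticz/server_cert.pem
# then: sudo /etc/init.d/domoticz.sh restart
if [ "$#" -eq 3 ]; then
    build_domoticz_bundle "$1" "$2" "$3"
fi
```

The script only touches the output path, so the restart from the wiki steps above is still run separately after it succeeds.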