Native secure access with Let's Encrypt

From Domoticz

This article shows you how to add a Let's Encrypt certificate to Domoticz so you can reach your server over HTTPS with a certificate that browsers trust, instead of the self-signed one Domoticz ships with.

The steps below were carried out on a Raspberry Pi, but they should work on any Linux distribution.

Prerequisites (see also http://www.domoticz.com/wiki/Native_HTTPS_/_SSL_support)

  • Ports 80 (HTTP) and 443 (HTTPS) on your router are forwarded to your Domoticz server (port 80 is only needed for the HTTP validation; the DNS validation described further down works without it)
  • You own a domain name
  • The (sub)domain name for Domoticz has a DNS entry that points to your external IP address

Startup script

If you want Domoticz to answer over HTTPS on the standard port, edit the startup script and set the daemon arguments as shown. If you also want to switch off the plain HTTP listener (port 8080 by default), add -www 0 to the same line. Port 443 is a privileged port, so Domoticz must be started as root or with permission to bind low ports.

sudo vi /etc/init.d/domoticz.sh

DAEMON_ARGS="-daemon -sslwww 443"

Install Let's Encrypt

The commands below use the client names from when this page was written; the official client has since been renamed certbot, and the letsencrypt repository redirects there.

git clone https://github.com/letsencrypt/letsencrypt

cd letsencrypt

sudo ./letsencrypt-auto

Create the certificate

sudo ~/.local/share/letsencrypt/bin/letsencrypt certonly --manual --email <your email> -d <your domain name>

Edit Nov 4 2016: Alternative: For me, it was: sudo ./letsencrypt-auto certonly --manual --email <your email> -d <your domain name>

Edit Dec 29 2016: To create and validate in one command, let the client drop the challenge file into the Domoticz web root itself: sudo ~/.local/share/letsencrypt/bin/letsencrypt certonly --webroot --email <your email> -d <your domain name> -w <user home>/domoticz/www/ (check first that your Domoticz is reachable from the Internet on HTTP port 80 via NAT forwarding in your router)

Edit Sep 10 2017: If you do not want to expose HTTP port 80 to the outside world, add --preferred-challenges=dns to the --manual command and create the DNS TXT record the client then asks for to prove ownership of the domain.


You can put several domain names on one certificate by adding another -d parameter for each additional name.

If the following message appears, do not press Enter yet:

If you don't have HTTP server configured, you can run the following command on the target server (as root):
mkdir -p /tmp/letsencrypt/public_html/.well-known/acme-challenge
cd /tmp/letsencrypt/public_html
printf "%s" <some random string> > .well-known/acme-challenge/<some random string>
# run only once per server:
$(command -v python2 || command -v python2.7 || command -v python2.6) -c \
"import BaseHTTPServer, SimpleHTTPServer; \
s = BaseHTTPServer.HTTPServer(('', 80), SimpleHTTPServer.SimpleHTTPRequestHandler); \
s.serve_forever()" 
Press ENTER to continue

Open another shell window and run the commands the client showed, replacing the two placeholders with the strings it printed (the file content and the file name are different values), to prove control of the server:

mkdir -p /tmp/letsencrypt/public_html/.well-known/acme-challenge
cd /tmp/letsencrypt/public_html
# file name = the token, file content = the key authorisation the client printed
printf "%s" <some random string> > .well-known/acme-challenge/<some random string>
# temporary web server on port 80 that serves only this directory; stop it with Ctrl-C once the certificate has been issued
# (on a system without Python 2 the equivalent is: python3 -m http.server 80)
$(command -v python2 || command -v python2.7 || command -v python2.6) -c \
"import BaseHTTPServer, SimpleHTTPServer; \
s = BaseHTTPServer.HTTPServer(('', 80), SimpleHTTPServer.SimpleHTTPRequestHandler); \
s.serve_forever()"

Edit Nov 4 2016. Alternative: Domoticz is itself a web server, so the challenge can be served by Domoticz directly. Simply put the file /tmp/letsencrypt/public_html/.well-known/acme-challenge/<some random string> into /home/pi/domoticz/www/.well-known/acme-challenge/ and check that your Domoticz is reachable from the Internet on HTTP port 80 (i.e. NAT forwarding in your router, from external port 80 to the Domoticz HTTP port).


Now press Enter in the first shell. If validation succeeds, the client prints the message below. Afterwards stop the temporary web server (Ctrl-C), since it keeps serving the directory on port 80 to anyone until you do.

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/<your domain>/fullchain.pem. Your
   cert will expire on <date>. To obtain a new version of the
   certificate in the future, simply run Let's Encrypt again.
 - If you like Let's Encrypt, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Add the certificate to Domoticz

The last step is to add the created certificate to Domoticz. Domoticz reads one combined PEM file containing the private key followed by the certificate chain, which is easily built with the following commands:

# remove the self-signed certificate that ships with Domoticz
sudo rm ~/domoticz/server_cert.pem
# private key first, then the certificate plus chain (the redirection runs as your own user, sudo only applies to cat)
sudo cat /etc/letsencrypt/live/<your domain>/privkey.pem >> ~/domoticz/server_cert.pem
sudo cat /etc/letsencrypt/live/<your domain>/fullchain.pem >> ~/domoticz/server_cert.pem

The combined file contains your private key, so make sure it is readable only by the user Domoticz runs as (chmod 600), and restart Domoticz afterwards so it loads the new certificate. Let's Encrypt certificates are valid for 90 days, so run the client again and repeat this step before the expiry date shown in the message above.

If Domoticz logs an error like "Error: [web:443] missing SSL DH parameters from file" after the restart, append Diffie-Hellman parameters to the same file (if /etc/ssl/certs/dhparam.pem does not exist on your system, generate it first with openssl dhparam):

sudo cat /etc/ssl/certs/dhparam.pem >> ~/domoticz/server_cert.pem
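The whole "add the certificate to Domoticz" step, including the DH parameters, as one script. This is an added example written for this page, not Domoticz or certbot code. It assumes the certbot live directory under /etc/letsencrypt, Domoticz installed in /home/pi/domoticz (override with DOMOTICZ_DIR), DH parameters in /etc/ssl/certs/dhparam.pem and the init script /etc/init.d/domoticz.sh; the function names are mine. It checks that the private key actually belongs to the certificate before anything is written, writes the combined file with mode 600 through a temporary file, and only then restarts Domoticz.

```shell
#!/bin/sh
# Added example for this wiki page (not Domoticz or certbot code): assemble the
# combined PEM that Domoticz loads (private key, certificate chain, DH parameters),
# check the key matches the certificate, install it with tight permissions and
# restart Domoticz. Assumed paths: certbot's live directory under /etc/letsencrypt,
# Domoticz in /home/pi/domoticz (override with DOMOTICZ_DIR), DH parameters in
# /etc/ssl/certs/dhparam.pem (override with DHPARAM), init script /etc/init.d/domoticz.sh.

DOMOTICZ_DIR="${DOMOTICZ_DIR:-/home/pi/domoticz}"
DHPARAM="${DHPARAM:-/etc/ssl/certs/dhparam.pem}"

# looks_like_pem FILE: succeeds if FILE is readable and contains a PEM block.
looks_like_pem() {
    [ -r "$1" ] && grep -q -- '-----BEGIN' "$1"
}

# pem_key_matches_cert KEY CERT: compare the public key derived from the private
# key with the public key inside the (leaf) certificate, so a stale key is caught
# before Domoticz is restarted with a pair it cannot use. Skipped without openssl.
pem_key_matches_cert() {
    if ! command -v openssl >/dev/null 2>&1; then
        echo "openssl not found, skipping key/certificate match check" >&2
        return 0
    fi
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# assemble_server_cert KEY FULLCHAIN DHPARAM OUT: write OUT in the order Domoticz
# expects, mode 600, via a temporary file so a failure never leaves a truncated
# server_cert.pem behind. Fails if any input is missing or is not PEM.
assemble_server_cert() {
    key="$1"; chain="$2"; dh="$3"; out="$4"
    for f in "$key" "$chain" "$dh"; do
        looks_like_pem "$f" || { echo "missing or not PEM: $f" >&2; return 1; }
    done
    tmp="$out.tmp.$$"
    # subshell so the restrictive umask does not leak into the caller's shell
    ( umask 077 && cat "$key" "$chain" "$dh" > "$tmp" ) || return 1
    chmod 600 "$tmp" && mv "$tmp" "$out"
}

# install_domoticz_cert DOMAIN: the full procedure; run as root (privkey.pem is root-only).
install_domoticz_cert() {
    live="/etc/letsencrypt/live/$1"
    # The "missing SSL DH parameters" startup error means this file is absent;
    # generate it once (this takes a while on a Raspberry Pi).
    [ -r "$DHPARAM" ] || openssl dhparam -out "$DHPARAM" 2048 || return 1
    pem_key_matches_cert "$live/privkey.pem" "$live/fullchain.pem" || {
        echo "privkey.pem does not match fullchain.pem in $live" >&2; return 1; }
    assemble_server_cert "$live/privkey.pem" "$live/fullchain.pem" "$DHPARAM" \
        "$DOMOTICZ_DIR/server_cert.pem" || return 1
    /etc/init.d/domoticz.sh restart
}

# Usage: sudo sh install-cert.sh <your domain>
if [ $# -eq 1 ]; then
    install_domoticz_cert "$1"
fi
```

Run it again after every renewal; because it refuses to touch server_cert.pem when the key and certificate disagree or an input file is missing, a half-finished renewal cannot leave Domoticz unable to start.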