[SOLVED] Configure personal SSL certificate on native Domoticz web server

On various Hardware and OS systems: pi / windows / routers / nas, etc

Deuteros
Posts: 7
Joined: Wednesday 30 November 2016 10:36
Target OS: Linux
Domoticz version: V3.5877
Location: Italy
Contact:

[SOLVED] Configure personal SSL certificate on native Domoticz web server

Post by Deuteros »

Hi all,
I have currently installed Domoticz on my Cubietruck with the latest version of Armbian and all is working fine connecting via HTTPS. :)

Now I want to replace the default Domoticz SSL certificate with a free one delivered by StartSSL (I have a personal domain and the DNS is managed by no-ip.com).

I created a certificate request (.CSR) and a key (.KEY), and I forwarded the request to StartSSL, which issued me the certificate (.PEM).

What I now ask is how to configure the certificate on the Domoticz web server.

I tried using the released .PEM file directly by adding this line to /etc/init.d/domoticz.sh:

Code:

DAEMON_ARGS="$DAEMON_ARGS -sslcert /home/domoticz/server_cert.pem"
Obviously the file is in the folder /home/domoticz.

I restarted the service but unfortunately I cannot access the Domoticz SSL page (Chrome returns the error ERR_CONNECTION_CLOSED). :cry:

Must I combine the .KEY and the .PEM files together? If so, how?

I tried to look into the wiki but I could not find anything helpful.

Any help appreciated

Thanks
Last edited by Deuteros on Tuesday 13 December 2016 12:20, edited 1 time in total.
maomanna
Posts: 94
Joined: Monday 30 November 2015 16:21
Target OS: Raspberry Pi / ODroid
Domoticz version:
Contact:

Re: Configure personal SSL certificate on native Domoticz web server

Post by maomanna »

interesting!

I am also looking for a solution for using a personal certificate.

My error in the http log is:

Code:

2016-12-04 21:18:43.558 Error: WebServer(SSL) startup failed on address 0.0.0.0 with port: 443: use_certificate_chain_file: No such file or directory
This is set in my /etc/init.d/domoticz.sh:

Code:

DAEMON_ARGS="$DAEMON_ARGS -sslwww 443"
DAEMON_ARGS="$DAEMON_ARGS -sslcert server_cert.pem"

EDIT:

I got a step further.

Now I receive this error:

Code:

2016-12-04 21:26:09.964 Error: [web:443] missing SSL DH parameters from file /domoticz/server_cert.pem
The fix on this page (http://www.domoticz.com/wiki/Native_sec ... o_Domoticz) points to /etc/ssl/certs/dhparam.pem. My ubuntu server misses this file.
maomanna
Posts: 94
Joined: Monday 30 November 2015 16:21
Target OS: Raspberry Pi / ODroid
Domoticz version:
Contact:

Re: Configure personal SSL certificate on native Domoticz web server

Post by maomanna »

I created the dhparam.pem file.

I still get the ERR_SSL_PROTOCOL_ERROR or connection refused error.
Deuteros
Posts: 7
Joined: Wednesday 30 November 2016 10:36
Target OS: Linux
Domoticz version: V3.5877
Location: Italy
Contact:

Re: Configure personal SSL certificate on native Domoticz web server

Post by Deuteros »

Hi maomanna,
I finally managed to install the StartSSL SSL certificate on Domoticz native server! :D

This is the procedure that I followed (I've installed Domoticz in the /domoticz folder):

- Install the openssl tools:

Code:

sudo apt install openssl
- Create a CSR and a private key:

Code:

openssl req -newkey rsa:2048 -keyout server.key -out server.csr
During this process you will be asked for a password to encrypt the private key. Remember to preserve both the private key and the password in a safe place.

- Decrypt the private key with the password you entered previously:

Code:

openssl rsa -in server.key -out server.decrypted.key
- Forward the CSR file to StartSSL to obtain a certificate

- Once StartSSL notifies you that the certificate has been issued, go to their control panel and download the ZIP file containing the certificates for the different web servers

- Inside the zip will be a file named ApacheServer.zip. Copy the 2_something.crt file inside it (not 1_root_bundle.crt) to your Domoticz server

- Convert the .CRT file to .PEM:

Code:

openssl x509 -in 2_something.crt -out server.pem -outform PEM
- Generate DH parameters:

Code:

openssl dhparam -out dhparam.pem 2048
- Make a backup copy of the server_cert.pem file within the Domoticz folder:

Code:

sudo mv /domoticz/server_cert.pem /domoticz/server_cert.pem.selfsigned
- Create the Domoticz new certificate:

Code:

sudo cat server.decrypted.key >> /domoticz/server_cert.pem
sudo cat server.pem >> /domoticz/server_cert.pem
sudo cat dhparam.pem >> /domoticz/server_cert.pem
- Restart Domoticz service:

Code:

sudo service domoticz restart
- Now everything should work properly!

With the new certificate, even the "Browser Cache Refresh failed" error popup will disappear.

I hope that the guide will help you. :D
gertlind1
Posts: 29
Joined: Wednesday 25 December 2013 12:17
Target OS: Raspberry Pi / ODroid
Domoticz version:
Contact:

Re: [SOLVED] Configure personal SSL certificate on native Domoticz web server

Post by gertlind1 »

Very nice.
Works perfectly, good job.

I think you should add this to the WIKI.

---
Gert
gertlind1
Posts: 29
Joined: Wednesday 25 December 2013 12:17
Target OS: Raspberry Pi / ODroid
Domoticz version:
Contact:

Re: [SOLVED] Configure personal SSL certificate on native Domoticz web server

Post by gertlind1 »

One thing I just noticed.

After an update https doesn't work.
Luckily I saved the generated server_cert.pem file to another place and copied it back to the Domoticz folder.
Restarted the service and all good again.

Could have been something else though, will see at the next update.
---
Gert
Deuteros
Posts: 7
Joined: Wednesday 30 November 2016 10:36
Target OS: Linux
Domoticz version: V3.5877
Location: Italy
Contact:

Re: [SOLVED] Configure personal SSL certificate on native Domoticz web server

Post by Deuteros »

Hi guys,
after running some tests I noticed that a certificate warning remains on Android devices. :?

I tested the SSL certificate through the service provided by Qualys (https://www.ssllabs.com/ssltest/index.html) and I noticed that the certificate chain is incorrect because Android devices do not have some StartSSL certificates in the local store.

We must therefore add these certificates to the chain during the creation process of the Domoticz certificate.

Consequently, the correct procedure is the following (I've installed Domoticz in the /domoticz folder):

- Install the openssl tools:

Code:

sudo apt install openssl
- Create a CSR and a private key:

Code:

openssl req -newkey rsa:2048 -keyout server.key -out server.csr
During this process you will be asked for a password to encrypt the private key. Remember to preserve both the private key and the password in a safe place.

- Decrypt the private key with the password you entered previously:

Code:

openssl rsa -in server.key -out server.decrypted.key
- Forward the CSR file to StartSSL to obtain a certificate

- Once StartSSL notifies you that the certificate has been issued, go to their control panel and download the ZIP file containing the certificates for the different web servers

- Inside the zip will be a file named ApacheServer.zip. Copy the 2_something.crt file inside it (not 1_root_bundle.crt) to your Domoticz server

- Convert the .CRT file to .PEM:

Code:

openssl x509 -in 2_something.crt -out server.pem -outform PEM
- Generate DH parameters:

Code:

openssl dhparam -out dhparam.pem 2048
- Download the Root 1 - StartCom Certification Authority:

Code:

wget https://www.startssl.com/certs/ca.crt
- Download the StartCom Class 1 DV Server CA:

Code:

wget https://www.startssl.com/certs/sca.server1.crt
- Stop the Domoticz server:

Code:

sudo service domoticz stop
- Make a backup copy of the server_cert.pem file within the Domoticz folder:

Code:

sudo mv /domoticz/server_cert.pem /domoticz/server_cert.pem.selfsigned
- Create the Domoticz new certificate (the order is important!):

Code:

sudo cat server.decrypted.key >> /domoticz/server_cert.pem
sudo cat server.pem >> /domoticz/server_cert.pem
sudo cat sca.server1.crt >> /domoticz/server_cert.pem
sudo cat ca.crt >> /domoticz/server_cert.pem
sudo cat dhparam.pem >> /domoticz/server_cert.pem
- Start the Domoticz server:

Code:

sudo service domoticz start
- Now everything should work properly, including Android devices!

- Test the certificate on https://www.ssllabs.com/ssltest/index.html

Another useful tool is available on https://whatsmychaincert.com: it checks the correctness of the certificate chain and, if it is wrong, it provides a correct one.

As gertlind1 said, it is possible that during Domoticz updates the certificate is overwritten with the default one: back up the server_cert.pem file in a folder outside the Domoticz installation folder.

Alternatively, but this is still to be tested, we could keep the server_cert.pem file in an external folder (for example /home/domoticz) and change the /etc/init.d/domoticz.sh file by adding the following line:

Code:

DAEMON_ARGS="$DAEMON_ARGS -sslcert /home/domoticz/server_cert.pem"
Perhaps the process can be improved, maybe some conversions are not necessary, but it works! :mrgreen:
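As an added example (not from this thread or the Domoticz project), here is a small Python checker for the layout of the combined server_cert.pem file the two procedures above build: it parses the PEM blocks and confirms the order Deuteros arrives at (decrypted private key first, server certificate, then the CA chain, DH parameters last), and reports the two failure modes seen in the thread, a missing DH PARAMETERS block and a still-encrypted private key. The sample PEM blocks are constructed placeholders (base64 of a marker string, not real key material); the function and variable names are the example's own.

```python
import base64
import binascii
import re

# One PEM block; the body may carry header lines (e.g. "Proc-Type: 4,ENCRYPTED")
# before the base64 data, as an openssl password-protected key does.
_PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n(?P<body>.*?)\r?\n-----END (?P=label)-----",
    re.S,
)

_KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}


def parse_pem_blocks(text):
    """Return one dict per PEM block: its label, whether it carries an
    ENCRYPTED header, and whether its base64 body decodes cleanly."""
    blocks = []
    for m in _PEM_BLOCK.finditer(text):
        lines = m.group("body").splitlines()
        headers = [ln for ln in lines if ":" in ln]
        data = "".join(ln.strip() for ln in lines if ":" not in ln)
        try:
            base64.b64decode(data, validate=True)
            ok = True
        except (binascii.Error, ValueError):
            ok = False
        blocks.append({
            "label": m.group("label"),
            "encrypted": any("ENCRYPTED" in h for h in headers),
            "valid_base64": ok,
        })
    return blocks


def check_bundle(text):
    """Return a list of problems with a Domoticz-style combined PEM.
    An empty list means the layout matches the thread's order:
    private key, server certificate, CA chain, DH parameters."""
    blocks = parse_pem_blocks(text)
    if not blocks:
        return ["no PEM blocks found"]
    problems = []
    labels = [b["label"] for b in blocks]
    for i, b in enumerate(blocks):
        if not b["valid_base64"]:
            problems.append(f"block {i} ({b['label']}) has a malformed base64 body")
    keys = [b for b in blocks if b["label"] in _KEY_LABELS]
    if len(keys) != 1:
        problems.append(f"expected exactly one private key, found {len(keys)}")
    elif labels[0] not in _KEY_LABELS:
        problems.append("private key must be the first block")
    if any(k["encrypted"] or k["label"] == "ENCRYPTED PRIVATE KEY" for k in keys):
        problems.append("private key is still password-protected; decrypt it first "
                        "(the thread uses 'openssl rsa') or the server cannot load it unattended")
    certs = labels.count("CERTIFICATE")
    if certs == 0:
        problems.append("no CERTIFICATE block")
    elif certs == 1:
        problems.append("only the server certificate is present; clients that do not ship "
                        "the issuing CA (Android in the thread) will show a warning")
    if "DH PARAMETERS" not in labels:
        problems.append("missing DH PARAMETERS block (Domoticz logs 'missing SSL DH parameters')")
    elif labels[-1] != "DH PARAMETERS":
        problems.append("DH PARAMETERS should be the last block")
    return problems


def _pem(label, tag, headers=()):
    # Constructed placeholder block: the body is base64 of a marker string, not real material.
    body = base64.b64encode(f"constructed-placeholder-{tag}".encode()).decode()
    head = "".join(h + "\n" for h in headers) + ("\n" if headers else "")
    return f"-----BEGIN {label}-----\n{head}{body}\n-----END {label}-----\n"


# Constructed samples covering the thread's good case and its two failure modes.
SAMPLE_GOOD = (_pem("RSA PRIVATE KEY", "key") + _pem("CERTIFICATE", "server")
               + _pem("CERTIFICATE", "sca.server1") + _pem("CERTIFICATE", "ca")
               + _pem("DH PARAMETERS", "dh"))
SAMPLE_NO_DH = (_pem("RSA PRIVATE KEY", "key") + _pem("CERTIFICATE", "server")
                + _pem("CERTIFICATE", "sca.server1") + _pem("CERTIFICATE", "ca"))
SAMPLE_ENCRYPTED_KEY = (_pem("RSA PRIVATE KEY", "key",
                             headers=("Proc-Type: 4,ENCRYPTED", "DEK-Info: AES-256-CBC,00"))
                        + _pem("CERTIFICATE", "server") + _pem("DH PARAMETERS", "dh"))

if __name__ == "__main__":
    for name, sample in [("good", SAMPLE_GOOD), ("no_dh", SAMPLE_NO_DH),
                         ("encrypted_key", SAMPLE_ENCRYPTED_KEY)]:
        print(name, check_bundle(sample) or "OK")
```

To run it against a real file, pass the contents of server_cert.pem to check_bundle(); a non-empty list points at the block to fix before restarting the service.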