Support of Let's Encrypt

Use this forum to discuss possible implementation of a new feature before opening a ticket.
A developer shall edit the topic title with "[xxx]" where xxx is the id of the accompanying tracker id.
Duplicate posts about the same id. +1 posts are not allowed.

Moderators: leecollings, remb0

tho071088
Posts: 18
Joined: Monday 24 April 2017 23:03
Target OS: Raspberry Pi / ODroid
Domoticz version: Stable
Location: Gerstheim, France

Support of Let's Encrypt

Post by tho071088 »

I use Let's Encrypt for SSL support; I have to run scripts manually to update the certificates and replace them in the Domoticz configuration.
Also, I have to replace them each time Domoticz is updated.

Could it be automatic?
Domoticz Beta on Raspberry Pi 3
RFLink / YeeLight / Xiaomi Devices / 433MHz / SonOff via MQTT
niki_lauda
Posts: 115
Joined: Saturday 31 August 2013 14:48
Target OS: Raspberry Pi / ODroid
Domoticz version: beta
Location: Eindhoven (NL)

Re: Support of Let's Encrypt

Post by niki_lauda »

tho071088 wrote: Thursday 26 October 2017 10:02 I use Let's Encrypt for SSL support; I have to run scripts manually to update the certificates and replace them in the Domoticz configuration.
Also, I have to replace them each time Domoticz is updated.

Could it be automatic?
At https://www.domoticz.com/wiki/Native_HT ... SL_support
you can define your own Let's Encrypt certificate.

-sslcert file_path (for example D:\server_cert.pem or /opt/domoticz/server_cert.pem)
tho071088
Posts: 18
Joined: Monday 24 April 2017 23:03
Target OS: Raspberry Pi / ODroid
Domoticz version: Stable
Location: Gerstheim, France

Re: Support of Let's Encrypt

Post by tho071088 »

Yes, but it's not so easy :oops: :
  • Manually generate a new certificate every 6 months
  • Three files to concatenate (privkey.pem/fullchain.pem/server_cert.pem).
Something automatic could be nice.
Domoticz Beta on Raspberry Pi 3
RFLink / YeeLight / Xiaomi Devices / 433MHz / SonOff via MQTT
kijdhfcjdks
Posts: 6
Joined: Wednesday 21 June 2017 11:26
Target OS: Raspberry Pi / ODroid

Re: Support of Let's Encrypt

Post by kijdhfcjdks »

Hi, here's another variant for installing a Let's Encrypt certificate with Domoticz on a Raspberry Pi (Raspbian). This also includes a cron job that auto-renews (not tested live yet though...).

I'm using a custom SSL port for Domoticz, so I forward port 443 to certbot-auto (listening on port 8889 in this example) for the certificate setup and renewal only. certbot-auto is a tool from the EFF that simplifies the process.

#0 Setup router forwarding

Code:

External port 443 => 8889 on local raspberry pi

#1 Login to rpi and update

Code:

sudo apt-get update
sudo apt-get upgrade
sudo /home/pi/domoticz/updaterelease

#2 Install certbot-auto

Code:

cd ~
mkdir certbot
cd certbot
wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto

#3 Generate and install certificate

Code:

sudo ./certbot-auto certonly --standalone --preferred-challenges tls-sni-01 --tls-sni-01-port 8889 -d YOURDOMAIN.COM
# remove the old combined file, then write the private key first and the full chain after it
sudo rm /home/pi/domoticz/server_cert.pem
sudo cat /etc/letsencrypt/live/YOURDOMAIN.COM/privkey.pem >> ~/domoticz/server_cert.pem
sudo cat /etc/letsencrypt/live/YOURDOMAIN.COM/fullchain.pem >> ~/domoticz/server_cert.pem
# keep a copy that a Domoticz update will not overwrite
sudo cp /home/pi/domoticz/server_cert.pem /home/pi/domoticz/domo_server_cert.pem
cd domoticz/
sudo /etc/init.d/domoticz.sh restart

Done! "domo_server_cert.pem" is your backup if Domoticz overwrites the live one during updates.

Renewal script (not tested live yet):

Code:

nano /home/pi/cert-domoticz-update.sh

Paste the following script and save it:

Code:

#!/bin/bash
/home/pi/certbot/certbot-auto renew
rm -f /home/pi/domoticz/server_cert.pem
rm -f /home/pi/domoticz/domo_server_cert.pem
cat /etc/letsencrypt/live/YOURDOMAIN.COM/privkey.pem >> /home/pi/domoticz/domo_server_cert.pem
cat /etc/letsencrypt/live/YOURDOMAIN.COM/fullchain.pem >> /home/pi/domoticz/domo_server_cert.pem
cp /home/pi/domoticz/domo_server_cert.pem /home/pi/domoticz/server_cert.pem
/etc/init.d/domoticz.sh restart

Code:

sudo chmod a+x /home/pi/cert-domoticz-update.sh

Setup cron:

Code:

sudo crontab -e   # root's crontab: certbot-auto renew and the Domoticz restart need root

Add this:

Code:

# minute hour day-of-month month day-of-week (7 = Sunday)
0 3 * * 7  /home/pi/cert-domoticz-update.sh

The script will run every Sunday at 3 AM.

Edit: added a line to the script (row 4). Now renewal should work.
Last edited by kijdhfcjdks on Wednesday 25 April 2018 20:29, edited 1 time in total.
Deluka
Posts: 19
Joined: Thursday 03 March 2016 18:38
Target OS: Raspberry Pi / ODroid

Re: Support of Let's Encrypt

Post by Deluka »

I'm trying this but getting the following error

Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA
jsiegmund
Posts: 33
Joined: Sunday 14 May 2017 21:13
Target OS: Raspberry Pi / ODroid

Re: Support of Let's Encrypt

Post by jsiegmund »

Deluka wrote: Saturday 24 February 2018 18:08 I'm trying this but getting the following error

Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA
That's because of this: https://community.letsencrypt.org/t/imp ... sues/50811

The TLS path is no longer valid. You need to remove the two arguments concerning tls and use the default HTTP verification method instead.
Deluka
Posts: 19
Joined: Thursday 03 March 2016 18:38
Target OS: Raspberry Pi / ODroid

Re: Support of Let's Encrypt

Post by Deluka »

OK, thanks, that solved my problem.
kijdhfcjdks
Posts: 6
Joined: Wednesday 21 June 2017 11:26
Target OS: Raspberry Pi / ODroid

Re: Support of Let's Encrypt

Post by kijdhfcjdks »

jsiegmund wrote: Tuesday 06 March 2018 18:13
Deluka wrote: Saturday 24 February 2018 18:08 I'm trying this but getting the following error

Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA
That's because of this: https://community.letsencrypt.org/t/imp ... sues/50811

The TLS path is no longer valid. You need to remove the two arguments concerning tls and use the default HTTP verification method instead.
I re-downloaded certbot and followed the steps and the deprecated command works for me anyway. Can't use the standard ports so that's why I use these flags.
clubeddie
Posts: 80
Joined: Saturday 19 March 2016 21:12
Target OS: NAS (Synology & others)

Re: Support of Let's Encrypt

Post by clubeddie »

I tried your steps, but I am getting stuck at
kijdhfcjdks wrote: Monday 01 January 2018 22:28
cat /etc/letsencrypt/live/YOURDOMAIN.COM/privkey.pem >> /home/pi/domoticz/domo_server_cert.pem
After this command I get

etc/letsencrypt/live/YOURDOMAIN.COM/privkey.pem: No such file or directory, where YOURDOMAIN.COM is of course my own domain. Any clue?

Directory live doesn't exist.
FTNJSL
Posts: 1
Joined: Friday 19 January 2024 15:53
Target OS: -

Re: Support of Let's Encrypt

Post by FTNJSL »

kijdhfcjdks wrote: Monday 01 January 2018 22:28

#1 Login to rpi and update

Code:

sudo apt-get update
sudo apt-get upgrade
sudo /home/pi/domoticz/updaterelease
...
Hello,
The tutorial no longer works because certain commands have apparently evolved in recent years. Can you please help me update this tutorial? For example:

#1 => ERROR 404: Not Found.
#2 ./certbot-auto: command not found
#3 If I run this >>> sudo certbot certonly --standalone --preferred-challenges tls-sni-01 --tls-sni-01-port 8889 -d YOURDOMAIN the result is
certbot: error: argument --preferred-challenges: Unrecognized challenges: tls-sni-01
And -port is not recognized.

Thanks in advance.
lost
Posts: 616
Joined: Thursday 10 November 2016 9:30
Target OS: Raspberry Pi / ODroid

Re: Support of Let's Encrypt

Post by lost »

FTNJSL wrote: Friday 19 January 2024 16:08 The tutorial no longer works...
You may use this wiki howto:
https://www.domoticz.com/wiki/Native_se ... ts_Encrypt

This proved to be a good base for my own setup; I just had to set up certbot pre/post hooks to open/close port 80 (certbot sets up a temporary HTTP server for the update) only for the time the cert update takes (I did not want to leave it open all the time, even if no service is otherwise bound there).

Take care not to forget the Domoticz startup modification with option --sslcert: if you just overwrite the default self-signed certificate, yours will be overwritten on Domoticz upgrades!
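The renewal script posted earlier in this thread and the pre/post-hook approach in the post above, combined into one added example (this is not code from the thread, from the wiki, or from the Domoticz project): a certbot deploy hook that rebuilds the combined server_cert.pem Domoticz reads from the Let's Encrypt live files. It assumes the paths used in the thread (/home/pi/domoticz, /etc/letsencrypt/live/YOURDOMAIN.COM, /etc/init.d/domoticz.sh), that the hook is run by certbot as root, that ufw is the firewall for the optional port-80 hooks, and that the hook script lives at /home/pi/domoticz-deploy-hook.sh; the RENEWED_LINEAGE variable is one certbot itself exports to deploy hooks. Unlike the cron script above, it checks that the live files exist and carry the expected PEM blocks before touching the old certificate (the missing "live" directory clubeddie ran into stops it with a message instead of leaving an empty file behind), creates the combined file with 0600 permissions so the private key is never world-readable, and renames it into place atomically.

```shell
#!/bin/sh
# Added example, not from the thread or the Domoticz project: a certbot deploy
# hook that rebuilds the combined PEM Domoticz reads after each successful
# renewal.  Wire it in with (assumed path for this script):
#   certbot renew --deploy-hook "/home/pi/domoticz-deploy-hook.sh deploy"
# To open port 80 only while certbot's temporary HTTP server runs, assuming
# ufw is the firewall:
#   certbot renew --pre-hook "ufw allow 80/tcp" --post-hook "ufw delete allow 80/tcp" \
#                 --deploy-hook "/home/pi/domoticz-deploy-hook.sh deploy"
set -eu

DOMAIN="YOURDOMAIN.COM"            # assumption: placeholder from the thread
DOMOTICZ_DIR="/home/pi/domoticz"   # assumption: install path used in the thread
# certbot exports RENEWED_LINEAGE (the live/<domain> directory) to deploy hooks;
# fall back to the conventional path when the script is run by hand.
LIVE_DIR="${RENEWED_LINEAGE:-/etc/letsencrypt/live/$DOMAIN}"

die() { printf 'domoticz-deploy-hook: %s\n' "$1" >&2; }

# Verify a PEM file is readable and holds a block of the given type, so a
# missing "live" directory stops the run before the old certificate is touched.
check_pem() {  # $1 = file, $2 = block type: "PRIVATE KEY" or "CERTIFICATE"
    if [ ! -r "$1" ]; then
        die "cannot read $1 (is the certbot 'live' directory present?)"
        return 1
    fi
    if ! grep -q -- "-----BEGIN.*$2-----" "$1"; then
        die "$1 contains no $2 block"
        return 1
    fi
}

# Write private key, then full chain (the order used in this thread) into a
# temp file created with mode 0600 and rename it into place: the key is never
# world-readable and Domoticz never opens a half-written file.
build_domoticz_cert() {  # $1 = privkey.pem, $2 = fullchain.pem, $3 = destination
    check_pem "$1" "PRIVATE KEY" || return 1
    check_pem "$2" "CERTIFICATE" || return 1
    tmp="$3.tmp.$$"
    ( umask 077 && cat "$1" "$2" > "$tmp" )
    chmod 600 "$tmp"
    mv -f "$tmp" "$3"
}

# Number of PEM blocks of the given type in a file (0 when there are none);
# a good combined file has exactly one PRIVATE KEY and at least one CERTIFICATE.
count_pem_blocks() {  # $1 = file, $2 = block type
    grep -c -- "-----BEGIN.*$2-----" "$1" || true
}

if [ "${1:-}" = "deploy" ]; then
    build_domoticz_cert "$LIVE_DIR/privkey.pem" "$LIVE_DIR/fullchain.pem" \
        "$DOMOTICZ_DIR/server_cert.pem"
    # Copy kept outside the file that Domoticz updates overwrite, as the thread
    # does; pointing Domoticz at it with --sslcert is the cleaner fix.
    cp -p "$DOMOTICZ_DIR/server_cert.pem" "$DOMOTICZ_DIR/domo_server_cert.pem"
    /etc/init.d/domoticz.sh restart   # assumption: the init script used in the thread
fi
```

The "deploy" argument guard keeps the restart from running when the file is merely sourced or executed without arguments; certbot runs the hook command through a shell, so passing the argument in --deploy-hook works. If Domoticz is started with --sslcert pointing at domo_server_cert.pem, the copy step is the one that matters and a Domoticz update can no longer replace the certificate in use.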