native HTTPS / SSL support in Domoticz

On various Hardware and OS systems: pi / windows / routers / nas, etc

Moderator: leecollings

rgroothuis
Posts: 347
Joined: Friday 03 April 2015 17:09
Target OS: Raspberry Pi / ODroid
Domoticz version:
Contact:

native HTTPS / SSL support in Domoticz

Post by rgroothuis »

Hi, any explanation (WIKI) in which I can find how to set up and use the native HTTPS and/or SSL support in Domoticz?

My goal is that I want to open a port on my router and in a secure way let the Pilot Home Automation APP on my iPhone make a connection to my Domoticz server. In the Pilot APP I can configure the options "SSL" and "Self-signed certificate" but I don't know what to configure on the Domoticz side.

Any hints, suggestions and/or explanations are more than welcome. Thanks.
mrf68

Re: native HTTPS / SSL support in Domoticz

Post by mrf68 »

Hi,

Activate Website Protection (found in Setup - Settings - System) by entering a username and password. Put these credentials into Pilot. Open port 443 on your router and give it a try.
rgroothuis

Re: native HTTPS / SSL support in Domoticz

Post by rgroothuis »

mrf68 wrote: Hi,

Activate Website Protection (found in Setup - Settings - System) by entering a username and password. Put these credentials into Pilot. Open port 443 on your router and give it a try.

From what I read and understand the "Website protection" is only a login name/password protection. It doesn't force HTTPS or SSL.

I've filled in a login name and password, opened a port on my router (not 443) and I was able to connect using the login name and password but without HTTPS or SSL. So this is not clarified yet.

Other suggestions are welcome as well.
mrf68

Re: native HTTPS / SSL support in Domoticz

Post by mrf68 »

Try surfing to https://yourhomeipaddress:port. Does it ask for credentials and do you see a lock in the url? In that case I think you have an https connection.
rgroothuis

Re: native HTTPS / SSL support in Domoticz

Post by rgroothuis »

mrf68 wrote: Try surfing to https://yourhomeipaddress:port. Does it ask for credentials and do you see a lock in the url? In that case I think you have an https connection.

Yes it is asking for my login name/password. But it is still HTTP. See screenshot
[Screenshot: HTTP screenshot]
mrf68

Re: native HTTPS / SSL support in Domoticz

Post by mrf68 »

HTTPS is normally on port 443. Domoticz also listens for https on port 443. I read you want to use another port. Have you told Domoticz to serve https on that other port? When you open the file /home/pi/domoticz/domoticz.sh you'll see:

Code: Select all

DAEMON_ARGS="-daemon -www 8080 -sslwww 443"

When you want to use a different port for SSL, you need to change that line and change 443 to for example 8443. Restart Domoticz and surf to HTTPS://ipaddress:8443 and look again.
rgroothuis

Re: native HTTPS / SSL support in Domoticz

Post by rgroothuis »

mrf68 wrote: HTTPS is normally on port 443. Domoticz also listens for https on port 443. I read you want to use another port. Have you told Domoticz to serve https on that other port? When you open the file /home/pi/domoticz/domoticz.sh you'll see:

Code: Select all

DAEMON_ARGS="-daemon -www 8080 -sslwww 443"

When you want to use a different port for SSL, you need to change that line and change 443 to for example 8443. Restart Domoticz and surf to HTTPS://ipaddress:8443 and look again.

Thanks, I think this is the trick I was looking for. This issue is now solved (for me), I'm now using https and the login name/password to access Domoticz from the outside world.
havnegata
Posts: 114
Joined: Wednesday 10 September 2014 11:05
Target OS: Raspberry Pi / ODroid
Domoticz version: V4.10162
Location: Norway
Contact:

Re: native HTTPS / SSL support in Domoticz

Post by havnegata »

Does this work on a Windows system as well?
rgroothuis

Re: native HTTPS / SSL support in Domoticz

Post by rgroothuis »

havnegata wrote: Does this work on a Windows system as well?

Sorry, cannot comment on that. I'm using a Raspberry.
mrf68

Re: native HTTPS / SSL support in Domoticz

Post by mrf68 »

The question is: what is it you want to work on Windows?

The definition of the ports is set during installation, see https://www.domoticz.com/wiki/Windows.
laguyle
Posts: 1
Joined: Saturday 02 January 2016 16:35
Target OS: NAS (Synology & others)
Domoticz version:
Contact:

Re: native HTTPS / SSL support in Domoticz

Post by laguyle »

Hi,

I'm looking for a way to change the SSL port on my Domoticz hosted on my Synology.
There is no file "domoticz.sh" like on Raspberry...
Does anyone know how to do that?
amz4u2nv
Posts: 31
Joined: Friday 21 August 2015 16:04
Target OS: NAS (Synology & others)
Domoticz version:
Contact:

Re: native HTTPS / SSL support in Domoticz

Post by amz4u2nv »

laguyle wrote: Hi,

I'm looking for a way to change the SSL port on my Domoticz hosted on my Synology.
There is no file "domoticz.sh" like on Raspberry...
Does anyone know how to do that?

I'm sure you must have sorted it out, but just in case, and for others:

You can go here on Synology:
/var/packages/domoticz/scripts/start-stop-status

and make changes to the SSL port; not sure what happens when you update the package though.
pioupiou92
Posts: 3
Joined: Monday 16 May 2016 10:11
Target OS: NAS (Synology & others)
Domoticz version:
Contact:

Re: native HTTPS / SSL support in Domoticz

Post by pioupiou92 »

Hi amz4u2nv,

I'm running Domoticz on a Synology NAS as well. I applied the changes on the start-stop-status script but I'm facing an SSL error. Error messages are:

2016-05-16 10:21:01.218 Error: WebServer(SSL) startup failed on address 0.0.0.0 with port: 5085: use_certificate_chain_file: no start line
2016-05-16 10:21:01.218 Error: WebServer(SSL) check if no other application is using port: 5085

RSSLCERT value is the path to my certificate and private key folder. My certificate is valid and runs fine with the Apache web sites hosted on my NAS. It is not an auto signed certificate.

Any idea?

Best regards,
Madgeni
Posts: 1571
Joined: Friday 25 March 2016 17:43
Target OS: Raspberry Pi / ODroid
Domoticz version:
Contact:

Re: native HTTPS / SSL support in Domoticz

Post by Madgeni »

Hi there

I've changed the port in domoticz.sh, restarted Domoticz, but it's still binding to 443 - any ideas why?

Thanks!
Native Alexa skill and Google app - register at https://www.controlicz.com - https://twitter.com/Controlicz
pioupiou92

Re: native HTTPS / SSL support in Domoticz

Post by pioupiou92 »

Finally I'm answering my own question. To run Domoticz with HTTPS on a Synology NAS you must:

- Create a text file named server_cert.pem with the 3 blocks: certificate, chain and private key. Meaning 3 times ---BEGIN--- ---END--- sections.
- Copy this file to the Domoticz install directory (usually /volume1/@appstore/domoticz)
- Edit (vi) the file /var/packages/domoticz/scripts/start-stop-status
- Set RSSLCERT="${INSTALL_DIR}/server_cert.pem"
- Change the HTTPS port if needed (RSSLPORT="xxxx")
- Stop and restart the Domoticz package

There are a few error messages (missing SSL DH), however it starts successfully.
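
A structural pre-check for the combined file described in the post above, as an added example that is not part of the original thread or of the Domoticz package. `check_pem_bundle` and `write_sample_bundle` are hypothetical helper names, and the sample bundle is constructed with placeholder bodies rather than real key material.

```sh
# Added example (not Domoticz code): structural check of a combined PEM
# bundle before RSSLCERT is pointed at it. Helper names are hypothetical.
check_pem_bundle() {
    f=$1
    # RSSLCERT must name a file; on this page a folder path came with
    # the "no start line" startup error.
    [ -f "$f" ] || { echo "not-a-file"; return 1; }
    # The first non-blank line has to be a PEM BEGIN marker.
    first=$(grep -v '^[[:space:]]*$' "$f" | head -n 1)
    case $first in
        "-----BEGIN "*) ;;
        *) echo "no-start-line"; return 1 ;;
    esac
    # grep -c exits 1 on a zero count, hence "|| true".
    certs=$(grep -c '^-----BEGIN CERTIFICATE-----' "$f" || true)
    keys=$(grep -c '^-----BEGIN .*PRIVATE KEY-----' "$f" || true)
    begins=$(grep -c '^-----BEGIN ' "$f" || true)
    ends=$(grep -c '^-----END ' "$f" || true)
    [ "$begins" -eq "$ends" ] || { echo "unbalanced-blocks"; return 1; }
    [ "$certs" -ge 1 ] || { echo "missing-certificate"; return 1; }
    [ "$keys" -eq 1 ] || { echo "missing-private-key"; return 1; }
    # The bundle holds the private key, so reject world-readable modes.
    if [ -n "$(find "$f" -perm -004)" ]; then
        echo "world-readable"; return 1
    fi
    echo "ok certs=$certs keys=$keys"
}

# Constructed sample: certificate, chain certificate and private key
# blocks with placeholder bodies (no real key material), mode 0600.
write_sample_bundle() {
    (
        umask 077
        for kind in CERTIFICATE CERTIFICATE "PRIVATE KEY"; do
            printf '%s\n' "-----BEGIN $kind-----" "Q09OU1RSVUNURUQ=" \
                "-----END $kind-----"
        done > "$1"
    )
}

# Demo run on the constructed sample in a throwaway directory.
demo_dir=$(mktemp -d)
write_sample_bundle "$demo_dir/server_cert.pem"
check_pem_bundle "$demo_dir/server_cert.pem"
rm -rf "$demo_dir"
```

The check is structural only: it does not verify that the key matches the certificate or that the chain is complete.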
derek
Posts: 1
Joined: Sunday 04 September 2016 15:37
Target OS: Raspberry Pi / ODroid
Domoticz version:
Contact:

Re: native HTTPS / SSL support in Domoticz

Post by derek »

Also maybe nice for people to know:

If you have successfully enabled https on whatever port (ideally 443) and you want to disable http, specify "-www 0" instead of "-www 8080" in your DAEMON_ARGS.

It's also in the ./domoticz --help but I didn't know the help flag existed :)
flabrosse
Posts: 18
Joined: Thursday 07 July 2016 20:28
Target OS: Raspberry Pi / ODroid
Domoticz version:
Contact:

Re: native HTTPS / SSL support in Domoticz

Post by flabrosse »

Sorry to resurrect this, but I'm having issues with https support. The relevant part of /etc/init.d/domoticz.sh has:

Code: Select all

DAEMON_ARGS="-daemon"
#DAEMON_ARGS="$DAEMON_ARGS -daemonname $NAME -pidfile $PIDFILE"
DAEMON_ARGS="$DAEMON_ARGS -www 8080"
DAEMON_ARGS="$DAEMON_ARGS -sslwww 443"

This is confirmed by Domoticz when it starts. The logs contain:

Code: Select all

2016-10-12 19:44:12.409 WebServer(HTTP) started on address: :: with port 8080
2016-10-12 19:44:12.414 WebServer(SSL) started on address: :: with port 443

However, when I go to https://192.168.1.250 I get:

Code: Select all

Your connection is not private

Attackers might be trying to steal your information from 192.168.1.250 (for example, passwords, messages or credit cards). NET::ERR_CERT_AUTHORITY_INVALID

and the https is crossed out in the URL bar.

This is on a Pi3 with Raspbian all up to date and the latest beta of Domoticz.

Any idea?
flabrosse

Re: native HTTPS / SSL support in Domoticz

Post by flabrosse »

Sorry, got it. There was also an advanced link on the same page that allows me to accept the certificate. Solved.
gomario
Posts: 19
Joined: Wednesday 04 November 2015 6:05
Target OS: Windows
Domoticz version:
Contact:

Re: native HTTPS / SSL support in Domoticz

Post by gomario »

Resurrecting yet again...

I just can't change the SSL port for the life of me.

Running latest Jessie. Compiled without a hitch from latest build.
When I run ./domoticz as user "pi" I get:

Code: Select all

2017-07-25 15:42:37.231  Domoticz V3.8122 (c)2012-2017 GizMoCuz
2017-07-25 15:42:37.231  Build Hash: 4157243, Date: 2017-07-24 15:30:30
2017-07-25 15:42:37.232  Startup Path: /home/pi/domoticz/
2017-07-25 15:42:37.374  PluginSystem: Started, Python version '3.4.2'.
2017-07-25 15:42:37.381  Active notification Subsystems: gcm, http (2/12)
2017-07-25 15:42:37.383  WebServer(HTTP) started on address: :: with port 8080
2017-07-25 15:42:37.395  Error: WebServer(SSL) startup failed on address 0.0.0.0 with port: 443: bind: Permission denied
2017-07-25 15:42:37.395  Error: WebServer(SSL) check privileges for opening ports below 1024
2017-07-25 15:42:37.395  Proxymanager started.
2017-07-25 15:42:37.397  Starting shared server on: :::6144
2017-07-25 15:42:37.398  TCPServer: shared server started...
...

"pi" is a member of sudoers + I understand that I still can't open low ports if I'm not root.
I just want to change to a higher port but whatever I put in domoticz.sh is not reflected...
No matter what it still tells me the same error ... 433 can't be opened without permission

Using "./domoticz -sslwww 2400" works without a hitch

What am I missing, is there another config file somewhere or what the hell?
(nothing in etc/init.d ..I haven't added anything to run on startup yet)


My domoticz.sh :

Code: Select all

#! /bin/sh
### BEGIN INIT INFO
# Provides:          domoticz
# Required-Start:    $network $remote_fs $syslog
# Required-Stop:     $network $remote_fs $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Home Automation System
# Description:       This daemon will start the Domoticz Home Automation System
### END INIT INFO

# Do NOT "set -e"

PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin
DESC="Domoticz Home Automation System"
NAME=domoticz
USERNAME=pi
PIDFILE=/var/run/$NAME.pid
SCRIPTNAME=/etc/init.d/$NAME

DAEMON=/home/$USERNAME/domoticz/$NAME
DAEMON_ARGS="-daemon"
#DAEMON_ARGS="$DAEMON_ARGS -daemonname $NAME -pidfile $PIDFILE"
DAEMON_ARGS="$DAEMON_ARGS -www 8080"
DAEMON_ARGS="$DAEMON_ARGS -sslwww 2400"
DAEMON_ARGS="$DAEMON_ARGS -log /var/log/domoticz.txt"
#DAEMON_ARGS="$DAEMON_ARGS -syslog"
.....
everything beyond this is all stock, even the lines above are virtually unchanged...
.....

Thanks in advance, any help would be greatly appreciated...
jannl
Posts: 625
Joined: Thursday 02 October 2014 6:36
Target OS: Raspberry Pi / ODroid
Domoticz version: 2022.2
Location: Geleen
Contact:

Re: native HTTPS / SSL support in Domoticz

Post by jannl »

You need to start domoticz as root. Try 'sudo ./domoticz.sh'. Or just reboot the pi

Sent from my SM-G930F with Tapatalk
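
When Domoticz is started through the init script, the -www and -sslwww flags discussed in this thread come from its DAEMON_ARGS lines, so parsing those lines shows which ports a given script will request. This is an added example, not part of the thread or of Domoticz; `effective_ports` and `write_sample_init` are hypothetical names, and the sample fragment is constructed from the DAEMON_ARGS lines quoted above.

```sh
# Added example (not Domoticz code): report the web ports an init script
# will pass to the daemon. The file is parsed with awk, never executed.
# effective_ports and write_sample_init are hypothetical helper names.
effective_ports() {
    awk '
        # Ports shown in the log on this page when no flags are given.
        BEGIN { http = "8080"; ssl = "443" }
        # Commented-out DAEMON_ARGS lines do not match this pattern.
        /^[ \t]*DAEMON_ARGS=/ {
            # A line that does not extend $DAEMON_ARGS starts over.
            if ($0 !~ /\$DAEMON_ARGS/) { http = "8080"; ssl = "443" }
            n = split($0, tok, /[ \t"]+/)
            for (i = 1; i < n; i++) {
                if (tok[i] == "-www")    http = tok[i + 1]
                if (tok[i] == "-sslwww") ssl  = tok[i + 1]
            }
        }
        END {
            out = "http=" http " ssl=" ssl
            # "-www 0" is the setting the thread gives for disabling HTTP.
            if (http != "0") out = out " plain-http-enabled"
            # Ports below 1024 need privileges, as the quoted log says.
            if (ssl + 0 > 0 && ssl + 0 < 1024) out = out " ssl-needs-root"
            print out
        }' "$1"
}

# Constructed sample mirroring the DAEMON_ARGS lines quoted in the thread.
write_sample_init() {
    cat > "$1" <<'EOF'
DAEMON_ARGS="-daemon"
#DAEMON_ARGS="$DAEMON_ARGS -daemonname $NAME -pidfile $PIDFILE"
DAEMON_ARGS="$DAEMON_ARGS -www 8080"
DAEMON_ARGS="$DAEMON_ARGS -sslwww 2400"
EOF
}

# Demo run on the constructed sample.
demo_file=$(mktemp)
write_sample_init "$demo_file"
effective_ports "$demo_file"
rm -f "$demo_file"
```

A `plain-http-enabled` result means the login name and password can still travel unencrypted over the HTTP port if that port is reachable.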