Let’s Encrypt HTTPS certificates

[Kouseri]

Hi,

Has anyone tried or played with HTTPS certificates from Let's Encrypt? The Let's Encrypt seems to be an interesting project to provide
free certificates for the public's benefit.

I'm using the Domoticz via the HTTPS protocol and I have been thinking getting a "real" HTTPS certificate in order to get rid of certificate warnings. I haven't obtained
the "real" certificate yet because I'm not familiar with the certificate process and all stuff related to it. I know there is a wiki entry about Secure Remote Access but
does someone know how the process would go with the certificates from the Let's Encrypt?

[gizmocuz]

currently i can not see how to create a certificate

but with startssl you can already get a free certificate that you can use with domoticz,

[bizziebis]

I'm going to try it later today. You need a client to generate the certificate from your system. You don't create it from their website as far as I know.

It will at least save me from importing certificates to every device to ge domoticz secure

edit: Got it up and running, not so difficult

I followed this website: https://coolaj86.com/articles/lets-encr ... pberry-pi/

Then I created the server_cert.pem with the following content:
-privkey.pem
-cert.pem
-chain.pem

Schermopname (19).jpg (201.35 KiB) Viewed 9097 times

[Kouseri]

edit: Got it up and running, not so difficult

Great that you were able to get it working! Because I'm not familiar at all what comes to certificates, I'm wondering how to proceed with the Let's encrypt...
I guess I've to take care of steps 1 - 3 from https://coolaj86.com/articles/lets-encr ... pberry-pi/ but what to do after that? Simple instructions are
appreciated...

[ThinkPad]

Could someone create a tutorial how i can use this to migrate from HTTP to HTTPS ?
I know the benefits of HTTPS, but don't have the knowledge in setting this up.

[Moppersmurf]

Hi Thinkpad, would be handy if someone could make this. But if your running Domoticz on a NAS you can also make a VPN connection. That's not to difficult.

[ThinkPad]

I already have a VPN that i use when i need to reach my network from a external location.
But for using Android app and such, a port forward is needed, don't want to start my VPN for that every time. That is why i want to use HTTPS. And it seems with this method you get a supported certificate for free. But i don't know how to set that up, that's why i was asking here

[rverbruggen]

Hi all,

I'm going to implement a Let's Encrypt certificate to my Domoticz this or next week and will write everything down so I will generate a tutorial/document/wikipage on how to do this.

When it's done I will also post it here!

[ThinkPad]

That's great! Can't wait

[nayr]

The Free SSL Providers always make you jump through a bunch hoops and wait for approval to prevent abuse, time is money.. and its not much money at all.

for like $15 through ssls.com you can have a signed cert valid for 3 years installed within 5-10mins... Used to use free providers but the hassle of getting it, along with the short lifespan drove me to open my wallet.. now I just spend a few mins looking for best price and then get it done.

But I guess if your desperate to keep costs low, then thats why these free guys exist.. let us know how it goes.

[ThinkPad]

They even advise you to use a cronjob, so i think it is a procedure that you do once, and from then on can be renewed automatically

See: https://letsencrypt.readthedocs.org/en/ ... ml#renewal

[nayr]

thats because you have no other choice but to run there update script or do it manually constantly.

Let’s Encrypt CA issues short lived certificates (90 days). Make sure you renew the certificates at least once in 3 months.

like I said, hoops.. I am not running code as root in via cron unsigned from a 3rd party... especially not in exchange for something free.. smells like a NSA operated CA.

[ThinkPad]

For me (and probably others), using HTTPS over HTTP is already a big step towards better securing my network. And in this case i even get a certificate that is accepted by browsers, and for free!

[nayr]

you can run your own Certificate Authority for free too, and it will be accepted by any browsers you actually care about.. or just self sign it and accept the cert perminently on the few devices that connect to Domoticz...

Its not like its a public website, you own and control every device that connects to your home automation system.. its frivolous one way or another to have a 3rd party cert, and likely less secure.. because only YOU can issue certs from your own CA.

I use a 3rd party cert on Domoticz only because I got tired of Android warning me every boot about my personal CA being installed.. only a problem because my toddler could click on the warning and remove the cert far too easy.. I probably could have just rooted the tablet and installed the CA permanently, but this was easier.. Our last vacation he found a way to wipe my certs and the tablet was locked out all remote access until we got home.

[bizziebis]

If you want to use their tool you need your domoticz server to be reachable on port 80 or 433 from the internet. So you have to stop Domoticz first. If you use port redirection it will not work.

Then you need to construct the new server_cert.pem from a combination of the newly generated fullchain.pem and privkey.pem

This you have to do each 90 days. It could be automated by a script though..

I don't like to forward default HTTP and HTTPS ports in my router. So for each certificate renewal I need to briefly forward those ports and disable them afterwards.

I hope I'm wrong and there is a different way to do this, otherwise it will always be a hassle.

[nayr]

another nice thing about running your own CA is you can give subjectAltNames for local hostnames.

for example, https://domoticz and https://192.168.1.100 from inside your network, and https://yourexternal.domain.net for outside your network using the same cert and it will always show valid.

no 3rd party CA is going to give you shortname certs or non routable IP's, my CA gives me certs for:
https://router
https://plex
https://wifi
https://dispatch
https://nas
https://nvr

and so on in adnasuium.. since only my machines connect to these hosts, they already have my personal CA installed and all validate A-OK.. is running https on your LAN overkill? perhaps, but I run multiple wireless networks, including an open and unencrypted public network with very limited access to my LAN.. and I bet most of you give out wifi passwords to friends/family, and are subject to all the other weakness in pre-shared key wifi.

I have no problem exposing a service directly to the internet, as long as it requires client certificates for connection and I am the only person with the ability to sign those certificates.. if the only thing protecting it is a passphrase then its kept behind a firewall.

[rverbruggen]

Got it working this weekend! This week i'll create the write-up/wiki page so everyone can use it.

Tested with ssllabs.com and got a B.

In the upcomming weeks I'll try to improve so we can score an A+ on our Domoticz servers.

[nayr]

I got an A+ on mine, what web server are you using?

If its nginx go look at my config in the X509 thread, it has an A+ Nginx configuration: viewtopic.php?f=21&t=9799
just omit ssl_verify_client optional;

[rverbruggen]

I got an A+ on mine, what web server are you using?

If its nginx go look at my config in the X509 thread, it has an A+ Nginx configuration: viewtopic.php?f=21&t=9799
just omit ssl_verify_client optional;

I did it without a proxy like nginx, just using the build in webserver.

Hopefully this way we can make it a 1-click install or something like that.

[nayr]

ah, I see.. well I dont trust domoticz that much, I'd rather expose nginx as its powering some massive sites and sure to be on top of security.

I dont think you'll get an A+ rating using only the built in HTTPS without modifying the built in webserver code to harden it, I dont see any configuration options for chiper suits or anything.. Going to have to drop all the old weak crypto out of the client options.