native HTTPS / SSL support in Domoticz

On various Hardware and OS systems: pi / windows / routers / nas, etc

Moderator: leecollings

lost
Posts: 616
Joined: Thursday 10 November 2016 9:30
Target OS: Raspberry Pi / ODroid
Domoticz version:
Contact:

Re: native HTTPS / SSL support in Domoticz

Post by lost »

jannl wrote: You need to start Domoticz as root. Try 'sudo ./domoticz.sh'. Or just reboot the Pi.
In my understanding, he's just willing to run Domoticz as a non-root user. As binding the usual HTTP(S) ports (80/443, thus < 1024) may be the only thing in Domoticz that needs root rights, he changed them to some numbers over 1024.

But this doesn't work: it still binds HTTPS to 443 whatever numbers are on the command line... and complains about root permissions!

Never tried this, as with non-standard HTTPS there are many networks (open Wi-Fi etc.) where they will be filtered out, but for security reasons running Domoticz as a non-root user makes sense, as the executable does not seem to drop rights after binding the ports.
jannl
Posts: 625
Joined: Thursday 02 October 2014 6:36
Target OS: Raspberry Pi / ODroid
Domoticz version: 2022.2
Location: Geleen
Contact:

Re: native HTTPS / SSL support in Domoticz

Post by jannl »

Hm. Ok. My domoticz.sh is in /etc/init.d. You made no typo in the domoticz.sh you use?

Why not start as root?
Via port forwarding on your router you can arrange a different port.

Sent from my SM-G930F using Tapatalk
gomario
Posts: 19
Joined: Wednesday 04 November 2015 6:05
Target OS: Windows
Domoticz version:
Contact:

Re: native HTTPS / SSL support in Domoticz

Post by gomario »

lost wrote:
jannl wrote: You need to start Domoticz as root. Try 'sudo ./domoticz.sh'. Or just reboot the Pi.
In my understanding, he's just willing to run Domoticz as a non-root user. As binding the usual HTTP(S) ports (80/443, thus < 1024) may be the only thing in Domoticz that needs root rights, he changed them to some numbers over 1024.

But this doesn't work: it still binds HTTPS to 443 whatever numbers are on the command line... and complains about root permissions!

Never tried this, as with non-standard HTTPS there are many networks (open Wi-Fi etc.) where they will be filtered out, but for security reasons running Domoticz as a non-root user makes sense, as the executable does not seem to drop rights after binding the ports.
YES! You said it perfectly.
a) trying to run as a non-root user as recommended (generally and even in the Domoticz installation guide)
b) non-root won't easily open lower ports (or at all without installing iptables -> no experience with that either + adding more complexity)
...simplest solution is going to a high port
b) won't start with that port no matter what I specify in domoticz.sh in /etc/init.d/domoticz.sh and, just in case I missed something, even in /home/pi/domoticz/domoticz.sh
c) when I run sudo ./domoticz it starts with 443, but that's what I don't want... it only proves that it's installed correctly and can be run at all

To recap... I proceeded as follows:
1. Fresh install of Debian on my Acer netbook, update/upgrade, installing Domoticz (with OpenZWave support) - not a single error/warning.
All files are owned by pi.
2. Before even trying to set it up for auto start:
I just run ./domoticz and get the error regarding port numbers. With sudo it works (obviously).

When running as pi and changing the port (in the only version of domoticz.sh existing at this time -> no /etc/init.d copy yet),
and even after going the init.d start-up route, no matter what I change the port to in either file, it registers and gives me the low-port error.
It is not commented out or anything, totally stock, checked, reinstalled...

If I type ./domoticz -sslwww 8090 ...IT WORKS!

After following "Starting Domoticz automatically when the system boots Init.d Method"
and changing the port in /etc/init.d it starts with any port specified, but top still shows the process as run by root (chuid in domoticz.sh is ignored?)

Sorry for such a chunky post... I guess I'm trying to give you as much info as I can think of...
So... my question after all this then is... Is there any way to run this as pi (non-root user)? As that seems to be the source of all the problems...
Thank you again for all your wisdom, gents!
SDISDI
Posts: 17
Joined: Wednesday 09 March 2016 9:18
Target OS: Raspberry Pi / ODroid
Domoticz version: 3.4834
Contact:

Re: native HTTPS / SSL support in Domoticz

Post by SDISDI »

Hi. Not sure if it is the same issue you are seeing, but I have been using the same custom sslwww port for a couple of years, but after updating today (to V3.8153) I have just had to set it to a lower port number.

sudo service domoticz.sh status -l
returns

Jul 31 22:31:19 raspberrypi domoticz.sh[654]: 2017-07-31 22:31:19.545  Error: Please specify a valid sslwww port
I haven't found the cut-off yet, but port 31000 is OK but port 35000 gives the error.
RFXtrx433E
Hive 2 Active Heating
Owl CM180 Energy Monitor
Various HomeEasy Receivers
LightwaveRF Plug-in sockets
Thomasdc
Posts: 133
Joined: Wednesday 11 March 2015 19:13
Target OS: Raspberry Pi / ODroid
Domoticz version: Beta
Contact:

Re: native HTTPS / SSL support in Domoticz

Post by Thomasdc »

Hi,

I am trying to get HTTPS access to Domoticz (RPi) working, but it doesn't seem to work,
so this is what I did.

In my router, I port-forwarded a WAN port towards the '443' port of Domoticz.

When I try to access my Domoticz from 'https://WAN-IP:Wanport_to_443'
I get the message in my browser that it is an unsafe connection:

https://photos.app.goo.gl/OKT4bDfyxB2VMHWR2

Am I doing something wrong?
(I did not do anything except the port forwarding to 443; I didn't install certificates or anything, but I don't think I need to do this? Or am I wrong?)

I want to use Controlicz ( https://www.controlicz.com/faq ) --> so I need to use the SSL connection... but is what I did right/enough?

Thanks!
Regards, Thomas
mack
Posts: 14
Joined: Friday 08 April 2016 8:23
Target OS: Raspberry Pi / ODroid
Domoticz version: Stable
Location: Dallas, USA
Contact:

Re: native HTTPS / SSL support in Domoticz

Post by mack »

Thomasdc wrote: Thursday 09 November 2017 21:14
When I try to access my Domoticz from 'https://WAN-IP:Wanport_to_443'
I get the message in my browser that it is an unsafe connection:

https://photos.app.goo.gl/OKT4bDfyxB2VMHWR2

Am I doing something wrong?
(I did not do anything except the port forwarding to 443; I didn't install certificates or anything, but I don't think I need to do this? Or am I wrong?)
The unsafe connection message is normal for self-signed certificates. To continue, add the exception to allow the connection in your browser and things should be fine. If you wish to avoid the issue, you would need to install an authority-signed certificate for your domain... something like Let's Encrypt. Since in your example you say "WAN-IP", I'm led to believe you don't have a domain name set up, so the so-called insecure connection would be your only choice. If you didn't want to use the self-signed certificate that ships with Domoticz, you can always generate a new one and sign it yourself.
simulacra
Posts: 2
Joined: Sunday 22 July 2018 16:48
Target OS: Raspberry Pi / ODroid
Domoticz version:
Contact:

Re: native HTTPS / SSL support in Domoticz

Post by simulacra »

I have 3 files

ca_bundle.crt
certificate.crt
private.key

How can I adapt them to use with Domoticz?
peliilep
Posts: 3
Joined: Sunday 06 November 2016 8:10
Target OS: Raspberry Pi / ODroid
Domoticz version: 4.7
Location: NL
Contact:

Re: native HTTPS / SSL support in Domoticz

Post by peliilep »

For my RPi I use TTP certificates and convert them to a server cert PEM file for Domoticz as follows (so feel free to be inspired by this :P ):

Decrypt the private key with the password you entered previously:
sudo openssl rsa -in server.key -out server.decrypted.key
Convert the certificate .crt to .pem:
sudo openssl x509 -in certificate.crt -out server.pem -outform PEM
Convert the chain certificate .crt to .pem:
sudo openssl x509 -in chain.crt -out chain.pem -outform PEM
Generate DH parameters (lengthy process!! May take up to 45 minutes):
sudo openssl dhparam -out dhparam.pem 2048
Create the new server certificate for Domoticz (decrypted key, then certificate, then the converted chain, then DH parameters):
cat server.decrypted.key >> server_cert.pem
cat server.pem >> server_cert.pem
cat chain.pem >> server_cert.pem
cat dhparam.pem >> server_cert.pem
Stop Domoticz: sudo /etc/init.d/domoticz.sh stop
Edit the /etc/init.d/domoticz.sh script file to change the SSL certificate daemon setting:
sudo nano /etc/init.d/domoticz.sh
In the daemon args section add the following line:
DAEMON_ARGS="$DAEMON_ARGS -sslcert PATH TO YOUR/server_cert.pem"
Do a systemctl daemon-reload:
sudo systemctl daemon-reload
Start Domoticz: sudo /etc/init.d/domoticz.sh start

I encourage you to store the text of all certificates and private keys in a password vault like KeePass and to remove all certificate material from your Pi (except server_cert.pem).
Apply proper access rights to the server certificate:
sudo chmod 400 server_cert.pem

Will this help?
Evo-Home API, HEOS, KaKu, Landys Smartmeters, Logitech Hub, RFXCOM 433, RFXCOM 868 (Visonic), Xiaomi GW, Youless, Zwave+. MySensors: USB-GW + Cat-feeder, Lux sensor, Watermeter
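The bundle assembly from the steps above, as an added example (not peliilep's script and not Domoticz's own tooling): a POSIX sh function that checks each PEM input, refuses a key that is still passphrase-protected, concatenates the parts in the same order and leaves server_cert.pem readable by its owner only. The function names and the placeholder files written by the demo are assumptions made for this example.

```shell
#!/bin/sh
# Assemble a Domoticz server_cert.pem from separate PEM files, in the order the
# post above uses: decrypted private key, server certificate, CA chain, DH params.
# Function names and the sample files written by the demo are constructed for
# this example; the base64 bodies are dummies, not real key material.

# has_pem_block FILE TYPE: succeed if FILE holds a "-----BEGIN TYPE-----" block.
has_pem_block() {
    grep -q -e "-----BEGIN $2-----" "$1" && grep -q -e "-----END $2-----" "$1"
}

# key_is_encrypted FILE: succeed if the key still needs a passphrase. Domoticz
# cannot prompt for one at start-up, which is why the post decrypts the key first.
key_is_encrypted() {
    grep -q -E -e 'BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED' "$1"
}

# build_bundle KEY CERT CHAIN DHPARAM OUT: validate every input, then concatenate
# them into OUT, which ends up readable by its owner only (chmod 400).
build_bundle() {
    key=$1 cert=$2 chain=$3 dh=$4 out=$5
    if key_is_encrypted "$key"; then
        echo "refusing $key: still encrypted, decrypt it first" >&2; return 1
    fi
    grep -q -E -e '-----BEGIN (RSA |EC )?PRIVATE KEY-----' "$key" ||
        { echo "no private key in $key" >&2; return 1; }
    has_pem_block "$cert" CERTIFICATE || { echo "no certificate in $cert" >&2; return 1; }
    has_pem_block "$chain" CERTIFICATE || { echo "no certificate in $chain" >&2; return 1; }
    has_pem_block "$dh" "DH PARAMETERS" || { echo "no DH parameters in $dh" >&2; return 1; }
    rm -f "$out"
    # umask 077 in a subshell: the file never exists with group/world read bits.
    (umask 077 && cat "$key" "$cert" "$chain" "$dh" > "$out") || return 1
    chmod 400 "$out"
}

# Demo on constructed placeholder files in a temporary directory.
demo_dir=$(mktemp -d)
printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'MIIdummykey' '-----END PRIVATE KEY-----' > "$demo_dir/private.key"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIdummycert' '-----END CERTIFICATE-----' > "$demo_dir/certificate.crt"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIdummyca' '-----END CERTIFICATE-----' > "$demo_dir/ca_bundle.crt"
printf '%s\n' '-----BEGIN DH PARAMETERS-----' 'MIIdummydh' '-----END DH PARAMETERS-----' > "$demo_dir/dhparam.pem"
build_bundle "$demo_dir/private.key" "$demo_dir/certificate.crt" \
    "$demo_dir/ca_bundle.crt" "$demo_dir/dhparam.pem" "$demo_dir/server_cert.pem" &&
    echo "wrote $demo_dir/server_cert.pem"
```

Point DAEMON_ARGS at the resulting file exactly as in the steps above; the chain and DH parameters are optional for Domoticz only insofar as the post includes them, so keep the same four parts.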
simulacra
Posts: 2
Joined: Sunday 22 July 2018 16:48
Target OS: Raspberry Pi / ODroid
Domoticz version:
Contact:

Re: native HTTPS / SSL support in Domoticz

Post by simulacra »

Thanks for the tip.
I use Let's Encrypt now, following the Domoticz wiki,
but maybe I'll try your steps to adapt a cert from another provider.