Support of Let's Encrypt
-
- Posts: 18
- Joined: Monday 24 April 2017 23:03
- Target OS: Raspberry Pi / ODroid
- Domoticz version: Stable
- Location: Gerstheim, France
- Contact:
Support of Let's Encrypt
I use Let's Encrypt for SSL support; I have to run scripts manually to update the certificates and replace them in the Domoticz configuration.
Also, I have to replace them each time Domoticz is updated.
Could it be automatic?
Domoticz Beta on Raspberry Pi 3
RFLink / YeeLight / Xiaomi Devices / 433MHz / SonOff via MQTT
-
- Posts: 115
- Joined: Saturday 31 August 2013 14:48
- Target OS: Raspberry Pi / ODroid
- Domoticz version: beta
- Location: Eindhoven (NL)
- Contact:
Re: Support of Let's Encrypt
@ https://www.domoticz.com/wiki/Native_HT ... SL_support
you can define your own letsencrypt certificate.
-sslcert file_path (for example D:\server_cert.pem or /opt/domoticz/server_cert.pem)
-
- Posts: 18
- Joined: Monday 24 April 2017 23:03
- Target OS: Raspberry Pi / ODroid
- Domoticz version: Stable
- Location: Gerstheim, France
- Contact:
Re: Support of Let's Encrypt
Yes, but it's not so easy:
- Manually generate a new certificate every 6 months
- Three files to concatenate (privkey.pem/fullchain.pem/server_cert.pem).
Domoticz Beta on Raspberry Pi 3
RFLink / YeeLight / Xiaomi Devices / 433MHz / SonOff via MQTT
-
- Posts: 6
- Joined: Wednesday 21 June 2017 11:26
- Target OS: Raspberry Pi / ODroid
- Domoticz version:
- Contact:
Re: Support of Let's Encrypt
Hi, here's another variant for installing a letsencrypt certificate with Domoticz on a Raspberry Pi (Raspbian). This also includes a cronjob that auto renews. (not tested live yet though...)
I'm using a custom ssl port for Domoticz so I forward port 443 to certbot-auto (listening on port 8889 in this example) for the certificate setup and renewal only. Certbot-auto is a tool from EFF that simplifies the process.
#0 Setup router forwarding
External port 443 => 8889 on local raspberry pi
#1 Login to rpi and update
sudo apt-get update
sudo apt-get upgrade
sudo /home/pi/domoticz/updaterelease
#2 Install certbot-auto
cd ~
mkdir certbot
cd certbot
wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto
#3 generate and install certificate
sudo ./certbot-auto certonly --standalone --preferred-challenges tls-sni-01 --tls-sni-01-port 8889 -d YOURDOMAIN.COM
sudo rm /home/pi/domoticz/server_cert.pem
sudo cat /etc/letsencrypt/live/YOURDOMAIN.COM/privkey.pem >> ~/domoticz/server_cert.pem
sudo cat /etc/letsencrypt/live/YOURDOMAIN.COM/fullchain.pem >> ~/domoticz/server_cert.pem
sudo cp /home/pi/domoticz/server_cert.pem /home/pi/domoticz/domo_server_cert.pem
cd domoticz/
sudo /etc/init.d/domoticz.sh restart
Done! "domo_server_cert.pem" is your backup if Domoticz overwrites the live one during updates.
Renewal script (not tested live yet):
nano /home/pi/cert-domoticz-update.sh
Paste the following script and save it:
#!/bin/bash
/home/pi/certbot/certbot-auto renew   # only re-issues when the certificate is close to expiry
rm -f /home/pi/domoticz/server_cert.pem
rm -f /home/pi/domoticz/domo_server_cert.pem
cat /etc/letsencrypt/live/YOURDOMAIN.COM/privkey.pem >> /home/pi/domoticz/domo_server_cert.pem   # needs root: /etc/letsencrypt/live is root-only
cat /etc/letsencrypt/live/YOURDOMAIN.COM/fullchain.pem >> /home/pi/domoticz/domo_server_cert.pem
cp /home/pi/domoticz/domo_server_cert.pem /home/pi/domoticz/server_cert.pem   # Domoticz reads key + chain from one file
/etc/init.d/domoticz.sh restart
sudo chmod a+x /home/pi/cert-domoticz-update.sh
Setup Cron (root's crontab, because the script reads /etc/letsencrypt/live):
sudo crontab -e
Add this:
0 3 * * 7 /home/pi/cert-domoticz-update.sh
The script will run every Sunday at 3 AM
Edit: added a line to the script (row 4). Now renewal should work
Last edited by kijdhfcjdks on Wednesday 25 April 2018 20:29, edited 1 time in total.
-
- Posts: 19
- Joined: Thursday 03 March 2016 18:38
- Target OS: Raspberry Pi / ODroid
- Domoticz version:
- Contact:
Re: Support of Let's Encrypt
I'm trying this but getting the following error:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA
-
- Posts: 33
- Joined: Sunday 14 May 2017 21:13
- Target OS: Raspberry Pi / ODroid
- Domoticz version:
- Contact:
Re: Support of Let's Encrypt
That's because of this: https://community.letsencrypt.org/t/imp ... sues/50811
The TLS path is no longer valid. You need to remove the two arguments concerning tls and use the default HTTP verification method instead.
-
- Posts: 19
- Joined: Thursday 03 March 2016 18:38
- Target OS: Raspberry Pi / ODroid
- Domoticz version:
- Contact:
Re: Support of Let's Encrypt
Okay, thanks, that solved my problem.
-
- Posts: 6
- Joined: Wednesday 21 June 2017 11:26
- Target OS: Raspberry Pi / ODroid
- Domoticz version:
- Contact:
Re: Support of Let's Encrypt
jsiegmund wrote: ↑Tuesday 06 March 2018 18:13
That's because of this: https://community.letsencrypt.org/t/imp ... sues/50811
The TLS path is no longer valid. You need to remove the two arguments concerning tls and use the default HTTP verification method instead.
I re-downloaded certbot and followed the steps and the deprecated command works for me anyway. Can't use the standard ports so that's why I use these flags.
-
- Posts: 80
- Joined: Saturday 19 March 2016 21:12
- Target OS: NAS (Synology & others)
- Domoticz version:
- Contact:
Re: Support of Let's Encrypt
kijdhfcjdks wrote: ↑Monday 01 January 2018 22:28
cat /etc/letsencrypt/live/YOURDOMAIN.COM/privkey.pem >> /home/pi/domoticz/domo_server_cert.pem
I tried your steps, but I am getting stuck. After this command I get
etc/letsencrypt/live/YOURDOMAIN.COM/privkey.pem: No such file or directory, where YOURDOMAIN.COM is of course my own domain. Any clue?
Directory live doesn't exist.
Re: Support of Let's Encrypt
Hello,
kijdhfcjdks wrote: ↑Monday 01 January 2018 22:28
#1 Login to rpi and update...
sudo apt-get update
sudo apt-get upgrade
sudo /home/pi/domoticz/updaterelease
The tutorial no longer works because certain commands have apparently evolved in recent years. Can you please help me update this tutorial? For example:
#1 => ERROR 404: Not Found.
#2 ./certbot-auto: command not found
#3 If I run this >>> sudo certbot certonly --standalone --preferred-challenges tls-sni-01 --tls-sni-01-port 8889 -d YOURDOMAIN the result is
certbot: error: argument --preferred-challenges: Unrecognized challenges: tls-sni-01
And -port is not recognized.
Thanks in advance.
-
- Posts: 616
- Joined: Thursday 10 November 2016 9:30
- Target OS: Raspberry Pi / ODroid
- Domoticz version:
- Contact:
Re: Support of Let's Encrypt
You may use this wiki howto:
https://www.domoticz.com/wiki/Native_se ... ts_Encrypt
This proved to be a good base for my own setup; I just had to set up certbot pre/post hooks to open/close port 80 (certbot sets up a temporary http server for the update) only for the time the cert update takes (I did not want to leave it open at all times, even if no service is otherwise bound there).
Take care not to forget the domoticz startup modification with option --sslcert; if you just overwrite the default self-signed certificate, yours will be overwritten on Domoticz upgrades!
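The "concatenate privkey.pem and fullchain.pem into server_cert.pem, then restart" step from kijdhfcjdks's post above, and the port-80 pre/post hooks the last reply mentions, as an added example written for this thread (it is not code from the thread, from certbot or from the Domoticz project). It assumes the paths the thread uses (/home/pi/domoticz, /etc/letsencrypt/live/YOURDOMAIN.COM), a hypothetical script name cert-domoticz-deploy.sh, and certbot's deploy-hook mechanism (certbot runs hooks as root and exports RENEWED_LINEAGE to them). Compared with the cron script it adds three safeguards: it refuses to install a key that does not belong to the certificate, it writes the bundle mode 0600 through a temp file and rename so Domoticz never loads a half-written or briefly world-readable file, and it only runs after certbot has actually renewed something.

```shell
#!/bin/sh
# Added example, not from the thread or Domoticz: certbot deploy hook that
# rebuilds Domoticz's combined server_cert.pem from a Let's Encrypt lineage.
# Assumed (hypothetical) paths: /home/pi/domoticz and
# /etc/letsencrypt/live/YOURDOMAIN.COM; certbot exports RENEWED_LINEAGE when
# it runs a --deploy-hook, so the lineage path is taken from there when set.

# build_bundle LIVE_DIR OUT_FILE [OWNER]
#   Concatenates LIVE_DIR/privkey.pem + LIVE_DIR/fullchain.pem into OUT_FILE
#   (the layout Domoticz expects for --sslcert), but only after verifying the
#   key and the leaf certificate share a public key. The bundle is created
#   0600 in a temp file and renamed into place, so OUT_FILE is never
#   half-written. A non-zero return means nothing was changed.
build_bundle() {
    live_dir=$1
    out_file=$2
    owner=$3
    key="$live_dir/privkey.pem"
    chain="$live_dir/fullchain.pem"

    # Fail early with a clear message instead of appending nothing
    # (the "No such file or directory" case reported earlier in the thread).
    for f in "$key" "$chain"; do
        if [ ! -s "$f" ]; then
            echo "build_bundle: missing or empty $f" >&2
            return 1
        fi
    done

    # Compare the public key derived from the private key with the one in
    # the first (leaf) certificate of the chain.
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 2
    cert_pub=$(openssl x509 -in "$chain" -pubkey -noout 2>/dev/null) || return 2
    if [ "$key_pub" != "$cert_pub" ]; then
        echo "build_bundle: privkey.pem does not match fullchain.pem, refusing to install" >&2
        return 3
    fi

    # mktemp creates the file 0600; write, optionally chown for the user
    # Domoticz runs as, then atomically rename over the old bundle.
    tmp=$(mktemp "$(dirname "$out_file")/.server_cert.XXXXXX") || return 4
    if ! cat "$key" "$chain" > "$tmp"; then
        rm -f "$tmp"
        return 4
    fi
    chmod 600 "$tmp" || { rm -f "$tmp"; return 4; }
    if [ -n "$owner" ]; then
        chown "$owner" "$tmp" || { rm -f "$tmp"; return 5; }
    fi
    mv -f "$tmp" "$out_file"
}

# Entry point when run as the deploy hook (guarded by script name so the
# function above can also be sourced on its own). Example invocation; the
# pre/post hooks open port 80 only while the HTTP-01 challenge runs, as the
# last reply describes:
#   sudo certbot renew \
#     --pre-hook  "iptables -I INPUT -p tcp --dport 80 -j ACCEPT" \
#     --post-hook "iptables -D INPUT -p tcp --dport 80 -j ACCEPT" \
#     --deploy-hook /home/pi/cert-domoticz-deploy.sh
case "$0" in
    */cert-domoticz-deploy.sh|cert-domoticz-deploy.sh)
        domo=/home/pi/domoticz
        build_bundle "${RENEWED_LINEAGE:-/etc/letsencrypt/live/YOURDOMAIN.COM}" "$domo/server_cert.pem" pi \
            && cp -p "$domo/server_cert.pem" "$domo/domo_server_cert.pem" \
            && /etc/init.d/domoticz.sh restart
        ;;
esac
```

The OWNER argument matters when Domoticz runs as pi rather than root: a 0600 bundle owned by root would make Domoticz fall back to its self-signed certificate on the next restart. Keeping the --sslcert start-up option pointing at this bundle is still required, for the reason the reply above gives.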