Lets Encrypt - OPNsense/HAProxy - Domoticz

peliilep
Posts: 3
Joined: Sunday 06 November 2016 8:10
Target OS: Raspberry Pi / ODroid
Domoticz version: 4.7
Location: NL

Lets Encrypt - OPNsense/HAProxy - Domoticz

Post by peliilep »

For those who are interested in automating the renewal of a Let's Encrypt certificate for a Domoticz RPi behind a reverse proxy (HAProxy) on an OPNsense box, I'd like to share my approach:

First of all I configured the request of a Let's Encrypt certificate on the OPNsense box. As this is rather straightforward I'll skip this.
Configuring the distribution from the OPNsense box to the backend (Domoticz) server isn't documented very well:

On OPNsense:
1. Go to Services >> Lets Encrypt >> Automation
2. Add a new automation and select: “Upload certificate via SFTP”
3. Provide a name, like: "Distribute.cert.HOSTNAME"
4. Provide a description: "Distribute Lets encrypt cert to backend (SERVERNAME)"
5. Run command, select: “Upload certificate via SFTP”
6. SFTP Host (of backend server): IP ADDRESS of the domoticz backend server
7. Host key: retrieve the host key of the backend server:
a. Log on to the shell of the OPNsense box.
b. Enter the following command:

ssh-keyscan -t ecdsa IP ADDRESS

c. The response is something like:

IP address, 'FQDN of backend' ecdsa-sha2-nistp256 AAAAxxxxxxxxxzgoM=

d. Copy the complete response and insert this as host key.
8. Username: use the USERNAME of the user on the backend server with appropriate access to store certificates (for instance 'pi')
9. Identity type: RSA
10. Remote path: provide the remote path (the automation will add the certificate FQDN as a subdirectory):

/etc/ssl/
Add the public key of the OPNsense root user to the remote server to automate the login:
11. Click on "show identity".
12. The required parameter is displayed. Insert this parameter in the authorized_keys file of the remote user (pi) on the Domoticz server:

sudo nano /home/pi/.ssh/authorized_keys

13. Click on "test connection" to test.

Once the test is successful the automation needs to be added to the certificate request process. On the OPNsense box:
14. Go to Services >> Lets Encrypt >> Certificates
15. Open the properties of the certificate for distribution to backend server
16. Add under Advanced Settings – Automations the created automation and save
17. The next time a certificate is renewed, the certificate is installed on the OPNsense box but also distributed to the backend server.

Now switch to the Domoticz box by logging on via SSH.
Create a bash script that checks for an updated certificate, does the magic of creating the single server_cert.pem file and takes care of some other file handling:

#!/bin/bash
###########################################################################
# /home/pi/domoticz/scripts/bash/certhandling.sh
# Runs from cron. When the OPNsense automation has uploaded a fresh
# key.pem/cert.pem/fullchain.pem/ca.pem into /etc/ssl/FQDN, build the single
# server_cert.pem that Domoticz wants, keep the previous files as backup
# and restart Domoticz.
###########################################################################
umask 077                       # server_cert.pem holds the private key: owner-only

DIR=/etc/ssl/FQDN
DIRn=/etc/ssl/FQDN/n            # most recent Let's Encrypt files
DIRn1=/etc/ssl/FQDN/n-1         # previous server_cert.pem

FILE=/etc/ssl/FQDN/key.pem      # only present after a new upload (it is moved away below)

if test -f "$FILE"; then
        sudo mkdir -p "${DIRn}" "${DIRn1}"

        echo Move previous certificate to backup n-1 location..
        [ -f "${DIR}/server_cert.pem" ] && sudo mv -f "${DIR}/server_cert.pem" "${DIRn1}"

        echo Create new PEM certificate for use in Domoticz..
        # Order matters: private key first, then the certificate chain.
        # fullchain.pem already contains cert.pem followed by the intermediate,
        # so cert.pem is not appended a second time. The redirect runs as the
        # calling user (pi), who owns the upload directory.
        sudo cat "${DIR}/key.pem" "${DIR}/fullchain.pem" > "${DIR}/server_cert.pem"

        echo Move current Lets encrypt certificates to n location...
        sudo mv -f "${DIR}/key.pem" "${DIR}/cert.pem" "${DIR}/fullchain.pem" "${DIR}/ca.pem" "${DIRn}"

        echo Restart Domoticz service...
        sudo /etc/init.d/domoticz.s
fi
The final step is to schedule the certhandling.sh script via crontab -e.
Evo-Home API, HEOS, KaKu, Landys Smartmeters, Logitech Hub, RFXCOM 433, RFXCOM 868 (Visonic), Xiaomi GW, Youless, Zwave+. MySensors: USB-GW + Cat-feeder, Lux sensor, Watermeter
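Step 7 of the post takes the host key from ssh-keyscan, which trusts whatever answered on that IP at that moment; the automation then uploads the Let's Encrypt private key over that connection. The following is an added example, not part of the post or of OPNsense: it compares the scanned output against the key read on the Pi itself (cat /etc/ssh/ssh_host_ecdsa_key.pub over the console or an already-trusted session) and prints only a line whose key matches, or builds the line for the Host key field directly from the Pi's key file. The address 192.0.2.10 and all key blobs are constructed sample data, not real keys.

```bash
#!/bin/bash
# Check the host key that ssh-keyscan reported on OPNsense against the key
# the Domoticz Pi really has. Added example, not from the post or OPNsense.
# ssh-keyscan is trust-on-first-use: whatever answers on that IP is trusted,
# and the automation then uploads the Let's Encrypt private key to it.
set -u

# Reduce a key line to "type base64" so that a keyscan line
# ("host type base64"), a known_hosts line ("host,host type base64") and a
# host key file ("type base64 comment") can be compared directly.
key_tuple() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i < NF; i++)
            if ($i ~ /^(ssh-|ecdsa-sha2-|sk-)/) { print $i, $(i + 1); exit }
    }'
}

# verified_hostkey_line <ssh-keyscan output> <contents of the Pi host key file>
# ssh-keyscan prints one line per key type plus '#' comment lines; print the
# line whose key equals the Pi's own key and return 0. No match means a wrong
# IP, a rebuilt Pi, or something in between answering instead of the Pi:
# print nothing and return 1, so nothing gets pasted into OPNsense.
verified_hostkey_line() {
    local scan=$1 local_key=$2 want match
    want=$(key_tuple "$local_key")
    if [ -z "$want" ]; then
        echo "no public key found in the local host key file" >&2; return 1
    fi
    match=$(printf '%s\n' "$scan" | while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        if [ "$(key_tuple "$line")" = "$want" ]; then
            printf '%s\n' "$line"; break
        fi
    done)
    if [ -z "$match" ]; then
        echo "scanned host key does NOT match the Pi's host key; do not paste it" >&2
        return 1
    fi
    printf '%s\n' "$match"
}

# hostkey_field <ip or hostname> <contents of the Pi host key file>
# Builds the line for the OPNsense "Host key" field straight from the Pi's
# key file, which avoids ssh-keyscan altogether.
hostkey_field() {
    local tuple
    tuple=$(key_tuple "$2")
    [ -n "$tuple" ] || return 1
    printf '%s %s\n' "$1" "$tuple"
}

# Constructed sample data, not real keys: what ssh-keyscan printed on
# OPNsense and what 'cat /etc/ssh/ssh_host_ecdsa_key.pub' printed on the Pi.
SCAN_OUTPUT='# 192.0.2.10:22 SSH-2.0-OpenSSH_7.9
192.0.2.10 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCexampleRsaBlobNotARealKey
192.0.2.10 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBexampleEcdsaBlobNotARealKey='
PI_HOSTKEY='ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBexampleEcdsaBlobNotARealKey= root@domoticz'
OTHER_HOSTKEY='ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBsomeOtherBlobNotARealKey= root@domoticz'

echo "Line to paste into the OPNsense Host key field:"
verified_hostkey_line "$SCAN_OUTPUT" "$PI_HOSTKEY"
```

For a check by eye instead, save the scanned line to a file and run ssh-keygen -lf on it and on /etc/ssh/ssh_host_ecdsa_key.pub on the Pi; the two SHA256 fingerprints must be identical before the OPNsense identity goes into authorized_keys.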
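The certhandling.sh script in the post assembles server_cert.pem and restarts Domoticz without looking at what it produced. As an added example (not from the post), the check below can run between those two steps: it verifies that the bundle starts with an unencrypted private key, that this key actually belongs to the first certificate, and that the certificate is not about to expire, so a truncated upload or a key/cert mix-up keeps the old bundle in place instead of taking Domoticz down. The sample bundles are generated on the fly with openssl from throwaway self-signed certificates and are not Let's Encrypt files; the 7-day threshold is an assumption.

```bash
#!/bin/bash
# Pre-flight check for a Domoticz server_cert.pem bundle. Added example,
# not the script from the post. Run it after the bundle has been assembled
# and before Domoticz is restarted: a failing check means keep the n-1 copy
# and do not restart.
set -u

# List the PEM block types of a file in order, one per line (no openssl needed).
pem_order() {
    grep '^-----BEGIN ' "$1" | sed 's/^-----BEGIN \(.*\)-----$/\1/'
}

# Return 0 when the bundle is usable by Domoticz:
#  1. the first PEM block is an unencrypted private key,
#  2. at least one CERTIFICATE block follows,
#  3. that key matches the public key in the first certificate,
#  4. the first certificate stays valid for at least MIN_DAYS (default 7) days.
check_bundle() {
    local bundle=$1 min_days=${2:-7} first key_pub cert_pub
    first=$(pem_order "$bundle" | head -n 1)
    case "$first" in
        *"ENCRYPTED PRIVATE KEY")
            echo "FAIL: key is passphrase protected, Domoticz cannot load it" >&2; return 1 ;;
        *"PRIVATE KEY") ;;
        *)  echo "FAIL: first block is '${first:-none}', expected the private key" >&2; return 1 ;;
    esac
    if ! pem_order "$bundle" | grep -qx 'CERTIFICATE'; then
        echo "FAIL: no CERTIFICATE block in bundle" >&2; return 1
    fi
    # openssl picks the first key / first certificate out of the concatenated file;
    # an empty passphrase makes a traditionally encrypted key fail instead of prompting.
    key_pub=$(openssl pkey -in "$bundle" -pubout -passin pass: 2>/dev/null || true)
    cert_pub=$(openssl x509 -in "$bundle" -noout -pubkey 2>/dev/null || true)
    if [ -z "$key_pub" ] || [ "$key_pub" != "$cert_pub" ]; then
        echo "FAIL: private key does not match the first certificate" >&2; return 1
    fi
    if ! openssl x509 -in "$bundle" -noout -checkend $((min_days * 86400)) >/dev/null 2>&1; then
        echo "FAIL: certificate expires within $min_days days" >&2; return 1
    fi
    return 0
}

# --- constructed demo input, not real Let's Encrypt files ------------------
# Generates a throwaway RSA key + self-signed cert (30 days) and a second pair
# that expires in 3 days, then builds one good bundle and three broken ones.
make_fixtures() {
    local d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/key.pem" -out "$d/cert.pem" \
        -days 30 -subj '/CN=domoticz.example.test' >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/otherkey.pem" -out "$d/short.pem" \
        -days 3 -subj '/CN=domoticz.example.test' >/dev/null 2>&1
    cat "$d/key.pem" "$d/cert.pem"       > "$d/good.pem"         # key first, then cert
    cat "$d/cert.pem" "$d/key.pem"       > "$d/wrong_order.pem"  # cert before key
    cat "$d/otherkey.pem" "$d/cert.pem"  > "$d/mismatch.pem"     # key of another cert
    cat "$d/otherkey.pem" "$d/short.pem" > "$d/expiring.pem"     # matching, expires in 3 days
}

if command -v openssl >/dev/null 2>&1; then
    demo=$(mktemp -d)
    make_fixtures "$demo"
    for f in good wrong_order mismatch expiring; do
        if check_bundle "$demo/$f.pem"; then echo "$f: OK"; else echo "$f: rejected"; fi
    done
    rm -rf "$demo"
fi
```

In certhandling.sh, call check_bundle /etc/ssl/FQDN/server_cert.pem || exit 1 right before the restart line; a non-zero exit leaves the n-1 copy in place to roll back to.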
gschmidt
Posts: 200
Joined: Thursday 20 December 2018 11:03
Target OS: Raspberry Pi / ODroid

Re: Lets Encrypt - OPNsense/HAProxy - Domoticz

Post by gschmidt »

Hi,

I am trying to set up pfSense/ACME/HAProxy.
Do you have the Domoticz SSL certificate at the client (Domoticz) side, or do you use the frontend for SSL offloading?
gschmidt
Posts: 200
Joined: Thursday 20 December 2018 11:03
Target OS: Raspberry Pi / ODroid

Re: Lets Encrypt - OPNsense/HAProxy - Domoticz

Post by gschmidt »

Never mind, I already have it working!

My pfSense router/firewall is now taking care of all encrypted SSL connections of the client web apps I want to expose to the WAN.
ACME is handling the creation/automatic renewal of the Let's Encrypt certificate,
and the reverse proxy server HAProxy is taking care of the SSL offloading.
Both are pfSense plugins.

Set up ACME first to create a certificate.
Then add the certificate in the frontend of HAProxy,
and add the clients in the backend of HAProxy (for Domoticz use the HTTP port and not the HTTPS port 443!).

No need to install certificates on the client side anymore; it is all handled by ACME/HAProxy.

Works like a charm!