Securing Domoticz with a Let’s Encrypt certificate: HTTPS access from the internet

If you want to reach your Domoticz server from outside your home in a secure way, it is best to install a Let’s Encrypt certificate (or equivalent) instead of the default self-signed one. Let’s Encrypt is a free, automated and open Certificate Authority (CA) run for the benefit of the public. It is a service provided by the Internet Security Research Group (ISRG).


You will also need a valid certificate to use the Homy app for iOS or Android securely.

The default self-signed certificate is rejected by modern browsers

If you open the Domoticz web interface over HTTPS in a modern browser, you get a warning telling you that you are about to visit a dangerous site (from the browser’s point of view): the certificate was not issued by a CA the browser trusts. Do not worry, this is your own server: click Advanced, then Proceed to … (unsafe) to reach Domoticz. Keep in mind, though, that as long as you click through this warning you cannot tell it apart from a genuine certificate error, which is one more reason to replace the certificate.

(Screenshot: Chrome warning when opening Domoticz over HTTPS on port 443)

We will fix all that by replacing the self-signed certificate installed by default with Domoticz with a valid Let’s Encrypt certificate.

Configure the router or internet box so that Domoticz is reachable from the internet

The first thing to do is to configure port forwarding to the Domoticz server. To do this, connect to the management interface of your router or internet box. Here is an example on my internet box, where the settings are under the Network v4 menu, then NAT. The configuration is similar from one box to another, so you should find it easily.

Create several forwarding rules with the following parameters:

  • Protocol: TCP
  • Port (input): the external port, 443 or 80
  • IP: the LAN IP address of the Domoticz server
  • Port (redirection): the Domoticz port on the LAN, 443 for HTTPS or 8080 for HTTP
  • Check Enable

Add the redirection

Create a first rule forwarding external port 443 to port 443 of the Domoticz server.

A second rule forwards external port 80 to port 8080 (the plain HTTP port of Domoticz); it is only needed while the Let’s Encrypt certificate is being issued.

You could create a third rule forwarding port 8080 to 8080 to test unencrypted access, but I do not recommend it: everything, including your login, would cross the internet in clear text.

(Screenshot: port forwarding rules on the internet box)

Create a free domain name with Duck DNS

DuckDNS is a completely free service that lets you create up to 5 subdomains of duckdns.org. The duckdns.org suffix cannot be customized, but we will not be choosy.

To use Duck DNS, you sign in with a Persona, Twitter, GitHub or Reddit account.

(Screenshot: DuckDNS domain configuration)

Once logged in, simply enter the desired domain name in the creation field. DuckDNS automatically detects the public IP address of your internet box. You can change it, and even enter an IPv6 address if your box supports it.

(Screenshot: DuckDNS IP address)

If you created the 8080 port forwarding rule, you can check that Domoticz is reachable from the internet by entering the domain name in a browser. As you can see, Chrome (like any other browser) tells you the site is not secure: every command and every piece of data exchanged with the server, login included, crosses the internet unencrypted.

(Screenshot: Domoticz reached over plain HTTP via the DuckDNS name)

Install Let’s Encrypt on Raspbian

Here we install the Let’s Encrypt client on Raspbian to generate a valid certificate. You can also use the resulting certificate if Domoticz is installed on a NAS (Synology for example). Alternatively, you can generate a Let’s Encrypt certificate with the Certbot tool (the current name of the same client), which requires Python 2.7 at the time of writing; follow the official documentation for details.

To install the Let’s Encrypt client on Raspbian, run the following commands one after the other:

cd /etc 
sudo git clone https://github.com/letsencrypt/letsencrypt 
cd letsencrypt 
sudo ./letsencrypt-auto

Create a Let’s Encrypt certificate

You will need the following information to create your certificate:

  • <your complete sub.domain name>: the domain name, for example the one created on DuckDNS (without the http:// in front)
  • <your email>: an email address (well, that is not the hardest one to find :-)), which Let’s Encrypt also uses for expiry notices
  • <user home>: the home directory of the user running Domoticz. On Raspbian it is /home/pi, so the Domoticz web root is /home/pi/domoticz/www

Replace the parameters in the Let’s Encrypt command and run it:

sudo /etc/letsencrypt/letsencrypt-auto certonly --webroot --email <your email> -d <your complete sub.domain name> -w <user home>/domoticz/www/

During issuance, Let’s Encrypt validates the domain with an HTTP-01 challenge: the webroot plugin writes a token file under <user home>/domoticz/www/.well-known/acme-challenge/ and the CA fetches it at http://<your domain>/.well-known/acme-challenge/<token> on port 80. This is why port 80 must be forwarded to the Domoticz HTTP port 8080, at least for the time it takes to create the certificate. If everything went well, you should get a report of this type:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for xxxxxx.duckdns.org
Using the webroot path /home/pi/domoticz/www for all unmatched domains.
Waiting for verification...
Cleaning up challenges

You can now remove the port 80 to 8080 forwarding rule from your router or internet box.

Install the Let’s Encrypt certificate in Domoticz

All that remains is to install the certificate in the Domoticz directory with the following commands (replace homy-domoticz.duckdns.org with your own domain). As a precaution, the first command keeps a copy of the certificate installed by default. Domoticz reads its private key and certificate chain from the single file server_cert.pem, so the new file is built from the private key followed by the full chain. Note the > on the first cat: appending with >> to the existing file would leave the old self-signed key and certificate at the top, and those are the ones Domoticz would keep loading. The file now contains your private key, so make sure only the user running Domoticz can read it. Domoticz can also read Diffie-Hellman parameters from this file (see its -ssldhparam option); if it complains about them at startup, append the DH PARAMETERS block from server_cert.pemold.

sudo cp ~/domoticz/server_cert.pem ~/domoticz/server_cert.pemold
sudo cat /etc/letsencrypt/live/homy-domoticz.duckdns.org/privkey.pem > ~/domoticz/server_cert.pem
sudo cat /etc/letsencrypt/live/homy-domoticz.duckdns.org/fullchain.pem >> ~/domoticz/server_cert.pem

We also keep a local copy so that it can be reinstalled in case of problems (after an update, for example):

sudo cp ~/domoticz/server_cert.pem ~/domoticz/letsencrypt_server_cert.pem

That’s it, you just have to restart Domoticz:

sudo /etc/init.d/domoticz.sh restart

Be careful, the default certificate may be reinstalled after each Domoticz update. Run sudo cp ~/domoticz/letsencrypt_server_cert.pem ~/domoticz/server_cert.pem and restart Domoticz to restore the Let’s Encrypt certificate. Remember too that Let’s Encrypt certificates are valid for 90 days: after every renewal, the new privkey.pem and fullchain.pem have to be copied into server_cert.pem again and Domoticz restarted.
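The commands above are what you type once. As an added example (not code from the article or from the Domoticz project), here is the same procedure as a script that can be run by hand or handed to the Let’s Encrypt client as a deploy hook after each renewal. It takes the Let’s Encrypt live directory and the Domoticz directory as arguments, uses the RENEWED_LINEAGE variable that certbot exports to deploy hooks when it is present, and adds two checks the article does not: it refuses to install a file that does not contain exactly one private key, and it restricts the file to owner read/write because it now holds the key. The function names, the backup file naming and the deploy-hook usage line are this example’s own choices.

```shell
#!/bin/sh
# install_domoticz_cert.sh: added example, not code from the article or from
# the Domoticz project. Rebuilds DOMOTICZ_DIR/server_cert.pem from a Let's
# Encrypt "live" directory (private key followed by the full chain), keeps a
# backup of the previous file, refuses to install a malformed result, and can
# be used as a certbot deploy hook so a renewal never leaves an expired
# certificate in Domoticz. Function names, backup naming and the sanity checks
# are this example's own choices (assumptions, not from the article).
set -u

# pem_count FILE TYPE: number of "-----BEGIN ...TYPE-----" blocks in FILE
# (TYPE "PRIVATE KEY" also matches "RSA PRIVATE KEY" and "EC PRIVATE KEY").
pem_count() {
    # grep -c prints 0 and exits 1 when nothing matches; keep the 0.
    grep -c -e "-----BEGIN .*$2-----" "$1" 2>/dev/null || true
}

# check_combined_pem FILE: succeed only if FILE holds exactly one private key
# and at least one certificate. Two keys means the old self-signed material is
# still in the file (the result of appending with ">>" to the default file),
# and Domoticz/OpenSSL would keep loading the first key and certificate.
check_combined_pem() {
    f=$1
    [ -s "$f" ] || return 1
    [ "$(pem_count "$f" 'PRIVATE KEY')" -eq 1 ] || return 1
    [ "$(pem_count "$f" 'CERTIFICATE')" -ge 1 ] || return 1
}

# install_domoticz_cert LIVE_DIR DOMOTICZ_DIR: write DOMOTICZ_DIR/server_cert.pem
# from LIVE_DIR/privkey.pem + LIVE_DIR/fullchain.pem. On any failure the
# previous server_cert.pem is left untouched and the function returns 1.
install_domoticz_cert() {
    live=$1
    ddir=$2
    target="$ddir/server_cert.pem"
    tmp="$target.new"

    if [ ! -r "$live/privkey.pem" ] || [ ! -r "$live/fullchain.pem" ]; then
        echo "missing privkey.pem or fullchain.pem in $live" >&2
        return 1
    fi

    # Build the new file from scratch (">" rather than ">>"): key first, then
    # leaf + intermediate certificates, the layout Domoticz expects in its
    # single server_cert.pem.
    cat "$live/privkey.pem" "$live/fullchain.pem" > "$tmp" || return 1
    # The file now contains the private key: owner read/write only.
    chmod 600 "$tmp"

    if ! check_combined_pem "$tmp"; then
        echo "refusing to install $tmp: expected exactly one key plus a certificate chain" >&2
        rm -f "$tmp"
        return 1
    fi

    # Keep the previous file (on first run, the default self-signed one) for rollback.
    if [ -f "$target" ]; then
        cp -p "$target" "$target.$(date +%Y%m%d%H%M%S).bak" || return 1
    fi
    mv "$tmp" "$target" || return 1
    # Spare copy to restore after a Domoticz update overwrites server_cert.pem,
    # same idea as the article's letsencrypt_server_cert.pem.
    cp -p "$target" "$ddir/letsencrypt_server_cert.pem"
}

# restart_domoticz: same init script the article restarts; adapt for systemd.
restart_domoticz() {
    sudo /etc/init.d/domoticz.sh restart
}

# As a certbot deploy hook (certbot exports RENEWED_LINEAGE, the live directory
# of the certificate that was just renewed), for example:
#   letsencrypt-auto renew --deploy-hook /home/pi/install_domoticz_cert.sh
# Nothing runs when the script is sourced or executed without that variable.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    install_domoticz_cert "$RENEWED_LINEAGE" "${DOMOTICZ_DIR:-$HOME/domoticz}" && restart_domoticz
fi
```

Recent versions of the client accept --deploy-hook (older ones call it --renew-hook); a daily cron entry running renew with this script as the hook keeps the certificate in Domoticz current without the manual copy after each renewal. If a Domoticz update puts the self-signed certificate back, rerunning the script with the live directory as first argument restores the Let’s Encrypt one.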

Test the secure connection

Everything is ready. You just have to check that it all works by going back to your domain with an address of this type:

https://your_domain.duckdns.org:443

If everything is correct, you should land directly on the Domoticz web interface without any warning. The padlock is closed, indicating that the connection is encrypted and the certificate is valid. You can also open the certificate details to check it (here in Safari).

(Screenshot: Domoticz over HTTPS via the DuckDNS name with the Let’s Encrypt certificate)

In case of problems, clear your browser cache to force a full reload of the page.
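The padlock tells you the browser is satisfied, not which certificate was actually served or how long it has left. As an added example (not from the article), the following script asks the server itself, the way a browser does, and warns when renewal is due. It assumes the openssl command-line tool is installed; the function names and the 30-day warning threshold are this example’s own choices.

```shell
#!/bin/sh
# check_domoticz_tls.sh: added example, not code from the article or from
# Domoticz. Shows what the padlock hides: which certificate the server presents
# for your DuckDNS name, who issued it, whether the chain verifies, and how
# long it has left (Let's Encrypt certificates are valid for 90 days).
# Function names and the 30-day threshold are this example's own choices.
# Requires the openssl command-line tool.
set -u

# cert_summary FILE: issuer, subject and validity dates of the first certificate in FILE.
cert_summary() {
    openssl x509 -in "$1" -noout -issuer -subject -dates
}

# cert_issued_by_letsencrypt FILE: succeed if the issuer names Let's Encrypt
# (a self-signed default would show the server's own name instead).
cert_issued_by_letsencrypt() {
    openssl x509 -in "$1" -noout -issuer | grep -q "Let's Encrypt"
}

# cert_ok_for_days FILE DAYS: succeed if the certificate is still valid DAYS
# days from now (-checkend takes seconds and exits 1 when it would have expired).
cert_ok_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# fetch_served_cert HOST PORT OUT: connect with SNI set to HOST (as a browser
# would), save the leaf certificate the server sends to OUT and print the
# chain verdict from s_client ("Verify return code: 0 (ok)" is what you want;
# anything else means the client could not build a trusted chain).
fetch_served_cert() {
    host=$1; port=$2; out=$3
    raw=$(openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null) || return 1
    printf '%s\n' "$raw" | openssl x509 -outform PEM > "$out" || return 1
    printf '%s\n' "$raw" | grep 'Verify return code'
}

# check_domoticz_tls HOST [PORT]: the full check against a live server.
check_domoticz_tls() {
    host=$1; port=${2:-443}
    tmp=$(mktemp) || return 1
    fetch_served_cert "$host" "$port" "$tmp" || { rm -f "$tmp"; return 1; }
    cert_summary "$tmp"
    cert_issued_by_letsencrypt "$tmp" \
        || echo "WARNING: issuer is not Let's Encrypt (still the self-signed default?)" >&2
    if cert_ok_for_days "$tmp" 30; then
        echo "OK: more than 30 days of validity left"
    else
        echo "WARNING: expires within 30 days, renew now" >&2
    fi
    rm -f "$tmp"
}

# Usage: sh check_domoticz_tls.sh your_domain.duckdns.org
if [ $# -ge 1 ]; then
    check_domoticz_tls "$@"
fi
```

Run it from outside your LAN (or from a phone on mobile data) so that the request really goes through the internet box and the port 443 rule, not to a local address. The same functions also work on the local file: cert_ok_for_days ~/domoticz/server_cert.pem 30 tells you whether the file Domoticz loads is about to expire, independently of what the server is currently serving.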

You can now connect securely to Domoticz from the Homy App for iOS and Android.
