If you want to be able to access your Domoticz server outside your home in a secure way, it’s best to install a Let’s Encrypt certificate (or equivalent) instead of the default self-signed certificate. Let’s Encrypt is a free, automated and open Certificate Authority (CA or CA) for the benefit of the public. It is a service provided by Internet Security Research Group (ISRG).
You will also need to install a valid certificate to securely use the Homy App for iOS or Android.
- 1 The default self-signed certificate is rejected by modern browsers
- 2 Configure the router or the box Internet to make Domoticz accessible from internet
- 3 Create a free domain name with Duck DNS
- 4 Install Let’s Encrypt on Raspbian
- 5 Install the SSL certificate Let’s Encrypt on Domoticz
- 6 Test the secure connection
The default self-signed certificate is rejected by modern browsers
If you try to access the WEB interface in HTTPS of Domoticz from a modern browser, you will get this alert that informs you that you are going to access a dangerous site (from the browser’s point of view). Do not worry, you know this site. Click Show advanced settings and then Continue to site … (dangerous) to access Domoticz.
We will fix all that by replacing the self-signed certificate installed by default during the installation of Domoticz by a valid certificate Let’s Encrypt.
Configure the router or the box Internet to make Domoticz accessible from internet
The first thing to do is to configure a port routing to the Domoticz server. To do this, connect to the management interface of your router or your internet. Here is an example on my internet box or you have to go in the menu Network v4 then NAT. The configuration is similar from one box to another, you should find it quite easily.
Create several redirection by entering the following parameters:
- Protocol: TCP
- Port (input): 443 or 8080
- IP: the IP address of the Domoticz server on the local
- Port network (redirection) : idem
- Check Enable
Add the redirection
Create a first redirection from port 443 to port 443.
A second redirection from port 80 to port 8080 that will be used just to create the certificate Let’s Encrypt.
You can create a third port redirection 8080 to 8080 to test unsecured access but I do not recommend it.
Create a free domain name with Duck DNS
DuckDNS is a totally free service that allows you to create up to 5 domain names. The extension of your domain will have the extension duckdns.org. This extension can not be customized but we will not be choosy.
To use Duck DNS, you will need a Persona account, Twitter, github or reddit.
Once logged in, simply enter the desired domain name in the creation field.DuckDNS automatically detects the IP address of your internet box. It is however possible to modify it and even to indicate an IP address of type IP v6 if your box supports it.
If you have created an 8080 port redirect, you can test that you have access to Domoticz from the Internet by entering the domain name in a browser. As you can see, Chrome (or any other browser) informs you that the site is not secure. All commands executed and data exchanged with the server are sent without encryption on the internet.
Install Let’s Encrypt on Raspbian
We will see here how to install Let’s Encrypt on Raspbian to generate a valid certificate. You can use this certificate if Domoticz is installed on a NAS (Synology for example). You can also generate a Let’s Encrypt certificate using the Cerbot tool that requires Python 2.7. Follow the official documentation for more details.
To install Let’s Encrypt on Raspbian, run the following commands one after the other
cd /etc sudo git clone https://github.com/letsencrypt/letsencrypt cd letsencrypt sudo ./letsencrypt-auto
Create a certificate Let’s Encrypt You will need the following information to create your certificate:
- <your complete sub.domain name> A domain name. Use the domain name created on DuckDNS for example (without the http: // front)
- <your email> An email address (well, it’s not the hardest to find :-))
- <user home> The path to the Domoticz web interface folder. On Raspbian it is ~/domoticz /www
Modify the parameters of the command Let’s Encrypt and execute the command
sudo /etc/letsencrypt/letsencrypt-auto certonly --webroot --email <your email> -d <your complete sub.domain name > -w <user home>/domoticz /www/
During the certificate creation process, Let’s Encrypt will try to join the Domoticz server on port 80, which is why it must be routed to port 8080 , at least the time to create the certificate.If everything went well, you should get a report of this type
Saving debug log to /var/log/letsencrypt/letsencrypt.log Plugins selected: Authenticator webroot, Installer None Obtaining a new certificate Performing the following challenges: http-01 challenge for xxxxxx.duckdns.org Using the webroot path /home/pi/domoticz/www for all unmatched domains. Waiting for verification... Cleaning up challenges
You can remove the redirection from port 80 to port 8080 on your router or box internet.
Install the SSL certificate Let’s Encrypt on Domoticz
It remains only to install the certificate in the Domoticz directory by executing the following commands. For security, the first command makes a copy of the certificate installed by default.
sudo cp ~/domoticz/server_cert.pem ~/domoticz/server_cert.pemold sudo cat /etc/letsencrypt/live/homy-domoticz.duckdns.org/privkey.pem >> ~/domoticz/server_cert.pem sudo cat /etc/letsencrypt/live/homy-domoticz.duckdns.org/fullchain.pem >> ~/domoticz/server_cert.pem
We make a copy locally to reinstall it in case of problems (after an update for example)
sudo cp ~/domoticz/server_cert.pem ~/domoticz/letsencrypt_server_cert.pem
That’s it, you just have to restart Domoticz
sudo /etc/init.d/domoticz.sh restart
Be careful, the default certificate may be re-installed after each update of Domoticz. Run the sudo command cp ~/domoticz/letsencrypt_server_cert.pem ~/domoticz/server_cert.pem to restore the certificate Let’s Ecrypt.
Test the secure connection
Everything is ready,. You just have to test that everything works in you returning to your domain by entering an address of this type
If everything is correct, you should come directly to the Domoticz web interface without any warning message. The lock is locked indicating that the communication is encrypted and the certificate is valid. You can also consult it to check it (here on Safari).
In case of problems, empty your browser cache to force the full reload of the page.
You can now connect securely to Domoticz from the Homy App for iOS and Android.
- Use the plugins on Domoticz. Manual installation or via Python Plugin Manager
- CloudMQTT test, free online MQTT broker. Control Domoticz with the JSON API
- Securing Domoticz with Let’s Encrypt certificate, access from HTTPS internet
- Xiaomi Mijia Honeywell Smoke Detector Test with Domoticz, Emergency Notification with PushOver
- #Test Zigbee2MQTT gateway. Part 2, include Xiaomi Aqara or Mijia accessories to Domoticz with Node-RED [update]