This has been on my to-do list for a long time! Good to know it’s possible. Will try it myself soon.
-
pimatic with trusted SSL certificate from letsencrypt
-
@mwittig said:
@Yves911 said:
yes why not… but what for??
Or better, use nginx if you’re running on a raspi2.
If you’re planning to provide external access to your pimatic server, a proxy server will give you a more robust solution against security flaws. Most users use node 0.10.24, which contains all SSL vulnerabilities which have been published in the past two years. In essence, it’s insecure to expose a pimatic server without using a proxy.
I moved from stunnel to an nginx reverse proxy and I am satisfied with it (less CPU used by nginx than stunnel).
pimatic rocks!
-
Hi,
I’m currently using pimatic without any proxy or something.
Is there a step-by-step tutorial for my case? Starting from 0.
With your script I’m not successful.
Regards
-
See the first post of this thread. Have you also done this before running the script:
First you need to whitelist your domain here: https://docs.google.com/forms/d/15Ucm4A20y2rf9gySCTXD6yoLG6Tba7AwYgglV7CKHmM/viewform?edit_requested=true&fbzx=-8040913067797313829 You have to wait some days to get whitelisted with your domain… Then get the letsencrypt agent from git:
```sh
cd /opt
git clone https://github.com/letsencrypt/letsencrypt
```
pimatic-google-calendar | pimatic-wmi | pimatic-snmp | pimatic-wakeonlan |
Like my work? Then consider a donation
Follow me: www.thorstenreichelt.de
-
@thost96 Hi, the whitelisting part isn’t working anymore, but I already installed letsencrypt.
-
@Partovic
Can you post your error messages?
-
When do you want it?
I spent yesterday evening setting up an nginx 1.10 reverse proxy with HTTP/2 (and Let’s Encrypt!) on my Pi.
It was not overly complicated, but I had to take the information from different sources, and finding all the bits and pieces was the hardest and most time-consuming part.
I will create a new thread explaining all the steps I went through, but not before Sunday.
-
@n3ro said in pimatic with trusted SSL certificate from letsencrypt:
To get your certificate and convert it I have written a short stupid script:
```sh
#!/bin/sh
# Stop pimatic so the cert files are not in use while they are replaced
service pimatic stop
cd /opt/letsencrypt || exit 1
git pull
# Request the certificate with the (then preview) ACME v1 endpoint
./letsencrypt-auto -d YOUR.DOMAIN.COM --agree-dev-preview --server \
  https://acme-v01.api.letsencrypt.org/directory auth
cd /etc/letsencrypt/live/YOUR.DOMAIN.COM || exit 1
# Convert PEM to DER for pimatic and build a combined chain + key file
openssl x509 -outform der -in cert.pem -out cert.crt
openssl x509 -outform der -in fullchain.pem -out fullchain.crt
cat fullchain.pem privkey.pem > fullchain_key.pem
chmod 0700 *
service pimatic start
```
I had to sudo some of the above lines to get them to run…!!
```sh
ln -s /etc/letsencrypt/live/YOUR.DOMAIN.COM/cert.crt /opt/pimatic-app/ca/certs/cacert.crt
ln -s /etc/letsencrypt/live/YOUR.DOMAIN.COM/privkey.pem /opt/pimatic-app/ca/pimatic-ssl/private/privkey.pem
ln -s /etc/letsencrypt/live/YOUR.DOMAIN.COM/fullchain.pem /opt/pimatic-app/ca/pimatic-ssl/public/cert.pem
```
I had to adjust the pimatic-app paths.
If you want to get notified beforehand, you could use this script:
The renew script works, but gives me an error on line 11 (“fi”)… have to look into this…
-
I don’t use the Python agent anymore. Now I use a light shell script.
It’s much better to use!
https://github.com/gheift/letsencrypt.sh
I wrote a short renew script to use it:
```bash
#!/bin/bash
cd /opt/letsencrypt/ || exit 1
# keep the last known-good certificate before signing a new one
cp server.pem server.working.ok
# multiple subdomains:
./letsencrypt.sh sign -a account.key -k server.key -c server.pem YOUR.DOMAIN.COM YOUR.SECOND.DOMAIN.COM
# append the intermediate certificate file (x3) to build the chain
cat x3 >> server.pem
# adjust paths:
#cp server.key /etc/nginx/SSL/YOURDOMAIN.key
#cp server.pem /etc/nginx/SSL/YOURDOMAIN.crt
# verify
openssl x509 -in server.pem -text -noout > verify.txt
openssl x509 -outform der -in server.pem -out server.crt
cat server.pem server.key > server_key.pem
chmod 0700 server.*
# restart
service nginx restart
echo "Your SSL is now renewed." | mail -s "SSL Cert Monitor" root
```
```sh
#!/bin/sh
# Warn (and run renew.sh) when the certificate expires within NUMDAYS days.
einzertifikat=/opt/letsencrypt/server.pem
NUMDAYS=7
ACTUALDATE=$(date +%s)
ADAY=86400
WARN_ME_AT_THIS_DATE=$((ADAY * NUMDAYS))
# openssl prints "notAfter=<date>"; keep only the date part
DATEEXP=$(openssl x509 -noout -enddate -in "$einzertifikat")
TIMESTAMP=$(echo "$DATEEXP" | cut -d= -f2)
UNIXTIMESTAMP=$(date -d "$TIMESTAMP" +%s)
WARNDATE=$((UNIXTIMESTAMP - WARN_ME_AT_THIS_DATE))
WARNDATEDAYS=$(( (UNIXTIMESTAMP - ACTUALDATE) / ADAY ))
if [ "$WARNDATE" -lt "$ACTUALDATE" ]; then
  echo "Your SSL Cert will expire in $WARNDATEDAYS days."
  echo "Your SSL Cert will expire in $WARNDATEDAYS days." | mail -s "SSL Cert Monitor" root
  /opt/letsencrypt/renew.sh
else
  echo "Zertifikat OK"
fi
```
You need to add a part to your nginx config to renew your cert when the webserver is running:
```nginx
# Answers every http-01 challenge statically: the CA sends <token>, nginx
# replies "<token>.<thumbprint of your ACME account key>".
location ~ "^/\.well-known/acme-challenge/([-_a-zA-Z0-9]*)$" {
    default_type text/plain;
    return 200 "$1.XXXXCRYPTCODEXXXX";
}
```
And yes, you need to sudo some commands or run everything as root.
pimatic + MySensors + Homeduino + z-way
https://github.com/n3roGit/MySensors_n3ro
-
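The XXXXCRYPTCODEXXXX placeholder in the nginx location is the RFC 7638 thumbprint of the ACME account key, and the same thumbprint also feeds the TXT record of the dns-01 challenge discussed later in the thread. The Python below is an added example (not n3ro’s script and not part of letsencrypt.sh) that derives both challenge responses from a JWK; the key material, the token and the `demo` helper are constructed placeholders, not values from this thread.

```python
import base64
import hashlib
import json

def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME and JWK use."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the REQUIRED public members only,
    keys sorted, no whitespace. Extra members like "alg" must not matter."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())

def http01_response(token: str, thumbprint: str) -> str:
    """Key authorization served at /.well-known/acme-challenge/<token>;
    the nginx 'return 200 "$1.<thumbprint>"' line produces exactly this."""
    return f"{token}.{thumbprint}"

def dns01_txt_value(token: str, thumbprint: str) -> str:
    """TXT value for _acme-challenge.<domain>: base64url(SHA-256(key auth))."""
    key_auth = http01_response(token, thumbprint)
    return b64url(hashlib.sha256(key_auth.encode("ascii")).digest())

# Constructed toy key (public part only), NOT a real account key; real ones are 2048-bit RSA or P-256.
_N = int("c0ffee" * 10, 16)
ACCOUNT_JWK = {
    "alg": "RS256",  # extra member, deliberately ignored by the thumbprint
    "kty": "RSA",
    "n": b64url(_N.to_bytes((_N.bit_length() + 7) // 8, "big")),
    "e": b64url((65537).to_bytes(3, "big")),
}
TOKEN = "cOnStRuCtEdT0kEn_Aa"  # constructed sample token (a CA issues the real one)

def demo(jwk: dict = ACCOUNT_JWK, token: str = TOKEN) -> dict:
    """Everything both challenge types need, derived from one account key."""
    tp = jwk_thumbprint(jwk)
    return {
        "thumbprint": tp,
        "nginx_return": f'return 200 "$1.{tp}";',
        "http01_body": http01_response(token, tp),
        "dns01_txt": dns01_txt_value(token, tp),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Only public key material goes into the thumbprint, so serving it from nginx for every token discloses nothing; the private account key is what must stay protected.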
I see the last few posts are only 17 days old, but I was unable to get that script to work. Initially complained about an outdated agreement url, then threw an error about being unable to shift so far.
Searching high and far for something that would also allow the dns challenge, I ended up with https://github.com/lukas2511/letsencrypt.sh, but still http challenge and nginx. (Needed the dns challenge for certs for another server.)
Update on the dns-01 challenge. I moved my nameservers to cloudflare.com on a free account, and hacked together a bash/curl script to access their API to complete the dns challenge. The primary need for this is servers you’re unable to modify the webserver configuration for, or servers not publicly accessible. I used it to have valid ssl certs for internal webservers. Your mileage may vary, it’s a quick and somewhat dirty hack; but the other options had way too many dependencies for embedded use. http://pastebin.com/e3NyNV49 and