Howto use ssl client certificates

---

So I wanted to access my pimatic system from outside my apartment, wherever I am. I thought about just configuring port forwarding in my router, however just using passwords on plain http didn’t feel good, and also I’m not very confident pimatic is safe to open to the world wide web (sorry).

I decided to configure SSL client certificates to ensure only access to pimatic by devices being configured with the right SSL certificate. In this howto I like to share with you how I configured my system accordingly.

I will be updating this first post over time to keep all information in one place.

The global configuration looks as follows

• domain name
• pimatic
• nginx as a proxy http server handling SSL
• Let’s Encrypt for the SSL certificate of the webserver
• A self signed Certificate Authority to sign your client certificates

Configure a domain name
You need to have a (sub)domain name to be able to use Let’s Encrypt to create a SSL certificate for your configuration. There are many ways to do this. You could use a dynamic DNS service. I configured a subdomain on a domain I own, and since I have a fixed external IP address configured the subdomain to use that address. It’s up to you how to acquire and configure the needed domain.

For the sake of this howto I use the domain name pimatic.example.com.

If you do a nslookup of your pimatic domain your external IP address should be returned
nslookup pimatic.example.com

Depending on the configuration of your router you most probably now get a time out when you browse to the domain.

Run pimatic on a different port
You need to run pimatic on a different port number because nginx and pimatic can not run on the same port number. I decided to go for port 8080 but you can pick any available port other than port 80 and 443.

Stop pimatic
sudo service pimatic stop
and change the following snippet in your pimatic config.json

    "httpServer": {
      "enabled": true,
      "port": 80
    },

to

    "httpServer": {
      "enabled": true,
      "port": 8080
    },

Start pimatic after making these changes
sudo service pimatic start

Check if you can access and use pimatic using the internal IP address of your pimatic device and port 8080.

Install nginx
Just a straightforward sudo apt-get install nginx will install NGINX.

Enable port forwarding
You need to forward port 80 (HTTP) and port 443 (HTTPS) to you pimatic device. Check the documentation of your router how to do this.

After this step you should be able to see the “Welcome to nginx on Debian!” screen when you browse to your pimatic domain.

Install Let’s Encrypt
I first created my own self signed certificate, but Android shows an annoying warning if you add your own Certificate Authority to the device which you can’t hide. So I decided to use the Let’s Encrypt service instead.

sudo su -
wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto
./certbot-auto
mv certbot-auto /usr/local/sbin/
exit

Run Let’s Encrypt
Generate the Let’s Encrypt certificate
sudo certbot-auto certonly --webroot -w /var/www/html/ -d pimatic.example.com

The Let’s Encrypt certificate is only valid for 90 days. To have the certificate automatically renewed every 60 days you have to schedule a task. Modify the root user crontab
sudo crontab -e
and add the following lines to the end

# at 4:47am/pm, renew all Let's Encrypt certificates over 60 days old
47 4,16 * * * /usr/local/sbin/certbot-auto renew --renew-hook "service nginx reload"

Configure nginx
Now we have an SSL certificate for our pimatic domain we can configure HTTPS

Update /etc/nginx/sites-enabled/default to look like

# Default server configuration
server {
        listen 80 default_server;
        listen [::]:80 default_server;

        root /var/www/html;

        server_name pimatic.example.com;

        # Maintain the .well-known directory alias for Let's Encrypt renewals
        location /.well-known {
                alias /var/www/html/.well-known;
        }

        # Redirect to HTTPS
        location / {
                return 301 https://$host$request_uri;
        }
}

# HTTPS configuration
server {
        listen 443 ssl default_server;
        listen [::]:443 ssl default_server;

        # Let's Encrypt signed certificates
        ssl_certificate     /etc/letsencrypt/live/pimatic.example.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/pimatic.example.com/privkey.pem;

        # Turn on OCSP stapling as recommended at
        # https://community.letsencrypt.org/t/integration-guide/13123
        # requires nginx version >= 1.3.7
        ssl_stapling on;
        ssl_stapling_verify on;

        # Uncomment this line only after testing in browsers,
        # as it commits you to continuing to serve your site over HTTPS
        # in future
        # add_header Strict-Transport-Security "max-age=31536000";

        root /var/www/html;

        # Add index.php to the list if you are using PHP
        index index.html index.htm index.nginx-debian.html;

        server_name pimatic.example.com;
}

Reload the nginx configuration
sudo service nginx reload

After this step you should be able to see the “Welcome to nginx on Debian!” screen when you browse to your pimatic domain and HTTP is redirected to HTTPS.

Create self signed Certificate Authority

sudo su -
cd /etc/ssl/
openssl genrsa -des3 -out private/my_pimatic_CA.key 4096
openssl req -new -x509 -days 3650 -key private/my_pimatic_CA.key -out certs/my_pimatic_CA.crt

Update nginx Configuration
You now have to configure nginx to require a client certificate signed by the pimatic Certificate Authority.

Change the following snippet in /etc/nginx/sites-enabled/default

        ssl_certificate     /etc/letsencrypt/live/pimatic.example.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/pimatic.example.com/privkey.pem;

to

        ssl_certificate     /etc/letsencrypt/live/pimatic.example.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/pimatic.example.com/privkey.pem;
        ssl_client_certificate /etc/ssl/certs/my_pimatic_CA.crt;
        ssl_verify_client on;

When you now try to access your pimatic domain your browser is asked for a certificate. As you don’t have one yet you will be denied acces. Verify that this is the case as this is the whole basis on which the security is founded. Any device without a valid certificate should be denied access.

Create a client certificate

sudo su -
cd /etc/ssl/
openssl genrsa -des3 -out private/client.key 4096
openssl req -new -key private/client.key -out client.csr
openssl x509 -req -days 3650 -in client.csr -CA certs/my_pimatic_CA.crt -CAkey private/my_pimatic_CA.key -set_serial 01 -out certs/client.crt
openssl pkcs12 -export -clcerts -in certs/client.crt -inkey private/client.key -out client.p12
exit

Installing the client certificate on OS X
Copy the .p12 certificate to your OS X computer and double click the file in the Finder to open the certificate in Keychain Access.

When you now browse to your pimatic domain you should see the “Welcome to nginx on Debian!” screen again.

Installing the client certificate on Android
I just emailed the .p12 file to myself and opened the file in the Gmail app. The client certificate will automatically be installed.

Installing the client certificate on Windows
I don’t own any Windows devices, so please provide me with the needed instructions and I can update this post accordingly.

Installing the client certificate on iOS
I don’t own any iOS devices, so please provide me with the needed instructions and I can update this post accordingly.

Update nginx Configuration, again
The last thing to configure in nginx is the proxying to pimatic

Add the following snippet to your HTTPS configuration in /etc/nginx/sites-enabled/default to be like

        location / {
                # Proxy requests to pimatic
                proxy_pass http://127.0.0.1:8080;
        }

Reload the nginx configuration
sudo service nginx reload

Getting rid of certificate pop-up in Chrome on OS X
Every time you want to access pimatic your Chrome browser will ask you which certificate you would like to use for authentication. This is obviously not what you want.

You can tell Chrome to always use a specific certificate for a given domain. In Terminal execute the following command.

write com.google.Chrome AutoSelectCertificateForUrls -array-add -string '{"pattern":"https://pimatic.example.com","filter":{"ISSUER":{"CN":"My pimatic CA"}}}'

Thx a lot for hat very nice tutorial!!

I was trying to do this but getting erros after ./certbot-auto:

Installing Python packages…
Installation succeeded.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Failed to find executable apache2ctl in PATH: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
Certbot doesn’t know how to automatically configure the web server on this system. However, it can still get a certificate for you. Please run “certbot-auto certonly” to do so. You’ll need to manually configure your web server to use the resulting certificate.

Any hints for this?

Sorry for not getting back to you earlier @S-O, I was on vacation. Apache is not used in this setup, If you read only a few lines further in my tutorial you will find the line containing
sudo certbot-auto certonly --webroot -w /var/www/html/ -d pimatic.example.com
Just continue following the instructions

Thanks for this tut.

i get this after being by the last steps.

sudo service nginx reload
Job for nginx.service failed. See ‘systemctl status nginx.service’ and ‘journalctl -xn’ for details.

also i cant setup port 8080 since i use a nas on this port. when i go to my domain i redirect to the nas. so i changed the setup to port 443. Maybe this is not right?

also i can only acces the pimatic by adding :433 after internal ip and domain.

any ideas?

443 is to be used by the ssl service of nginx. Since you configured Pimatic on that port nginx won’t start. Just pick port number 8081 instead.

Ok, this did the trick. thanks. Only problem now is that i only hav IOS devices and windows.

400 Bad Request

No required SSL certificate was sent
nginx/1.6.2

I see that nothing works now anymore. i cant get on my pimatic anymore

Have you installed the client certificate? Also pimatic should still be available on port 8081 or whichever port you decided to run it on

I saw that i missed to change the 8080 to 8081 in the last part of your tutorial.
when i enter https://mydomain.nl i get the certificate error. No i didnt install the certificate cause i dont have a clue how to get it on my windows machine
im sry for my noobness

If you have no client certificate installed, but nginx configured to require a client certificate you won’t be granted access. That’s the whole point of this setup.

You can probably use winscp to transfer the certificate to your windows pc. The certificate is actually a plain text file, so you could also copy/paste the contents in a new text file on your windows pc ant then rename that file.

Thanks for the help. I tried to locate the file client.p12. it seems its not located in etc/ssl/certs? Im really sorry i just dont seem to get the drift. thanks for your patience.

It most probably is in /etc/ssl/

K, i found it. After copy paste the code into a crt file on windows and you try to install it i get this message:

file cannot be used for certificate

@rrooggiieerr

I now have the following.

when i enter my domain.nl it turns out no certificate.

when i enter mydomain.nl:8081 i just enter my pimatic. how can this be? did i miss something?

also i cant seem to get the certificate right.

In my HowTo I have described various checks to validate the workings of the different steps. Did you execute these checks and were they successful along the way?

Also I don’t own any Windows devices, so you have to do some Googling to make the certificate work

Actually I have same problem, just been busy to troubleshoot this.

In the end config should look like this? This gives error when trying to reload nginx service.

# Redirect to HTTPS
        location / {
                return 301 https://$host$request_uri;
        }
        location / {
                # Proxy requests to pimatic
                proxy_pass http://127.0.0.1:8080;
         }

Also, is it necessary to uncomment?
# add_header Strict-Transport-Security "max-age=31536000";

Everything else working for me to this point, nginx site needs certificate, after installing certificate lets me in to nginx page, but redirecting to pimatic doesn’t work.

This is my current config, is it ok?

# Default server configuration
server {
        listen 80 default_server;
        listen [::]:80 default_server;

        root /var/www/html;

        server_name somename.com;

        # Maintain the .well-known directory alias for Let's Encrypt renewals
        location /.well-known {
                alias /var/www/html/.well-known;
        }

        # Redirect to HTTPS
        location / {
               	return 301 https://$host$request_uri;
        }
        location / {
                # Proxy requests to pimatic
                proxy_pass http://127.0.0.1:8080;
        }
}

# SSL configuration
server {
        listen 443 ssl default_server;
        listen [::]:443 ssl default_server;

        # Let's Encrypt signed certificates
        ssl_certificate     /etc/letsencrypt/live/somename.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/somename.com/privkey.pem;
	ssl_client_certificate /etc/ssl/certs/my_pimatic_CA.crt;
        ssl_verify_client on;



        # Turn on OCSP stapling as recommended at
        # https://community.letsencrypt.org/t/integration-guide/13123
        # requires nginx version >= 1.3.7
        ssl_stapling on;
        ssl_stapling_verify on;

        # Uncomment this line only after testing in browsers,
        # as it commits you to continuing to serve your site over HTTPS
        # in future
        add_header Strict-Transport-Security "max-age=31536000";

        root /var/www/html;

        # Add index.php to the list if you are using PHP
        index index.html index.htm index.nginx-debian.html;

        server_name somename.com;
}

"Add the following snippet to your HTTPS configuration in /etc/nginx/sites-enabled/default to be like

    location / {
            # Proxy requests to pimatic
            proxy_pass http://127.0.0.1:8080;
    }

"

The HTTPS configuration is the part about port 443, you have added it to the HTTP configuration

This is what my config looks like:

# Default server configuration
#
server {
	listen 80 default_server;
	listen [::]:80 default_server;

	root /var/www/html;

	server_name pimatic.example.com;

	# Maintain the .well-known directory alias for Let's Encrypt renewals
	location /.well-known {
		alias /var/www/html/.well-known;
	}

	# Redirect to HTTPS
	location / {
		return 301 https://$host$request_uri;
	}
}

# HTTPS configuration
server {
	listen 443 ssl default_server;
	listen [::]:443 ssl default_server;

	# Let's Encrypt signed certificates
	ssl_certificate     /etc/letsencrypt/live/pimatic.example.com/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/pimatic.example.com/privkey.pem;
	ssl_client_certificate /etc/ssl/certs/pimatic_CA.crt;
	ssl_verify_client on;

	# Turn on OCSP stapling as recommended at 
	# https://community.letsencrypt.org/t/integration-guide/13123 
	# requires nginx version >= 1.3.7
	ssl_stapling on;
	ssl_stapling_verify on;

	# Uncomment this line only after testing in browsers,
	# as it commits you to continuing to serve your site over HTTPS
	# in future
	# add_header Strict-Transport-Security "max-age=31536000";

	root /var/www/html;

	# Add index.php to the list if you are using PHP
	index index.html index.htm index.nginx-debian.html;

	server_name pimatic.example.com;

	location / {
		# Proxy request to pimatic
		proxy_pass http://127.0.0.1:8080;
	}
}

Thank You again, all working now