HTTPS on an EmonPi

[edited 2 Oct] - Update for Buster and python3

There have been a number of questions around using HTTPS on an emonpi. My usual OS is DietPi with the Lighttpd server and I’ve written a blog post (worth reading :laughing:) on setting up the SSL certificates on that system. It is though slightly different for Raspbian Stretch (it will be different for Buster and probably will not work on Jessie).

There is a previous post on this but it is a little out of date as it is for Jessie: Configuring EmonCMS on EmonPi to use HTTPS

As ever, TMTOWTDI.

Prerequisites

You must have your own domain to which you have access to the DNS records via an API. I use Cloudflare (free) and this post assumes you are using Cloudflare (as I use that plugin).

Setting up access to the domain internally / externally is for you to do. I use PiHole internally so editing the /etc/hosts on that machine is all I need to do. Setting up access externally is outside the scope of this post.

Certbot

Install certbot

sudo apt-get update
sudo apt-get upgrade
sudo apt-get install certbot

Plugins

Plugins are a bit of a pain as not all the repositories keep up to date.

Try the python3 plugin first

sudo apt-get install python3-certbot-apache

If that is not available, use the Python 2 one

sudo apt-get install python-certbot-apache

The certbot-dns-cloudflare plugin is not available from the Raspbian Stretch or Buster repositories so it is installed via pip.

sudo apt-get install python3-pip
sudo pip3 install certbot-dns-cloudflare

For Ubuntu18.04LTS you can use python3 plugins from apt

sudo apt-get install python3-certbot-dns-cloudflare

Credentials

Next you need a Cloudflare credentials file

mkdir .secrets
cd .secrets/
nano cloudflare.ini

You can see how to get the API key from my blog post or a google search. The file should look like this…

dns_cloudflare_email = youremail@domain
dns_cloudflare_api_key = 2222222222222222222222

Make it secure with chmod 600 cloudflare.ini (there is plenty of discussion about where this file should be; not getting into that here).

Makecert script

I then create a shell script for creating the certificate - just easier than a convoluted command line and I use it in other places as well :laughing:

nano makecert.sh

This consists of

#!/bin/sh
# Issue a certificate via the Cloudflare DNS challenge and install it into Apache.

MY_DOMAIN="YourDomain"

# --no-redirect keeps plain http working alongside https.
certbot --installer apache \
  --no-redirect \
  --dns-cloudflare \
  --dns-cloudflare-credentials /home/pi/.secrets/cloudflare.ini \
  -d "$MY_DOMAIN"

Make the script executable and run it

chmod +x makecert.sh
sudo ./makecert.sh

You will be asked for an email address and to accept the T&C. I have set this up so the http requests will still work (no-redirect flag).

Does it work?

It does for me :grinning:

As I say, how your internal network is set up will affect what you need to do to make it work.

Renewal

Certbot is really clever in that it sets up renewal automatically. To see that it has:

systemctl list-timers certbot.timer

Reference

  1. Tutorial - Certbot Cloudflare DNS with Apache Web Servers on Ubuntu 16.10 - Server - Let's Encrypt Community Support
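A hardened version of the credentials and makecert steps above, added here as an example and not part of borpin's post: it creates the credentials file with the right permissions from the start (umask 077, so it is never briefly world-readable), checks the file's mode and contents before every run, validates the domain before it reaches the command line, and can do a dry run against the Let's Encrypt staging endpoint first. It assumes the packages listed above are installed, GNU `stat`, and a scoped Cloudflare API token (the plugin accepts `dns_cloudflare_api_token` as an alternative to the email plus global API key pair shown in the post; the check accepts either). The paths, the `CERTBOT` override and the 30-second propagation wait are my choices, not from the post.

```shell
#!/bin/sh
# makecert.sh, added example (not the original post's script).
# Assumptions not from the post: certbot, python3-certbot-apache and
# certbot-dns-cloudflare are installed; GNU stat is available; the Cloudflare
# credential is a scoped API token (Zone -> DNS -> Edit), which the plugin reads
# from dns_cloudflare_api_token. The post's email + global API key pair is
# still accepted by check_credentials.
set -eu

CRED_DIR="${CRED_DIR:-/home/pi/.secrets}"
CERTBOT="${CERTBOT:-certbot}"

# Create the credentials file without ever leaving it world-readable:
# umask 077 applies to both the mkdir and the redirect that creates the file.
write_credentials() {
    dir=$1 token=$2
    (
        umask 077
        mkdir -p "$dir"
        printf 'dns_cloudflare_api_token = %s\n' "$token" > "$dir/cloudflare.ini"
    )
    chmod 600 "$dir/cloudflare.ini"
}

# 0 if the file exists, is mode 600 (or 400) and holds a usable credential set.
check_credentials() {
    f=$1
    [ -f "$f" ] || { echo "missing $f" >&2; return 1; }
    perm=$(stat -c '%a' "$f")
    case $perm in
        600|400) ;;
        *) echo "$f is mode $perm, expected 600" >&2; return 1 ;;
    esac
    if grep -q '^dns_cloudflare_api_token[[:space:]]*=' "$f"; then
        return 0
    fi
    if grep -q '^dns_cloudflare_email[[:space:]]*=' "$f" &&
       grep -q '^dns_cloudflare_api_key[[:space:]]*=' "$f"; then
        echo "warning: $f uses the global API key; a scoped token is safer" >&2
        return 0
    fi
    echo "$f has neither an API token nor email+key" >&2
    return 1
}

# Reject anything that is not a plain host name before it reaches the command line.
valid_domain() {
    printf '%s' "$1" | grep -Eq '^([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}$'
}

# Issue a certificate. $1 = domain; $2 = "dry-run" to use the staging
# environment, which writes nothing to /etc/letsencrypt and avoids rate limits.
issue_cert() {
    domain=$1 dry=${2:-}
    valid_domain "$domain" || { echo "refusing domain '$domain'" >&2; return 1; }
    check_credentials "$CRED_DIR/cloudflare.ini" || return 1
    if [ "$dry" = dry-run ]; then set -- --dry-run; else set --; fi
    "$CERTBOT" --installer apache \
        --no-redirect \
        --dns-cloudflare \
        --dns-cloudflare-credentials "$CRED_DIR/cloudflare.ini" \
        --dns-cloudflare-propagation-seconds 30 \
        -d "$domain" "$@"
}

# Usage: sudo ./makecert.sh <domain> [dry-run]
# With no arguments the file only defines the functions, so it can be sourced.
[ $# -eq 0 ] || issue_cert "$@"
```

Create the credentials once with `sudo sh -c '. ./makecert.sh; write_credentials /home/pi/.secrets "$TOKEN"'`, then `sudo ./makecert.sh emonpi.example.org dry-run` before the real run; the dry run exercises the DNS challenge and the Apache installer without consuming a rate-limited issuance.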

Thanks for sharing @borpin, a useful guide!

Quick update, I started getting expiration notices for this certificate.

To cut a long story short, the installed service file points to /usr/bin/certbot, but simply certbot from the command line points to /usr/local/bin/certbot. The former path fails to renew (a version conflict) but the latter works.

I’m not enough of a UNIX geek to understand why! Something to do with pip and apt I suspect.

I have created a drop-in to the service file to (hopefully) correct the issue.

sudo systemctl edit certbot.service

and add

[Service]
ExecStart=
ExecStart=/usr/local/bin/certbot -q renew

Note, to clear the ExecStart you need a blank command (@TrystanLea this might be useful to know :grin:).

Suggest you then do

sudo systemctl daemon-reload
sudo systemctl restart certbot.service

and

sudo certbot certificates

should tell you the certificate has a long expiry.
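The reason there are two certbots is that `sudo pip3 install certbot-dns-cloudflare` pulls in certbot itself from PyPI as a dependency, so pip puts its own `certbot` under /usr/local/bin while the apt-installed unit file still points at /usr/bin. The script below is an added example, not the drop-in from the post above (though it writes the same two-line override): it reads the unit with `systemctl cat`, compares the ExecStart binary with the one on PATH, and writes the override to /etc/systemd/system/certbot.service.d/override.conf, which is the file `systemctl edit certbot.service` creates. The unit text used in the test is constructed to look like Debian's certbot.service.

```shell
#!/bin/sh
# check-renew-path.sh, added example (not the poster's commands).
# Detects the situation described in the thread: the systemd unit runs one
# certbot (apt's /usr/bin/certbot) while the one on PATH is another (pip's
# /usr/local/bin/certbot), then writes the same drop-in that
# `systemctl edit certbot.service` would. Assumptions not in the post: the unit
# text is readable with `systemctl cat`, and the drop-in directory is
# /etc/systemd/system/certbot.service.d (the path systemctl edit uses).
set -eu

# Program from the last effective ExecStart= line of a unit's text (drop-ins
# appear after the unit in `systemctl cat` output). An empty "ExecStart="
# resets the list, which is why the drop-in needs two lines.
exec_start_binary() {
    printf '%s\n' "$1" | awk '
        /^ExecStart=/ {
            cmd = substr($0, 11)                  # strip "ExecStart="
            if (cmd == "") { bin = ""; next }     # empty value resets the list
            sub(/^-/, "", cmd)                    # leading "-" = ignore exit status
            split(cmd, a, " "); bin = a[1]
        }
        END { print bin }'
}

# The certbot an interactive shell would run (empty if none).
path_certbot() { command -v certbot 2>/dev/null || true; }

# 0 when the unit and PATH disagree: the timer would run a different certbot
# from the one you tested by hand.
renew_path_mismatch() {
    unit_bin=$1 shell_bin=$2
    [ -n "$unit_bin" ] && [ -n "$shell_bin" ] && [ "$unit_bin" != "$shell_bin" ]
}

# Render the drop-in. The blank ExecStart= clears the packaged command first;
# a second ExecStart= alone would be appended, so the failing packaged command
# would still run (and, for this oneshot unit, stop the renewal there).
render_drop_in() {
    printf '[Service]\nExecStart=\nExecStart=%s -q renew\n' "$1"
}

# Write the drop-in where systemctl edit would put it.
install_drop_in() {
    bin=$1 dir=${2:-/etc/systemd/system/certbot.service.d}
    mkdir -p "$dir"
    render_drop_in "$bin" > "$dir/override.conf"
    chmod 644 "$dir/override.conf"
}

main() {
    unit_text=$(systemctl cat certbot.service)
    unit_bin=$(exec_start_binary "$unit_text")
    shell_bin=$(path_certbot)
    echo "unit runs: ${unit_bin:-<none>}"
    echo "PATH runs: ${shell_bin:-<none>}"
    if renew_path_mismatch "$unit_bin" "$shell_bin"; then
        install_drop_in "$shell_bin"
        systemctl daemon-reload
        echo "drop-in written; verify with: certbot renew --dry-run"
    else
        echo "no mismatch"
    fi
}

# Usage: sudo ./check-renew-path.sh fix   (no argument only defines the functions)
if [ "${1:-}" = fix ]; then main; fi
```

After `sudo ./check-renew-path.sh fix`, run `sudo certbot renew --dry-run` and then `systemctl list-timers certbot.timer`: the dry run proves the binary the timer will now call can actually renew, which `certbot certificates` alone does not show. The longer-term fix is to install certbot and its plugins from one source only (all apt, or all pip in a venv), so there is only one certbot to point the unit at.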