There have been a number of questions around using HTTPS on an emonpi. My usual OS is DietPi with the Lighttpd server and I’ve written a blog post (worth reading) on setting up the SSL certificates on that system. It is, though, slightly different for Raspbian Stretch (it will be different for Buster and probably will not work on Jessie).
There is a previous post on this, "Configuring EmonCMS on EmonPi to use HTTPS", but it is a little out of date as it is for Jessie.
As ever TMTOWTDI
You must have your own domain for which you have access to the DNS records via API. I use Cloudflare (free) and this post assumes you are using Cloudflare (as it uses that plugin).
Setting up access to the domain internally / externally is for you to do. I use PiHole internally so editing /etc/hosts on that machine is all I need to do. Setting up access externally is outside the scope of this post.
Install what is required…
sudo apt-get update
sudo apt-get upgrade
sudo apt-get install certbot
sudo apt-get install certbot python-certbot-apache
sudo apt-get install python3-pip
sudo pip3 install certbot-dns-cloudflare
The certbot-dns-cloudflare plugin is not available from the Raspbian Stretch repositories so it is installed via pip.
Next you need a Cloudflare credentials file
mkdir .secrets
cd .secrets/
nano cloudflare.ini
You can see how to get the API key from my blog post or a google search. The file should look like this…
dns_cloudflare_email = [email protected]
dns_cloudflare_api_key = 2222222222222222222222
Make it secure with
chmod 600 cloudflare.ini
(There is plenty of discussion about where this file should be - not getting into that here.)
I then create a shell script for creating the certificate - just easier than a convoluted command line and I use it in other places as well.
This consists of
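#!/bin/sh
# Domain to request the certificate for
MY_DOMAIN="YourDomain"
# DNS-01 validation via the Cloudflare plugin, installed into Apache;
# --no-redirect leaves plain HTTP requests working
certbot --installer apache \
  --no-redirect \
  --dns-cloudflare \
  --dns-cloudflare-credentials /home/pi/.secrets/cloudflare.ini \
  -d "$MY_DOMAIN"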
Make the script executable and run it
chmod +x makecert.sh
./makecert.sh
You will be asked for an email address and to accept the T&C. I have set this up so the http requests will still work (
Does it work?
It does for me
As I say, how your internal network is set up will affect what you need to do to make it work.
Certbot is really clever in that it sets up renewal automatically. To see that it has:
systemctl list-timers certbot.timer
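
A check for the `chmod 600` step on the credentials file, as an added example that is not part of the original post. It goes slightly beyond that step by also looking at the parent directory and the two keys the file should contain; `check_cred_file` is a hypothetical helper name and the sample values are constructed.

```shell
#!/bin/sh
# Added example: audit a certbot-dns-cloudflare credentials file.
# check_cred_file is a hypothetical helper name, not part of certbot.
check_cred_file() {
    f=$1
    rc=0
    # Refuse symlinks: the target may have looser permissions.
    if [ -L "$f" ] || [ ! -f "$f" ]; then
        echo "FAIL: $f is missing or not a regular file"
        return 1
    fi
    # Characters 5-10 of the ls mode string are the group/other bits.
    mode=$(ls -ld "$f" | cut -c1-10)
    case $mode in
        -???------) ;;
        *) echo "FAIL: $f is $mode, run: chmod 600 $f"; rc=1 ;;
    esac
    # Character 9 of the directory mode is the "other" write bit; if set,
    # other local users may be able to replace the file.
    dmode=$(ls -ld "$(dirname "$f")" | cut -c1-10)
    case $dmode in
        ????????w?) echo "FAIL: parent directory is world-writable"; rc=1 ;;
    esac
    # Both keys shown in the post must be present with a value.
    for key in dns_cloudflare_email dns_cloudflare_api_key; do
        if ! grep -Eq "^[[:space:]]*${key}[[:space:]]*=[[:space:]]*[^[:space:]]" "$f"; then
            echo "FAIL: $key is missing or empty"
            rc=1
        fi
    done
    if [ "$rc" -eq 0 ]; then echo "OK: $f"; fi
    return "$rc"
}

# Constructed demo: placeholder values in a private temp directory.
demo_dir=$(mktemp -d)
demo_file=$demo_dir/cloudflare.ini
printf '%s\n' 'dns_cloudflare_email = user@example.com' \
    'dns_cloudflare_api_key = CONSTRUCTED_PLACEHOLDER' > "$demo_file"
chmod 644 "$demo_file"
check_cred_file "$demo_file" || echo "rejected as expected"
chmod 600 "$demo_file"
check_cred_file "$demo_file"
rm -rf "$demo_dir"
```

Calling `check_cred_file /home/pi/.secrets/cloudflare.ini` at the top of makecert.sh and exiting on a non-zero return stops the certificate request when the file has been left readable by other users.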