HTTPS on an EmonPi

There have been a number of questions around using HTTPS on an EmonPi. My usual OS is DietPi with the Lighttpd server and I’ve written a blog post (worth reading :laughing:) on setting up the SSL certificates on that system. It is, though, slightly different for Raspbian Stretch (it will be different for Buster and probably will not work on Jessie).

There is a previous post on this but it is a little out of date as it is for Jessie: "Configuring EmonCMS on EmonPi to use HTTPS".

As ever TMTOWTDI

Prerequisites

You must have your own domain to which you have access to the DNS records via API. I use Cloudflare (free) and this post assumes you are using Cloudflare (as it uses that plugin).

Setting up access to the domain internally / externally is for you to do. I use PiHole internally so editing the /etc/hosts on that machine is all I need to do. Setting up access externally is outside the scope of this post.

Method

Install what is required…

sudo apt-get update
sudo apt-get upgrade
sudo apt-get install certbot
sudo apt-get install certbot python-certbot-apache
sudo apt-get install python3-pip
sudo pip3 install certbot-dns-cloudflare

The certbot-dns-cloudflare plugin is not available from the Raspbian Stretch repositories so it is installed via pip.

Next you need a Cloudflare credentials file

mkdir .secrets
cd .secrets/
nano cloudflare.ini

You can see how to get the API key from my blog post or a google search. The file should look like this…

dns_cloudflare_email = [email protected]
dns_cloudflare_api_key = 2222222222222222222222

Make it secure with chmod 600 cloudflare.ini (there is plenty of discussion about where this file should be - not getting into that here).

I then create a shell script for creating the certificate - just easier than a convoluted command line and I use it in other places as well :laughing:

nano makecert.sh

This consists of

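#!/bin/sh
# Request a certificate via the Cloudflare DNS challenge and install it into Apache.

MY_DOMAIN="YourDomain"   # replace with your own domain

# --no-redirect leaves plain HTTP requests working alongside HTTPS.
certbot --installer apache \
  --no-redirect \
  --dns-cloudflare \
  --dns-cloudflare-credentials /home/pi/.secrets/cloudflare.ini \
  -d "$MY_DOMAIN"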

Make the script executable and run it

chmod +x makecert.sh
./makecert.sh

You will be asked for an email address and to accept the T&C. I have set this up so the http requests will still work (no-redirect flag).

Does it work?

It does for me :grinning:

As I say, how your internal network is set up will affect what you need to do to make it work.

Renewal

Certbot is really clever in that it sets up renewal automatically. To see that it has

systemctl list-timers certbot.timer

Reference

  1. https://community.letsencrypt.org/t/tutorial-certbot-cloudflare-dns-with-apache-web-servers-on-ubuntu-16-10/38847
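A pre-flight check for the credentials file from the post above, as an added example that is not part of the original post: it refuses a cloudflare.ini that is a symlink, is readable by group or other (the chmod 600 step was skipped), or lacks either of the two keys. The function name check_cf_credentials is a hypothetical helper, not part of certbot; the path in the usage comment is the one used in makecert.sh.

```shell
#!/bin/sh
# Added example: validate the Cloudflare credentials file before certbot runs.
# check_cf_credentials is a hypothetical helper name, not a certbot command.
#
# Return codes:
#   0 ok
#   1 missing or not a regular file
#   2 path is a symlink (could point at a file with different ownership)
#   3 group/other have some permission on the file
#   4 a required key is missing or has an empty value
check_cf_credentials() {
    cf_file=$1

    if [ -L "$cf_file" ]; then return 2; fi
    if [ ! -f "$cf_file" ]; then return 1; fi

    # Characters 5-10 of the ls mode string are the group and other bits;
    # chmod 600 (or 400) leaves all six as '-'.
    cf_mode=$(ls -ld -- "$cf_file" | cut -c5-10)
    if [ "$cf_mode" != "------" ]; then return 3; fi

    # Both keys shown in the post must be present with a non-empty value.
    for cf_key in dns_cloudflare_email dns_cloudflare_api_key; do
        if ! grep -Eq "^[[:space:]]*${cf_key}[[:space:]]*=[[:space:]]*[^[:space:]]" "$cf_file"; then
            return 4
        fi
    done
    return 0
}

# Example use at the top of makecert.sh (path as used in the post):
#   check_cf_credentials /home/pi/.secrets/cloudflare.ini || {
#       echo "refusing to run certbot: fix cloudflare.ini first" >&2
#       exit 1
#   }
```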

Thanks for sharing @borpin a useful guide!