OpenEnergyMonitor Community

SSL/HTTPS on internal network


(Brian Orpin) #1

Has anyone tried to install an SSL certificate on an internal/external EmonCMS setup? I have managed to setup a means of generating a wildcard certificate (remarkably easy) that I have now got to work on Pi-Hole. Ran out of time last night, but next system to try is EmonCMS.


(Brian Orpin) #2

Well, the solution was so simple as to be unbelievable. OK, so I had already done it for my Home Assistant, Pi-Hole and an externally facing Pi outside of my main LAN, but still.

Having got a wildcard SSL certificate, I simply created a folder, dropped the certificate files in, modified the lighttpd.conf file, added an entry to my Pi-hole /etc/hosts to point to the FQDN, restarted the services and this is the result!


That is a domain I have bought specifically for my internal network. The top level is externally routeable - I did that before I got the DNS-01 query sorted for the certificate and it is just sitting now.
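The lighttpd side of the setup described in this post, as an added example (not the poster's own files or the emoncms project's): a script that renders the SSL fragment for lighttpd 1.4, checks the combined PEM before anything is restarted, and prints the `/etc/hosts` line for the Pi-hole. The directory layout under `/etc/lighttpd`, the Debian `conf-enabled` convention, the hostname `emoncms.home.example` and the LAN address are assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread: wire an already-issued certificate
# into lighttpd the way post #2 describes, and produce the /etc/hosts line for
# the Pi-hole. Directory layout, hostname and LAN address are assumptions
# (the Debian conf-enabled layout is assumed for lighttpd).
set -eu

CERT_DIR="${CERT_DIR:-/etc/lighttpd/ssl}"        # cert.pem, privkey.pem, chain.pem copied here
CONF_FRAGMENT="${CONF_FRAGMENT:-/etc/lighttpd/conf-enabled/50-emoncms-ssl.conf}"
FQDN="${FQDN:-emoncms.home.example}"             # constructed internal name
LAN_IP="${LAN_IP:-192.168.1.50}"                 # constructed address of the EmonCMS Pi

# lighttpd 1.4 fragment: HTTPS on :443 from one combined PEM (certificate
# followed by private key), plus a redirect so an EmonCMS login over plain
# HTTP never crosses the LAN in clear.
render_lighttpd_ssl_conf() {
    pemfile="$1"; cafile="$2"
    cat <<EOF
server.modules += ( "mod_redirect" )

\$SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    ssl.pemfile = "$pemfile"
    ssl.ca-file = "$cafile"
}

\$HTTP["scheme"] == "http" {
    \$HTTP["host"] =~ ".*" {
        url.redirect = (".*" => "https://%0\$0")
    }
}
EOF
}

# Line to append to the Pi-hole's /etc/hosts (then "pihole restartdns"), so
# every LAN client resolves the FQDN to the Pi without a public DNS record.
hosts_entry() {
    printf '%s %s\n' "$1" "$2"
}

# A combined PEM missing either half makes lighttpd refuse to start, which
# takes EmonCMS off the LAN; check before restarting anything.
combined_pem_ok() {
    grep -q 'BEGIN CERTIFICATE' "$1" && grep -q 'PRIVATE KEY' "$1"
}

# Root-only install step; only runs when the script is invoked as "install".
install_cert() {
    umask 077   # lighttpd reads the key as root before dropping privileges
    cat "$CERT_DIR/cert.pem" "$CERT_DIR/privkey.pem" > "$CERT_DIR/combined.pem"
    combined_pem_ok "$CERT_DIR/combined.pem"
    render_lighttpd_ssl_conf "$CERT_DIR/combined.pem" "$CERT_DIR/chain.pem" > "$CONF_FRAGMENT"
    lighttpd -tt -f /etc/lighttpd/lighttpd.conf   # syntax check before the restart
    systemctl restart lighttpd
    echo "On the Pi-hole, append to /etc/hosts: $(hosts_entry "$LAN_IP" "$FQDN")"
}

if [ "${1:-}" = "install" ]; then
    install_cert
fi
```

Run it as `sudo sh setup-ssl.sh install` on the EmonCMS Pi after copying the three PEM files into `/etc/lighttpd/ssl`; the config check with `lighttpd -tt` is what keeps a bad key or a typo in the fragment from leaving the web server down after the restart.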


(Greebo) #3

Where did you get your certificate from? I presume you were aware of Lets Encrypt (https://letsencrypt.org/)?


(Brian Orpin) #4

Yes. Bought the domain on Google domains as it offered a means of DDNS for my own FQDN. I was then going to use the Google API & certbot plugin to do a LetsEncrypt DNS-01 challenge for the wildcard certificate. However, I discovered Google charge for the DNS update. I therefore changed the name servers to cloudflare which also enables the DDNS update via certbot plugin API (without a charge) which then enabled me to write the TXT record so certbot could do the DNS-01 challenge.

I think I could probably have changed my normal domain to cloudflare and done the same and saved a tenner. However, I felt that mitigating the risk of mucking up the existing setup for £10 was money well spent :slight_smile:

I still have the external Pi running but I suspect I do/did not actually need it as the challenge was DNS rather than HTTP.

So far I have manually uploaded the certificate files to the various servers that need it. One of the next tasks is to automate the distribution.


(Brian Orpin) #5

I have modified my approach to this which makes it simpler. Letsencrypt SSL Certificates by DNS Challenge with Lighttpd

This still uses the DNS-01 query method, so you do not need your emoncms instance exposed to the Internet, just a Domain DNS you can edit by API. Instead of using a wildcard certificate, you are doing it for a specific subdomain for that machine and the renewals can be automated.

A similar mechanism could be used for the standard Apache webserver used by EmonSD.
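The DNS-01 workflow from post #4 (certbot with the Cloudflare plugin) and the per-host, auto-renewing variant from post #5, as one added example that is not the poster's script nor anything shipped by emoncms or certbot: it writes the plugin's credentials file root-only, builds the certbot argument list so it can be reviewed, and installs a deploy hook that copies each renewed certificate into lighttpd (with a note on the Apache equivalent for EmonSD). The `certbot-dns-cloudflare` plugin, its `--dns-cloudflare*` flags, the `dns_cloudflare_api_token` key and the `RENEWED_LINEAGE` variable certbot exports to deploy hooks are real; the paths, the e-mail address, the `CF_TOKEN` environment variable and the host name `emoncms.home.example` are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: request a certificate for one host name
# (post #5) or a wildcard (post #4) via certbot's DNS-01 challenge against
# Cloudflare, then let certbot's deploy hook copy renewed files into lighttpd
# so renewal and distribution are automatic. Paths, the e-mail address, the
# CF_TOKEN variable and the host name are assumptions.
set -eu

CREDS="${CREDS:-/root/.secrets/cloudflare.ini}"
HOOK="${HOOK:-/etc/letsencrypt/renewal-hooks/deploy/lighttpd.sh}"
EMAIL="${EMAIL:-admin@example.invalid}"          # placeholder, replace
HOST_FQDN="${HOST_FQDN:-emoncms.home.example}"  # constructed host name

# Credentials file read by the certbot-dns-cloudflare plugin. Use an API
# token scoped to Zone:DNS:Edit on the one zone and keep the file root-only:
# whoever can read it can rewrite every record in that zone.
write_cloudflare_credentials() {
    path="$1"; token="$2"
    umask 077
    mkdir -p "$(dirname "$path")"
    printf 'dns_cloudflare_api_token = %s\n' "$token" > "$path"
}

# Argument list certbot is called with, one argument per line for review.
# Only the _acme-challenge TXT record is touched; the EmonCMS host itself
# never has to accept a connection from the Internet.
certbot_dns01_args() {
    creds="$1"; hook="$2"; shift 2
    printf '%s\n' certonly --non-interactive --agree-tos -m "$EMAIL" \
        --dns-cloudflare --dns-cloudflare-credentials "$creds" \
        --dns-cloudflare-propagation-seconds 30 --deploy-hook "$hook"
    for name in "$@"; do printf '%s\n' -d "$name"; done
}

# Script certbot runs after each successful renewal; certbot exports
# RENEWED_LINEAGE, the /etc/letsencrypt/live/<name> directory just renewed.
render_deploy_hook() {
    cat <<'EOF'
#!/bin/sh
set -eu
umask 077
mkdir -p /etc/lighttpd/ssl
# lighttpd wants certificate and key in one PEM file
cat "$RENEWED_LINEAGE/cert.pem" "$RENEWED_LINEAGE/privkey.pem" > /etc/lighttpd/ssl/combined.pem
cp "$RENEWED_LINEAGE/chain.pem" /etc/lighttpd/ssl/chain.pem
lighttpd -tt -f /etc/lighttpd/lighttpd.conf && systemctl restart lighttpd
# EmonSD's Apache instead: point SSLCertificateFile at $RENEWED_LINEAGE/fullchain.pem
# and SSLCertificateKeyFile at $RENEWED_LINEAGE/privkey.pem, then "systemctl reload apache2".
EOF
}

# Sanity check after issuance: is the intended name in the certificate's SAN
# list? (Dots in the name match any character here; fine for a check.)
cert_covers_name() {
    openssl x509 -in "$1" -noout -text | grep -q -e "DNS:$2," -e "DNS:$2\$"
}

issue() {
    write_cloudflare_credentials "$CREDS" "${CF_TOKEN:?set CF_TOKEN to a scoped Cloudflare API token}"
    render_deploy_hook > "$HOOK" && chmod 700 "$HOOK"
    # For the wildcard of posts #2/#4 pass "*.home.example" "home.example" instead.
    certbot_dns01_args "$CREDS" "$HOOK" "$HOST_FQDN" | xargs certbot
    cert_covers_name "/etc/letsencrypt/live/$HOST_FQDN/cert.pem" "$HOST_FQDN"
}

if [ "${1:-}" = "issue" ]; then
    issue
fi
```

Run once as `sudo CF_TOKEN=... sh issue-cert.sh issue`; after that the certbot systemd timer (or cron job) installed with the package renews the certificate and fires the hook, and `sudo certbot renew --dry-run` exercises the whole path, hook included, without consuming a real issuance.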