
@dfraser
Last active October 6, 2016 23:49

Using Let's Encrypt with openHAB

You can use a FREE certificate from [Let's Encrypt](https://letsencrypt.org/) to secure your [openHAB](http://www.openhab.org/) installation.

This quick information page is based on details from https://gist.github.com/jpmens/8029383.

To start, get the Let's Encrypt client as shown here https://letsencrypt.org/howitworks/. I checked it out into /root/letsencrypt.

Pick a password for your keystore. Use the command line in step 9 of [jpmens' tutorial](https://gist.github.com/jpmens/8029383) to create jetty passwords and update the jetty.xml.

In order to verify your domain, Let's Encrypt will connect to your computer on port 443, using the name you specified. You need to make sure all your networking is in place so that this will be possible. You'll need to stop openHAB so that the Let's Encrypt client can listen for that connection.

The script below gets a certificate for myserver.mydomain.com, creates the PKCS12 keystore with password xxxsecret, builds the Java keystore from it, and puts it in the right place (on my system). Once this works for you, you can run it from a monthly cron job to keep things up to date.

Please read the script carefully, understand what it's doing, and make appropriate modifications.

```bash
#!/bin/bash
DOMAIN=myserver.mydomain.com
PASSWORD=xxxsecret          # the keystore password you picked above (and put in jetty.xml)
cd /root/letsencrypt
# openHAB must be stopped so the client can answer the tls-sni-01 challenge on port 443
service openhab stop
./letsencrypt-auto certonly --renew-by-default --standalone-supported-challenges tls-sni-01 -d ${DOMAIN}
# bundle the private key and full chain into a PKCS12 file ...
openssl pkcs12 -export -password pass:${PASSWORD} -inkey /etc/letsencrypt/live/${DOMAIN}/privkey.pem -in /etc/letsencrypt/live/${DOMAIN}/fullchain.pem -out /tmp/cert.p12
# ... convert it into a Java keystore ...
keytool -importkeystore -srckeystore /tmp/cert.p12 -srcstoretype PKCS12 -destkeystore /tmp/keystore.jks -srcstorepass ${PASSWORD} -deststorepass ${PASSWORD} -noprompt
rm /tmp/cert.p12
# ... and install it where jetty.xml expects the keystore
mv /tmp/keystore.jks /opt/openhab/etc/keystore
service openhab start
```
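A hardened variant of that script, added here as an example and not the gist author's code. It keeps the keystore password off the command line (read from a root-only file), stops openHAB only when the certificate is actually close to expiry, restarts it even if a later step fails, and refuses to deploy a keystore that holds no private key. The service user `openhab` and the password file `/root/openhab-keystore.pass` are assumptions; adjust them for your system.

```bash
#!/bin/bash
# Hardened variant of the gist's renewal script (added example, not the author's code).
# Assumptions not in the gist: openHAB runs as user $OPENHAB_USER (adjust), and the keystore
# password lives in the root-only file $PASSFILE instead of a variable visible in `ps`.
set -eu
umask 077                                 # temp files holding the private key are not world-readable

DOMAIN=${DOMAIN:-myserver.mydomain.com}
LIVE=/etc/letsencrypt/live/$DOMAIN
KEYSTORE=/opt/openhab/etc/keystore
PASSFILE=${PASSFILE:-/root/openhab-keystore.pass}   # one line, mode 0600: the keystore password
OPENHAB_USER=${OPENHAB_USER:-openhab}
MIN_DAYS=${MIN_DAYS:-30}

# Succeeds when the certificate in $1 is still valid for at least $2 more days.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Builds a JKS keystore $2 from the privkey/fullchain in live directory $1,
# passing the password by file so it never appears on a command line.
build_keystore() {
  local live=$1 out=$2 p12
  p12=$(mktemp /tmp/cert.XXXXXX)
  openssl pkcs12 -export -inkey "$live/privkey.pem" -in "$live/fullchain.pem" \
    -out "$p12" -passout "file:$PASSFILE"
  rm -f "$out"
  keytool -importkeystore -srckeystore "$p12" -srcstoretype PKCS12 \
    -destkeystore "$out" -deststoretype JKS \
    -srcstorepass:file "$PASSFILE" -deststorepass:file "$PASSFILE" -noprompt
  rm -f "$p12"
  # The result must hold exactly one private-key entry, else refuse to deploy it.
  [ "$(keytool -list -keystore "$out" -storepass:file "$PASSFILE" 2>/dev/null \
        | grep -c PrivateKeyEntry)" = 1 ]
}
main() {
  # Skip the stop/renew cycle while the current certificate has plenty of life left.
  if [ -f "$LIVE/cert.pem" ] && cert_valid_for_days "$LIVE/cert.pem" "$MIN_DAYS"; then
    echo "certificate valid for more than $MIN_DAYS days; nothing to do"; return 0
  fi
  service openhab stop
  trap 'service openhab start' EXIT       # openHAB is restarted even if a later step fails
  ( cd /root/letsencrypt && ./letsencrypt-auto certonly --renew-by-default \
      --standalone-supported-challenges tls-sni-01 -d "$DOMAIN" )
  build_keystore "$LIVE" "$KEYSTORE.new"
  chown "$OPENHAB_USER" "$KEYSTORE.new" && chmod 0600 "$KEYSTORE.new"
  mv "$KEYSTORE.new" "$KEYSTORE"           # atomic swap: no half-written keystore is ever live
}
if [ "${1:-}" = "--run" ]; then main; fi   # run as: ./renew-openhab-cert.sh --run
```

Run it from cron with `--run`; sourcing the file without that flag only defines the functions, so the two helpers can be exercised on their own.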

This isn't going to be a perfect configuration for you out of the box, but it should get you started. Please let me know how it goes!

Cheers.

Dan

@lionelbeard

Thanks for your tutorial, it works well on my setup. So cool to have a real certificate :-)
I just had to also update keyPassword (with the same password as the keystore) in jetty.xml.
