Letsencrypt Tutorial

Introduction

At some point you probably want to access your opentrigger setup from outside your firewall. This tutorial will guide you how to setup password protection and encrypt your traffic with Letsencrypt. Please be aware that security is always an investment, and there is no such thing as absolute security. Blindly following this tutorial alone will not protect your data.

Forwarding ports on your firewall and setting up domain names is a very specific task we can not cover in this tutorial. Your Router/Firewall/... usually comes with documentation which should cover the former.
Another source of information would be: portforward.com (only read the articles, they also want to sell you software which does it for you - but do you really want to thrust that?).
If you need a free subdomain with dyndns service have a look at: freedns.afraid.org

Requirements

For this tutorial we assume that you are running Raspbian jessie, your opentrigger stack ist already set up and you have a domain name configured.
Your domain name resolution has to work from outside (the public internet) and on your local network. The TCP Ports 80 and 443 must be mapped to your device - nothing more, nothing less. Keep away form that DMZ or ExposedHost settings. We will use letutorial.dev.opentrigger.com as domain for this tutorial, please replace that with your hostname.

Installing required Packages

sudo apt-get install nginx apache2-utils haveged

nginx is a resource friendly, but fully featured webserver.
apache2-utils contain the htpasswd tool we will use to add basic authentication.
haveged helps with entropy problems, its not a hard requirement, but will speed things up a bit.

After that nginx is running on port 80 and if you navigate to http://letutorial.dev.opentrigger.com/ you should see the nginx default page.

We also need certbot which currently is the recomendet way of getting Letsencrypt certificates.

wget https://dl.eff.org/certbot-auto
sudo install certbot-auto /usr/local/bin/
rm certbot-auto

Certificates

Now we start certbot-auto which will download and install its dependencies and performs (self)updates when needed. So the first run will take a little longer.

certbot-auto certonly --webroot -w /var/www/html/ -d letutorial.dev.opentrigger.com

Some dialogs will pop up and asking you to provide an Email address and agree to the 'Terms of Service'.

After the procedure is complete, certbot will tell you where your new certificates are stored:

Configuring nginx

Generating dhparams, even with havegd running, this could take some time.

sudo openssl dhparam -out /etc/nginx/dhparam.pem 2048

If you don't want to wait you could start another terminal session and leave that running in the background. (or use your shell to make that happen).

Setup your credentials. Substitute <username> with your preferred username.

sudo htpasswd -c /etc/nginx/letutorial.dev.opentrigger.com.htpasswd <username>

You will be asked for the password (twice). Please refer to man htpasswd on how to manage users.

Create a new site configuration file.

sudo nano /etc/nginx/sites-available/https

Paste the following content.

## sudo apt-get install nginx apache2-utils haveged

server {

    listen 443 ssl;
    server_name letutorial.dev.opentrigger.com; ## hostname

    ssl                         on;
    ssl_dhparam                 /etc/nginx/dhparam.pem;   ## create with: `sudo openssl dhparam -out /etc/nginx/dhparam.pem 2048` 
    ssl_certificate             /etc/letsencrypt/live/letutorial.dev.opentrigger.com/fullchain.pem;
    ssl_certificate_key         /etc/letsencrypt/live/letutorial.dev.opentrigger.com/privkey.pem;

    ssl_session_cache           shared:SSL:30m;
    ssl_session_timeout         30m;
    ssl_protocols               TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers                 ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
    ssl_buffer_size             8k;
    ssl_prefer_server_ciphers   on;

    add_header    Strict-Transport-Security max-age=31536000;

    ## if you want error or access logs
    # access_log  /var/log/nginx/letutorial.dev.opentrigger.com.access.log;
    # error_log /var/log/nginx/letutorial.dev.opentrigger.com.error.log;

    ## basic authentication - see `man htpasswd`
    auth_basic "Restricted";
    auth_basic_user_file /etc/nginx/letutorial.dev.opentrigger.com.htpasswd;    ## create with: `sudo htpasswd -c /etc/nginx/letutorial.dev.opentrigger.com.htpasswd <username>`

    ## you migt want to serve some static files
    # root /var/www/html;
    # location / { try_files $uri $uri/ =404; }
    # location ~ /\.  { return 404; }


    ## reverse proxy for node-red
    location /node-red/ {
      proxy_pass                      http://127.0.0.1:1880/;

      proxy_read_timeout              90;
      proxy_set_header                Host $host;
      proxy_set_header                X-Real-IP $remote_addr;
      proxy_set_header                X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header                X-Forwarded-Proto $scheme;
      proxy_set_header                Upgrade $http_upgrade;
      proxy_set_header                Connection $http_connection;
      proxy_http_version              1.1;
      proxy_pass_request_headers      on;

    }

    ## reverse proxy for mosquitto websockets (if it is configured and listening on port 8080)
    location /mosquitto-websockets/ {
      proxy_pass          http://127.0.0.1:8080/;

      proxy_http_version  1.1;
      proxy_set_header    Upgrade $http_upgrade;
      proxy_set_header    Connection "upgrade";
    }   

}

Testing

Check if openssl dhparam is finished by now, if not you have to wait for it.

Enable the site.

sudo ln -s /etc/nginx/sites-available/https /etc/nginx/sites-enabled/
sudo service nginx restart

Now you should be able to access your device over a password protected and encrypted Link:

Now go to ssllabs.com/ssltest and run the test. You should not go for less than A:

Renewal

Your certificate is valid for 90 days, but renewal is easy:

certbot renew

It would be best to automate the renewal process, please consult certbot's documentation for that.

results matching ""

    No results matching ""