Securing Openhab with free ssl Let's Encrypt Certificates

I actually was looking at this: https://gist.github.com/jpmens/8029383 to complete the task as I have a registered domain name and wanted to overcome the untrusted / unknown CA from the default certificates. You might find it helpful though as well. Good luck.

And this as well: directions for openssl key and cert request generation, and access directions for a free cert. Between the page this is posted to, and these two links, I was able to get everything accomplished. https://samhobbs.co.uk/2014/04/ssl-certificate-signing-cacert-raspberry-pi-ubuntu-debian
I would, however, avoid the wildcard *.fqdn that is suggested; it doesn’t work on all the platforms and browsers I’ve attempted it with, most, but not all.

Thanks, I updated my post with some details on how to find the jetty utils when they are not in the same path as mine.

Followed everything; after I tried to load it I am getting "connection refused" from the browser.

Thanks, I got all the way to item 9 on your list. However, the jetty.xml looks pretty different on OpenHAB 2.0,
and Google was not too helpful either. Does someone know how to adapt the jetty configuration in OpenHAB 2.0 (jetty-util-9.2.19.v20160908)?

You might want to check out these instructions: http://docs.openhab.org/installation/security.html#nginx-reverse-proxy
The goal is slightly different but in the end you’ll have a password-protected https (Let’s Encrypt) access to your openHAB installation. Btw. this is also part of openHABian.

Thanks to Stratehm on an older post found here: SSL with OpenHAB2 - #2 by Stratehm
I now have the basic Jetty setup running with a signed certificate on OH 2.1. The approach is more or less the same as above, except: skip steps 4, 7, 8 & 9. You don’t overwrite the existing keystore container file; you ‘delete’ the ‘mykey’ alias inside the OH keystore file, then import your new one.

Instead of step 7 do these two, delete the old certificate:

keytool -delete -alias mykey -keystore /OpenHAB2InstallDir/etc/keystore

Add your own certificate straight from the pkcs.p12 file:

keytool -importkeystore -srckeystore /etc/letsencrypt/live/DOMAIN.tld/pkcs.p12 -srcstoretype pkcs12 -srcalias SRC_ALIAS -destkeystore /OpenHAB2InstallDir/etc/keystore -deststoretype jks -deststorepass openhab -destalias mykey
# SRC_ALIAS is the -name given when pkcs.p12 was exported; keytool requires -srcalias whenever -destalias is used
rm /etc/letsencrypt/live/DOMAIN.tld/pkcs.p12

Passwords are ‘openhab’ or assumed to be.

Is this still valid for Openhab2 2.4.0-M5 ? Is there any GUI based option for installing certificate?

I have the same question. Is this still valid? Security is the biggest benefit. But do I need to enable SSL on MQTT or my custom firmware like Tasmota / ESP Easy devices?

What do you guys want to achieve? :slight_smile:
This (old) post is about using Let’s Encrypt Certs for the embedded OH2 web server (jetty)

By default, OH2 comes with its own self signed SSL Certs, used on https://OH2_IP:8443/

(imho) No real need to deploy anything else (or to change the default certs)

Also, don’t confuse HTTPS with MQTT. That’s another story. The question remains: what do you want to achieve?

Basically the same as the post states: replace the default certificate with a Let’s Encrypt cert. I was wondering if this manual is still valid for Openhab 2.4.0-M5, as it might have some new way of achieving this.

Not if they are all in the same private network

I would also like to know, the documentation suggests using an nginx proxy. But using SSL on Jetty should be working as well, but I can’t seem to locate the keystore (or myKeystore as the jetty.config.xml suggests).

Haven’t tried it but I found: http://www.eclipse.org/jetty/documentation/current/configuring-ssl.html
What’s wrong with the self-signed certs? :slight_smile:

The original post was written more than 2 years ago, when OH2 was using Jetty 8.
Now we have Jetty 9, so the configs are different.

Jetty 8 related: Eclipse Jetty | The Eclipse Foundation
Jetty 9 related: http://www.eclipse.org/jetty/documentation/current/configuring-ssl.html

With some adaptation you can make it work (apply Let’s Encrypt certs to OH2 running Jetty 9).

Thanks. Need to try it some day.

For those trying to replace the self-signed key and certificate in OH2.5, the steps above need a little modification. This is what has worked for me. NB. OH is designed with few security layers in place and it uses a default password “openhab” both for the keystore and the key itself. The name of the key has to be “mykey” unless you change other config files. Feel free to figure out how to change it, but do not expect much in terms of increasing the overall security. The only advantage of using a proper certificate, like LE in this case, is to avoid browser warnings and/or having to install CAs into them, while at least having browser-OH traffic encrypted. While this is a useful and important part of security hygiene, it is also merely a drop in the ocean in terms of home automation security, which is still very, very poor no matter the provider nowadays. Rant end.

openssl pkcs12 -nodes -passout pass:openhab \
        -inkey YOUR_PRIVATE_KEY \
        -in YOUR_CERTIFICATE \
        -export -name mykey \
        -out SOMEWHERE/oh.pkcs12
keytool -delete -alias mykey -deststorepass openhab \
        -keystore /var/db/openhab2/userdata/etc/keystore
keytool -importkeystore -srcstorepass openhab \
        -srckeystore SOMEWHERE/oh.pkcs12 \
        -srcstoretype PKCS12 -deststoretype jks \
        -alias mykey -destalias mykey -deststorepass openhab \
        -destkeystore /var/db/openhab2/userdata/etc/keystore

@mstormi would be great to implant this into openHABian. Any chances?

Apart from that I don’t understand what this is about and won’t dig gazillions of messages just to understand your question in the first place, chances are right as high as chances you implement this yourself are.
BTW, in openHABian use nginx rather than running jetty on SSL. nginx automatically uses LetsEncrypt certs when you install from the menu.

And stop pinging people please.

How to ask a good question / Help Us Help You - Tutorials & Examples - openHAB Community

:+1:

Hello,
My installation is Ubuntu 22.04 and OpenHab 3 with a domain name.

I solved the issue in the following way.

The principle is to replace the default keystore file (/var/lib/openhab/etc) generated by openhab at installation, which gives a certificate for openhab.org.
No need to modify jetty.xml.
Assumption: you already have a LetsEncrypt certificate in /etc/letsencrypt/live/mydomain.be

First step: add the .pem files to a PKCS 12 archive. We do this with the OpenSSL tool, using the following command.

openssl pkcs12 -export \
    -in /etc/letsencrypt/live/mydomain.be/cert.pem \
    -inkey /etc/letsencrypt/live/mydomain.be/privkey.pem \
    -out /tmp/mydomain.be.p12 \
    -name mydomain.be \
    -CAfile /etc/letsencrypt/live/mydomain.be/fullchain.pem \
    -caname "Let's Encrypt Authority X3" \
    -password pass:openhab

Replace mydomain.be with your own DNS name.
IMPORTANT: the password must be openhab, otherwise it will not work!!! (That’s the password used by openhab to generate its keystore file, and it is used later on.)

Second step: import the certificates into a .keystore file.

keytool -importkeystore \
    -deststorepass openhab \
    -destkeypass openhab \
    -deststoretype pkcs12 \
    -srckeystore /tmp/mydomain.be.p12 \
    -srcstoretype PKCS12 \
    -srcstorepass openhab \
    -destkeystore /tmp/mydomain.be.keystore \
    -alias mydomain.be

Third step: you can now copy the keystore from /tmp/mydomain.be.keystore to /var/lib/openhab/etc.
mv /tmp/mydomain.be.keystore /var/lib/openhab/etc/keystore
This will replace the default keystore file with the one generated from the letsencrypt certificate.

It could also be interesting to check that the new keystore file is correct with:
keytool -list -v -keystore /var/lib/openhab/etc/keystore >output_filename.txt
(it will request the password = openhab)
View the output file:
nano /var/lib/openhab/etc/output_filename.txt

Note: no error message should be present in this output file.

Last step: make a script and cron it, in order to update the certificate when it is renewed by letsencrypt.

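The "last step" above, and the keytool delete/import sequence from the OH 2.1 and OH 2.5 posts earlier in the thread, can be combined into one certbot deploy hook. The script below is an added example, not code from the thread or from the openHAB project. It assumes the conventions the thread establishes (keystore password "openhab", alias "mykey"), the OH3 keystore path /var/lib/openhab/etc/keystore (OH2 installs use a different directory, see the earlier posts), a service named "openhab", and that certbot exports RENEWED_LINEAGE (the live/ directory of the renewed certificate) to deploy hooks, which it does. It bundles fullchain.pem rather than cert.pem so the Let's Encrypt intermediate is shipped to browsers along with the leaf.

```shell
#!/bin/sh
# Added example (not from the thread or openHAB): certbot deploy hook that
# rebuilds the openHAB keystore from a renewed Let's Encrypt lineage.
# Install with: certbot renew --deploy-hook /path/to/this-script
# Assumptions: password "openhab", alias "mykey", OH3 keystore path,
# service "openhab", owner "openhab". Adjust via the environment if needed.
set -eu

OH_KEYSTORE="${OH_KEYSTORE:-/var/lib/openhab/etc/keystore}"
STORE_PASS="${STORE_PASS:-openhab}"   # openHAB's fixed keystore/key password
KEY_ALIAS="${KEY_ALIAS:-mykey}"       # alias Jetty looks up in the keystore
OH_USER="${OH_USER:-openhab}"         # owner of the keystore file (assumed)

# Step 1: bundle the LE private key and certificate chain into a PKCS#12 file.
# fullchain.pem (leaf + intermediate) is used so browsers receive the chain.
build_p12() {
    live_dir="$1"; out="$2"; pass="$3"; alias="$4"
    [ -r "$live_dir/privkey.pem" ] && [ -r "$live_dir/fullchain.pem" ] || {
        echo "missing privkey.pem or fullchain.pem in $live_dir" >&2; return 1; }
    openssl pkcs12 -export \
        -inkey "$live_dir/privkey.pem" \
        -in "$live_dir/fullchain.pem" \
        -name "$alias" \
        -passout "pass:$pass" \
        -out "$out"
}

# Read the bundle back with the expected password and print the leaf subject.
# A wrong password or a broken export makes this fail, so it doubles as a check.
p12_subject() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -subject
}

# Step 2: remove the old alias and import the new one under the same name.
# No -deststoretype is given, so the existing store file is reused as-is
# (jks on OH2, pkcs12 on OH3) instead of creating a second format.
install_p12() {
    p12="$1"; keystore="$2"; pass="$3"; alias="$4"
    cp -p "$keystore" "$keystore.bak.$(date +%Y%m%d%H%M%S)"   # rollback copy
    # -delete fails if the alias is absent (e.g. a fresh store); that is fine
    keytool -delete -alias "$alias" -keystore "$keystore" \
        -storepass "$pass" 2>/dev/null || true
    keytool -importkeystore -noprompt \
        -srckeystore "$p12" -srcstoretype PKCS12 -srcstorepass "$pass" \
        -srcalias "$alias" -destalias "$alias" \
        -destkeystore "$keystore" -deststorepass "$pass" -destkeypass "$pass"
}

# Step 3: confirm the alias is a private-key entry, fix ownership, and
# restart openHAB so Jetty reloads the keystore (it reads it only at startup).
verify_and_restart() {
    keystore="$1"; pass="$2"; alias="$3"
    keytool -list -keystore "$keystore" -storepass "$pass" -alias "$alias" \
        | grep -q PrivateKeyEntry
    chown "$OH_USER:$OH_USER" "$keystore"
    systemctl restart openhab
}

main() {
    tmp=$(mktemp)
    trap 'rm -f "$tmp"' EXIT   # the bundle holds the private key; never leave it behind
    build_p12 "$RENEWED_LINEAGE" "$tmp" "$STORE_PASS" "$KEY_ALIAS"
    p12_subject "$tmp" "$STORE_PASS" >/dev/null
    install_p12 "$tmp" "$OH_KEYSTORE" "$STORE_PASS" "$KEY_ALIAS"
    verify_and_restart "$OH_KEYSTORE" "$STORE_PASS" "$KEY_ALIAS"
}

# Act only when certbot calls us as a deploy hook (RENEWED_LINEAGE is set).
# To run it by hand: RENEWED_LINEAGE=/etc/letsencrypt/live/mydomain.be ./this-script
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    main
fi
```

Because certbot only runs deploy hooks after a successful renewal, this replaces the cron job from the last step: nothing touches the keystore unless a new certificate actually exists. The temporary PKCS#12 file is removed on every exit path, since it contains the private key, and the previous keystore is kept as a timestamped backup so a failed import can be reverted by copying it back and restarting openHAB.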