Securing Openhab with free ssl Let's Encrypt Certificates

These steps will create a keystore file for your openhab server from the the Let’s Encrypt service and configure jetty to use it.

1) Get / install the lets encrypt program

git clone
cd letsencrypt

2) Create the ssl keys

./letsencrypt-auto certonly --standalone -d DOMAIN.TLD --email EMAIL@EMAIL.TLD

note: if it fails with a error that the domain can’t be validated, you may need to ensure port 443 is open

3) Create a PKCS12 file containing full chain and private key

Change to the directory ( /etc/letsencrypt/live/DOMAIN.tld) where the certificates were created.
openssl pkcs12 -export -in fullchain.pem -inkey privkey.pem -out pkcs.p12 -name NAME

4) Convert PKCS12 to Keystore

The STORE_PASS is the password which was entered in step 3) as a password for the pkcs12 file.

keytool -importkeystore -deststorepass PASSWORD_STORE -destkeypass PASSWORD_KEYPASS -destkeystore keystore.jks -srckeystore pkcs.p12 -srcstoretype PKCS12 -srcstorepass STORE_PASS -alias NAME

5. Shut down openHAB

6. Backup [openhab dir]/etc/keystore

7. Copy the keystore.jks file to your openhab
cp keystore.jks [openhab]/etc/keystore.jks

8. prepare jetty.xml password

java -cp ./server/plugins/org.eclipse.jetty.util_8.1.3.v20120522.jar passwd

If you are stuck at this point, your location for the jetty utils may be different. In Linux you may find the location by issuing (OH1.x) find / -name *jetty.util* (OH2) find / -name *jetty-util*. In windows use the search function.

9. update jetty.xml
Open jetty.xml in the [openhab]/etc/jetty.xml
find the ssl section, and update the passwords from the previous step & keystore file

<New class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
<Set name="port"><Property name="jetty.port.ssl" /></Set>
<Set name="maxIdleTime">30000</Set>
<Set name="Acceptors">2</Set>
<Set name="AcceptQueueSize">100</Set>
<Set name="Keystore"><Property name="jetty.home" default="." />/etc/keystore.jks</Set>
<Set name="Password">OBF:1v2j1vu11ym71ym71vv91v1v</Set>
<Set name="KeyPassword">OBF:1v2j1vu11ym71ym71vv91v1v</Set>

10. Start your openHAB

Hope this helps you


This is a good idea. I just done that yesterday! (with a self sign) :slightly_smiling:

Thank you very much for the example. I still did not managed to get things working again. I used myopenhab a lot and lost the connection due to the new certificates. I do not know much about certificates, I hope that you can help me out. I did all the steps above. I am not able to figure out

Parameters DOMAIN.TLD and EMAIL@EMAIL.TLD. I do not have a server online and my raspberrypi is running locally on the LAN. I used the myopenhab persistent addon and a registration at the myopenhab website. What do I need to use for both parameters?

Thanks in advance!

Then you just need to update your java. The above example is for accessing your openhab without my.openhab.
You will find more hints here:

you could use a domain from on of the free domain services and your normal email. Having said that, if you only run your openhab from your local network and have all internet access though myopenhab, I think there is not much need to have certificates.

In that case get your myopenhab running again by using the latest java version just as @sihui described.
See also OH2 my.openHAB shows offline and nothing in logs

Thanks Sihui and Marcel for the directions. Solved by installing the latest Java. Openhab is online again :slight_smile:

Many thanks for putting this together. I get stuck at step 8

I enter:

java -cp ./server/plugins/org.eclipse.jetty.util_8.1.3.v20120522.jar passwd

and receive the error:
Could not find or load main class

Would be really grateful for any help…



1 Like

I think in the new distribution this has changed location. In OH2 from the OH folder it is now:
java -cp ./runtime/karaf/system/org/eclipse/jetty/jetty-util/9.2.14.v20151106/jetty-util-9.2.14.v20151106.jar passwd

(you can find the location of the jar file by searching with find . -name jetty-util*)

Hope this helps

1 Like

thanks - although I’m still using OH1.8

I want to thank you as well. I am also using OH1.8 and was stuck exactly where dan12345 was/is, until I paid attention to the path I was executing the command from and adjusted my path and/or command accordingly. I can verify step 8 now and the path is (on my raspberry pi) /usr/share/openhab/server/plugins/org.eclipse.jetty…

I actually was looking at this: to complete the task as I have a registered domain name and wanted to overcome the untrusted / unknown CA from the default certificates. You might find it helpful though as well. Good luck.

And this as well. directions for openssl key and cert request generation, and access direction for a free cert. Between the page this is posted too, and these two links, I was able to get everything accomplished.
I would, however, avoid the wildcard *.fqdn that is suggested; it doesn’t work on all the platforms and browsers I’ve attempted it with, most, but not all.

Thanks, I update my post with some details how to find the jetty utils when it is not in the same path as mine.

followed everything after i tried to load i am getting connection refused from the browser

Thanks, I got all the way to item 9 on your list. However, the jetty.xml looks pretty different on OpenHAB 2.0
and Google was not too helpful either. Does someone know how to adapt the jetty configuration in OpenHAB 2.0 (jetty-util-9.2.19.v20160908)

You might want to check out these instructions:
The goal is slightly different but in the end you’ll have a password-protected https (Let’s Encrypt) access to your openHAB installation. Btw. this is also part of openHABian.

Thanks to Stratehm on an older post found here : SSL with OpenHAB2
I now have the basic Jetty setup running with a signed certificate on OH 2.1. The approach is more or less the same as above except, skip steps 4, 7, 8 & 9, you don’t overwrite the existing keystore container file you ‘delete’ the ‘mykey’ alias inside the OH keystore file then import your new one.

Instead of step 7 do these two, delete the old certificate:

keytool -delete -alias mykey -keystore /OpenHAB2InstallDir/etc/keystore

Add your own certificate straight from the pkcs.p12 file:

keytool -importkeystore -srckeystore /etc/letsencrypt/live/DOMAIN.tld/pkcs.p12 -srcstoretype pkcs12 -destkeystore /OpenHAB2InstallDir/etc/keystore -deststoretype jks -deststorepass openhab -destalias mykey
rm /etc/letsencrypt/live/DOMAIN.tld/pkcs.p12

Passwords are ‘openhab’ or assumed to be.

Is this still valid for Openhab2 2.4.0-M5 ? Is there any GUI based option for installing certificate?

I have same question . Is this still valid ? Security is biggest benefit . But Do I need to enable SSL on MQTT or my custom firmware like Tasmota / ESP Easy devices ?

What do you guys want to achieve? :slight_smile:
This (old) post is about using Let’s Encrypt Certs for the embedded OH2 web server (jetty)

By default, OH2 comes with its own self signed SSL Certs, used on https://OH2_IP:8443/

(imho) No real need to deploy anything else (or to change the default certs)

Also, don’t confuse HTTPS with MQTT. That’s another story. The question remains: what do you want to achieve?

Basically same as post states. Replace default certificate with Let’s Encrypt Cert. I was wondering if this manual still valid for Openhab 2.4.0-M5 as it might have some new way of achieving this.