Securing Openhab with free ssl Let's Encrypt Certificates

Not if they are all in the same private network

I would also like to know, the documentation suggests using an nginx proxy. But using SSL on Jetty should be working as well, but I can’t seem to locate the keystore (or myKeystore as the jetty.config.xml suggests).

haven’t tried it but I found : http://www.eclipse.org/jetty/documentation/current/configuring-ssl.html
what’s wrong with the self signed certs ? :slight_smile:

The original post was written more than 2 years ago when OH2 was using Jetty 8
Now, we have Jetty 9 so the configs are different

Jetty 8 related: https://wiki.eclipse.org/Jetty/Howto/Configure_SSL
Jetty 9 related: http://www.eclipse.org/jetty/documentation/current/configuring-ssl.html

with some adaptation you can make it work (apply Let’s Encrypt Certs to OH2 running Jetty 9)

Thanks. Need to try it some day.

For those trying to replace the self-signed key and certificate in OH2.5 the steps above need a little modification. This is what has worked for me. NB. OH is designed with few security layers in place and it uses a default password “openhab” both for the keystore and the key itself. The name of the key has to be “mykey” unless you change other config files. Feel free to figure out how to change it, but do not expect much in terms of increasing the overall security. The only advantage of using a proper certificate, like LE in this case, is to avoid browser warnings and/or having to install CAs into them, while at least having browser-OH traffic encrypted. While this is useful and important part of security hygiene, it is also merely a drop in the ocean in terms of home automation security, which is still very, very poor no matter the provider nowadays. Rant end.

openssl pkcs12 -nodes -passout pass:openhab \
        -inkey YOUR_PRIVATE_KEY \
        -in YOUR_CERTIFICATE \
        -export -name mykey \
        -out SOMEWHERE/oh.pkcs12
keytool -delete -alias mykey -deststorepass openhab \
        -keystore /var/db/openhab2/userdata/etc/keystore
keytool -importkeystore -srcstorepass openhab \
        -srckeystore SOMEWHERE/oh.pkcs12 \
        -srcstoretype PKCS12 -deststoretype jks \
        -alias mykey -destalias mykey -deststorepass openhab \
        -destkeystore /var/db/openhab2/userdata/etc/keystore
2 Likes

@mstormi would be great to implant this into openHABian. Any chances?

Apart from that I don’t understand what this is about and won’t dig gazillions of messages just to understand your question in the first place, chances are right as high as chances you implement this yourself are.
BTW in openHABian use nginx rather than to run jetty on SSL. nginx automatically uses LetsEncrypt certs when you install from the menu.

And stop pinging people please.

How to ask a good question / Help Us Help You - Tutorials & Examples - openHAB Community

:+1: