SSL Certs - where are they?

  • Platform information:
    • Hardware: Raspberry Pi 3
    • OS: Raspbian
    • Java Runtime Environment: which java platform is used and what version
    • openHAB version: 2, via openhabian
  • Issue of the topic:

Everything is working. The Pi is behind an existing home router, for which I already have SSL certs on a separate server (obviously not on the same port as the Openhab). I would like to put those same certs on the Openhab SSL connection. But I seem unable to determine where to place the dot pem files which worked just fine on the RPi Webmin. Apparently Openhab2 runs its own unique web server.

Can someone tell me where these files (cert.pem, privkey.pem, and fullchain.pem) belong in order to cause the Openhab2 webserver to utilize them for SSL?

Depends on if you would like to replace the certificate in openhab software or in a reverse proxy that is the “interface” between the internet and your openhab installation:

I read the linked document, but it never said that certs cannot be implemented in the Openhab webserver or that authentication cannot be done in this same webserver. After reading many documents and threads herein, I am coming to the conclusion that the proxy is the only way.

It would be really helpful to us newbies if the document started off with something like “You cannot require authentication or use externally generated certs with the built-in Openhab web service. If you want these capabilities, you must use a proxy to achieve that end.” Yes, it says “there is no authentication in place” but to my feeble mind, that just says it’s not enabled, and is different than saying it cannot be done without a proxy.

Anyone can help with enhancing the documentation. There’s a link at each page bottom so go ahead, propose your change.

If you use the proxy setup in openhabian it’ll use Let’s Encrypt certs, including renewals. Read the code if you really want to know where it stores them, but there’s IMHO no point in trying to get these over to jetty because that does not do proper authentication so you must not expose it to the Inet without a proxy in between, and if you have that you don’t need certs on the web server.
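
The arrangement described in the reply above, as an added example that is not part of the original thread and not openHABian's own configuration: a reverse proxy terminates TLS with `fullchain.pem` and `privkey.pem`, requires authentication, and forwards to the built-in web server on the loopback interface. The choice of nginx, the hostname, the file paths, the password file and the upstream port 8080 are all assumptions.

```nginx
# Added example; hostname, paths and upstream port are assumptions.
server {
    listen 80;
    server_name openhab.example.org;            # placeholder hostname
    return 301 https://$host$request_uri;       # send plain HTTP to HTTPS
}

server {
    listen 443 ssl;
    server_name openhab.example.org;            # placeholder hostname

    # fullchain.pem holds the leaf certificate plus intermediates, so
    # cert.pem is not referenced separately here.
    ssl_certificate     /etc/ssl/openhab/fullchain.pem;   # placeholder path
    ssl_certificate_key /etc/ssl/openhab/privkey.pem;     # placeholder path; root-owned, mode 0600

    # Authentication is enforced at the proxy, before any request
    # reaches the built-in web server.
    auth_basic           "openHAB";
    auth_basic_user_file /etc/nginx/.htpasswd;  # placeholder password file

    location / {
        proxy_pass http://127.0.0.1:8080;       # assumed local openHAB HTTP port
        proxy_set_header Host              $http_host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

With this layout the router forwards only port 443 to the Pi, and the built-in server's own ports stay reachable from the LAN or loopback only.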