Use TLS for openHAB in Docker

  • Platform information:
    • Hardware: Raspberry Pi 4
    • OS: Raspberry Pi OS / x64 / 11 (bullseye)
    • Java Runtime Environment: 11.0.15 (Temurin-11.0.15+10) (running in Docker)
    • openHAB version: 3.3.0 (running in Docker)
    • ConBee 2 USB stick

Dear community,

As you can read, I’m running openHAB in Docker on my Raspberry Pi 4. I want to encrypt all web traffic with openHAB via TLS.

My first approach was to put openHAB under a URL path (myRaspi/openHAB) and redirect all web traffic for https:myRaspi/openHAB to http:localhost:8080 with nginx, but I failed to do so because of this GitHub issue.

That’s why I at least want to encrypt all traffic to https:myRaspi:8443. For this I need to instruct openHAB running in Docker to use my already existing certificates of myRaspi.

How do I have to pass the already existing certificates to the container and what do I have to configure so that openHAB will properly use them?

Thanks in advance!

See Securing Communication and Access | openHAB. For how to manipulate a keystore using keytool see The Most Common Java Keytool Keystore Commands

I’ve already found this piece of documentation, thank you. But from my understanding it doesn’t cover how to make it work with Docker

There’s nothing special about Docker. Go to whatever volume you’ve mounted into the container for userdata, find the etc/keystore file and manipulate that using keytool.


Since I’m running my own PKI, it was a little more work, but here is what worked for me:

  1. Create a single p12 file with the complete certificate chain and private key.
  2. Copy this p12 file into the openHAB container (e.g. docker cp myRaspi.p12 openhab:/tmp)
  3. Connect to the openHAB container (docker exec -it openhab bash)
  4. Remove the old certificate and install the new one:
     keytool -delete -alias mykey -keystore userdata/etc/keystore
     keytool -importkeystore -srckeystore /tmp/myRaspi.p12 -srcstoretype PKCS12 -destkeystore /openhab/userdata/etc/keystore -deststoretype jks -destalias mykey -srcalias myRaspi

Now I can successfully access https://myRaspi:8443 with the proper certificate.
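
Added example (not code from this thread or from the openHAB project): the same swap done from the host on the mounted userdata volume, as rlkoshak suggested, plus a fingerprint check that the entry openHAB will serve is the certificate you meant to install. It assumes the Jetty entry is the alias mykey and that the store and key password are the same (openHAB's stock keystore password is assumed to be "openhab"; the Securing Communication docs linked above are authoritative); file names and the p12 password are placeholders you pass in.

```shell
#!/bin/sh
# Added example, not the thread's own commands. Swaps an existing cert
# chain + private key into openHAB's Jetty keystore on the host-side
# userdata volume and verifies what actually landed there.
# Assumed: store password == key password (stock value "openhab", see the
# openHAB docs) and Jetty serves the entry under alias "mykey".
set -eu

# Bundle PEM key + leaf + CA chain into one PKCS12 under the given alias.
# Legacy PBE algorithms are forced so older Java keytools can read the file.
# usage: make_p12 KEY.pem LEAF.pem CHAIN.pem OUT.p12 ALIAS PASSWORD
make_p12() {
  openssl pkcs12 -export -inkey "$1" -in "$2" -certfile "$3" \
    -name "$5" -out "$4" -passout "pass:$6" \
    -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1
}

# Replace the "mykey" entry in KEYSTORE with the p12 entry SRCALIAS.
# A timestamped backup is kept so a bad import can be rolled back.
# usage: replace_keystore_entry KEYSTORE P12 SRCALIAS STOREPASS P12PASS
replace_keystore_entry() {
  cp "$1" "$1.bak.$(date +%Y%m%d%H%M%S)"
  if keytool -list -keystore "$1" -storepass "$4" -alias mykey >/dev/null 2>&1; then
    keytool -delete -alias mykey -keystore "$1" -storepass "$4"
  fi
  keytool -importkeystore -noprompt \
    -srckeystore "$2" -srcstoretype PKCS12 -srcstorepass "$5" -srcalias "$3" \
    -destkeystore "$1" -deststoretype JKS -deststorepass "$4" \
    -destalias mykey -destkeypass "$4"
}

# Number of PrivateKeyEntry records under alias "mykey" (expect exactly 1).
keystore_has_mykey() {
  keytool -list -keystore "$1" -storepass "$2" -alias mykey 2>/dev/null \
    | grep -c PrivateKeyEntry || true
}

# SHA-256 fingerprint of the leaf cert stored under "mykey" (hex, no colons).
keystore_cert_sha256() {
  keytool -list -v -keystore "$1" -storepass "$2" -alias mykey 2>/dev/null \
    | awk '/SHA256:/ { gsub(":", "", $2); print toupper($2); exit }'
}

# Same fingerprint from the PEM you intended to install; compare the two
# before restarting the container so you know Jetty will serve the right cert.
pem_cert_sha256() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//; s/://g'
}
```

Restart the container afterwards; the fingerprint the browser shows on https://myRaspi:8443 should then equal the output of pem_cert_sha256.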

Since the keystore file is stored outside Docker, it is easier, as @rlkoshak explained, to change the userdata/etc/keystore outside of Docker.