Using HTTPS with openhabian

  • Platform information:
    • Hardware: Raspberry Pi 4, 4 GB
    • OS: openhabian
    • Java Runtime Environment: which java platform is used and what version
    • openHAB version: 3.1

Hi,
we bought a raspberry Pi4 and installed openhabian via the SD Image.
We had installed openHAB on an Synology NAS earlier and found the same problem:
Light Switches in openHAB don´t work. They worked if we connected via HTTPS.
If we try to connect via HTTPS we get the message, that the certificate is not valid.
Is there a way to correct the default certificate?
Or is there an easy to understand documentation about how to install a Let´s Encrypt certificate on openhabian?
We are very beginners with raspberry and openhabian and we searched the documentation, the forum and the web for hours.

regards
Andreas

It’s important to understand how certificates work.

  1. The certificate is a way to prove identity. In this case a certificate proves that when you are connecting to openHAB, it is actually openHAB that you are connecting to.

  2. The certificate is tied to the dns name of the server. If you can connect to your openHAB instance using https://myhostname:8443 or https://192.168.1.123:8443, you will get an error on the second URL because the certificate is tied to the DNS name (there are ways around that but that’s outside the scope of this thread).

  3. A service like LetsEncrypt works by you presenting proof that you own a given DNS domain name. That means:
    a. you need to actually own a domain name
    b. have to have a service that is publicly accessible from the Internet on that domain

  4. Once you get a certificate for a domain name you own and which is accessible over the internet, that becomes the only way you can access the service and have the certificate be valid.

  5. openHAB is not safe to expose to the Internet

  6. openHAB ships with a default self-signed certificate. That’s what the error you see in the browser is complaining about. A self signed certificate isn’t very useful when it comes to proving identity. It would be like being able to design and print a valid passport at home.

  7. But who cares if the self signed certificate can prove identity when you are on the same network? You already know that it’s highly unlikely that someone has hacked your network and inserted themselves between you and your openHAB server for some nefarious purposes.

So you’ve got a few options here (in order of preference):

  1. Just use HTTP and port 8080 locally. It would be unusual to have a local home network where encryption between services on the same network will actually mitigate any likely threats.

  2. Just because the browser complains about an untrustworthy certificate doesn’t mean you can’t access the website. Click on “advanced” and proceed to the openHAB page. The certificate isn’t actually invalid. It’s just not trusted because it’s self siogned. The browser won’t let you access a page that has an invalid certificate (e.g. expired, wrong domain name, etc.) but it will let you click through for a self signed certificate. You can, if necessary set a property on the page to automatically accept the certificate even though it’s self signed so next time you don’t have to click through.

  3. Establish a Certificate Authority for all your home services. Configure all your devices to trust any certificate signed by that Certificate Authority.

  4. Only connect to openHAB through myopenhab.org, even when on your local network. The connection is end-to-end encrypted and if that’s what you care about you basically get it for free.

  5. Acquire a DNS domain name. It’ll have to support dynamic DNS as your home publicly available IP address is likely to change periodically. Expose a port and set up port forwarding on your router. In openhabian-config option 40 there is an option (44) to install and set up Nginx as a reverse proxy. I think it will also set up LetsEncrypt certificates. If not see Securing Communication and Access | openHAB for instructions for how to do that. Once set up and working, all your connections to openHAB has to be done through the publicly available URL.

Honestly, anything after 2 is a whole heck of a lot of work to just make a scary by mostly benign warning go away when accessing OH on your local network.

1 Like

Thanks a lot for your answer.
I forgot to mention, that I only want to access openHAB over the local network. And I’m not really interested in HTTPS, but we have a problem with the light switches on our self configured page.
We can control our blinds with no problem, but light switches don’t work. With our old openHAB installion on a NAS we could solve this by using HTTPS. This is obviously not the case with openHabian. Can you give us a hint how to fix this?

Regards
Andreas

Not without a whole lot of information about what light switches they are, how they are connected to OH, which bindings, versions, etc. And even then I probably can’t help much as it’s highly unlikely its any technology I’ve personally ever dealt with.

Connecting to OH over HTTPS should have nothing to do with making those lights work. That’s only going to influence the network traffic between your browser and the OH server. It’s a completely separate connection between OH and the lights.