Skip to content

Instantly share code, notes, and snippets.

@meineerde

meineerde/Use Let's Encrypt on Homematic | RaspberryMatic.md

Last active January 21, 2024 21:29
Show Gist options
  • Star 2 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save meineerde/6cc3c7ec01e7ebb2aa5be4eecfefeddf to your computer and use it in GitHub Desktop.
Save meineerde/6cc3c7ec01e7ebb2aa5be4eecfefeddf to your computer and use it in GitHub Desktop.
Download ZIP
Raw
Use Let's Encrypt on Homematic | RaspberryMatic.md

For the used SSL certificate to be valid, we need to use the externally visible hostname when accessing the homematic GUI. Thus, we need to configure this external hostname as the server's hostname, even if the server is only available on our internal network.

Be careful when exposing your actual homematic instance to the outside world without further safe-guards. Usually, it should only be accessible on the internal network.

Create a self-signed certificate

Go to Einstellungen -> Systemsteuerung -> Netzwerkeinstellungen. There, you can create a self-signed certificate. Enter the hostname, your email address, and your country. The latter two values are ratehr unimportant here.

We need this certificate so that the webserevr is cionfigured correctly and we have a template file which we can later overwrite with our actual SSL certificate from Let's Encrypt.

Enable SSH in Homematic

Go to Einstellungen -> Systemsteuerung -> Sicherheit. There, you can enable the SSH service and set a password for the root user.

Install acme.sh

Now, connect to the SSH-server as root with your chosen password.

We need to manually install acme.sh since the Root filesystem of our raspberrymatic installation is mounted readonly (only /usr/local is writable). We want to preserve this basic setup to still allow simple updates of RaspberryMatic.

mkdir /usr/local/.acme.sh
curl https://raw.githubusercontent.com/Neilpang/acme.sh/master/acme.sh > /usr/local/.acme.sh/acme.sh
chmod +x /usr/local/.acme.sh/acme.sh

Now we install the cronjob to automatically renew our certificates:

crontab -e

Add the following line:

0 0 * * * /usr/local/.acme.sh/acme.sh --cron --home /usr/local/.acme.sh > /dev/null

Obtain and install our certificate

/usr/local/.acme.sh/acme.sh --issue -d MYHOSTNAME.EXAMPLE.COM --standalone --httpport 8000 --home /usr/local/.acme.sh --fullchain-file /etc/config/server.crt --key-file /etc/config/server.key --reloadcmd "cat /etc/config/server.key /etc/config/server.crt > /etc/config/server.pem && chmod 600 /etc/config/server.pem && /etc/init.d/S50lighttpd reload"

Here, we use the standalone mode to confirm the ownership. For that to work, we need to:

  • Add the hostname to the external DNS, e.g. as a CNAME to our router
  • Configure the router to accapt HTTP requests to the hostname and to forward them to port 8000 of our internal homematic box. When using pfSense on the router, you could e.g. use the HAProxy package for that.

We leave this configuration as an excercise to the user.

If this is not possible, we could also use the DNS mode of acme.sh to avoid the HTTP negotiation (and accompanying setup of our router). For that, it is necessary that the external domain is hosted on one of the supported providers. See https://github.com/Neilpang/acme.sh/tree/master/dnsapi#how-to-use-dns-api for details on how to use this with acme.sh.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment