How to secure remote access to Domoticz with HTTPS using SSL Certificates
If you landed here, it means that you’ve tried to secure external access to your Domoticz server with HTTPS following the steps described here https://www.domoticz.com/wiki/Native_secure_access_with_Lets_Encrypt
And, like me, you got blocked after running the command:
$ sudo ./letsencrypt-auto
You probably saw this printed in your terminal:
Skipping bootstrap because certbot-auto is deprecated on this system.
Your system is not supported by certbot-auto anymore.
Certbot cannot be installed.
Please visit https://certbot.eff.org/ to check for other alternatives.
Keep reading. The solution is below. Well, in fact it was above ;)
Let’s start from scratch.
Install the needed system dependencies.
$ sudo apt update
$ sudo apt install python3 python3-venv libaugeas0
Remove any previously installed certbot package, so it does not shadow the version we are about to install in its own virtual environment.
$ sudo apt-get remove certbot
Set up a Python virtual environment
$ sudo python3 -m venv /opt/certbot/
$ sudo /opt/certbot/bin/pip install --upgrade pip
Now, install and prepare fresh new Certbot with the command
$ sudo /opt/certbot/bin/pip install certbot
$ sudo ln -s /opt/certbot/bin/certbot /usr/bin/certbot
Without stopping Domoticz (make sure it's up and running), execute the following command. The http-01 challenge it uses only succeeds if your domain name resolves to your public IP address and port 80 reaches the Domoticz web root from the internet (typically via a port forward on your router).
$ sudo certbot certonly --webroot
You'll then be asked to enter your domain name.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Please enter in your domain name(s) (comma and/or space separated) (Enter ‘c’
to cancel):
Let’s assume, mine is: hello.domo.com.
After this, you'll be asked for the web root of your Domoticz installation.
Requesting a certificate for hello.domo.com
Performing the following challenges:
http-01 challenge for hello.domo.com
Input the webroot for hello.domo.com: (Enter ‘c’ to cancel):
If, like me, you installed it in your home directory, you should enter something similar to:
/home/pi/domoticz/www
Don't forget the 'www'! Certbot writes a token file under .well-known/acme-challenge/ in that directory, and Let's Encrypt fetches it over plain HTTP on port 80 to prove that you control the domain name. If that fetch fails, the challenge fails and no certificate is issued.
Now, you should see something similar to:
Waiting for verification…
Cleaning up challenges
IMPORTANT NOTES:
— Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/hello.domo.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/hello.domo.com/privkey.pem
Your certificate will expire on 2021-07-22. To obtain a new or
tweaked version of this certificate in the future, simply run
certbot again. To non-interactively renew *all* of your
certificates, run “certbot renew”
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
Well done! We're almost there. A few more commands put the certificate where Domoticz expects it: a single server_cert.pem containing the private key followed by the full certificate chain.
$ sudo mv ~/domoticz/server_cert.pem ~/domoticz/server_cert.pem.org
$ sudo cat /etc/letsencrypt/live/hello.domo.com/privkey.pem > ~/domoticz/server_cert.pem
$ sudo cat /etc/letsencrypt/live/hello.domo.com/fullchain.pem >> ~/domoticz/server_cert.pem
Two caveats: the new server_cert.pem contains your private key, so make sure it is readable only by the user Domoticz runs as (mode 600), and Domoticz only loads this file at startup, so restart it before testing https://hello.domo.com.
One last command enables automatic renewal. Note that certbot renew only refreshes the files under /etc/letsencrypt/live; it does not rebuild ~/domoticz/server_cert.pem, so a renewed certificate will not reach Domoticz unless you rerun the three commands above after each renewal (certbot's --deploy-hook option can run a script that does this for you after every successful renewal).
$ echo "0 0,12 * * * root /opt/certbot/bin/python -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew -q" | sudo tee -a /etc/crontab > /dev/null
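The cron entry above renews the certificate under /etc/letsencrypt but leaves Domoticz's server_cert.pem untouched. The script below is an added example (it is not part of the original post, nor of Domoticz or certbot) of a certbot deploy hook that closes that gap: it rebuilds the combined PEM (key first, then chain) from the renewed lineage, writes it with mode 600 via a temporary file so Domoticz never sees a half-written file, and restarts Domoticz. The Domoticz path /home/pi/domoticz/server_cert.pem, the lineage name hello.domo.com and the service name domoticz.service are assumptions; adjust them to your host. certbot exports RENEWED_LINEAGE (the path to the renewed live directory) when it runs a deploy hook.

```sh
#!/bin/sh
# Certbot deploy hook that rebuilds Domoticz's combined PEM after a renewal.
# Added example, not part of the original post or of Domoticz/certbot.
# Assumptions (adjust to your host): Domoticz lives in /home/pi/domoticz
# and is started as domoticz.service.
set -eu

DOMOTICZ_CERT="${DOMOTICZ_CERT:-/home/pi/domoticz/server_cert.pem}"

# Build server_cert.pem (private key first, then the full chain) from a
# Let's Encrypt lineage directory such as /etc/letsencrypt/live/hello.domo.com.
# Writes to a temp file created with mode 0600 and renames it into place.
install_domoticz_cert() {
    lineage="$1"
    target="$2"
    key="$lineage/privkey.pem"
    chain="$lineage/fullchain.pem"

    if [ ! -r "$key" ] || [ ! -r "$chain" ]; then
        echo "install_domoticz_cert: cannot read $key or $chain" >&2
        return 1
    fi
    # Sanity-check the inputs before touching the live file: a wrong path
    # would otherwise silently break TLS on the next Domoticz restart.
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$key" || {
        echo "install_domoticz_cert: $key is not a PEM private key" >&2
        return 1
    }
    grep -q -- '-----BEGIN CERTIFICATE-----' "$chain" || {
        echo "install_domoticz_cert: $chain contains no certificate" >&2
        return 1
    }

    tmp="$target.tmp.$$"
    # umask in a subshell so the temp file is 0600 from the moment it exists;
    # the file holds the private key and must not be world-readable.
    ( umask 077; cat "$key" "$chain" > "$tmp" )
    chmod 600 "$tmp"
    mv -f "$tmp" "$target"
}

# Domoticz only reads server_cert.pem at startup, so restart it after
# installing a new certificate. The service name is an assumption.
restart_domoticz() {
    if command -v systemctl >/dev/null 2>&1; then
        systemctl restart domoticz.service
    else
        service domoticz restart
    fi
}

# certbot sets RENEWED_LINEAGE when it invokes a deploy hook. Without it
# (e.g. when the script is sourced for testing) nothing below runs.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    install_domoticz_cert "$RENEWED_LINEAGE" "$DOMOTICZ_CERT"
    restart_domoticz
fi
```

Save it as, for instance, /usr/local/bin/domoticz-cert-hook.sh, make it executable, and either append --deploy-hook /usr/local/bin/domoticz-cert-hook.sh to the certbot renew -q part of the cron entry or drop the script into /etc/letsencrypt/renewal-hooks/deploy/, which certbot runs after every successful renewal. The deploy hook does not fire for the certificate you just obtained with certonly, so run it once by hand in place of the manual mv/cat sequence: sudo RENEWED_LINEAGE=/etc/letsencrypt/live/hello.domo.com /usr/local/bin/domoticz-cert-hook.sh.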
Enjoy!
Sources: