How to secure remote access to Domoticz with HTTPS using SSL Certificates

Passionaute
3 min read · Apr 23, 2021

If you landed here, it means that you’ve tried to secure external access to your Domoticz server with HTTPS following the steps described here https://www.domoticz.com/wiki/Native_secure_access_with_Lets_Encrypt

Let’s Encrypt SSL Certificates on Domoticz to enable Https

And, like me, you got blocked after running the command:

$ sudo ./letsencrypt-auto

You certainly saw the following output in your terminal:

Skipping bootstrap because certbot-auto is deprecated on this system.
Your system is not supported by certbot-auto anymore.
Certbot cannot be installed.
Please visit https://certbot.eff.org/ to check for other alternatives.

Keep reading. The solution is below. Well, in fact it was above ;)

Let’s start from scratch.

Install the needed system dependencies.

$ sudo apt update
$ sudo apt install python3 python3-venv libaugeas0

Remove existing certbot-auto

$ sudo apt-get remove certbot

Set up a Python virtual environment

$ sudo python3 -m venv /opt/certbot/
$ sudo /opt/certbot/bin/pip install --upgrade pip

Now, install and prepare a fresh Certbot with the commands

$ sudo /opt/certbot/bin/pip install certbot
$ sudo ln -s /opt/certbot/bin/certbot /usr/bin/certbot

Without stopping Domoticz (make sure it’s up and running), execute the following command

$ sudo certbot certonly --webroot

You’ll then be asked to enter your domain name.

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Please enter in your domain name(s) (comma and/or space separated) (Enter 'c'
to cancel):

Let’s assume mine is hello.domo.com.

After this, you’ll be required to enter the root directory of your Domoticz application.

Requesting a certificate for hello.domo.com
Performing the following challenges:
http-01 challenge for hello.domo.com
Input the webroot for hello.domo.com: (Enter 'c' to cancel):

If, like me, you’ve installed it in your home directory, you should enter something similar to:

/home/pi/domoticz/www

Don’t forget the ‘www’! Certbot places a file in that directory, and that file needs to be accessible from the internet so that your domain name can be verified.

Now, you should be prompted with something similar to:

Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/hello.domo.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/hello.domo.com/privkey.pem
Your certificate will expire on 2021-07-22. To obtain a new or
tweaked version of this certificate in the future, simply run
certbot again. To non-interactively renew *all* of your
certificates, run "certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

Well done! We’re almost there. A few more commands to install the certificate in the right place.

$ sudo mv ~/domoticz/server_cert.pem ~/domoticz/server_cert.pem.org
$ sudo cat /etc/letsencrypt/live/hello.domo.com/privkey.pem > ~/domoticz/server_cert.pem
$ sudo cat /etc/letsencrypt/live/hello.domo.com/fullchain.pem >> ~/domoticz/server_cert.pem

One last command to enable automatic renewal.

$ echo "0 0,12 * * * root /opt/certbot/bin/python -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew -q" | sudo tee -a /etc/crontab > /dev/null
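
The cron entry renews the files under /etc/letsencrypt/live/, but ~/domoticz/server_cert.pem is a hand-made copy that "certbot renew" never touches. The deploy hook below is an added example, not part of the original post: after each successful renewal it checks that the key matches the certificate, rebuilds the combined file with mode 0600 (it contains the private key) and restarts Domoticz. The hook file name, the /home/pi/domoticz path and the restart command are assumptions to adjust for your install.

```shell
#!/bin/sh
# Added example (not from the original post): certbot deploy hook for Domoticz.
# Assumed location: /etc/letsencrypt/renewal-hooks/deploy/domoticz-pem.sh
# Assumed values: Domoticz directory and restart command; adjust to your setup.
DOMOTICZ_PEM="${DOMOTICZ_PEM:-/home/pi/domoticz/server_cert.pem}"
RESTART_CMD="${RESTART_CMD:-service domoticz.sh restart}"

# key_matches_cert KEY CERT: succeed only if both hold the same public key.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# install_pem LINEAGE_DIR TARGET: write privkey.pem followed by fullchain.pem
# (the order used above) to TARGET. The data goes to a temp file first
# (mktemp creates it with mode 0600, since it holds the private key), takes
# the owner of the Domoticz directory, and is renamed into place.
install_pem() {
    key="$1/privkey.pem"; chain="$1/fullchain.pem"; dir=$(dirname "$2")
    [ -s "$key" ] && [ -s "$chain" ] || return 1
    tmp=$(mktemp "$dir/.server_cert.XXXXXX") || return 1
    cat "$key" "$chain" > "$tmp" &&
        chown "$(ls -ldn "$dir" | awk '{print $3 ":" $4}')" "$tmp" &&
        mv -f "$tmp" "$2" || { rm -f "$tmp"; return 1; }
}

# certbot sets RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/hello.domo.com)
# for deploy hooks; without it (run by hand) the script does nothing.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    key_matches_cert "$RENEWED_LINEAGE/privkey.pem" \
                     "$RENEWED_LINEAGE/fullchain.pem" || exit 1
    install_pem "$RENEWED_LINEAGE" "$DOMOTICZ_PEM" || exit 1
    $RESTART_CMD
fi
```

The script must be executable for certbot to run it.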

Enjoy!
