jeena/home-assistant.github.io
1
0
Fork 0
Code Issues Pull requests Projects Packages Wiki Activity Actions
home-assistant.github.io/blog/2015/12/13/setup-encryption-using-lets-encrypt/index.html
Travis CI 691c559bae Site updated at 2016-10-02 16:01:22 UTC
2016-10-02 16:01:22 +00:00

345 lines
No EOL
17 KiB
HTML
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

<!doctype html>
<!--[if lt IE 7]> <html class="no-js lt-ie9 lt-ie8 lt-ie7"> <![endif]-->
<!--[if IE 7]> <html class="no-js lt-ie9 lt-ie8"> <![endif]-->
<!--[if IE 8]> <html class="no-js lt-ie9"> <![endif]-->
<!--[if gt IE 8]><!--> <html> <!--<![endif]-->
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
<title>Set up encryption using Let's Encrypt - Home Assistant</title>
<meta name="author" content="Paulus Schoutsen & Martin Hjelmare">
<meta name="description" content="Tutorial how to encrypt your connection with Home Assistant.">
<meta name="viewport" content="width=device-width">
<link rel="canonical" href="https://home-assistant.io/blog/2015/12/13/setup-encryption-using-lets-encrypt/">
<meta property="fb:app_id" content="338291289691179">
<meta property="og:title" content="Set up encryption using Let's Encrypt">
<meta property="og:site_name" content="Home Assistant">
<meta property="og:url" content="https://home-assistant.io/blog/2015/12/13/setup-encryption-using-lets-encrypt/">
<meta property="og:type" content="article">
<meta property="og:description" content="Tutorial how to encrypt your connection with Home Assistant.">
<meta property="og:image" content="https://home-assistant.io/images/blog/2015-12-lets-encrypt/letsencrypt-secured-fb.png">
<meta name="twitter:card" content="summary_large_image">
<meta name="twitter:site" content="@home_assistant">
<meta name="twitter:creator" content="@balloob">
<meta name="twitter:title" content="Set up encryption using Let's Encrypt">
<meta name="twitter:description" content="Tutorial how to encrypt your connection with Home Assistant.">
<meta name="twitter:image" content="https://home-assistant.io/images/blog/2015-12-lets-encrypt/letsencrypt-secured-fb.png">
<link href="/stylesheets/screen.css" media="screen, projection" rel="stylesheet">
<link href="/atom.xml" rel="alternate" title="Home Assistant" type="application/atom+xml">
<link rel='shortcut icon' href='/images/favicon.ico' />
<link rel='icon' type='image/png' href='/images/favicon-192x192.png' sizes='192x192' />
</head>
<body >
<header>
<div class="grid-wrapper">
<div class="grid">
<div class="grid__item three-tenths lap-two-sixths palm-one-whole ha-title">
<a href="/" class="site-title">
<img width='40' src='/demo/favicon-192x192.png'>
<span>Home Assistant</span>
</a>
</div>
<div class="grid__item seven-tenths lap-four-sixths palm-one-whole">
<nav>
<input type="checkbox" id="toggle">
<label for="toggle" class="toggle" data-open="Main Menu" data-close="Close Menu"></label>
<ul class="menu pull-right">
<li><a href='/getting-started/'>Getting started</a></li>
<li><a href='/components/'>Components</a></li>
<li><a href='/cookbook/'>Examples</a></li>
<li><a href="/developers/">Developers</a></li>
<li><a href="/blog/">Blog</a></li>
<li><a href="/help/">Need help?</a></li>
</ul>
</nav>
</div>
</div>
</div>
</header>
<div class="grid-wrapper">
<div class="grid grid-center">
<div class="grid__item two-thirds lap-one-whole palm-one-whole">
<article class="post">
<header>
<h1 class="title indent">Set up encryption using Let's Encrypt</h1>
<div class="meta clearfix">
<time datetime="2015-12-13T18:05:00+00:00" pubdate data-updated="true"><i class="icon-calendar"></i> December 13, 2015</time>
<span class="byline author vcard"><i class='icon-user'></i> Paulus Schoutsen & Martin Hjelmare</span>
<span><i class='icon-time'></i> five minutes reading time</span>
<span>
<i class="icon-tags"></i>
<ul class="tags unstyled">
<li>How-To</li>
</ul>
</span>
<a class='comments'
href="#disqus_thread"
>Comments</a>
</div>
</header>
<p>Exposing your Home Assistant instance outside of your network always has been tricky. You have to set up port forwarding on your router and most likely add a dynamic DNS service to work around your ISP changing your IP. After this you would be able to use Home Assistant from anywhere but there is one big red flag: no encryption.</p>
<p>This tutorial will take you through the steps to setup a dynamic DNS for your IP and allow trusted encrypted connection to it - for free using <a href="https://duckdns.org">DuckDNS</a> and <a href="https://letsencrypt.org">Lets Encrypt</a>.</p>
<p class="img">
<img src="/images/blog/2015-12-lets-encrypt/letsencrypt-secured.png" />
</p>
<a name="read-more"></a>
<p><strong>Updated 2016-06-18</strong></p>
<h3><a class="title-link" name="requirements" href="#requirements"></a> Requirements</h3>
<p>The DuckDNS part of this tutorial has no requirements but there are a few requirements as of now to run the Lets Encrypt client.</p>
<ul>
<li>Direct connection to the internet or admin access to your router to set up port forwarding.</li>
<li>A machine running a Unix-ish OS that include Python 2.6 or 2.7 (Docker can be used).</li>
<li>Root access, to write to default config, log and library directories and bind port 80.</li>
</ul>
<p><img src="/images/supported_brands/duckdns.png" style="clear: right; border:none; box-shadow: none; float: right; margin-left: 8px; margin-bottom: 8px;" width="60" /></p>
<h3><a class="title-link" name="duckdns" href="#duckdns"></a> DuckDNS</h3>
<p>The first step is to set up <a href="https://duckdns.org">DuckDNS</a>. This is a free dynamic DNS service that you can use to get a DuckDNS.org subdomain to point at your house. A dynamic DNS service works by having your home computer tell DuckDNS.org every 5 minutes what its IP is so that DuckDNS can make sure your domain name is set up correctly.</p>
<p>For this example we will assume our domain is hass-example.duckdns.org.</p>
<p>First step is to acquire and set up our domain name. For this, go to <a href="https://duckdns.org">DuckDNS</a>, log in with any of the supported login providers and add a domain. After this check out their <a href="https://www.duckdns.org/install.jsp">installation instructions</a> to finish your installation of DuckDNS. If youre on a Raspberry Pi, see Pi in the category Operating Systems.</p>
<p><img src="/images/supported_brands/letsencrypt.png" style="clear: right; border:none; box-shadow: none; float: right; margin-left: 8px; margin-bottom: 8px;" width="60" /></p>
<h3><a class="title-link" name="lets-encrypt" href="#lets-encrypt"></a> Lets Encrypt</h3>
<p><a href="https://letsencrypt.org">Lets Encrypt</a> is a free, automated, and open certificate authority (CA). We will use this to acquire a certificate that can be used to encrypted our connection with Home Assistant.</p>
<p>Lets Encrypt will give you a free 90-day certificate if you pass their domain validation challenge. Domains are validated by having certain data be accessible on your domain for Lets Encrypt (<a href="https://letsencrypt.org/how-it-works/">they describe it better themselves</a>).</p>
<p>Assuming that your home is behind a router, the first thing to do is to set up port forwarding from your router to your computer that will run Lets Encrypt. For the Lets Encrypt set up we need to forward external port <code class="highlighter-rouge">80</code> to internal port <code class="highlighter-rouge">80</code> (http connections). This can be set up by accessing your router admin interface (<a href="http://portforward.com">Site with port forwarding instructions per router</a>). This port forward must be active whenever you want to request a new certificate from Lets Encrypt, typically every three months. If you normally dont use or have an app that listens to port <code class="highlighter-rouge">80</code>, it should be safe to leave the port open. This will make renewing certificates easier.</p>
<p>Now youre ready to install and run the client that requests certificates from Lets Encrypt. The following example will use the platform independent script to install and run the <a href="https://certbot.eff.org/">certbot</a> client from Lets Encrypt. If there is a certbot package for your OS, its recommended to install the package instead of the platform independent script. Read the <a href="https://certbot.eff.org/">docs</a> for more information. There are also other clients that might offer more customization and options. See the <a href="https://letsencrypt.org/docs/client-options/">client options page</a> at Lets Encrypt.</p>
<div class="language-bash highlighter-rouge"><pre class="highlight"><code><span class="gp">$ </span>mkdir certbot
<span class="gp">$ </span><span class="nb">cd </span>certbot/
<span class="gp">$ </span>wget https://dl.eff.org/certbot-auto
<span class="gp">$ </span>chmod a+x certbot-auto
<span class="gp">$ </span>./certbot-auto certonly --standalone <span class="se">\</span>
--standalone-supported-challenges http-01 <span class="se">\</span>
--email your@email.address <span class="se">\</span>
-d hass-example.duckdns.org
</code></pre>
</div>
<p>If youre using Docker, run the following command to generate the required keys:</p>
<div class="language-bash highlighter-rouge"><pre class="highlight"><code>sudo mkdir /etc/letsencrypt /var/lib/letsencrypt
sudo docker run -it --rm -p 80:80 --name certbot <span class="se">\</span>
-v <span class="s2">"/etc/letsencrypt:/etc/letsencrypt"</span> <span class="se">\</span>
-v <span class="s2">"/var/lib/letsencrypt:/var/lib/letsencrypt"</span> <span class="se">\</span>
quay.io/letsencrypt/letsencrypt:latest certonly <span class="se">\</span>
--standalone --standalone-supported-challenges http-01 <span class="se">\</span>
--email your@email.address -d hass-example.duckdns.org
</code></pre>
</div>
<p>With either method your certificate will be generated and put in the directory <code class="highlighter-rouge">/etc/letsencrypt/live/hass-example.duckdns.org</code>. As the lifetime is only 90 days, you will have to repeat this every 90 days. Theres a special command to simplify renewing certificates:</p>
<div class="language-bash highlighter-rouge"><pre class="highlight"><code>./certbot-auto renew --quiet --no-self-upgrade --standalone <span class="se">\</span>
--standalone-supported-challenges http-01
</code></pre>
</div>
<p><img width="60" src="/images/favicon-192x192.png" style="float: right; border:none; box-shadow: none;" /></p>
<h3><a class="title-link" name="home-assistant" href="#home-assistant"></a> Home Assistant</h3>
<p>Before updating the Home Assistant configuration, we have to forward port <code class="highlighter-rouge">443</code> (https connections) to port <code class="highlighter-rouge">8123</code> on the computer that will run Home Assistant. Do this in your router configuration as previously done for port <code class="highlighter-rouge">80</code>.</p>
<p>The final step is to point Home Assistant at the generated certificates. Before you do this, make sure that the user running Home Assistant has read access to the folder that holds the certificates.</p>
<div class="language-yaml highlighter-rouge"><pre class="highlight"><code><span class="s">http</span><span class="pi">:</span>
<span class="s">api_password</span><span class="pi">:</span> <span class="s">YOUR_SECRET_PASSWORD</span>
<span class="s">ssl_certificate</span><span class="pi">:</span> <span class="s">/etc/letsencrypt/live/hass-example.duckdns.org/fullchain.pem</span>
<span class="s">ssl_key</span><span class="pi">:</span> <span class="s">/etc/letsencrypt/live/hass-example.duckdns.org/privkey.pem</span>
</code></pre>
</div>
<p>You can now navigate to https://hass-example.duckdns.org and enjoy encryption!</p>
<p><em>Big thanks to Fabian Affolter for his help and feedback on this article.</em></p>
</article>
<section id="disqus">
<h3 class="indent title">Comments</h3>
<div id="disqus_thread" aria-live="polite"><noscript>Please enable JavaScript to view the <a href="http://disqus.com/?ref_noscript">comments powered by Disqus.</a></noscript></div>
</section>
</div>
<aside id="sidebar" class="grid__item one-third lap-one-whole palm-one-whole">
<div class="grid">
<section class="aside-module grid__item one-whole lap-one-half">
<h1 class="title delta">About Home Assistant</h1>
<ul class="divided">
<li>
Home Assistant is an open-source home automation platform running on Python 3. Track and control all devices at home and automate control.
</li>
<li><a href='/getting-started/'>Get started with Home Assistant</a></li>
<li><a href='/demo/'>Try the online demo</a></li>
<li><a class="twitter-follow-button" href="https://twitter.com/Home_Assistant">Follow Home Assistant on Twitter</a></li>
<li><div class="fb-like" data-href="https://www.facebook.com/homeassistantio/" data-layout="standard" data-action="like" data-size="small" data-show-faces="true" data-share="false"></div></li>
</ul>
</section>
<div id="fb-root"></div>
<script>!function(d,s,id){var js,fjs=d.getElementsByTagName(s)[0];if(!d.getElementById(id)){js=d.createElement(s);js.id=id;js.async=true;js.src='//platform.twitter.com/widgets.js';fjs.parentNode.insertBefore(js,fjs);}}(document, 'script', 'twitter-wjs');</script>
<script>(function(d,s,id){var js,fjs=d.getElementsByTagName(s)[0];if(d.getElementById(id)){return;}js=d.createElement(s);js.id=id;js.async=true;js.src="//connect.facebook.net/en_US/all.js#appId=338291289691179&xfbml=1";fjs.parentNode.insertBefore(js,fjs);}(document,'script','facebook-jssdk'));</script>
<section class="sharing aside-module grid__item one-whole lap-one-half">
<h1 class="title delta">Share this post</h1>
<a href="//twitter.com/share"
class="twitter-share-button"
data-via="home_assistant"
data-related="home_assistant"
data-url="https://home-assistant.io/blog/2015/12/13/setup-encryption-using-lets-encrypt/"
data-counturl="https://home-assistant.io/blog/2015/12/13/setup-encryption-using-lets-encrypt/" >Tweet</a>
<div class="fb-share-button" style='top: -6px;'
data-href="https://home-assistant.io/blog/2015/12/13/setup-encryption-using-lets-encrypt/"
data-layout="button_count">
</div>
<div class="g-plusone" data-size="standard"></div>
</section>
<script src="https://apis.google.com/js/platform.js" async defer></script>
<section id="recent-posts" class="aside-module grid__item one-whole lap-one-half">
<h1 class="title delta">Recent Posts</h1>
<ul class="divided">
<li class="post">
<a href="/blog/2016/10/02/hacktoberfest/">Participating in Hacktoberfest</a>
</li>
<li class="post">
<a href="/blog/2016/10/01/we-have-raspberry-image-now/">We have a Raspberry Pi image now</a>
</li>
<li class="post">
<a href="/blog/2016/09/29/async-sleepiq-emoncms-stocks/">0.29: 🎈 Async, SleepIQ, OpenALPR, EmonCMS, stocks, and plants</a>
</li>
<li class="post">
<a href="/blog/2016/09/10/notify-group-reload-api-pihole/">0.28: Reload automation and groups, API documentation, car tracking, Pi-Hole stats</a>
</li>
<li class="post">
<a href="/blog/2016/08/31/esp8266-and-micropython-part2/">ESP8266 and MicroPython - Part 2</a>
</li>
</ul>
</section>
</div>
</aside>
</div>
</div>
<footer>
<div class="grid-wrapper">
<div class="grid">
<div class="grid__item">
<div class="copyright">
<a rel="me" href='https://twitter.com/home_assistant'><i class="icon-twitter"></i></a>
<a rel="me" href='https://facebook.com/homeassistantio'><i class="icon-facebook"></i></a>
<a rel="me" href='https://plus.google.com/110560654828510104551'><i class="icon-google-plus"></i></a>
<a rel="me" href='https://github.com/home-assistant/home-assistant'><i class="icon-github"></i></a>
<div class="credit">
Contact us at <a href='mailto:hello@home-assistant.io'>hello@home-assistant.io</a>.<br>
Website powered by <a href='http://jekyllrb.com/'>Jekyll</a> and the <a href='https://github.com/coogie/oscailte'>Oscalite theme</a>.<br />
Hosted by <a href='https://pages.github.com/'>GitHub</a> and served by <a href='https://cloudflare.com'>CloudFlare</a>.
</div>
</div>
</div>
</div>
</div>
</footer>
<script>
var _gaq=[['_setAccount','UA-57927901-1'],['_trackPageview']];
(function(d,t){var g=d.createElement(t),s=d.getElementsByTagName(t)[0];
g.src=('https:'==location.protocol?'//ssl':'//www')+'.google-analytics.com/ga.js';
s.parentNode.insertBefore(g,s)}(document,'script'));
</script>
<script>
var disqus_shortname = 'home-assistant';
// var disqus_developer = 1;
var disqus_identifier = 'https://home-assistant.io/blog/2015/12/13/setup-encryption-using-lets-encrypt/';
var disqus_url = 'https://home-assistant.io/blog/2015/12/13/setup-encryption-using-lets-encrypt/';
var disqus_script = 'embed.js';
(function () {
var dsq = document.createElement('script'); dsq.type = 'text/javascript'; dsq.async = true;
dsq.src = '//' + disqus_shortname + '.disqus.com/' + disqus_script;
(document.getElementsByTagName('head')[0] || document.getElementsByTagName('body')[0]).appendChild(dsq);
}());
</script>
</body>
</html>
Reference in a new issue View git blame Copy permalink