Calin Crisan edited this page Feb 2, 2020 · 10 revisions

Why HTTPS?

The "S" in HTTPS stands for secure. HTTPS will ensure:

  • end-to-end encrypted traffic, meaning that no one can read the data exchanged between the web app that runs on your mobile phone (or laptop) and your qToggleOS device that lives inside your home
  • that your web app connects to your qToggleOS device and no other device

This page will help you set up HTTPS with certificates issued by the free Let's Encrypt authority.

Requirements

Before proceeding, make sure you have:

  • A public IP address that can be used to reach the (normally HTTPS) server that runs on your system; in particular, ports 443 and 80 must be accessible on, or forwarded to, your qToggleOS device.
  • A fully qualified domain name that points to your public IP address. If dealing with dynamic public addresses, you may want to configure a Dynamic DNS service first.
  • An email address that you can supply when registering your domain with Let's Encrypt (it won't be used to spam you).

Configuration

You'll need to run the following commands on your qToggleOS device. For that, you'll have to log in remotely to your device via SSH.

  1. Make sure port 80 is free by stopping the qtoggleserver service:

     # service qtoggleserver stop
    
  2. Create the /data/etc/ssl directory:

     # mkdir -p /data/etc/ssl
    
  3. Create the /data/etc/ssl/domain file, containing your fully qualified domain name (e.g. john-doe.duckdns.org):

     # echo "john-doe.duckdns.org" > /data/etc/ssl/domain
    
  4. Create the /data/etc/ssl/email file, containing your email address:

     # echo "[email protected]" > /data/etc/ssl/email
    
  5. Register your domain with Let's Encrypt (make sure to read the terms first):

     # dehydrated-wrapper --register --accept-terms
    

    You should now have a folder called /var/lib/dehydrated/accounts:

     # ls /var/lib/dehydrated/accounts
     abcdefgh1234567890abcdefgh1234567890abcdefgh1234567890abcdefgh1/
    
  6. Obtain the certificates for the first time:

     # dehydrated-wrapper -c
    

    You should now have the certificate files as follows:

     # ls /data/etc/ssl/*.pem
     /data/etc/ssl/cert.pem     /data/etc/ssl/privkey.pem
    
  7. Configure your qToggleServer to use the certificates for HTTPS:

    /data/etc/qtoggleserver.conf:
    ...
    server = {
        port = 443
        https = {
            cert_file = "/data/etc/ssl/cert.pem"
            key_file = "/data/etc/ssl/privkey.pem"
        }
    }
    ...
  8. Start the qtoggleserver service:

     # service qtoggleserver start
    

    Alternatively, reboot the entire device:

     # reboot
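
Before starting the service in step 8, it is worth confirming that the files from step 6 are usable. The following is an added example, not part of the original wiki or of qToggleOS: a shell function that checks that cert.pem and privkey.pem belong together, that the certificate names the domain stored in /data/etc/ssl/domain, that it has not expired, and that the private key is readable only by its owner. The function name is hypothetical, and the openssl command-line tool is assumed to be available on the device.

```shell
# Added example: check the files from step 6 before starting qtoggleserver.
# check_https_files is a hypothetical name; openssl is assumed to be installed.
# Usage: check_https_files [ssl_dir]   (ssl_dir defaults to /data/etc/ssl)
check_https_files() {
    ssl_dir="${1:-/data/etc/ssl}"
    cert="$ssl_dir/cert.pem"
    key="$ssl_dir/privkey.pem"
    rc=0

    for f in "$cert" "$key" "$ssl_dir/domain"; do
        [ -s "$f" ] || { echo "FAIL: $f is missing or empty"; return 2; }
    done
    domain=$(tr -d ' \r\n' < "$ssl_dir/domain")

    # 1. The certificate must carry the public key derived from privkey.pem.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]; then
        echo "OK:   certificate matches private key"
    else
        echo "FAIL: certificate and private key do not belong together"; rc=1
    fi

    # 2. The certificate must be issued for the name in the domain file.
    if openssl x509 -in "$cert" -noout -checkhost "$domain" 2>/dev/null |
            grep -q 'does match'; then
        echo "OK:   certificate is valid for $domain"
    else
        echo "FAIL: certificate is not valid for $domain"; rc=1
    fi

    # 3. The certificate must not be expired.
    if openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo "OK:   certificate has not expired"
    else
        echo "FAIL: certificate has expired"; rc=1
    fi

    # 4. Only the owner should be able to read the private key.
    perms=$(ls -ld "$key" | cut -c5-10)
    if [ "$perms" = "------" ]; then
        echo "OK:   private key is not accessible to group or others"
    else
        echo "FAIL: private key permissions too open (try: chmod 600 $key)"; rc=1
    fi

    return $rc
}
```

The function returns 0 when every check passes, 1 when any check fails, and 2 when a required file is missing.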
    

Remarks

If you messed up the HTTPS certificate configuration and want to start over, simply run:

# rm -r /var/lib/dehydrated

You may also want to check out the thingOS wiki page on HTTPS.
