Installation of Certbot on Loxberry

  • Tico
    Lox Guru
    • 31.08.2016
    • 1035

    Installation of Certbot on Loxberry

    I wish to install a Node-Red node that provides a self-hosted Fulfillment Service for Google voice control -

    Lets you control Node-Red via Google Assistant or the Google Home App


    The node requires an SSL certificate -

    [Image: Prerequisites.png]

    I have a Loxberry running v2.2.0.4 and wish to understand whether the instance of Apache on the Loxberry is sufficient for running the Certbot instructions here -



    I don't want to compromise my Loxberry installation by installing 'non-standard' packages that might break on the next update.

    I'm also a bit confused by the overall architecture of this Node-Red node. Given that it needs an SSL certificate, does that mean my domain needs to become HTTPS? Or does the Google Fulfillment service just need to have the certificates in the defined path on the Loxberry behind an HTTP domain (i.e. using the http Node-RED root path)?


    [Image: Web Server Settings.png]



    I'm a bit confused by the SSL certificate stuff, so asking for any clarification on the 'big picture' and whether this is do-able on the Loxberry?
    I don't speak German. Blame Google Translate if I am unintelligible.
  • Christian Fenzl
    Living Forum Legend
    • 31.08.2015
    • 11225

    #2
    letsencrypt requires you to have
    - a publicly available DNS hostname, and
    - a publicly available webserver.

    As 1. is easily done with dyndns stuff, we think that 2. is a major security vulnerability on LoxBerry, putting your LoxBerry on the web.
    LoxBerry and its plugins are made for LAN access and aren't hardened to be made public. Letsencrypt is made for public websites.

    On the Roadmap of LoxBerry-Core is to have https with a self-signed certificate to access LoxBerry via https. In a local network this is quite secure, as the chance of a man-in-the-middle attack in your closed LAN is very little.

    LoxBerry manages the Apache config. Your changes might be overwritten at some day, especially when we roll-out https on Apache.

    About the Node-Red node I cannot help.



    Help for the people of Ukraine: https://www.loxforum.com/forum/proje...Cr-die-ukraine



    • Prof.Mobilux
      Prof.Mobilux commented
      He can use a separate Apache config in /etc/apache2/sites-available. That shouldn't be overwritten if he does not use the same name for the file than we will do :-)

    • Christian Fenzl
      Christian Fenzl commented
      But we will overwrite the port configuration 😉
  • Prof.Mobilux
    Supermoderator
    • 25.08.2015
    • 4682

    #3
    Letsencrypt does not provide "private" SSL certs. So don't know if this works with your installation. As Christian Fenzl already mentioned it is a very very bad idea to make LoxBerry available from "outside". If you have checked the requirements and are risky enough, you can give "getssl" a try: https://github.com/srvrco/getssl

    It should not destroy the LoxBerry's Apache config (make a backup before testing!!!!).
    Last edited by Prof.Mobilux; 06.12.2020, 06:03.
    🇺🇦 Help for the people of Ukraine: https://www.loxforum.com/forum/proje...Cr-die-ukraine


    LoxBerry - Beyond the Limits


    • Tico
      Lox Guru
      • 31.08.2016
      • 1035

      #4
      Thanks for the info. I'll have a look at getssl.

      I did recognise that opening port 80 through to the Loxberry will be a significant security risk. Not something I want to do.

      I'm currently using NORA for voice control within Node-Red. This is hosted by an unknown enthusiast somewhere in the world. It works well except for latency. For all I know, my packets might be travelling half-way around the world before they're even directed towards Google.

      The main goal is to have a self-hosted Fulfillment service for Google voice to improve latency. Node-red-contrib-google-smarthome appears to provide this.

      I'm just not quite sure how to have both a publicly available web-server that will pull down the certificates and a private device like Loxberry running Node-Red. Lots more research to do...
      I don't speak German. Blame Google Translate if I am unintelligible.

      • svethi
        Living Forum Legend
        • 25.08.2015
        • 6301

        #5
        On the amazon alexa services you can upload your own self-signed cert. Maybe google does this too?
        Sure, you can configure another website on another port on the apache. That website also has another document root dir, but apache always runs as user loxberry. Your node-red installation has to be installed in the other webspace and it is more complicated to transfer data between these webspaces, and this is then a security risk. I think it's easier to build an own raspi for that.
        Miniserver; KNX; Vitogate; EnOcean (EnOceanPi); Loxone Air; CalDAV calendar integration; Raspberry Pi, and never too good for a tinkering solution :-)


        • Tico
          Tico commented
          I have a second unused Raspberry Pi. So I set this up as a standalone device (perhaps running full Raspbian) in the de-militarised zone of my router? That then provides the public web-server. Then transfer the SSL certificates (FTP?) to the Loxberry on the home network?

          I haven't researched getssl fully yet. But if I understand correctly, it operates in the private network, then transfers the SSL certificates (via FTP) to the public facing server. Or in my case, to the Node-Red directory running the Node-red-contrib-google-smarthome server.

        • svethi
          svethi commented
          I think you forgot the voice service. In your case google will have access to your node-red installation. So your loxberry has to be accessible from the web. Your voice client records the voice and pushes it to the voice server (google). Google translates it and opens a connection to your client (node-red) over https (ssl/cert) for giving the needed information.
          You should use the standalone raspi completely for the voice control.
          This raspi only needs the ports 80 and 443 to be forwarded from your router, not a full DMZ ;-)
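
As an added example (not code from LoxBerry, getssl or any poster in this thread), the POSIX shell script below covers two points raised above: the self-signed certificate for LAN-only HTTPS that #2 mentions as the LoxBerry-Core roadmap item, and the checks worth running on a certificate/key pair before it is copied from a public-facing host onto the private device, as discussed in the comments on #5. The hostname `loxberry.lan`, the file names `cert.pem`/`key.pem` and the 30-day minimum are assumptions; the only dependency is the `openssl` command-line tool (1.1.1 or newer for the `-addext` option).

```shell
#!/bin/sh
# Added example, not LoxBerry's, getssl's or any poster's code.
# 1) make_selfsigned: self-signed cert for LAN-only HTTPS (roadmap item in #2)
# 2) check_bundle:    sanity checks before a fetched cert/key pair is installed
#                     on the private device (cert transfer discussed in #5).
# Assumes the openssl CLI is installed; hostname and file names are assumptions.
set -eu

# make_selfsigned DIR HOSTNAME DAYS
#   Writes DIR/cert.pem and DIR/key.pem for HOSTNAME (CN and SAN set, so
#   modern clients will accept the name once the cert is trusted locally).
make_selfsigned() {
    dir=$1; host=$2; days=$3
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -sha256 -nodes \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" \
        -days "$days" -subj "/CN=$host" \
        -addext "subjectAltName=DNS:$host" >/dev/null 2>&1
}

# cert_matches_key CERT KEY -> exit 0 if the private key belongs to the cert
#   (a mismatched pair after a copy is the most common deployment failure)
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
    [ "$c" = "$k" ]
}

# cert_has_name CERT HOSTNAME -> exit 0 if the cert is valid for HOSTNAME
#   openssl -checkhost prints "... does match certificate" on success
cert_has_name() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q ' does match '
}

# cert_valid_for_days CERT DAYS -> exit 0 if the cert is still valid in DAYS days
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# check_bundle DIR HOSTNAME MINDAYS -> exit 0 only if every check passes;
#   prints the first failing check so an automated copy job can stop there
check_bundle() {
    dir=$1; host=$2; min=$3
    [ -s "$dir/cert.pem" ] && [ -s "$dir/key.pem" ] \
        || { echo "missing cert.pem or key.pem in $dir"; return 1; }
    cert_matches_key "$dir/cert.pem" "$dir/key.pem" \
        || { echo "key does not match certificate"; return 1; }
    cert_has_name "$dir/cert.pem" "$host" \
        || { echo "certificate is not valid for $host"; return 1; }
    cert_valid_for_days "$dir/cert.pem" "$min" \
        || { echo "certificate expires within $min days"; return 1; }
    echo "ok: $dir is usable for $host"
}

# Demo run: ./certcheck.sh demo  (creates and checks a throwaway LAN cert)
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    make_selfsigned "$tmp" loxberry.lan 365
    check_bundle "$tmp" loxberry.lan 30
    rm -rf "$tmp"
fi
```

Run `check_bundle` on the private device against the directory the certificate was copied into, and only reload the web server when it prints `ok`; the same function rejects a bundle copied for the wrong hostname or one that is about to expire, which is what a renewal job should detect before anything is restarted.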