Ok, I'm missing something about HTTPS settings

So, in the settings.js file there is mention of https.

    // The following property can be used to enable HTTPS
    // See http://nodejs.org/api/https.html#https_https_createserver_options_requestlistener
    // for details on its contents.
    // See the comment at the top of this file on how to load the `fs` module used by
    // this setting.
    //
    //https: {
    //    key: fs.readFileSync('privatekey.pem'),
    //    cert: fs.readFileSync('certificate.pem')
    //},

    // The following property can be used to cause insecure HTTP connections to
    // be redirected to HTTPS.
    //requireHttps: true

So I edit the line and remove the // from the line //requireHttps: true

Restart NR but then can't log in.
After a couple of words, I thought maybe it meant the webpage rather than the edit page.

NEITHER work.

So what else am I missing?

Have you uncommented the https setting immediately above? That's the one you use to enable https.

Well, I now changed the settings.js file to this (part)


    https: {
        key: fs.readFileSync('privatekey.pem'),
        cert: fs.readFileSync('certificate.pem')
    },

    // The following property can be used to cause insecure HTTP connections to
    // be redirected to HTTPS.
    requireHttps: true

Still won't connect.

I'm guessing it is something to do with the keys, which aren't explained how to do it.
(Yeah, my fault/problem.)

But help would be appreciated.

A few things to try...

  1. How are you trying to connect? I assume that you are using the https://your domain.com:1880 address?

  2. Where have you stored your certificates? I store mine in a 'certs' folder located at /home/pi/.node-red/certs and then in the NR settings file, show the path to the certificates;

         https: {
             key: fs.readFileSync('/home/pi/.node-red/certs/privkey.pem'),
             cert: fs.readFileSync('/home/pi/.node-red/certs/fullchain.pem')
         },

  3. Have you ensured that node-RED has access to the certificates, ie who owns the certificates - is it root:root? (in which case node-RED will not have sufficient permissions to access them.)
     To ensure access;

         cd /home/pi/.node-red/certs
         ls -la
         sudo chown pi *    # assuming 'pi' is the user
         ls -la
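
The path and ownership checks from points 2 and 3 of the post above, as an added example that is not part of the thread: a Node.js preflight for the two files the settings.js `https` block loads, which also flags a private key that other accounts can read. The function names and the temporary sample files are assumptions made for the illustration.

```javascript
const fs = require('fs');
const os = require('os');
const path = require('path');

// Problems found for one PEM file; an empty array means the file passed.
// Relative names resolve against `cwd`, the same way fs.readFileSync('privatekey.pem')
// in settings.js resolves against the working directory Node-RED was started from.
function checkPemFile(file, kind, cwd = process.cwd()) {
  const full = path.resolve(cwd, file);
  let stat;
  try {
    stat = fs.statSync(full); // follows symlinks
  } catch (err) {
    return [`${full}: cannot stat (${err.code})`];
  }
  if (!stat.isFile()) return [`${full}: not a regular file`];
  try {
    fs.accessSync(full, fs.constants.R_OK);
  } catch (err) {
    return [`${full}: owned by uid ${stat.uid}, not readable by uid ${process.getuid()}`];
  }
  const problems = [];
  const header = kind === 'key'
    ? /-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----/
    : /-----BEGIN CERTIFICATE-----/;
  if (!header.test(fs.readFileSync(full, 'utf8'))) {
    problems.push(`${full}: no PEM ${kind} header`);
  }
  // The key only needs to be readable by the account that runs Node-RED.
  if (kind === 'key' && (stat.mode & 0o077) !== 0) {
    const mode = (stat.mode & 0o777).toString(8);
    problems.push(`${full}: private key mode ${mode} allows group/other access`);
  }
  return problems;
}

function checkHttpsFiles(keyFile, certFile, cwd) {
  return [...checkPemFile(keyFile, 'key', cwd), ...checkPemFile(certFile, 'cert', cwd)];
}

// Constructed sample: placeholder PEM text in a temp directory, not real key material.
function demo() {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'nr-certs-'));
  const empty = path.join(dir, 'empty');
  fs.mkdirSync(empty);
  const pem = (label) => `-----BEGIN ${label}-----\nplaceholder\n-----END ${label}-----\n`;
  fs.writeFileSync(path.join(dir, 'privkey.pem'), pem('PRIVATE KEY'));
  fs.writeFileSync(path.join(dir, 'fullchain.pem'), pem('CERTIFICATE'));
  fs.chmodSync(path.join(dir, 'privkey.pem'), 0o644);
  const loose = checkHttpsFiles('privkey.pem', 'fullchain.pem', dir);
  fs.chmodSync(path.join(dir, 'privkey.pem'), 0o600);
  const tight = checkHttpsFiles('privkey.pem', 'fullchain.pem', dir);
  // Same relative names, different working directory: both files go missing.
  const wrongDir = checkHttpsFiles('privkey.pem', 'fullchain.pem', empty);
  fs.rmSync(dir, { recursive: true });
  return { loose, tight, wrongDir };
}

console.log(demo());
```

Run it as the account that runs Node-RED, since the readability check reflects the calling user.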

I don't have any certificates.... Because I don't know how to make them and don't know to make them because it is implied.

Though this may be easy for some, I am still learning a lot about Raspbian (Linux/Ubuntu) and there is a lot of implied things that are to be done but not really explained.

Yes, the line of what to declare and what doesn't is blurry. But being on this side of it, it is frustrating when I read things and half of what is needed is simply not there.

So I guess I need to learn how to make said certificates. (No, I don't know)

I have set up secure SSH between machines with a universal password and certificates.
That was painful as half of it also wasn't really explained.
I don't remember how I made them, so can't fall back on that to know what to do.

So I shall really have to stick my hand up saying I just don't know all the steps needed to do this by reading what is written.

Could you please walk me through it at some stage?

It's 21:20 local time and I think I will call it a day for now.
Though your help would be appreciated.
I may not reply today (my time).

And tomorrow is . . . . . another day. (24th December) so I am not sure what is in store for me then.
(Sorry, been a bad day with the runaway flow I had to debug earlier and I am a bit stressed.)
And I think I am starting to rant. Again: sorry.

Well that's why it's not working.

I did document my journey if it helps - Node-RED SSL using Letsencrypt & Certbot


Thanks.

Nice.

Alas I am using Stretch on most of my RPI's.

I tried following your commands on one, but the install of certbot failed.

Setting up python3-parsedatetime (2.1-3+deb9u1) ...
Setting up python3-rfc3339 (1.0-4) ...
Setting up python3-zope.component (4.3.0-1) ...
Setting up python3-acme (0.28.0-1~deb9u1) ...
Setting up python3-certbot (0.28.0-1~deb9u2) ...
Setting up certbot (0.28.0-1~deb9u2) ...
Created symlink /etc/systemd/system/timers.target.wants/certbot.timer → /lib/systemd/system/certbot.timer.
Error: Timeout was reached
pi@BedPi:~ $ s

(No, not your problem)

But I was hoping that it would/may work.

Seems not.

I'll have to do some digging.

Did you follow my guide, especially the first command sudo su?

certbot
Looking at your post above, it looks like maybe you didn't...

Sorry.... My fault for that.

Rather than sudo su I prefix all commands sudo as a bit of precaution to getting carried away with the power and doing something wrong.

pi@BedPi:~ $ sudo apt install certbot
Reading package lists... Done
Building dependency tree       
Reading state information... Done
certbot is already the newest version (0.28.0-1~deb9u2).
The following packages were automatically installed and are no longer required:
  gyp libc-ares2 libhttp-parser2.8 libjs-inherits libjs-node-uuid libssl-dev libssl-doc libuv1 libuv1-dev nodejs-doc realpath
Use 'sudo apt autoremove' to remove them.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
pi@BedPi:~ $ 

So does that mean it is installed?

(BTW)

What's the difference between prefixing all commands with sudo as opposed to sudo su then doing the commands?

I just tried the next part (after making the directory)

pi@BedPi:~ $ sudo su
root@BedPi:/home/pi# certbot certonly --standalone -d
usage: 
  certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...

Certbot can obtain and install HTTPS/TLS/SSL certificates.  By default,
it will attempt to use a webserver both for obtaining and installing the
certificate. 
certbot: error: argument -d/--domains/--domain: expected one argument
root@BedPi:/home/pi# 

Errrrr..... I'm confused.

No offense Andrew, but I suppose it comes down to this...
Either follow my write-up, or go your own way.
I spent a lot of time doing the write-up, and tried to make it an easy install for others, but if you want to start changing things for your own install, then no problem, go ahead & good luck.

EDIT - this was in answer to your earlier post


Ok.

I was once told that the sudo su track can take you into nasty places if you forget where you are and the mode.
Though the black and white scheme does kind of give it away. I guess this was in the days prior to colour monitors.

Anyway, to get things back on a level field:
I removed certbot and re-installed it - as you showed.

This is the result.

root@BedPi:/home/pi# sudo apt remove certbot
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following packages were automatically installed and are no longer required:
  gyp libc-ares2 libhttp-parser2.8 libjs-inherits libjs-node-uuid libssl-dev libssl-doc libuv1 libuv1-dev nodejs-doc python3-acme python3-certbot
  python3-configargparse python3-configobj python3-josepy python3-mock python3-parsedatetime python3-pbr python3-requests-toolbelt python3-rfc3339
  python3-tz python3-zope.component python3-zope.event python3-zope.hookable python3-zope.interface realpath
Use 'sudo apt autoremove' to remove them.
The following packages will be REMOVED:
  certbot
0 upgraded, 0 newly installed, 1 to remove and 0 not upgraded.
After this operation, 66.6 kB disk space will be freed.
Do you want to continue? [Y/n] y
(Reading database ... 120565 files and directories currently installed.)
Removing certbot (0.28.0-1~deb9u2) ...
Processing triggers for man-db (2.7.6.1-2) ...
root@BedPi:/home/pi# sudo apt install certbot
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following packages were automatically installed and are no longer required:
  gyp libc-ares2 libhttp-parser2.8 libjs-inherits libjs-node-uuid libssl-dev libssl-doc libuv1 libuv1-dev nodejs-doc realpath
Use 'sudo apt autoremove' to remove them.
Suggested packages:
  python3-certbot-apache python3-certbot-nginx python-certbot-doc
The following NEW packages will be installed:
  certbot
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 37.7 kB of archives.
After this operation, 66.6 kB of additional disk space will be used.
Get:1 http://mirror.datamossa.io/raspbian stretch/main armhf certbot all 0.28.0-1~deb9u2 [37.7 kB]
Fetched 37.7 kB in 1s (32.2 kB/s)  
Selecting previously unselected package certbot.
(Reading database ... 120554 files and directories currently installed.)
Preparing to unpack .../certbot_0.28.0-1~deb9u2_all.deb ...
Unpacking certbot (0.28.0-1~deb9u2) ...
Processing triggers for man-db (2.7.6.1-2) ...
Setting up certbot (0.28.0-1~deb9u2) ...
root@BedPi:/home/pi# certbot certonly --standalone -d
usage: 
  certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...

Certbot can obtain and install HTTPS/TLS/SSL certificates.  By default,
it will attempt to use a webserver both for obtaining and installing the
certificate. 
certbot: error: argument -d/--domains/--domain: expected one argument
root@BedPi:/home/pi# 

So the certbot certonly --standalone -d is still not playing the game.
Or could it be that it doesn't like stretch?

Though that would seem weird.

Maybe because the install has been run more than once.
Try certbot certonly --standalone -d yourdomainename.com

(Making myself look even dumber than I am)
Luckily that isn't hard for me.

yourdomainename.com

Is that literal or an example? I don't have a domain name.
I think I have a workgroup (old windows term)

To check myself and my stupidity, I logged into a NEW RasPi.
(TelePi as opposed to BedPi)

Doing it all the way you showed and have never had certbot installed - to the best of my knowledge this is what happened:

Ok, I also only did apt install rather than apt-get install.
That couldn't be a problem.

pi@TelePi:~ $ sudo su
root@TelePi:/home/pi# sudo apt install certbot
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following additional packages will be installed:
  python3-acme python3-certbot python3-configargparse python3-configobj python3-josepy python3-mock python3-parsedatetime python3-pbr
  python3-requests-toolbelt python3-rfc3339 python3-tz python3-zope.component python3-zope.event python3-zope.hookable python3-zope.interface
Suggested packages:
  python3-certbot-apache python3-certbot-nginx python-certbot-doc python-acme-doc python-configobj-doc python-mock-doc
Recommended packages:
  python3-pyicu
The following NEW packages will be installed:
  certbot python3-acme python3-certbot python3-configargparse python3-configobj python3-josepy python3-mock python3-parsedatetime python3-pbr
  python3-requests-toolbelt python3-rfc3339 python3-tz python3-zope.component python3-zope.event python3-zope.hookable python3-zope.interface
0 upgraded, 16 newly installed, 0 to remove and 1 not upgraded.
Need to get 766 kB of archives.
After this operation, 4,166 kB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 http://mirror.datamossa.io/raspbian stretch/main armhf python3-josepy all 1.1.0-2~deb9u1 [27.8 kB]
Get:2 http://mirror.datamossa.io/raspbian stretch/main armhf python3-pbr all 1.10.0-1 [52.5 kB]
Get:3 http://mirror.datamossa.io/raspbian stretch/main armhf python3-mock all 2.0.0-3 [59.9 kB]
Get:4 http://mirror.datamossa.io/raspbian stretch/main armhf python3-requests-toolbelt all 0.7.0-1 [36.7 kB]
Get:5 http://mirror.datamossa.io/raspbian stretch/main armhf python3-tz all 2016.7-0.3 [27.1 kB]         
Get:6 http://mirror.datamossa.io/raspbian stretch/main armhf python3-rfc3339 all 1.0-4 [6,282 B]
Get:7 http://mirror.datamossa.io/raspbian stretch/main armhf python3-acme all 0.28.0-1~deb9u2 [49.9 kB]
Get:8 http://mirror.datamossa.io/raspbian stretch/main armhf python3-configargparse all 0.11.0-1 [22.3 kB]                                          
Get:9 http://mirror.datamossa.io/raspbian stretch/main armhf python3-configobj all 5.0.6-2 [35.2 kB]                                                
Get:10 http://raspbian.melbourneitmirror.net/raspbian stretch/main armhf python3-parsedatetime all 2.1-3+deb9u1 [37.7 kB]                           
Get:11 http://raspbian.melbourneitmirror.net/raspbian stretch/main armhf python3-zope.hookable armhf 4.0.4-4+b1 [10.2 kB]                           
Get:12 http://mirror.datamossa.io/raspbian stretch/main armhf python3-zope.interface armhf 4.3.2-1 [88.2 kB]                                        
Get:13 http://mirror.datamossa.io/raspbian stretch/main armhf python3-zope.event all 4.2.0-1 [8,412 B]                                              
Get:14 http://mirror.datamossa.io/raspbian stretch/main armhf python3-zope.component all 4.3.0-1 [43.0 kB]                                          
Get:15 http://mirror.datamossa.io/raspbian stretch/main armhf python3-certbot all 0.28.0-1~deb9u2 [222 kB]                                          
Get:16 http://mirror.datamossa.io/raspbian stretch/main armhf certbot all 0.28.0-1~deb9u2 [37.7 kB]                                                 
Fetched 766 kB in 11s (64.8 kB/s)                                                                                                                   
Selecting previously unselected package python3-josepy.
(Reading database ... 115019 files and directories currently installed.)
Preparing to unpack .../00-python3-josepy_1.1.0-2~deb9u1_all.deb ...
Unpacking python3-josepy (1.1.0-2~deb9u1) ...
Selecting previously unselected package python3-pbr.
Preparing to unpack .../01-python3-pbr_1.10.0-1_all.deb ...
Unpacking python3-pbr (1.10.0-1) ...
Selecting previously unselected package python3-mock.
Preparing to unpack .../02-python3-mock_2.0.0-3_all.deb ...
Unpacking python3-mock (2.0.0-3) ...
Selecting previously unselected package python3-requests-toolbelt.
Preparing to unpack .../03-python3-requests-toolbelt_0.7.0-1_all.deb ...
Unpacking python3-requests-toolbelt (0.7.0-1) ...
Selecting previously unselected package python3-tz.
Preparing to unpack .../04-python3-tz_2016.7-0.3_all.deb ...
Unpacking python3-tz (2016.7-0.3) ...
Selecting previously unselected package python3-rfc3339.
Preparing to unpack .../05-python3-rfc3339_1.0-4_all.deb ...
Unpacking python3-rfc3339 (1.0-4) ...
Selecting previously unselected package python3-acme.
Preparing to unpack .../06-python3-acme_0.28.0-1~deb9u2_all.deb ...
Unpacking python3-acme (0.28.0-1~deb9u2) ...
Selecting previously unselected package python3-configargparse.
Preparing to unpack .../07-python3-configargparse_0.11.0-1_all.deb ...
Unpacking python3-configargparse (0.11.0-1) ...
Selecting previously unselected package python3-configobj.
Preparing to unpack .../08-python3-configobj_5.0.6-2_all.deb ...
Unpacking python3-configobj (5.0.6-2) ...
Selecting previously unselected package python3-parsedatetime.
Preparing to unpack .../09-python3-parsedatetime_2.1-3+deb9u1_all.deb ...
Unpacking python3-parsedatetime (2.1-3+deb9u1) ...
Selecting previously unselected package python3-zope.hookable.
Preparing to unpack .../10-python3-zope.hookable_4.0.4-4+b1_armhf.deb ...
Unpacking python3-zope.hookable (4.0.4-4+b1) ...
Selecting previously unselected package python3-zope.interface.
Preparing to unpack .../11-python3-zope.interface_4.3.2-1_armhf.deb ...
Unpacking python3-zope.interface (4.3.2-1) ...
Selecting previously unselected package python3-zope.event.
Preparing to unpack .../12-python3-zope.event_4.2.0-1_all.deb ...
Unpacking python3-zope.event (4.2.0-1) ...
Selecting previously unselected package python3-zope.component.
Preparing to unpack .../13-python3-zope.component_4.3.0-1_all.deb ...
Unpacking python3-zope.component (4.3.0-1) ...
Selecting previously unselected package python3-certbot.
Preparing to unpack .../14-python3-certbot_0.28.0-1~deb9u2_all.deb ...
Unpacking python3-certbot (0.28.0-1~deb9u2) ...
Selecting previously unselected package certbot.
Preparing to unpack .../15-certbot_0.28.0-1~deb9u2_all.deb ...
Unpacking certbot (0.28.0-1~deb9u2) ...
Setting up python3-requests-toolbelt (0.7.0-1) ...
Setting up python3-pbr (1.10.0-1) ...
update-alternatives: using /usr/bin/python3-pbr to provide /usr/bin/pbr (pbr) in auto mode
Setting up python3-mock (2.0.0-3) ...
Setting up python3-zope.event (4.2.0-1) ...
Setting up python3-zope.interface (4.3.2-1) ...
Setting up python3-configargparse (0.11.0-1) ...
Setting up python3-zope.hookable (4.0.4-4+b1) ...
Processing triggers for man-db (2.7.6.1-2) ...
Setting up python3-josepy (1.1.0-2~deb9u1) ...
Setting up python3-configobj (5.0.6-2) ...
Setting up python3-tz (2016.7-0.3) ...
Setting up python3-parsedatetime (2.1-3+deb9u1) ...
Setting up python3-rfc3339 (1.0-4) ...
Setting up python3-zope.component (4.3.0-1) ...
Setting up python3-acme (0.28.0-1~deb9u2) ...
Setting up python3-certbot (0.28.0-1~deb9u2) ...
Setting up certbot (0.28.0-1~deb9u2) ...
Created symlink /etc/systemd/system/timers.target.wants/certbot.timer → /lib/systemd/system/certbot.timer.
root@TelePi:/home/pi# certbot certonly --standalone -d
usage: 
  certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...

Certbot can obtain and install HTTPS/TLS/SSL certificates.  By default,
it will attempt to use a webserver both for obtaining and installing the
certificate. 
certbot: error: argument -d/--domains/--domain: expected one argument
root@TelePi:/home/pi# 

Same.

certbot: error: argument -d/--domains/--domain: expected one argument

In my guide I wrote;

Did you not see that Andrew?

No, I didn't.
(There I said it.)

Until now I have never needed a domain name, so have never followed up on that.

As said: I think I have a work group name, from the days I had a M$ machine on the network as the main machine which kind of insisted on being in one or the other.

So to sum up:
To be able to use https I also need a domain name?

Ok. Too hard basket at this time.

I accept I am stupid, but I am really lost in how all these things tie in together.
I would have thought (Yes: dangerous) that a certificate was from an IP address, not a domain name.

But that is beyond the scope of this thread. Again: Silly me.
It isn't your fault. So please don't read that I am angry at you.

I am just perplexed by these abstract associations which exist.
I'll shut up now.

You need a domain name, Certbot will not function without one.
The good news is that if you purchased just one domain name, you could create numerous sub-domains for each of your servers, so no need for multiple domain registrations.
Example; andrewshome.com and you get free -
bedpi.andrewshome.com
homepi.andrewshome.com
energypi.andrewshome.com
etc, etc

If you are only accessing your pi's locally, and not exposing them to the public internet, then I really wouldn't bother with https, just use ufw to keep others out.

@Trying_to_learn taking a step back once again. Is there a specific reason you’re attempting to set up SSL/https to reach your pi?

Security.... Interest....... Wanting to learn.......

But it seems that it is way beyond my belief what needs to be done first.
Getting a domain will expose me to attacks more so than having non-secure links on my local network because (I'm guessing) my domain name WILL have my IP on/in it.

I don't want/need that kind of stuff.

I was just wanting to understand it and how it works.

But if it means getting a domain name and advertising who I am: forget it.

ufw can also be secure, interesting and a learning experience.
