So, in the settings.js file there is mention of https.
// The following property can be used to enable HTTPS
// See http://nodejs.org/api/https.html#https_https_createserver_options_requestlistener
// for details on its contents.
// See the comment at the top of this file on how to load the `fs` module used by
// this setting.
//
//https: {
// key: fs.readFileSync('privatekey.pem'),
// cert: fs.readFileSync('certificate.pem')
//},
// The following property can be used to cause insecure HTTP connections to
// be redirected to HTTPS.
//requireHttps: true
So I edit the line and remove the // from the line //requireHttps: true
Restart NR but then can't log in.
After a couple of words, I thought maybe it meant the webpage rather than the edit page.
Well, I now changed the settings.js file to this (part)
https: {
key: fs.readFileSync('privatekey.pem'),
cert: fs.readFileSync('certificate.pem')
},
// The following property can be used to cause insecure HTTP connections to
// be redirected to HTTPS.
requireHttps: true
Still won't connect.
I'm guessing it is something to do with the keys, which aren't explained how to do it.
(Yeah, my fault/problem.)
Where have you stored your certificates? I store mine in a 'certs' folder located at /home/pi/.node-red/certs and then in the NR settings file, show the path to the certificates;
Have you ensured that node-RED has access to the certificates, i.e. who owns the certificates - is it root:root? (in which case node-RED will not have sufficient permissions to access them.)
To ensure access;
cd /home/pi/.node-red/certs
ls -la
sudo chown pi * (assuming 'pi' is the user)
ls -la
I don't have any certificates.... Because I don't know how to make them and don't know to make them because it is implied.
Though this may be easy for some, I am still learning a lot about Raspbian (Linux/Ubuntu) and there is a lot of implied things that are to be done but not really explained.
Yes, the line of what to declare and what doesn't is blurry. But being on this side of it, it is frustrating when I read things and half of what is needed is simply not there.
So I guess I need to learn how to make said certificates. (No, I don't know)
I have set up secure SSH between machines with a universal password and certificates.
That was painful as half of it also wasn't really explained.
I don't remember how I made them, so can't fall back on that to know what to do.
So I shall really have to stick my hand up saying I just don't know all the steps needed to do this by reading what is written.
Could you please walk me through it at some stage?
It's 21:20 local time and I think I will call it a day for now.
Though your help would be appreciated.
I may not reply today (my time).
And tomorrow is . . . . . another day. (24th December) so I am not sure what is in store for me then.
(Sorry, been a bad day with the runaway flow I had to debug earlier and I am a bit stressed.)
And I think I am starting to rant. Again: sorry.
I tried following your commands on one, but the install of certbot failed.
Setting up python3-parsedatetime (2.1-3+deb9u1) ...
Setting up python3-rfc3339 (1.0-4) ...
Setting up python3-zope.component (4.3.0-1) ...
Setting up python3-acme (0.28.0-1~deb9u1) ...
Setting up python3-certbot (0.28.0-1~deb9u2) ...
Setting up certbot (0.28.0-1~deb9u2) ...
Created symlink /etc/systemd/system/timers.target.wants/certbot.timer → /lib/systemd/system/certbot.timer.
Error: Timeout was reached
pi@BedPi:~ $ s
Rather than sudo su I prefix all commands sudo as a bit of precaution to getting carried away with the power and doing something wrong.
pi@BedPi:~ $ sudo apt install certbot
Reading package lists... Done
Building dependency tree
Reading state information... Done
certbot is already the newest version (0.28.0-1~deb9u2).
The following packages were automatically installed and are no longer required:
gyp libc-ares2 libhttp-parser2.8 libjs-inherits libjs-node-uuid libssl-dev libssl-doc libuv1 libuv1-dev nodejs-doc realpath
Use 'sudo apt autoremove' to remove them.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
pi@BedPi:~ $
So does that mean it is installed?
(BTW)
What's the difference between prefixing all commands with sudo as opposed to sudo su then doing the commands?
I just tried the next part (after making the directory)
pi@BedPi:~ $ sudo su
root@BedPi:/home/pi# certbot certonly --standalone -d
usage:
certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...
Certbot can obtain and install HTTPS/TLS/SSL certificates. By default,
it will attempt to use a webserver both for obtaining and installing the
certificate.
certbot: error: argument -d/--domains/--domain: expected one argument
root@BedPi:/home/pi#
No offense Andrew, but I suppose it comes down to this...
Either follow my write-up, or go your own way.
I spent a lot of time doing the write-up, and tried to make it an easy install for others, but if you want to start changing things for your own install, then no problem, go ahead & good luck.
I was once told that the sudo su track can take you into nasty places if you forget where you are and the mode.
Though the black and white scheme does kind of give it away. I guess this was in the days prior to colour monitors.
Anyway, to get things back on a level field:
I removed certbot and re-installed it - as you showed.
This is the result.
root@BedPi:/home/pi# sudo apt remove certbot
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages were automatically installed and are no longer required:
gyp libc-ares2 libhttp-parser2.8 libjs-inherits libjs-node-uuid libssl-dev libssl-doc libuv1 libuv1-dev nodejs-doc python3-acme python3-certbot
python3-configargparse python3-configobj python3-josepy python3-mock python3-parsedatetime python3-pbr python3-requests-toolbelt python3-rfc3339
python3-tz python3-zope.component python3-zope.event python3-zope.hookable python3-zope.interface realpath
Use 'sudo apt autoremove' to remove them.
The following packages will be REMOVED:
certbot
0 upgraded, 0 newly installed, 1 to remove and 0 not upgraded.
After this operation, 66.6 kB disk space will be freed.
Do you want to continue? [Y/n] y
(Reading database ... 120565 files and directories currently installed.)
Removing certbot (0.28.0-1~deb9u2) ...
Processing triggers for man-db (2.7.6.1-2) ...
root@BedPi:/home/pi# sudo apt install certbot
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages were automatically installed and are no longer required:
gyp libc-ares2 libhttp-parser2.8 libjs-inherits libjs-node-uuid libssl-dev libssl-doc libuv1 libuv1-dev nodejs-doc realpath
Use 'sudo apt autoremove' to remove them.
Suggested packages:
python3-certbot-apache python3-certbot-nginx python-certbot-doc
The following NEW packages will be installed:
certbot
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 37.7 kB of archives.
After this operation, 66.6 kB of additional disk space will be used.
Get:1 http://mirror.datamossa.io/raspbian stretch/main armhf certbot all 0.28.0-1~deb9u2 [37.7 kB]
Fetched 37.7 kB in 1s (32.2 kB/s)
Selecting previously unselected package certbot.
(Reading database ... 120554 files and directories currently installed.)
Preparing to unpack .../certbot_0.28.0-1~deb9u2_all.deb ...
Unpacking certbot (0.28.0-1~deb9u2) ...
Processing triggers for man-db (2.7.6.1-2) ...
Setting up certbot (0.28.0-1~deb9u2) ...
root@BedPi:/home/pi# certbot certonly --standalone -d
usage:
certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...
Certbot can obtain and install HTTPS/TLS/SSL certificates. By default,
it will attempt to use a webserver both for obtaining and installing the
certificate.
certbot: error: argument -d/--domains/--domain: expected one argument
root@BedPi:/home/pi#
So the certbot certonly --standalone -d is still not playing the game.
Or could it be that it doesn't like stretch?
Until now I have never needed a domain name, so have never followed up on that.
As said: I think I have a work group name, from the days I had a M$ machine on the network as the main machine which kind of insisted on being in one or the other.
So to sum up:
To be able to use https I also need a domain name?
Ok. Too hard basket at this time.
I accept I am stupid, but I am really lost in how all these things tie in together.
I would have thought (Yes: dangerous) that a certificate was from an IP address, not a domain name.
But that is beyond the scope of this thread. Again: Silly me.
It isn't your fault. So please don't read that I am angry at you.
I am just perplexed by these abstract associations which exist.
I'll shut up now.
You need a domain name, Certbot will not function without one.
The good news is that if you purchased just one domain name, you could create numerous sub-domains for each of your servers, so no need for multiple domain registrations.
Example; andrewshome.com and you get free - bedpi.andrewshome.com homepi.andrewshome.com energypi.andrewshome.com
etc, etc
If you are only accessing your pi's locally, and not exposing them to the public internet, then I really wouldn't bother with https, just use ufw to keep others out.
Security.... Interest....... Wanting to learn.......
But it seems that it is way beyond my belief what needs to be done first.
Getting a domain will expose me to attacks more so than having non-secure links on my local network because (I'm guessing) my domain name WILL have my IP on/in it.
I don't want/need that kind of stuff.
I was just wanting to understand it and how it works.
But if it means getting a domain name and advertising who I am: forget it.