SSL certificate help
#1
I am now the proud owner of a shiny new SSL certificate from Let's Encrypt, and I've extracted it to a pfx file.  I've read the websockets document and overall it looks pretty straightforward, but I want to confirm a few things before I take the last steps.

First off, do I just run the installer again, and specify the SSL stuff during installation?  Second, if it's not working right, can I revert to the non-SSL version by just running the installer once more and removing the SSL stuff?  And finally, it sounds like I'll still be able to access from my internal network without using https.  Is that right?  I would rather not have to reconfigure all my tablets right now.
Reply
#2
You do just run the installer and enable the secure port stuff, and yeah, you can go back and disable it again if you need to. CQC itself doesn't have anything to do with certificates. It uses its own security. Only the web server would care. And you can of course access the web server either way, depending on whether you use an http:// or https:// style URL.
Dean Roddey
Explorans limites defectum
Reply
#3
Excellent.   Thanks for the fast response Dean!
Reply
#4
Now that I have SSL working with a Let's Encrypt certificate, I would like to automate the renewal process.  I'm using the ACMESharp PowerShell module.  I found a PowerShell script written by someone else that does most of the work.  It's written for IIS, but I will just remove that part.

It's easy to stop and start services using PowerShell, but what I'm wondering is how easy would it be to programmatically update the certificate information in CQC, and if that's something you would be willing to share.
Reply
#5
I don't think you'd need to do anything in CQC per se. Presumably the renewal doesn't actually change the public and private keys, and you reference the certificate by name within CQC. I guess the web server would need to be told to reload the certificate, but that could be done easily enough I guess by just watching for an error when loading it, just try it again. I assume you have yours for a year or some such?
Dean Roddey
Explorans limites defectum
Reply
#6
The Let's Encrypt certificates are only good for 90 days.  And apparently the way the process works with Let's Encrypt is that you create a new certificate tied to the same DNS name.  This means that it will have a different name in the Windows certificate store.

The PowerShell script I linked to automatically updates IIS and then deletes the old certificates.  To automate this with CQC, I presume I would need to edit a configuration file somewhere, but I don't know if this is something an end-user could do without going through the installer UI.
Reply
#7
As long as the certificate has the same name, then our web server wouldn't know it has changed. Looking at how it works, it looks like Windows' secure channel stuff actually loads the certificate. I'm sure it caches it for performance, but hopefully it also sees if it has changed. If so, presumably it will just pick up whichever one is there. So, let's see if there are any failures once you hit the first update. If not, all is good. Else, we can dig into it.
Dean Roddey
Explorans limites defectum
Reply
#8
Ok - I'll try the renewal process in 60 days or so and see how it goes.
Reply
#9
I got a new Let's Encrypt certificate over the weekend, and tonight my Echo integration is no longer working. Also, browsing to the CQC site gives a cert error. I cycled the service but that didn't help. I looked for the documentation on SSL that you wrote, but I couldn't remember what it was called and wasn't able to find it. In any case, it appears that CQC needs more than just replacing the cert. Suggestions?
Reply
#10
Browsing to the CQC site shouldn't have anything to do with any certificate installed on your system. It would only be used for incoming connections to your machine, so I'm not sure why that would be happening.

BTW, I saw that Amazon was reporting issues with their servers that are affecting the Echo, IFTTT, and other services based there, so that might be what you are experiencing:

https://www.reddit.com/r/homeautomation/...ing_quora/
Dean Roddey
Explorans limites defectum
Reply
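
Added example, not part of the thread or of CQC: a PowerShell check for the renewal situation discussed in posts #6 through #9. It lists every certificate in the store that covers a DNS name, so you can see whether a renewal left several entries behind, whether the name changed, and which entries are still valid. The `Cert:\LocalMachine\My` store path and the DNS name `cqc.example.com` are assumptions.

```powershell
# Added example. Assumptions: the certificate is in the LocalMachine\My store,
# and 'cqc.example.com' is a placeholder for the real DNS name.
function Get-CertCandidates {
    param(
        [Parameter(Mandatory)] [string] $DnsName,
        [string] $StorePath = 'Cert:\LocalMachine\My'
    )
    $now = Get-Date
    Get-ChildItem -Path $StorePath |
        Where-Object { $_.DnsNameList.Unicode -contains $DnsName } |
        Sort-Object NotAfter -Descending |
        ForEach-Object {
            [pscustomobject]@{
                Subject       = $_.Subject
                FriendlyName  = $_.FriendlyName
                Thumbprint    = $_.Thumbprint
                NotAfter      = $_.NotAfter
                DaysLeft      = [math]::Floor(($_.NotAfter - $now).TotalDays)
                HasPrivateKey = $_.HasPrivateKey
                # A server can only present a cert that is in date and has its private key.
                Usable        = $_.HasPrivateKey -and $_.NotBefore -le $now -and $_.NotAfter -gt $now
            }
        }
}

$certs  = @(Get-CertCandidates -DnsName 'cqc.example.com')
$usable = @($certs | Where-Object Usable)
$certs | Format-Table FriendlyName, Subject, Thumbprint, NotAfter, DaysLeft, Usable -AutoSize

if ($usable.Count -eq 0) {
    Write-Warning 'No in-date certificate with a private key covers this name.'
} elseif ($usable.Count -gt 1) {
    # After a renewal the old and new certificates can coexist until the old one expires.
    Write-Warning "$($usable.Count) valid certificates cover this name; a lookup by name may match either."
}
if (@($certs | Select-Object -ExpandProperty FriendlyName -Unique).Count -gt 1) {
    Write-Warning 'Friendly names differ between entries; a reference by friendly name may point at the old one.'
}
```

Run it from an elevated prompt before and after a renewal and compare the thumbprints to see which entry is new.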

