Provide custom SSL Certificate

Comments

6 comments

  • Nicholas (Edited)

    For local LAN RainMachine uses a self-signed certificate since it's not really possible to have an authority-signed certificate for private local LAN IPs. This doesn't mean the SSL is not encrypted, just that the certificate can't be verified with a CA (which is expected).

    If you have a certificate for your domain and you actually have an FQDN for the RainMachine private IP, it's possible to add that certificate by SSH (you need to enable SSH from Settings) to /rainmachine-app/RMNetworkFramework/resources/sslCert.pem using, for example, something like:


    scp mycert.pem root@<rainmachine ip>:/rainmachine-app/RMNetworkFramework/resources/sslCert.pem


    and restart the device.


    If you have configured the Remote Access feature it's possible to access the API through our server instead of a direct local connection. In this way you won't have certificate warnings.


  • Larry Gregory

    That is exactly what I was looking for - thank you Nicholas!

  • Dean Ferreyra

    Copying to

    /rainmachine-app/RMNetworkFramework/resources/sslCert.pem

    on the device did not work for me.  What did work was copying to

    /system/etc/lighttpd/sslCert.pem

    This is on a RainMachine Touch HD-16 running firmware version 4.0.925, though I found this to be true several months ago, too.

  • Ralph Becker-Szendy (Edited)

    A: Agree with Dean.  Don't bother with the /rainmachine...resources/ directory, that certificate doesn't seem to be used.  But copying it to /system/etc/lighttpd/ works great.  EDIT: See comment from Nicholas below: the Mini-8 uses the former location, the HD12/16 uses the latter.  Probably a good idea to update both in either case.

    B: Here are the steps.  First, you need to get an SSL certificate, which has to match the host name of the sprinkler controller.  In my case, that's sprinkler1.int.example.com (replace example.com with my real domain name), and "int" stands for internal network.  I like to use LetsEncrypt for my SSL certificates, because they are easy and free; and I use the "certbot" script to get and renew certificates, because that can be done with a single command.  The problem with that is: this only works because certbot is able to modify files in the web server directory to implement the authentication challenge, and certbot is running on the machine for which the certificate is intended.  This won't work on a RainMachine.

    So the alternative I used is: I got a wildcard certificate for *.int.example.com, which I will apply to all my RainMachines (in the future, there will be more than one).  And I use the DNS challenge technique for authentication; unfortunately, that can't be automated with my DNS service, but it is just a handful of commands, every three months.  Once that's done, you get your certificates, for example in /etc/letsencrypt/live/*.pem.  Now copy them to the RainMachine directory shown above, and reboot.

    BUT WARNING: The pem file on the RainMachine needs to contain both the private key and the certificate!  This is different from an apache server, which wants those two ingredients in two separate files.  No problem, concatenate privkey.pem and fullchain.pem (from the letsencrypt directory shown above), and copy them to sslCert.pem on the RainMachine.

    Victory!  No more web browser warnings.
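    The steps Ralph describes (concatenate privkey.pem and fullchain.pem into one sslCert.pem, copy it over SSH, reboot) as an added shell example; this is not code from the RainMachine project or from the commenters. It adds a pre-copy sanity check for the combined file and picks the destination path by model as the thread describes; the certbot paths, the model names (mini8, hd12, hd16) and the placeholder PEM contents are assumptions.

```shell
#!/bin/sh
# Added example: build and check the single sslCert.pem a RainMachine expects.
# Certbot paths and model names are assumptions; deploy_sslcert is not run here.
set -eu

# Key first, then the full chain, in one file (what the post above describes).
build_sslcert() {
    key="$1"; chain="$2"; out="$3"
    cat "$key" "$chain" > "$out"
    chmod 600 "$out"   # the file now holds a private key; keep it private
}

# Pre-copy sanity check: exactly one private key block, at least one
# certificate block, and the key at the top of the file.
check_sslcert() {
    f="$1"
    keys=$(grep -c -- '-----BEGIN .*PRIVATE KEY-----' "$f" || true)
    certs=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$f" || true)
    [ "$keys" -eq 1 ] && [ "$certs" -ge 1 ] &&
        head -n 1 "$f" | grep -q -- '-----BEGIN .*PRIVATE KEY-----'
}

# Destination path depends on the model (per Nicholas's correction below).
cert_path_for() {
    case "$1" in
        mini8)     echo /rainmachine-app/RMNetworkFramework/resources/sslCert.pem ;;
        hd12|hd16) echo /system/etc/lighttpd/sslCert.pem ;;
        *)         echo "unknown model: $1" >&2; return 1 ;;
    esac
}

# Copy over SSH (SSH must be enabled in Settings) and reboot the device.
deploy_sslcert() {
    pem="$1"; host="$2"; model="$3"
    check_sslcert "$pem"
    scp "$pem" "root@$host:$(cert_path_for "$model")"
    ssh "root@$host" reboot
}

# Constructed placeholder PEM files for an offline dry run; not real key material.
write_sample_pems() {
    d="$1"
    printf -- '-----BEGIN PRIVATE KEY-----\nCONSTRUCTED-PLACEHOLDER\n-----END PRIVATE KEY-----\n' > "$d/privkey.pem"
    printf -- '-----BEGIN CERTIFICATE-----\nLEAF-PLACEHOLDER\n-----END CERTIFICATE-----\n' > "$d/fullchain.pem"
    printf -- '-----BEGIN CERTIFICATE-----\nISSUER-PLACEHOLDER\n-----END CERTIFICATE-----\n' >> "$d/fullchain.pem"
}
```

    Running check_sslcert on fullchain.pem alone fails, which is exactly the mistake Ralph warns about (certificate without the private key in the same file).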

  • Nicholas

    Ralph, great guide, but the location of the certificate is valid only for the HD12/16 family; for the Mini-8 the cert is the one from /rainmachine-app/RMNetworkFramework/resources/sslCert.pem

  • Ralph Becker-Szendy

    Thank you for the correction; I edited my post to clarify.

    How hard would it be to add the logic into the RainMachine to get a real SSL certificate itself?  In some cases, it would be pretty easy: The device already contains a web server (duh, obviously), and it has a normal full-function OS which can run programs, so it could run certbot to get a real certificate from LetsEncrypt.  The easiest way to implement the ACME challenge would be to use the web server challenge, with certbot depositing a file on the RainMachine's web server, and LetsEncrypt's authentication machine checking it.  The problem with this idea is: it only works if the RainMachine is accessible via IP from the outside world (from LetsEncrypt servers) on a long-term stable DNS name, which requires it to have a semi-permanent IP address, no NAT (or a tunnel) and DNS.  That's probably not true in the majority of the households.  Another problem is that certbot doesn't support Android.  So even implementing this for the easy case would be quite a bit of work; and generalizing it for all manner of network setups and handling edge cases would be really difficult.  Therefore, I will not request this feature, and continue to do it by hand.
