使用LetsEncrypt生成SSL证书：修订间差异

2017年3月4日 (六) 17:20的版本

This article shows you how to add a Lets Encrypt certificate to Domoticz so you can access your server over a secure HTTPS channel.

The provided steps are executed using a Raspberry Pi, but they should work on every Linux OS.

Prerequisites (see here : http://www.domoticz.com/wiki/Native_HTTPS_/_SSL_support)

Port 80 (HTTP) and 443 (HTTPS) are forwarded to your Domoticz server
You own a domain name
The (sub)domain name for Domoticz has a DNS entry that points to your external IP address

Startup script

If you want Domoticz to use only HTTPS, you will need to edit the startup script.

sudo vi /etc/init.d/domoticz.sh

DAEMON_ARGS="-daemon -sslwww 443"

安装Let’s Encrypt

git clone https://github.com/letsencrypt/letsencrypt

生成证书

cd letsencrypt sudo ./letsencrypt-auto certonly --manual --email 你的邮箱 -d 你的域名 注意：域名需要写全，比如使用 home.domoticz.cn，就不能只写 domotiz.cn。

如果你有多个域名，可以在命令后面继续添加-d参数，每个-d参数后面对应一个域名。

如果显示以下信息，不要按回车键：

If you don't have HTTP server configured, you can run the following command on the target server (as root):
mkdir -p /tmp/letsencrypt/public_html/.well-known/acme-challenge
cd /tmp/letsencrypt/public_html
printf "%s" <some random string> > .well-known/acmechallenge/<some random string>
# run only once per server:
$(command -v python2 || command -v python2.7 || command -v python2.6) -c \
"import BaseHTTPServer, SimpleHTTPServer; \
s = BaseHTTPServer.HTTPServer(('', 80), SimpleHTTPServer.SimpleHTTPRequestHandler); \
s.serve_forever()" 
Press ENTER to continue

新打开一个Shell窗口，执行以下命令将Let's Encrypt之前给出的随机字符文件加入网站，以通过Let's Encrypt的域名验证：

mkdir -p /home/pi/domoticz/www/.well-known/acme-challenge/
cd /home/pi/domoticz/www/
printf "%s" 随机字符 > .wellknown/acmechallenge/随机字符

注意：此操作需要你的Domoticz能够在外网通过80端口访问。如果你的80端口在路由器中设置了端口转发也无法在外网打开，可能是你的网络运营商没有开放80端口。这时你需要另一台可以通过80端口访问的虚拟主机或服务器，绑定你的域名后将验证文件放到网站内。

确认在浏览器中打开 http://你的域名/.well-known/acme-challenge/随机字符可以正常访问。然后回到之前的Shell窗口，按回车键继续生成证书。如果一切正常，应该返回以下信息：

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/<your domain>/fullchain.pem. Your
   cert will expire on <date>. To obtain a new version of the
   certificate in the future, simply run Let's Encrypt again.
 - If you like Let's Encrypt, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Add the certificate to Domoticz

The last thing to do is adding the created certificate to Domoticz. This is easily done with the following commands:

sudo rm ~/domoticz/server_cert.pem sudo cat /etc/letsencrypt/live/<your domain>/privkey.pem >> ~/domoticz/server_cert.pem sudo cat /etc/letsencrypt/live/<your domain>/fullchain.pem >> ~/domoticz/server_cert.pem

When there's a domoticz error after rebooting the service like : Error: [web:443] missing SSL DH parameters from file Add the DHparam :

sudo cat /etc/ssl/certs/dhparam.pem >> ~/domoticz/server_cert.pem

@@ 第21行： / 第21行： @@
 <code>cd letsencrypt
-sudo ./letsencrypt-auto certonly --manual --email  <your email> -d <your domain name></code>
+sudo ./letsencrypt-auto certonly --manual --email  你的邮箱 -d 你的域名</code>
+注意：域名需要写全，比如使用 home.domoticz.cn，就不能只写 domotiz.cn。
+如果你有多个域名，可以在命令后面继续添加-d参数，每个-d参数后面对应一个域名。
-You can specify multiple domain names using another -d parameter and domain name for each additional domain name.
+如果显示以下信息，不要按回车键：
-If the following message shows don't press enter:
 <syntaxhighlight lang="text">
@@ 第41行： / 第41行： @@
 </syntaxhighlight>
-Open another shell window and execute the given commands to validate the ownership of the server.
+新打开一个Shell窗口，执行以下命令将Let's Encrypt之前给出的随机字符文件加入网站，以通过Let's Encrypt的域名验证：
 <syntaxhighlight lang="text">
-mkdir -p /tmp/letsencrypt/public_html/.well-known/acme-challenge
+mkdir -p /home/pi/domoticz/www/.well-known/acme-challenge/
-cd /tmp/letsencrypt/public_html
+cd /home/pi/domoticz/www/
-printf "%s" <some random string> > .wellknown/acmechallenge/<some random string>
+printf "%s" 随机字符 > .wellknown/acmechallenge/随机字符
-$(command -v python2 || command -v python2.7 || command -v python2.6) -c \
-"import BaseHTTPServer, SimpleHTTPServer; \
-s = BaseHTTPServer.HTTPServer(('', 80), SimpleHTTPServer.SimpleHTTPRequestHandler); \
-s.serve_forever()"
 </syntaxhighlight>
+注意：此操作需要你的Domoticz能够在外网通过80端口访问。如果你的80端口在路由器中设置了端口转发也无法在外网打开，可能是你的网络运营商没有开放80端口。这时你需要另一台可以通过80端口访问的虚拟主机或服务器，绑定你的域名后将验证文件放到网站内。
-'''Edit Nov 4 2016'''. Alternative : Domoticz is a web server, so the direct registration is possible. Simply put the file /tmp/letsencrypt/public_html/.well-known/acme-challenge/<some random string>  to /home/pi/domoticz/www/.well-known/acme-challenge/
+确认在浏览器中打开 http://你的域名/.well-known/acme-challenge/随机字符 可以正常访问。
-and check that your domoticz is accessible on the port HTTP 80. (aka : NAT forwarding in your router)
+然后回到之前的Shell窗口，按回车键继续生成证书。
+如果一切正常，应该返回以下信息：
-Now press enter on the other shell. If everything is OK this message shows:
 <syntaxhighlight lang="text">
 IMPORTANT NOTES: