Christopher Durham asked

Certificate for Cerbo/Venus Remote Console/letsencrypt certbot

I am using 3.12 VenusOS on a pi4.

I want to add a certificate signed by an external CA for my gui on the cerbo/rpi itself.

I do this on my linux box via letsencrypt's certbot. Doing so automatically renews the free certificate before it expires.

I checked the package repo at https://updates.victronenergy.com/feeds/venus/releaase/packages/dunfell and there is no certbot/letsencrypt package.

Neither do I see a certbot package with the third party SetupHelper.

Is this available somewhere? I know I can create the cert elsewhere and push the cert into the cerbo, but it would be nice to have this natively.

Similar question for NodeRed on the large image.

As for the cert location, I see in the nginx configuration where I can change it to use my cert. However, I doubt that would survive an upgrade. Any 'official' way for such a change to survive an upgrade?

Consider all of this a feature request if not already one (how do I file one if needed?). I apologize if this has already been discussed.



1 Answer
matt1309 answered ·

Hi @Christopher Durham

I'm using a workaround for this. I use nginx running on my Debian-based server, which forwards connections to the Cerbo via reverse proxy. The main server then manages all the certs as you would normally, as Debian has all the packages you'd need.


Might be worth checking if certbot is included in opkg, the package manager that's on Venus OS. If not, you could compile it yourself.


Whichever way you do it, the issue you'll run into is that the Cerbo GUI uses WebSockets, and by default this is not an encrypted WebSocket connection (ws, not wss).

The workaround I did for this was to edit the JS in index.php on the Cerbo to check if the connection to the page is HTTPS; if it is, I change WebUtil.getQueryVar 'encrypt' to true.

I then had to open that wss port on the router and, again using the nginx reverse proxy, forward that wss port back to the ws connection on the LAN side.


Here's exactly how I did it:

Nginx reverse proxy - Victron Community (victronenergy.com)


You're right though, the limitation is that the change you make to index.php won't stay after an update, but given it's only one line it's quick enough to add back in. You could write a script to edit it if you were desperate.
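The reverse-proxy arrangement described in this answer, written out as an added example nginx configuration. This is not matt1309's own config, nor anything shipped by Victron; the hostname cerbo.example.com, the Cerbo LAN address 192.168.1.50, the public wss port 9443, the Cerbo-side ws port 9001, the admin network 203.0.113.0/24 and the certbot certificate paths are all assumptions and must be adjusted to your setup.

```nginx
# Added example, not from the original post. Runs on the Debian host, not on
# the Cerbo. All hostnames, addresses and ports below are assumptions.

# Map the client's Upgrade header to the Connection header nginx sends upstream,
# so a WebSocket handshake is forwarded and an ordinary request is not.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

# Plain HTTP: certbot's nginx plugin uses this block for the HTTP-01 challenge,
# and everything else is sent to HTTPS.
server {
    listen 80;
    server_name cerbo.example.com;          # assumed hostname
    return 301 https://$host$request_uri;
}

# HTTPS front end for the GUI: TLS terminates here, the Cerbo still speaks HTTP.
server {
    listen 443 ssl;
    server_name cerbo.example.com;

    # Paths as written by "certbot --nginx -d cerbo.example.com" (assumed).
    ssl_certificate     /etc/letsencrypt/live/cerbo.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/cerbo.example.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # The Cerbo GUI has no login of its own, so do not leave this open to the
    # whole Internet. Restrict to the networks that need it (assumed range).
    allow 203.0.113.0/24;
    deny  all;

    location / {
        proxy_pass http://192.168.1.50;     # assumed Cerbo LAN address
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Real-IP         $remote_addr;
    }
}

# WebSocket front end: the browser connects with wss to this port, nginx opens a
# plain ws connection to the Cerbo on the LAN side.
server {
    listen 9443 ssl;                         # assumed public wss port
    server_name cerbo.example.com;

    ssl_certificate     /etc/letsencrypt/live/cerbo.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/cerbo.example.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    allow 203.0.113.0/24;
    deny  all;

    location / {
        proxy_pass http://192.168.1.50:9001; # assumed ws port on the Cerbo
        # HTTP/1.1 plus the Upgrade/Connection pair is required for the
        # WebSocket handshake to pass through the proxy.
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host       $host;
        # Long-lived connection: don't let nginx's 60s default close it.
        proxy_read_timeout 3600s;
    }
}
```

With this in place certbot runs on the Debian host only (for example `certbot --nginx -d cerbo.example.com`), its renewal timer reloads nginx, and the Cerbo itself keeps its self-signed certificate untouched, so nothing on it needs to survive a Venus OS upgrade except whatever index.php change makes the GUI ask for wss in the first place. Check the proxy with `nginx -t` before reloading, and confirm in the browser's developer tools that the GUI's WebSocket is opened with a wss:// URL to port 9443 rather than ws:// to the Cerbo directly.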


4 comments

Christopher Durham commented ·
Thank you, matt. I certainly could do what you suggest, or even run certbot elsewhere and push the cert into the Cerbo, modifying the nginx config as I go.


It would be nice for Victron to have a native way to do this, hence my question.

matt1309 Christopher Durham commented ·
No worries. Thought I'd share as I had a headache working out the whole wss thing.


Suppose the other route is a VPN.

Or use their Victron cloud. That would be my only guess as to why they've not implemented some other solution already.


I agree would be really nice to have seamless solution though.

I suppose they might also be worried about securing it. Like if they let users who maybe haven't thought about it too much easily expose their power system to wider Internet.


Just guessing though. I have no idea really

jeroen ♦ commented ·

Hello @matt1309, I think you misunderstood what this user is asking. The index.php does support https / wss nowadays, but its certificate is self signed. Unfortunately certbot is a bloated piece of software.

matt1309 jeroen ♦ commented ·

I didn't realise they'd updated the index.php to use wss/SSL. I'm on v3 and it didn't work, so I had to edit it myself.


Surprised certbot with Let's Encrypt is seen as so heavy. Can't say I've noticed any issues running it on Pis (with a Debian-based OS, i.e. easily installed) in the past, but maybe you guys have systems far more optimised than anything I mess with.


Out of curiosity what is the optimised/light way of solving the problem?
