Uncategorized

Let’s Encrypt SSL/TLS certificates on Webfaction

You may have noticed lately that pages that aren’t secured with HTTPS are starting to show increasingly concerning browser icons and messages. I think this trend is set to continue until one day HTTP will no longer be supported. The problem (until recently) has been that getting a certificate that keeps web browsers happy (I mean the software, not the humans) meant purchasing one. For small personal sites this cost was enough to put most off using SSL/TLS. I don’t know the history of Let’s Encrypt but they look like a not-for-profit set up to facilitate free SSL/TLS certificates with the aim of securing the whole of the internet. This is a great idea, the only drawback for me being that setting up an HTTPS site with Webfaction and Let’s Encrypt is a serious pain. Luckily a few kind people have developed tools to help things along a bit. This is my setup which works well for the sites I manage (a couple of WP sites and a few Rails and Django apps, and my recently added IoT services).

The basic flow goes something like this:

  • Make an API call to Let’s Encrypt for a particular domain(s)
  • Let’s Encrypt sends back a key which you must make publicly available at the HTTP root of the domain
  • Let’s Encrypt tries to access the key, which proves to them that you are the manager for that domain
  • Let’s Encrypt sends you back the certificates and private key
  • You load these into Webfaction (through the UI or API)
  • Associate the certificate with a secured website in Webfaction
  • Renew this process every 90 days when the certificates expire.

YIKES!!!

  • Set up a static app in the Webfaction web control panel
  • Create an HTTP website and point it to the static app, add any domains that you wish to have as HTTPS to this app (they will be redirected to the secure site). You only need one app and website for all the domains you want to use with HTTPS.
  • Access Webfaction via SSH and change to the static app directory.
    • Create a .htaccess file with the following lines
    • RewriteEngine On
      RewriteCond %{HTTP:X-Forwarded-SSL} !on
      RewriteCond %{REQUEST_URI} !^/.well-known
      RewriteCond %{QUERY_STRING} !^/.well-known
      RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
    • This is basically forwarding any requests that arrive via HTTP to the same domain with HTTPS
    • It is also filtering off any requests with .well-known in them. They are used for the Let’s Encrypt domain validation process.
  • Install the acme.sh script which is going to help us get a valid Let’s Encrypt SSL certificate.
    • git clone https://github.com/Neilpang/acme.sh.git
      cd ./acme.sh
      ./acme.sh --install
  • Download the file called load_certs.py into the $HOME directory of your Webfaction account
    • cd $HOME
      wget https://github.com/tmcadam/webfaction-tools/load_certs.py
    • This script is used to load the newly created certs into Webfaction using its API.
  • Create environment variables.
    • Open up $HOME/.bashrc and add the following lines
      • export WEBFACTION_USER="username-here"
        export WEBFACTION_PASS="password-here"
        export WEBFACTION_MACHINE="Web###"
  • Run acme.sh script to create a certificate. Here is an example
    • acme.sh --issue \
      -d smartworldbox.com \
      -d www.smartworldbox.com \
      -d node-red.smartworldbox.com \
      -d mqtt.smartworldbox.com \
      -w /home/username/webapps/https_redirect/ \
      --reloadcmd ". $HOME/.bashrc && python2 $HOME/load_certs.py smartworldbox.com $HOME/.acme.sh/smartworldbox.com/"
    • This is creating a certificate for the listed domains and then loading them into Webfaction using its API. The really really cool thing is, this will renew the certificates for us every 60 days. So once you run the command once, you should be able to forget about it.
    • Make sure -w is pointing to the static app we created earlier.
    • The two parameters for the python script are the domain name (I think it needs to be the first one) and the folder location of the certificates. When the certificates are loaded to Webfaction they are named with the domain name (but the dots are converted to underscores)
    • Check out https://github.com/Neilpang/acme.sh for more info
  • Final step is to create secure HTTPS website records
    • This is done in the Webfaction control panel. Select the certificate that was just created (smartworldbox_com in this instance). Select the application that you want to secure (i.e. node-red).
    • Leave the other static app and website in place to handle certificate renewals and redirect HTTP traffic to this new secure site.
    • As I said before this whole process is a one off and the certificates should renew automatically every 60 days.
    • Go to the browser and you should see a nice little padlock beside your domain name 🙂
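
The .htaccess rules from the static app step above, modeled in Python as an added example (not code from the original post or from acme.sh), to show which plain-HTTP requests are redirected and which are served directly so that the Let’s Encrypt validation request gets through. The host name, token, the `X-Forwarded-SSL` proxy behaviour and the `STRICT` pattern are assumptions made for illustration.

```python
import re

# RewriteCond patterns copied verbatim from the .htaccess above.
SSL_ON = re.compile(r"on")
WELL_KNOWN = re.compile(r"^/.well-known")
# Assumption (not in the post): a tighter pattern with the dot escaped
# and limited to the ACME challenge directory.
STRICT = re.compile(r"^/\.well-known/acme-challenge/")


def route(host, uri, query="", forwarded_ssl=None, exempt=WELL_KNOWN):
    """Return ("serve", uri) or ("redirect", url) for one request.

    forwarded_ssl models the X-Forwarded-SSL header, assumed to be set
    to "on" by the front-end proxy for requests that arrived over HTTPS.
    """
    # RewriteCond %{HTTP:X-Forwarded-SSL} !on
    if SSL_ON.search(forwarded_ssl or ""):
        return ("serve", uri)
    # RewriteCond %{REQUEST_URI} !^/.well-known
    if exempt.search(uri):
        return ("serve", uri)
    # RewriteCond %{QUERY_STRING} !^/.well-known
    if exempt.search(query):
        return ("serve", uri)
    # RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
    # mod_rewrite appends the original query string by default.
    return ("redirect", "https://" + host + uri + ("?" + query if query else ""))


# Constructed sample requests; host and token are placeholders.
SAMPLES = [
    ("example.com", "/", "", None),
    ("example.com", "/blog/post", "page=2", None),
    ("example.com", "/.well-known/acme-challenge/TOKEN", "", None),
    ("example.com", "/", "", "on"),
    ("example.com", "/Xwell-known/x", "", None),  # "." matches any character
]

if __name__ == "__main__":
    for host, uri, query, ssl_hdr in SAMPLES:
        loose = route(host, uri, query, ssl_hdr)
        strict = route(host, uri, query, ssl_hdr, exempt=STRICT)
        print(uri, "| as written:", loose[0], "| strict:", strict[0])
```

The last sample is served over plain HTTP by the pattern as written, because the unescaped dot matches any character; the escaped pattern redirects it.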

Home Automation

Installing Node-RED on Webfaction

This is slightly counter-intuitive so thought I would share how I went about it. The main issue that caught me out was the standard node app in Webfaction doesn’t work with web sockets, and Node-RED uses web-sockets.

This guide assumes that you are pretty comfortable in the Webfaction control panel and using SSH to access your server. Their documentation is good if you need clarification on how any of these steps work.

    1. Go into the Webfaction control panel and create two new apps.
      • A node.js app
        • This one is going to run Node-RED and will install Node.js and NPM for us, making it very easy to install Node-RED. Leave port closed to external access.
      • A websockets custom app
        • This is the one that caught me out, and is needed to proxy web-sockets correctly to the node.js app. Make a note of the port number as we will need it later. Leave port closed to external access.
    2. In the Webfaction control panel create a new website.
      • Create an HTTP website with your Node-RED domain name and point it to the web-sockets app, not the Node.js app.
    3. Stop the default Node.js app from starting.
      • Access your account with SSH and type crontab -e
      • You should see a line restarting the Node.js app every 20 minutes, comment it out with a #
      • Change directory to your Node.js app
        • cd ~/webapps/node-red
        • export PATH=$PWD/bin/:$PATH
        • ./bin/stop
        • rm hello-world.js
    4. Install Node-RED
      • Presuming you are already in the Node.js app folder and have set the PATH variable (see above), enter the following command to install Node-RED
        • npm install -g --unsafe-perm node-red
        • If you type node-red -p 12345 (where 12345 is the port of the web-sockets application), Node-RED should start up and wait for connections.
        • If you go to your domain in a web browser (http only at this stage) you should see a working but very insecure Node-RED page, YAY!
        • If you want to test if web-sockets are working try the Creating your first flow tutorial from the Node-RED docs, you should see debug messages in the right hand pane when you hit the inject button.

Now we have a working application the next post will look at some basic configuration to secure it.

Uncategorized

What is ESP8266 and Wemos?

As I said in a previous post I was looking for a project to keep me busy for a few weeks while I have been separated from my regular tool-kit and components collection. I had been giving some thought to IoT/smart home related projects so decided to focus on that area. A bit of searching got me onto ESP8266 chips and some related boards.

What is ESP8266?

Basically it’s a programmable system-on-chip (SOC), like an Arduino but with built in WiFi and heaps of memory.

  • they have built in WiFi
  • they have a ton of memory compared to the Arduino boards (well the small ones anyway, like Nano and Pro)
  • they have a bunch of pins to connect to sensors, displays etc.
  • they are cheap
  • they are tiny
  • you have a few choices for development tools
    • Arduino IDE (C++)
    • NodeMCU using Lua – That’s what I am using in this blog
    • MicroPython
    • AT commands
    • ???? Probably more I don’t know about
  • they are shiny

Home Automation

Home Automation – Introduction

Having recently got massively interested in the Internet of Things (IoT), smart homes and home automation, I decided to blog some of the gadgets I have been playing with and some more general thinking on home automation, like privacy and security. Previously just a buzzword I didn’t really understand, I have been giving the IoT a lot of thought lately and am excited to be sharing what I have learned so far and hearing what other people think about this rapidly developing area.

Some topics I intend to blog on:

  • What is ESP8266 and the Wemos prototyping system
  • Setup the Wemos DHT22 shield with NodeMCU and Lua
  • Setup the Wemos relay shield with NodeMCU and Lua
  • MQTT and Mosquitto
  • Publishing temperature and humidity detail via MQTT
  • Switching something/anything on with a relay and MQTT
  • Android App – MQTT Dash
  • MQTT vs Blynk

I guess this blog has come about as I have been separated from my regular ‘makers’ tool kit (it’s all in a couple of boxes in Seoul, South Korea), so I was looking for a little project to keep me busy for a couple of weeks… without needing many tools. It should therefore be a useful guide for someone wanting to get started in embedded programming and IoT with a minimum of fuss.

 

© 2018 SmartWorldBox. All rights reserved.