Securing Let's Encrypt SSL keys in AIO install: or how not to -R 777?

I followed this guide to set up DuckDNS and Let's Encrypt SSL keys, however, in this step it says:

“Type sudo chmod -R 777 /etc/letsencrypt to allow homeassistant to read the certificates.”

I’m certain this is not a good idea. Reading some of the comments on the reddit thread and elsewhere, it seems like the best approach would be to move the keys into the homeassistant virtual environment and chown them to the homeassistant user rather than open them up to anyone on the Pi. Unfortunately that’s a little over my head. I think the guide would really benefit the community more if someone could add some clear instructions (aimed at linux rookies) on how to manage the keys safely in the context of the Pi AIO installation.

Another point of confusion for many seems to revolve around internal and external DNS conflicts, trying to access the front end from home and away. It would be excellent to add some info on setting up our routers to deal with this.

Any linux power users care to chime in? Thanks

For routers there are too many to just put a guide on here for. What you want to look into is either:

A) NAT Loopback (aka NAT hairpining, NAT reflection)
I personally avoided this because it looked to me like I would either have to SSH into my DD-WRT router or enter the commands on every boot, and option B below was easy
B) Add a DNSMasq entry pointing to your server IP

Google those and see if either is available on your router of choice. If not, then your next two options are to:
A) either put dd-wrt on it (or open-wrt, tomato, whatever flavor of open source you want really) and use it there.
B) Buy a new router

I’m not sure about Let’s Encrypt (I’ve only used it a short time), but I believe that you will either need to automate changing privileges or manually update them every 3 months. Neither of which I want to do. Either way, I don’t believe I had to do a chmod -R 777 /etc/letsencrypt, since I believe the public/private keys are accessible to anyone by default with 444 privileges.


Thanks for your help, I got it working. For any searchers ending up on this thread, here’s what I found:

I’m running a Ubiquiti EdgeRouter X. Getting to ‘https://example.duckdns.org:8123’ from the internal network was as simple as logging into the router, clicking “Firewall/NAT”, checking “Enable hairpin NAT”, and clicking “apply”.

Now I have one home screen bookmark on my iPhone that works at home or away!

As for the SSL keys, the default privileges that are generated when the keys are made will not work for AIO installs. You will need to change permissions or change ownership to get them working. What I did was make a copy of the keys into the homeassistant virtual environment, created a group called ‘hass’ with homeassistant and pi as users, then chown’d the keys to homeassistant:hass. Here’s how:

Copy Keys into homeassistant virtual environment:

sudo cp -R /etc/letsencrypt /home/homeassistant/.homeassistant/letsencrypt/

Create new group called ‘hass’ with users ‘homeassistant’ and ‘pi’:

sudo groupadd hass
sudo usermod -aG hass pi
sudo usermod -aG hass homeassistant

Give ownership of SSL keys to homeassistant:hass (I did the whole ‘live’ and ‘archive’ folders because I read other posters doing that)…no idea if that’s best practices:

sudo chown -R homeassistant:hass /home/homeassistant/.homeassistant/letsencrypt/live/
sudo chown -R homeassistant:hass /home/homeassistant/.homeassistant/letsencrypt/archive/

Add SSL keys to home assistant config:

http:
  ssl_certificate: /home/homeassistant/.homeassistant/letsencrypt/live/example.duckdns.org/fullchain.pem
  ssl_key: /home/homeassistant/.homeassistant/letsencrypt/live/example.duckdns.org/privkey.pem

Log into router and forward external 443 to internal 8123 on host IP
Test that it worked by visiting from outside network: https://hass-example.duckdns.org:8123
Test that it worked by visiting from inside network: https://192.168.1.111:8123

After setting up NAT hairpin or DNSMasq on your router, test that duckdns address works inside the network. All set!

Some tips on what I did. You do not need to chmod 777 you just need to give the user running hass perms to these 2 folders. All the other read only perms were already setup by Letsencrypt when you initially created your certs.

sudo chown homeassistant:homeassistant /etc/letsencrypt/archive/ /etc/letsencrypt/live/

As for the port forwarding, what I’ve done on my router is forward ports 80 and 8123 to my Pi. I keep hass running/listening on port 8123, which is how I access it externally; I just bookmark the URL, e.g. https://hass.example.com:8123. I leave 80 forwarded, but nothing is listening on that port until I renew my Letsencrypt cert. That means if someone tries to connect on port 80 they get nothing. When my Letsencrypt fires up to renew the cert it uses standalone mode and listens on that already forwarded port 80 to authenticate. When that finishes the Letsencrypt program ends and again nothing is listening on port 80. Fairly elegant I think.