11 Replies Latest reply on May 22, 2017 6:56 AM by Bhavik Bhansali

    Raspberry Pi SSL Server

    abhijitnathwani

      Hello,

       

      We have set up a Raspberry Pi webserver as a part of our project we are working on. The domain and IP have all been routed accordingly. Now we want to implement SSL security with the domain. The little green padlock is what we want to achieve.

       

      P.S.: We have a free domain name so the service provider for domain won't help much.

       

      Could anyone please guide us on how to implement this on RPi?

       

      Abhijit

        • Re: Raspberry Pi SSL Server
          balearicdynamics

          Hello Abhijit,

          As the Raspberry Pi supports Raspbian, which is a Debian distribution, I suggest installing openssl over apache; there is also the advantage that you have all open source components and with openssl installed you can create the self-certificate. This will give you the ssl behaviour to your webserver without the need to manage an expensive certificate authority.

          There is a well described tutorial on how to set up openssl and the self-certificate over apache in Debian in the Debian wiki at the following link: https://wiki.debian.org/Self-Signed_Certificate

           

          Hope this can be helpful.

           

          Enrico

          1 of 1 people found this helpful
            • Re: Raspberry Pi SSL Server
              Roger Wolff

              On top of that, I would suggest you look into "letsencrypt".

               

              What Enrico suggests will give you a "self-signed" certificate: People who are passively intercepting the data between you and your users will not be able to see the content. But someone who can actively intercept the traffic can create his own self-signed certificate and pretend to be you (and then decrypt and re-encrypt the traffic to your server, peeking at the content when it is decrypted). That's why there will be a padlock, but red in the URL bar....

               

              letsencrypt will give you a free "official" certificate, resulting in the green padlock.

              6 of 6 people found this helpful
                • Re: Raspberry Pi SSL Server
                  balearicdynamics

                  Great suggestion Roger. I will investigate and adopt it asap

                   

                  Thank you. Enrico

                  • Re: Raspberry Pi SSL Server
                    gadget.iom

                    On top of that, I would suggest you look into "letsencrypt".

                    +1

                    Came here with the same suggestion. But you beat me to it.

                    • Re: Raspberry Pi SSL Server
                      abhijitnathwani

                      Hello Roger. Thank you for the suggestion. As per your suggestion, I looked into Let's Encrypt and followed a few tutorials out there. However, I was facing some error "404. Could not find some file" in the acme-challenge folder. If you have worked on Let's Encrypt on RPi, please do help me here.

                      I am going away for a long weekend. I do not have the RPi with me as of now. I'll post the error messages once I'm back to work. Let me know if you could resolve them.

                       

                      Abhijit

                        • Re: Raspberry Pi SSL Server
                          Roger Wolff

                          I am terribly sorry, but I have not personally installed the letsencrypt stuff. A colleague suggested letsencrypt for my site a while back, and I'm in the fortunate position to be able to make him volunteer for the job of actually implementing it. And from what I hear, it's not that hard.

                           

                          Still, usually on Linux you get reasonable error messages. That means that if letsencrypt is looking for a file on YOUR server and gets a 404, you can look in the logfile to see their request to your webserver, and the server will log something to the effect that file XXX/YYY/ZZZ.html was not found.

                           

                          If on the other hand, you are getting a 404 somewhere else, you need to look into what URL was requested, and why it is now "gone". Maybe start back at the homepage?
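
One way to do the logfile check described in the reply above, as an added example that is not from any poster in this thread: it lists challenge requests under `/.well-known/acme-challenge/` that Apache answered with 404 and checks whether the requested file exists under the webroot. The log lines, tokens and addresses are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: triage 404s on ACME HTTP-01 challenge requests in an Apache access log.

# Constructed sample lines in Apache "combined" format (not taken from the thread).
sample_log() {
cat <<'EOF'
203.0.113.10 - - [19/May/2017:10:01:02 +0000] "GET /.well-known/acme-challenge/TOKEN_A HTTP/1.1" 404 512 "-" "constructed-validator/1.0"
203.0.113.11 - - [19/May/2017:10:01:03 +0000] "GET /.well-known/acme-challenge/TOKEN_A HTTP/1.1" 404 512 "-" "constructed-validator/1.0"
203.0.113.10 - - [19/May/2017:10:05:40 +0000] "GET /.well-known/acme-challenge/TOKEN_B HTTP/1.1" 200 87 "-" "constructed-validator/1.0"
198.51.100.7 - - [19/May/2017:10:06:00 +0000] "GET /favicon.ico HTTP/1.1" 404 498 "-" "Mozilla/5.0"
EOF
}

# Print each distinct challenge path that was answered with 404.
# Whitespace-split fields: $7 = request path, $9 = status code.
# Only base64url-style token names are accepted, so odd paths in the log are ignored.
acme_not_found() {
    awk '$9 == 404 && $7 ~ /^\/\.well-known\/acme-challenge\/[A-Za-z0-9_-]+$/ && !seen[$7]++ { print $7 }' "$1"
}

# For each 404'd challenge path, report whether the file exists under WEBROOT ($2).
#   missing: the ACME client never wrote it there (wrong webroot given to the client)
#   present: the file is on disk, so Apache serves another directory or blocks the path
check_webroot() {
    acme_not_found "$1" | while IFS= read -r path; do
        if [ -f "$2$path" ]; then echo "present $path"; else echo "missing $path"; fi
    done
}

# Demo on the constructed data with an empty temporary webroot.
demo() {
    tmp=$(mktemp -d) || return 1
    sample_log > "$tmp/access.log"
    mkdir -p "$tmp/www/.well-known/acme-challenge"
    check_webroot "$tmp/access.log" "$tmp/www"
    rm -rf "$tmp"
}
demo
```

On a real server, pass the Apache access log and the site's DocumentRoot to `check_webroot` instead of the temporary files; a `present` result while validation is in progress points at the Apache configuration rather than at the ACME client.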

                            • Re: Raspberry Pi SSL Server
                              abhijitnathwani

                              rew, Thank you for the suggestions. Let's Encrypt was a savior and finally achieved the 'green padlock' for the domain.

                               

                              For the errors I was facing, I had already tweaked the Apache configuration many times to achieve the padlock and tried many different ways to generate the certs. So removing Apache and setting it up again helped me resolve it. I was then able to successfully generate certificates using Let's Encrypt.

                               

                              If anybody needs the guide, let me know, I'll create a blog post.

                               

                              Abhijit.

                        • Re: Raspberry Pi SSL Server
                          abhijitnathwani

                          balearicdynamics  Thank you for the insights. I'll look into it

                           

                          Abhijit

                        • Re: Raspberry Pi SSL Server
                          Problemchild

                          Rather than self-sign, you need to create your own CA and use that to sign your SSL cert.

                          You use the cert as per a commercial or self-generated one.

                          However, if you want the green lock you need to put the public cert of the CA into the directory where the PUB certs of the commercially accepted SSL vendors are kept for your browser or other application.

                           

                          John A

                            • Re: Raspberry Pi SSL Server
                              Roger Wolff

                              John, Around five years ago, they charged like $50 per year for a fully signed certificate. A few years ago, that dropped to around $10 per year. If you're actually using it (on a small scale) that became "worth it" for me. But nowadays, letsencrypt has automated the whole procedure, and does the whole thing for free.

                               

                              So you're not saving $50 per year, and not even $10 per year by going the self-signed, with own-root-authority route. Just get a letsencrypt certificate. Might take a bit more trouble to set up in the beginning, but then all clients suddenly have the green icon without having to install the self-signed root certificate on all of them.

                              2 of 2 people found this helpful