Let's Encrypt TLS certificate configuration for the Turris Omnia
LICENSE.txt
README.md
allow-port-80.gw
cert-issue.sh
cert-renew.sh
lighttpd_custom.conf
post-hook.sh
pre-hook.sh
reloadcmd.sh
renew-hook.sh

README.md

Let's Encrypt Certificates for Turris Omnia

This config utilises the Acme.sh client to issue a Let's Encrypt certificate for use with the Turris Omnia web interface.

Adapted in part from the instructions at https://doc.turris.cz/doc/en/public/letencrypt_turris_lighttpd for improved security and simplicity.

Key features

  • Uses Acme.sh client for free TLS certificates.

  • Uses hook scripts to simplify issue and renewal process

  • Automatically formats certificates for lighttpd

  • Reloads lighttpd to deploy certificates

  • Adds TLS improvements to lighttpd following Mozilla's config generator.

  • Opportunistically opens and closes firewall port 80 on Turris Omnia

  • Runs lighttpd on an HTTP port other than 80. This avoids having to stop and start lighttpd for each challenge, and it also avoids inadvertently exposing the UI to the public Internet while the firewall port is opened and closed.

    • HSTS covers the odd case where you forget (or can't be bothered) to type https:// at the start of the URL. Load the https:// URL once and your browser will remember it for you.

Installation

  1. Download this project:

    opkg install git-http
    git clone https://github.com/davidjb/turris-omnia-tls.git /root/turris-omnia-tls
    
  2. Determine the latest version of acme.sh by checking https://github.com/Neilpang/acme.sh/releases. Note the release version (which is the tag name); you'll use it in the next step, substituting it for [VERSION].

  3. Install acme.sh client and its dependency, socat:

    opkg install socat
    git clone https://github.com/Neilpang/acme.sh.git -b [VERSION] /root/acme.sh
    cd /root/acme.sh
    ./acme.sh --install --nocron
    
  4. Disable the existing SSL configuration:

    mv /etc/lighttpd/conf.d/ssl-enable.conf /etc/lighttpd/conf.d/ssl-enable.conf.disabled
    
  5. Lighttpd needs to stop listening on port 80, so modify /etc/lighttpd/lighttpd.conf to comment out this line:

    $SERVER["socket"] == "[::]:80" {   }
    

    Note that the custom configuration added later changes the IPv4 port as well.

  6. Stop lighttpd; we will enable it again shortly:

    /etc/init.d/lighttpd stop
    
  7. Issue the certificate and reconfigure lighttpd:

    /root/turris-omnia-tls/cert-issue.sh domain.example.com
    
    cp /root/turris-omnia-tls/lighttpd_custom.conf /etc/lighttpd/conf.d/
    # Edit this file and replace `domain.example.com` with your FQDN
    sed -i 's/domain.example.com/your.domain.com/g' /etc/lighttpd/conf.d/lighttpd_custom.conf
    
    /etc/init.d/lighttpd start
    
  8. Add crontab entry for renewal; pick a random minute and hour:

    echo '34 0 * * * /root/turris-omnia-tls/cert-renew.sh > /dev/null' >> /etc/crontabs/root
    

    The renewal process will automatically re-use the settings for certificates that were issued.
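    Two of the steps above are easy to get wrong silently: step 5 (if the port-80 socket line is not actually commented out, the firewall hook will expose the UI while port 80 is open) and step 8 (re-running the echo schedules the renewal twice). The following helper script is an added example, not part of the turris-omnia-tls project; it takes the config and crontab paths as parameters, and the sample config it builds for its own demo is constructed, not copied from the router.

```shell
#!/bin/sh
# Added post-install checks for the procedure above (example code, not part
# of the turris-omnia-tls project). Assumed inputs: the path to lighttpd.conf
# and the path to root's crontab file; pass the real paths on the router.

# Return 0 if no active (uncommented) port-80 socket block remains in the
# given lighttpd config, 1 if one is still enabled. Matches both the IPv6
# form "[::]:80" from step 5 and a plain ":80" listener. Lines starting with
# '#' do not match, because the pattern is anchored at the first '$'.
port80_disabled() {
    conf="$1"
    if grep -Eq '^[[:space:]]*\$SERVER\["socket"\][[:space:]]*==[[:space:]]*"(\[::\])?:80"' "$conf"; then
        return 1
    fi
    return 0
}

# Append a crontab line only if an identical line is not already present,
# so re-running the installation does not schedule the renewal twice.
# Returns 0 if the line was added, 2 if it already existed.
add_cron_once() {
    crontab_file="$1"
    entry="$2"
    if [ -f "$crontab_file" ] && grep -Fxq "$entry" "$crontab_file"; then
        return 2
    fi
    printf '%s\n' "$entry" >> "$crontab_file"
    return 0
}

# Print how many times the renewal job is scheduled; more than one means
# overlapping acme.sh runs and duplicate firewall open/close hooks.
renew_job_count() {
    crontab_file="$1"
    if [ ! -f "$crontab_file" ]; then
        echo 0
        return 0
    fi
    grep -c 'turris-omnia-tls/cert-renew.sh' "$crontab_file" || true
}

# Stand-alone demo on a constructed config that still has the port-80
# listener from step 5 enabled (this is sample data, not the real file).
run_demo() {
    demo_conf=$(mktemp)
    printf '%s\n' 'server.port = 8080' '$SERVER["socket"] == "[::]:80" {   }' > "$demo_conf"
    if port80_disabled "$demo_conf"; then
        echo "port 80 listener is disabled"
    else
        echo "WARNING: lighttpd still listens on port 80; finish step 5 first"
    fi
    rm -f "$demo_conf"
}
run_demo
```

    On the router you would call `port80_disabled /etc/lighttpd/lighttpd.conf` before starting lighttpd again, and replace the echo in step 8 with `add_cron_once /etc/crontabs/root '34 0 * * * /root/turris-omnia-tls/cert-renew.sh > /dev/null'` so the entry is only ever added once.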

Issuing more certificates

Run the following:

/root/turris-omnia-tls/cert-issue.sh extra.example.com

Note that this will automatically configure the relevant hooks to run before and after certificate issuance. If you want to adjust this behaviour, you can either copy and customise the command inside cert-issue.sh before you run it the first time, or modify the configuration that acme.sh generates in /etc/lighttpd/certs/extra.example.com/extra.example.com.conf, where extra.example.com is the name of your domain.

License

MIT. See LICENSE.txt.