Tuesday, June 28, 2022

Raspberry Pi SSL Certificates using Let’s Encrypt

This Raspberry Pi SSL certificate project will walk you through the steps to installing and setting up the Let’s Encrypt Certbot client on the Pi.

Raspberry Pi SSL with Let’s Encrypt

This Certbot client allows the user to grab an SSL certificate from Let’s Encrypt by either utilizing your web server or running a temporary server.

Let’s Encrypt is the best way to easily obtain a secure and certified SSL certificate for your Raspberry Pi completely free.

Before you get started with setting up SSL on your Raspberry Pi, make sure that you have a domain name already set up and pointed at your public IP address, as Let’s Encrypt will not issue a certificate for a bare IP address.

If you are using Cloudflare as your DNS provider, make sure you have the DNS record set to bypass Cloudflare’s proxy. The proxy hides your real IP address, so Let’s Encrypt’s validation will not reach your Raspberry Pi and the certificate request will fail.

Below are all the bits and pieces that I used for setting up Let’s Encrypt SSL on my Raspberry Pi. You also will need an internet connection to be able to complete this tutorial.

This tutorial on acquiring an SSL Certificate was last tested on Raspberry Pi OS Bullseye and the Raspberry Pi 3.

Installing and Running LetsEncrypt

1. Before we set up Let’s Encrypt on our Raspberry Pi, we should first ensure everything is up to date.

We can do this by running the following two commands.

sudo apt update
sudo apt upgrade

2. Now we can go ahead and install the actual LetsEncrypt software to our Raspberry Pi by running one of the following commands.

This piece of software is called “Certbot”. If you are running Apache, you can install the Certbot module for it; otherwise, install the standard version of Certbot.

Apache

sudo apt install python3-certbot-apache

Everything Else

sudo apt install certbot

3. With Certbot finally installed, we can proceed with grabbing an SSL certificate for our Raspberry Pi from Let’s Encrypt. There are a couple of ways of handling this.

If you are not using Apache, you can skip this step. If you are using Apache, the easiest way of grabbing a certificate is by running the command shown below; it will automatically obtain the certificate and write it into Apache’s configuration.

Before you do that, you will first have to make sure port 80 and port 443 are port forwarded. Also, if you are using Cloudflare as your DNS provider, you will need to temporarily bypass it as it hides your real IP address.

certbot --apache

4. If you are not running Apache, there are two different ways we can go about grabbing a certificate from Let’s Encrypt. Thanks to the Certbot software, we can grab the certificate using its standalone Python web server.

Alternatively, if you are running another web server such as NGINX, we can utilize that to grab the certificate instead. Though you will have to set up the certificate in that web server manually once it has been grabbed.

Go to step 5a if you are not running another web server, otherwise go to step 5b.

5a. Utilizing the standalone built-in web server is incredibly easy, though first you will have to make sure port 80 is unblocked and forwarded to the Pi, and that nothing else on the Pi is already listening on it. Make sure you replace example.com with the domain name you intend on utilizing.

certbot certonly --standalone -d example.com -d www.example.com

5b. Using webroot requires a bit more knowledge than using the built-in web server. Make sure /var/www/example points to a working website directory that can be reached from the internet over plain HTTP. Also, make sure to replace example.com with the domain name you are using for your website.

certbot certonly --webroot -w /var/www/example -d example.com -d www.example.com

6. After running these commands, you will be prompted to enter some details, such as your email address. These details are required for Let’s Encrypt to keep track of the certificates it provides and also allow them to contact you if any issues arise with the certificate.

Once you have filled out the required information, it will proceed to grab the certificate from Let’s Encrypt.

If you run into any issues, make sure you have a valid domain name pointing at your IP, make sure port 80 and port 443 are not blocked. Finally, if you are using Cloudflare as your DNS provider, ensure that you have the DNS currently set to bypass the proxy servers.

The certificates that are grabbed by the Certbot client will be stored in the following folder (swap out example.com for your own domain name).

/etc/letsencrypt/live/example.com/

You will find both the full chain file (fullchain.pem) and the certificate’s private key file (privkey.pem) within this folder. Make sure you don’t allow others to access these files, as they are what keep your SSL connection secure and identify it as a legitimate connection.
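Before pointing a web server at these files, it is worth checking them. The shell function below is an added example that is not from the original tutorial; it uses the openssl command-line tool to confirm that privkey.pem is not readable by other users, that the private key actually matches the leaf certificate in fullchain.pem, that the certificate lists the domain you intend to serve, and that it has more than 30 days of validity left. The directory and domain arguments shown in the usage comment are assumptions; pass your own.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: sanity-check the files
# certbot placed under /etc/letsencrypt/live/<domain>/ before a web server
# uses them. Needs the openssl CLI (installed by default on Raspberry Pi OS).
#
# Usage: check_live_dir /etc/letsencrypt/live/example.com example.com
# Returns 0 when every check passes, 1 otherwise, with the reason on stderr.
check_live_dir() {
    dir="$1"
    domain="$2"
    cert="$dir/fullchain.pem"
    key="$dir/privkey.pem"

    [ -r "$cert" ] || { echo "missing or unreadable: $cert" >&2; return 1; }
    [ -r "$key" ]  || { echo "missing or unreadable: $key" >&2; return 1; }

    # 1. The private key must not be readable by group or others.
    #    -L follows the symlink certbot leaves in live/ to the real file.
    if find -L "$key" \( -perm -g+r -o -perm -o+r \) | grep -q .; then
        echo "private key $key is readable by other users; run: chmod 600 $key" >&2
        return 1
    fi

    # 2. The public key inside the leaf certificate (the first PEM block of
    #    fullchain.pem) must be the one derived from privkey.pem.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -pubout | openssl sha256)
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "privkey.pem does not match fullchain.pem" >&2
        return 1
    fi

    # 3. The domain we intend to serve must appear in the SAN list.
    if ! openssl x509 -in "$cert" -noout -text \
         | grep -qE "DNS:$domain(,|\$)"; then
        echo "certificate does not cover $domain" >&2
        return 1
    fi

    # 4. Let's Encrypt certificates last 90 days; flag anything with under
    #    30 days left, which is when certbot's timer is expected to renew.
    if ! openssl x509 -in "$cert" -noout -checkend $((30 * 24 * 3600)) >/dev/null; then
        echo "certificate expires within 30 days" >&2
        return 1
    fi

    openssl x509 -in "$cert" -noout -subject -enddate
    return 0
}

# Run directly as: sh check_live_dir.sh <dir> <domain>
if [ "$#" -eq 2 ]; then
    check_live_dir "$1" "$2"
fi
```

Run it as root (the live/ directory is only readable by root). A mismatch in check 2 usually means a stale copy of one file was made by hand; a failure in check 3 means the -d flags given to Certbot did not include the name your web server will answer for.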

With the files now successfully grabbed you can proceed to set up any piece of software you need to use them. For instance, if you wanted to setup NGINX to utilize the SSL certificates then follow our Raspberry Pi SSL Nginx guide below.

Using your new SSL Certificate with NGINX

1. Begin by opening your NGINX configuration file. These are typically stored in /etc/nginx/ or /etc/nginx/sites-available/.

Once you have found your configuration file, open it up using your favorite text editor; mine, for instance, is nano. Once you are within the file, search for a text block like the one displayed below.

Make sure you swap out our example.com with the domain name that you are using.

server {
        listen 80 default_server;
        listen [::]:80 default_server;

        root /usr/share/nginx/html;
        index index.html index.htm;

        server_name example.com;

        location / {
                try_files $uri $uri/ =404;
        }
}

2. To this block of code, we will need to make some changes. Follow our steps and read our explanations of why we are making the change below.

Find

listen [::]:80 default_server;

Add Below

listen 443 ssl;

This change tells NGINX to start listening on port 443. Port 443 is important as it is the port that handles HTTPS/SSL traffic and will be the port web browsers try to connect over when using https://.

Find

server_name example.com;

Add Below

ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

This change tells NGINX where to find our certificate files. It will use these to set up the SSL/HTTPS connection.

The private key secures the actual connection. Only your server should be able to read this file, and it must be kept secure; otherwise, someone who obtained it could impersonate your server and intercept and decrypt your traffic.

The fullchain contains all the information needed to talk with the server over the HTTPS connection. It also contains the information needed to verify it is a legitimately signed SSL file.

3. With all those changes done, you should end up with something similar to what is displayed below. Of course, make sure you replaced example.com with your domain name.

Once you are satisfied that you have entered the new data correctly, you can save and quit out of the file and then restart NGINX so it loads in the new configuration.

server {
        listen 80 default_server;
        listen [::]:80 default_server;

        listen 443 ssl;

        root /usr/share/nginx/html;
        index index.html index.htm;

        server_name example.com;

        ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

        location / {
                try_files $uri $uri/ =404;
        }
}

4. You should now have a fully operational HTTPS connection for your NGINX web server utilizing the certificate we generated with Let’s Encrypt.
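As an added example that is not from the original guide, the shell functions below generate a finished server block for a domain instead of editing the default site by hand, and go a little beyond the tutorial’s version: they add the matching IPv6 listener on 443, keep a separate port-80 server that only redirects to HTTPS, restrict NGINX to TLS 1.2 and 1.3, and run nginx -t before reloading so that a typo cannot take the site down. They assume the Debian layout that Raspberry Pi OS uses (/etc/nginx/sites-available and sites-enabled) and the Certbot paths from earlier in this guide; the domain and webroot are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original tutorial. Renders a complete NGINX
# site for one domain using the certbot files from
# /etc/letsencrypt/live/<domain>/, then installs it the Debian way and
# reloads NGINX only if the configuration passes "nginx -t".
#
# Usage: render_nginx_site example.com [/path/to/webroot]
#        install_nginx_site example.com   (run as root)

render_nginx_site() {
    domain="$1"
    webroot="${2:-/usr/share/nginx/html}"
    live="/etc/letsencrypt/live/$domain"
    # Backslash-escaped $host, $request_uri and $uri are left for NGINX;
    # the unescaped variables are filled in by the shell.
    cat <<EOF
# Port 80: serve nothing but a redirect to HTTPS. Let's Encrypt follows
# this redirect, so HTTP-01 renewals with --webroot keep working as long
# as the -w directory given to certbot is the same root used below.
server {
    listen 80;
    listen [::]:80;
    server_name $domain www.$domain;
    return 301 https://\$host\$request_uri;
}

# Port 443: the real site, using the Let's Encrypt certificate and key.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name $domain www.$domain;

    ssl_certificate     $live/fullchain.pem;
    ssl_certificate_key $live/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;

    root $webroot;
    index index.html index.htm;

    location / {
        try_files \$uri \$uri/ =404;
    }
}
EOF
}

install_nginx_site() {
    domain="$1"
    site="/etc/nginx/sites-available/$domain"
    render_nginx_site "$domain" > "$site"
    ln -sf "$site" "/etc/nginx/sites-enabled/$domain"
    # nginx -t parses every config file and also opens the certificate and
    # key, so a wrong path or a mismatched pair is caught before the reload.
    if nginx -t; then
        systemctl reload nginx
    else
        echo "config test failed; $site left in place, NGINX not reloaded" >&2
        return 1
    fi
}
```

Two renewal caveats go with this. Let’s Encrypt certificates expire after 90 days and the certbot package installs a systemd timer that renews them, but NGINX keeps the old certificate in memory until it is reloaded, so put an executable one-line script containing `systemctl reload nginx` in /etc/letsencrypt/renewal-hooks/deploy/, which Certbot runs after every successful renewal. And if you obtained the certificate with --standalone, renewal needs port 80 free, which it will not be while NGINX is running; either obtain it again with --webroot so future renewals use that method, or give certbot --pre-hook and --post-hook commands that stop and start NGINX around the renewal.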

You should now hopefully have a fully validated SSL certificate provided to you by Let’s Encrypt. You will find this tutorial pretty handy across a wide range of projects, especially the server-based Raspberry Pi projects.

Hopefully, you have found this Raspberry Pi SSL tutorial helpful, if you have any issues or feedback feel free to leave a comment below.

Source: https://pimylifeup.com/raspberry-pi-ssl-lets-encrypt/
