Private network setup running on Arduino


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: franklynam.com

I ran this command:

It produced this output:

My web server is (include version): ESP8266

The operating system my web server runs on is (include version): ESP8266

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

Hi there,

I have a question about how LetsEncrypt handles an authenticator validation and then how the resultant certs can be subsequently used. I am trying to set up an SSL web server on an ESP8266 Arduino variant board. I can get this working using a self-signed cert but this is no good to me because all browsers nowadays by default block access to web servers delivered via self-signed SSL links.

My question is, is it possible to create a LetsEncrypt cert using certbot and associate it with a Domain A that I own - I can run the certbot command on a machine that is pointed to by Domain A - and then take this cert and use it as the cert for the Arduino web server? I have a DNS server running on the Arduino that can be set up to point Domain A to the address of the Arduino.

Does that make sense? Any help would be greatly appreciated.

Thanks,
Frank


#2

Sure… That’s fine.

You could use the certificate anywhere you would like to use… (Just make sure it is not leaked so no one else could use your certificate)

Thank you


#3

Thanks Steven. So, is this the way SSL Trust works for a browser?

- Browser 1 requests a page from example.com on port 443.

- The DNS server points example.com to 192.168.0.1.

- Browser 1 gets the SSL cert from the web server at 192.168.0.1. It checks that the cert is registered to example.com and that its parent CA is trusted.

- If Browser 1 is satisfied, it downloads and displays the site without warnings.

i.e. the SSL cert is not tied to any IP address?

Thanks,

Frank


#4

The cert is not tied to any IP address at all. It can be used on any IP address and can be used on more than one server at once if necessary. Indeed, the browser just checks whether the name on the certificate matches the name of the service that the browser is trying to access, without regard to what IP address was used to reach that service (or even whether it was reached via an IP address at all—for example, with a SOCKS proxy there is no remote IP address visible to the browser).

One thing to consider when using the certificate on your Arduino is that Let’s Encrypt certificates are only valid for 90 days (possibly shorter times at some point in the future), so you’ll also need a plan for getting new certificates onto the device before the old ones expire.
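The two checks described in this reply, as an added example that is not code from the thread: name matching against the certificate's subjectAltName entries in the dict shape Python's ssl getpeercert() returns (the resolved IP never enters the decision), plus a days-to-expiry check for the 90-day lifetime. DEMO_CERT is a constructed stand-in, not a real certificate, and the 30-day renewal window is assumed here as certbot's default rather than something stated in the thread.

```python
from datetime import datetime
from ipaddress import ip_address

# Constructed cert in the shape ssl.SSLSocket.getpeercert() returns (not a real cert).
DEMO_CERT = {
    "subject": ((("commonName", "franklynam.com"),),),
    "subjectAltName": (("DNS", "franklynam.com"), ("DNS", "*.franklynam.com")),
    "notAfter": "Jun 15 12:00:00 2024 GMT",
}


def _dns_match(pattern, hostname):
    """RFC 6125-style match: exact name, or a single leftmost wildcard label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        labels = hostname.split(".")
        return len(labels) > 1 and ".".join(labels[1:]) == pattern[2:]
    return False


def name_matches(cert, requested_host):
    """True if the name typed in the URL is covered by the cert's SAN list.
    The address the DNS answer resolved to plays no part in this decision."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ip_address(requested_host)
    except ValueError:
        return any(k == "DNS" and _dns_match(v, requested_host) for k, v in sans)
    # A bare IP in the URL only matches an explicit iPAddress SAN entry,
    # which is why browsing to https://192.168.0.1 would still warn.
    return any(k == "IP Address" and ip_address(v) == ip for k, v in sans)


def days_until_expiry(cert, today):
    """Whole days left before notAfter; today is given as 'YYYY-MM-DD' (UTC)."""
    not_after = datetime.strptime(cert["notAfter"], "%b %d %H:%M:%S %Y GMT")
    return (not_after - datetime.strptime(today, "%Y-%m-%d")).days


def needs_renewal(cert, today, window_days=30):
    """Flag the device for a new cert once fewer than window_days remain (assumed certbot default)."""
    return days_until_expiry(cert, today) < window_days


if __name__ == "__main__":
    for host in ("franklynam.com", "www.franklynam.com", "192.168.0.1", "example.com"):
        print(f"{host:>22}: {'ok' if name_matches(DEMO_CERT, host) else 'NAME MISMATCH'}")
    print("days left on 2024-05-01:", days_until_expiry(DEMO_CERT, "2024-05-01"))
```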


#5

Thanks Schoen. That’s very clear. And yes, your point about the 90 days expiration is well made. I wonder how much work would be involved in writing a cert renew function for the ESP8266. Would you know of a good resource that explains the cert renew process?


#6

The cert renewal process basically just involves requesting a new certificate. Most existing clients support it; the more complicated part is typically remembering the settings that need to be used to obtain the certificate and also deciding when to request the new certificate and where to save it.

Assuming you’re obtaining the certificate using a device other than the Arduino, could you use that device for renewals as well? It seems like running a full client on an Arduino might be a lot of effort.


#7

That’s an interesting idea - to use an intermediary system to handle the certs. Food for thought.

Thanks again,
Frank

