I am developing an IoT device that exposes its own access point and shows a web page for configurations.
I bought the primary domain mydomain.com and I want to be able to use and automatically update valid SSL for my device's configuration local webpage. To be able to have SSL each device runs its own DNSmasq with a unique subdomain of my primary domain (7h35.mydomain.com).
Which challenge strategy for letsencrypt to choose to generate those certificates?
And if its DNS challenge does on each renewal the new IP address of the device will be public?
Related
I have a data collection / reporting web application hosted on an AWS Lightsail instance with Ubuntu 18.04 OS and Apache2. I use a 'Lets Encrypt' SSL certificate on the site. This all works fine.
I also have an embedded device which uploads data to the website via an API. The embedded device is currently not operating on SSL, but I need to change this. The embedded device can communicate on SSL but its not easily updateable in the field. My concern is that the CA certificate that is embedded into the device cannot be updated, and so using the same 'Lets Encrypt' certificate, means that a change in the Lets encrypt certificate will render the remote embedded device unable to connect to the server.
The common solution to this problem is a self signed certificate over which I have total control, and yes this would fix the problem, but it would create another problem. If I use a self signed certificate, then any user connecting to the site to view data from their PC would get an Untrusted Certificate warning on their browser, which is not acceptable.
So, to fix this ideally I would have my web app protected by 'Lets Encrypt', but the API protected by a separate self signed certificate. However, both web app and API need to be on the same domain. Also they should ideally also both be on the same standard 443 https port.
Is there a way to setup the web app and API to serve different SSL certificates?
I have a desktop bridge app which uses a worker service to host a PWA and WebAPI with Kestrel over https
User runs the worker, and browses to the service from ff/chrome/edge
This works fine in development as the development machine has a trusted certificate installed
However, when I package it up and deploy to test machine, there is no cert and the app crashes
So, how what is the best way to do this?
Options
Bundle a cert with the app, install it in the containers local
store? How would this work with the browser, which wouldn't trust the
cert as its not installed in the browser users context
Buy a cert from a CA. How would I distribute it?
Magic UWP trusted certs I can add to kestrel?
So, it seems you can't
In 2015 certs can not be issued to IPv4 or IPv6 address and must be a FQDN with a public top level domain
TLS is not just about encryption, but also identification, private ips can't be publicly identified
And PWA's need https to work, so options..
Self-signed certificate, which won't be trusted and show the user a
nasty message
Publicly host the PWA and certify that domain, then
call back to the loopback address 127.0.0.1 over http to communicate
with the running worker, this is considered secure. I have done this
and it does work, but means my app can only communicate with the user
on the same machine
There are other options that need you to have control of the network dns - which I won't have
I have a problem with insecure SSL certificates. My proyect consist on two parts:
ESP32 iot device with a https server
VUE2 + Vuetify PWA web app deployed to firebase hosting.
Imagine that one client buy my iot device, and connect it to the power. The device will boot in AP mode, creating a WiFi AP net.
The client login to the web app and wants to add his new device. So, for that, the iot device needs clients wifi credentials.
The web app asks to the client his ssid and password, and when the client click on 'Configure device', the web app send a https POST request to the esp32 server, and here is the problem...
Because the SSL certificate used in esp32 server is not validated by an authority, the web app can´t make the POST request...
How can I get a valid server SSL certificate for a lot of iot devices? I don´t know how to manage this situation...
Thanks everyone!!
It is possible to get a valid SSL certificate for the device, but I wouldn't recommend it. Here is how you could do it if you wanted to:
Ensure that when your device is in AP mode, it's always available at the exact same IP address. For example, ensure that the ESP32 is listening at 192.168.1.1.
Register a domain like example.com. Add an A record to your DNS server for iot.example.com, with the value 192.168.1.1.
Obtain a valid SSL certificate for iot.example.com from any trusted authority. Put that certificate and associated key on your device.
Now, when your user connects to your soft AP, they can browse to https://iot.example.com and actually see a valid certificate.
However, I would really recommend not doing this. You'll have three major issues to contend with:
The key for your SSL certificate will be on your device's flash. If anyone extracts it, they can masquerade as iot.example.com. You can mitigate this by using flash encryption, but it's still not great.
The maximum validity period for an SSL certificate is around two years. So your provisioning flow will break after a couple years.
If the CA that issued your certificate hears that the private key is floating around and could potentially be compromised, they will probably revoke your certificate.
Instead, what you should do is secure your soft AP with WPA2, and a password that you can give to users. This will ensure that the connection is encrypted, and you can serve your provisioning form over HTTP instead of HTTPS.
An even better approach rather than trying to implement this yourself, is to use the ESP-IDF unified provisioning API. It takes care of the implementation details, and supports both Wi-Fi and Bluetooth as transports.
Regardless of what you decide to do, I'd highly recommend reading the ESP-IDF documentation on unified provisioning and the documentation on Wi-Fi provisioning, since they'll give you an idea of what's going on under the hood and what all is required for a secure implementation. In particular, you'll see that the Wi-Fi provisioning library does actually use a static WPA2 password like I suggested above.
I am tryin to create a Google Managed SSL Certificate for my compute engine instance. However, I am required to enter a domain. The issue is, I do not have a domain associated with my instance, I only have its external ip address.
How can I use the ip address of my instance for the certificate, or how do I associate it with a domain?
You might be confusing what Google is asking for.
In order to create an SSL certificate, you must own / manage /control a domain name.
Next, in order to use the SSL certificate that Google created (or by other means such as Let's Encrypt), you map the Google Service, such as a load balancer, to a backend such as Google Compute Engine VM instances.
If your goal is to create an SSL certificate using an IP address - you cannot. SSL certificates require a domain name. There are exceptions to this, such as using a machine name to create a self signed certificate, but this does not apply to your situation.
Another important item. Once you create a Google Managed SSL certificate, you cannot use it on your VM instance. You can only use it for Google managed services such as Load Balancer. The Load Balancer will then sit in front of your VM instance.
If your goal is to create an SSL certificate that you can install on your VM instance, look into Let's Encrypt. Let's Encrypt is simple to work with and their certificates are free. You will still need to own a domain name, but you will be able to control where it is installed.
Once you install a Let's Encrypt SSL certificate, you modify the DNS servers that your domain registrar setup to point your domain name to an IP address.
My main site https://example.com has an SSL cert, no problem.
Now, I have developped a related application, that is hosted on a completely different server, and under : app.example.com. It has a dedicated IP.
The app uses websockets and needs SSL to function properly acros all devices. But I'm having trouble finding out how to register a new certificate for a subdomain... What's the strategy here? Should I have a wildcard cert on the main server, and somehow redirect from there? In that case, the app server wouldn't have access to the cert, and I wouldn't be able to create my secure socket connection, right?
The certificate has to be installed where the server which provides content using this certificate. This means
That the certificate for the subdomain has to be used on all servers which serve the subdomain, i.e. your websocket server.
And nowhere else, i.e. it is not needed at the main domain just to provide a redirect from the main domain away.
You are free to use any certificate which matches the subdomain, that is it can be a wildcard certificate but can also be specific for only this domain.
You can go for a wild card certificate and bind it to all the URL's who share the same domain. But keep in mind, the wildcard certificates (irrespective of any brands) supports unlimited first level sub domains .
Wild card certificates can be installed on any server where the FQDN is hosted. In situations where the the sub domains are hosted on multiple servers, the wildcard certificate will work for all of them.