Letsencrypt on Omega2



  • I'm trying to setup a MQTT broker with TLS integration (Mosquitto+TLS).
    After installed python-pip with:

    opkg install python-pip
    

    I'm trying to install certbot with

    pip install certbot
    

    I got an error with package cffi. The following is pip log output:

    Downloading from URL https://pypi.python.org/packages/5b/b9/790f8eafcdab455bcd3bd908161f802c9ce5adbf702a83aa7712fcc345b7/cffi-1.10.0.tar.gz#md5=2b5fa41182ed0edaf929a789e602a070 (from https://pypi.python.org/simple/cffi/)
      Running setup.py (path:/tmp/pip-build-RtG6TC/cffi/setup.py) egg_info for package cffi
        Running command python setup.py egg_info
        unable to execute 'mipsel-openwrt-linux-musl-gcc': No such file or directory
        unable to execute 'mipsel-openwrt-linux-musl-gcc': No such file or directory
    
            No working compiler found, or bogus compiler options
            passed to the compiler from Python's distutils module.
            See the error messages above.
            (If they are about -mno-fused-madd and you are on OS/X 10.8,
            see http://stackoverflow.com/questions/22313407/ .)
    Cleaning up...
      Removing source in /tmp/pip-build-RtG6TC/zope.interface
      Removing source in /tmp/pip-build-RtG6TC/cryptography
      Removing source in /tmp/pip-build-RtG6TC/ConfigArgParse
      Removing source in /tmp/pip-build-RtG6TC/configobj
    Command "python setup.py egg_info" failed with error code 1 in /tmp/pip-build-RtG6TC/cffi/
    Exception information:
    Traceback (most recent call last):
      File "/usr/lib/python2.7/site-packages/pip/basecommand.py", line 215, in main
        status = self.run(options, args)
      File "/usr/lib/python2.7/site-packages/pip/commands/install.py", line 324, in run
        requirement_set.prepare_files(finder)
      File "/usr/lib/python2.7/site-packages/pip/req/req_set.py", line 380, in prepare_files
        ignore_dependencies=self.ignore_dependencies))
      File "/usr/lib/python2.7/site-packages/pip/req/req_set.py", line 634, in _prepare_file
        abstract_dist.prep_for_dist()
      File "/usr/lib/python2.7/site-packages/pip/req/req_set.py", line 129, in prep_for_dist
        self.req_to_install.run_egg_info()
      File "/usr/lib/python2.7/site-packages/pip/req/req_install.py", line 439, in run_egg_info
        command_desc='python setup.py egg_info')
      File "/usr/lib/python2.7/site-packages/pip/utils/__init__.py", line 707, in call_subprocess
        % (command_desc, proc.returncode, cwd))
    InstallationError: Command "python setup.py egg_info" failed with error code 1 in /tmp/pip-build-RtG6TC/cffi/
    

    Any suggestion to fix it? Or alternative solutions to download/generate certificate for mosquitto?



  • @Giuseppe-Battista error message states "no working compiler found"
    so, either you have no compiler or setup can not find it so that is first thing i would look into.



  • Do you really need an externally signed certificate for this?

    You might consider being your own CA and putting the root certificate in the clients to verify your broker.

    If you needed to interact with an off-the-shelf web browser things might be different, but you're talking about MQTT and presumably control the clients.



  • @Douglas-Kryder said in Letsencrypt on Omega2:

    so, either you have no compiler or setup can not find it so that is first thing i would look into.

    exactly what I thought but I don't know which package brings mipsel-openwrt-linux-musl-gcc in omega2. Searching it on google seems it comes with openwrt but there is no openwrt package for omega. Any idea?



  • @Chris-Stratton See I would like to run mqtt broker for sensor in my apartment, and have a Home Assistant deployed on a VPS. Since MQTT is unencrypted protocol (also, user and password are in clear), I thing TLS is necessary. What do you suggest?



  • @Giuseppe-Battista said in Letsencrypt on Omega2:

    @Chris-Stratton See I would like to run mqtt broker for sensor in my apartment, and have a Home Assistant deployed on a VPS. Since MQTT is unencrypted protocol (also, user and password are in clear), I thing TLS is necessary. What do you suggest?

    A signed certificate doesn't get you encryption, it allegedly gets you authenticity.

    But if you generate the certificate, sign it yourself, and configure your clients to accept specifically that, you have more evidence of authenticity that you do with a 3rd party signing it. With something like Let's Encrypt, all you are really demonstrating is control of wherever the domain name points, which is far less secure than knowing you only used your key to sign one certificate before locking it away.

    However, if you need to inter-operate with something you can't configure to accept your certificate, then you would need something signed by a 3rd party it recognizes.



  • @Chris-Stratton Thanks for explanation!!! Just to be clear, even if I generate a certificate on Omega, I can't accept it on VPS side, right?



  • @Giuseppe-Battista from the searching i have done related to the error it seems that eventually the omega2 will need to have, if it does not already, additional resources available through overlay. so i'd set that up. i know that suggestion offers no specific help rather it takes a general view of what will be needed.



  • @Douglas-Kryder ok so there is no solutions for the moment, right?



  • @Giuseppe-Battista said in Letsencrypt on Omega2:

    @Chris-Stratton Thanks for explanation!!! Just to be clear, even if I generate a certificate on Omega, I can't accept it on VPS side, right?

    No, you can, there or anywhere else, if you control the system that needs to do the accepting.



  • @Chris-Stratton said in Letsencrypt on Omega2:

    No, you can, there or anywhere else, if you control the system that needs to do the accepting.

    Yes but still I have the problem because I'm not in able to find openssl command.



  • @Giuseppe-Battista said in Letsencrypt on Omega2:

    @Chris-Stratton said in Letsencrypt on Omega2:

    No, you can, there or anywhere else, if you control the system that needs to do the accepting.

    Yes but still I have the problem because I'm not in able to find openssl command.

    On which system? And for what exact step are you trying to use that?

    Technically, you can generate keys off device and copy them over, if you trust they won't be intercepted in flight.


Log in to reply
 

Looks like your connection to Onion Community was lost, please wait while we try to reconnect.