Letsencrypt on Omega2
-
Do you really need an externally signed certificate for this?
You might consider being your own CA and putting the root certificate in the clients to verify your broker.
If you needed to interact with an off-the-shelf web browser things might be different, but you're talking about MQTT and presumably control the clients.
-
@Douglas-Kryder said in Letsencrypt on Omega2:
So, either you have no compiler or setup cannot find it, so that is the first thing I would look into.
Exactly what I thought, but I don't know which package brings mipsel-openwrt-linux-musl-gcc to the Omega2. Searching on Google, it seems it comes with OpenWrt, but there is no OpenWrt package for the Omega. Any idea?
-
@Chris-Stratton See, I would like to run an MQTT broker for sensors in my apartment, and have Home Assistant deployed on a VPS. Since MQTT is an unencrypted protocol (also, user and password are in the clear), I think TLS is necessary. What do you suggest?
-
@Giuseppe-Battista said in Letsencrypt on Omega2:
@Chris-Stratton See, I would like to run an MQTT broker for sensors in my apartment, and have Home Assistant deployed on a VPS. Since MQTT is an unencrypted protocol (also, user and password are in the clear), I think TLS is necessary. What do you suggest?
A signed certificate doesn't get you encryption, it allegedly gets you authenticity.
But if you generate the certificate, sign it yourself, and configure your clients to accept specifically that, you have more evidence of authenticity than you do with a 3rd party signing it. With something like Let's Encrypt, all you are really demonstrating is control of wherever the domain name points, which is far less secure than knowing you only used your key to sign one certificate before locking it away.
However, if you need to inter-operate with something you can't configure to accept your certificate, then you would need something signed by a 3rd party it recognizes.
-
@Chris-Stratton Thanks for the explanation!!! Just to be clear, even if I generate a certificate on the Omega, I can't accept it on the VPS side, right?
-
@Giuseppe-Battista From the searching I have done related to the error, it seems that eventually the Omega2 will need to have, if it does not already, additional resources available through overlay. So I'd set that up. I know that suggestion offers no specific help; rather it takes a general view of what will be needed.
-
@Douglas-Kryder OK, so there are no solutions for the moment, right?
-
@Giuseppe-Battista said in Letsencrypt on Omega2:
@Chris-Stratton Thanks for the explanation!!! Just to be clear, even if I generate a certificate on the Omega, I can't accept it on the VPS side, right?
No, you can, there or anywhere else, if you control the system that needs to do the accepting.
-
@Chris-Stratton said in Letsencrypt on Omega2:
No, you can, there or anywhere else, if you control the system that needs to do the accepting.
Yes, but I still have the problem because I'm not able to find the openssl command.
-
@Giuseppe-Battista said in Letsencrypt on Omega2:
@Chris-Stratton said in Letsencrypt on Omega2:
No, you can, there or anywhere else, if you control the system that needs to do the accepting.
Yes, but I still have the problem because I'm not able to find the openssl command.
On which system? And for what exact step are you trying to use that?
Technically, you can generate keys off device and copy them over, if you trust they won't be intercepted in flight.