Feature: HTTPS (Let's Encrypt)

Every installation can generate and request a secure certificate (SSL/TLS) to be signed by Let's Encrypt. This protects all data traveling over the internet to your installation when communicating with the web interface, its API, or Internet of Things (IoT) devices. During the setup wizard, you will be prompted to create a dynamic DNS name for the installation. Once complete, the system will automatically register your DNS and complete the encryption process.

What is the purpose?

Keep connections to your home automation secure. Without TLS/SSL, anyone can control your automation system. When visiting a website without a signed SSL certificate, the browser will warn that the connection will not be secure.

Why not use a self-signed certificate?

When visiting a website without a signed SSL certificate, the browser will alert you, in a way that is not user friendly, that the connection will not be secure. Using Let's Encrypt certificates helps you know that your connection to your installation is secure.

What is required?

You must have selected a DNS name for your gateway through the setup wizard or the configuration section. If you did not complete this step, see: Setting up dynamic DNS (Domain).

How does it work?

Once the system has a configured domain name (DNS), the gateway will generate a new private encryption key as well as a signature request. The private key never leaves your system and is used as part of the web encryption (TLS/SSL), while the signature request is forwarded to Yombo servers. We will validate the signature request and confirm that the DNS name belongs to your system. Once the checks are complete, our servers will forward the request to Let's Encrypt. They will, in turn, perform their own validations and return a signature to Yombo, which we forward to the gateway for installation.

Is it secure?

Yombo servers do not have access to your private key. You should also make sure only trusted people have access to the machine that runs the gateway software so that they cannot copy the private key.

How long is the cert good for?

The certificate is valid for 90 days. However, the gateway will automatically submit a new certificate request 30 days before the current one expires.
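
The split described under "How does it work?" (the private key stays on the gateway, only the signature request, a CSR, is forwarded) and the 30-day renewal window can be checked with the openssl command line. This is an added example, not Yombo's code; the file names gateway.key and gateway.csr and the DNS name gateway.example.invalid are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not Yombo code). File names and the DNS name are constructed.

# Create the private key and the signature request (CSR) in directory $1 for DNS name $2.
make_key_and_csr() {
    ( umask 077   # files are created readable by their owner only
      openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
          -keyout "$1/gateway.key" -out "$1/gateway.csr" 2>/dev/null )
}

# Succeeds only if the key file ($1) grants nothing to group or other.
key_is_private() {
    [ "$(ls -l "$1" | cut -c5-10)" = "------" ]
}

# Succeeds only if the CSR ($2) is correctly self-signed, carries the public half
# of the key ($1), and contains no private key block.
csr_is_safe_to_send() {
    local from_key from_csr
    openssl req -in "$2" -noout -verify 2>&1 | grep -q 'verify OK' || return 1
    from_key=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl sha256)
    from_csr=$(openssl req -in "$2" -noout -pubkey 2>/dev/null | openssl sha256)
    [ -n "$from_csr" ] && [ "$from_key" = "$from_csr" ] || return 1
    ! grep -q 'PRIVATE KEY' "$2"
}

# Succeeds when the certificate ($1) expires within the 30-day renewal window
# (also when the file cannot be read as a certificate).
needs_renewal() {
    ! openssl x509 -in "$1" -noout -checkend $((30 * 86400)) >/dev/null 2>&1
}

# Demo run in a temporary directory that is removed afterwards.
demo() {
    local d; d=$(mktemp -d) || return 1
    make_key_and_csr "$d" "gateway.example.invalid" &&
        key_is_private "$d/gateway.key" &&
        csr_is_safe_to_send "$d/gateway.key" "$d/gateway.csr" &&
        echo "only gateway.csr needs to leave this machine"
    local rc=$?; rm -rf "$d"; return $rc
}
demo
```

`needs_renewal` can be pointed at any PEM certificate file, for example one of the certificates the gateway places on the file system.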

How long does the process take?

The complete signing process, from the time we receive the request, can take as little as 30 seconds or as long as 6 hours. In most cases, it takes less than 60 to 90 seconds to complete.

What do I need to do?

Once a dynamic DNS name is set, there is nothing to do, as it's 100% automated.

Can I get more certificates?

You can request additional certificates through the modules system. On bootup, the system looks for any SSL requests from modules. The certificate will be made available through the file system, which allows other software packages to use it.

Is there a limit?

See the Let's Encrypt limits page.