Where to get CA certificate for Venus SSL self-signed certificate

Modifications
, , ,
21

It seems the latest cerbo firmware (3.52) only supports SSL connections for MQTT. Plain text is no longer an option that is shown in the configuration menu.That means your second option was not available for me. I only started to set up MQTT after I had updated the cerbo to the latest firmware.

I can’t completely test your scenario since my HA is container based, and I run a separate mosquitto broker. That one has no problem with the bridge connection, with

bridge_insecure true

and using the certificate I extracted from the cerbo with the command I gave in my previous reply. I only gave the bridge_cafile. No need to specify a bridge_capath if the file is fully specified.

I don’t know why the in-built Mosquitto in HA would not work the same way, unless they used different compile options and the bridge_insecure is ignored. Seems unlikely.

22

For reference, this is the actual mosquitto config file that works for me:

connection victron
address 192.168.xxx.xxx:8883

remote_username victron
remote_password xxxxxxxxxxx

topic N/# in 0 victron/
topic R/# out 0 victron/
topic W/# out 0 victron/

try_private true

bridge_tls_version tlsv1.3
bridge_insecure true
bridge_cafile /etc/mosquitto/conf.d/cerbo.crt
2 Likes
23

Hello again,

I’ve tried your steps to get the certificate and this works! It seems that the only difference was the certificate/cafile - I previously extracted the certificate as whole chain, tried different methods (openssl, download it from browser etc.).

I don’t understand why, but extracting the certificate using your openssl options resulted in slightly different certificate than I got previously (I compared them carefully), and putting it into config as ca_file works.

I did not complete the whole integration with HA, just checked if the values are coming to HA, and it works, and Mosquitto shows successfull connection using bridge in the log.

Not sure if this will persist until further Victron updates, if the certificate changes, but now it shows it expires in 2123, so hopefully it won’t change :slight_smile:

Thanks milion times! Now I can finally play with the HA integration! :- :partying_face:

1 Like
24

Since this post seems to be about changing the certificate on the Venus OS, here are the steps I took to get it working:

My setup:

  • Using Cloudflare as my DNS provider
  • My DNS A record points to gx.mydomain.com which is an internal IP (172.16.x.x)
  • I have a CF_Token configured for my account
  • I have SSH access to my CerboGX with a SSH key.

Setup:

  • Login via SSH
  • Make sure you are in the root’s home directory (/data/home/root)
  • Create a script (i.e. /data/home/root/cert.sh)

Paste and edit as required:

export LE_WORKING_DIR="/data/home/root/.acme.sh"
export CF_Token="your CF token"
ACME_EXEC="/data/home/root/.acme.sh/acme.sh"
DOMAIN="gx.yourdomain.com"
MAIL="youremail@yourdomain.com"
CA="letsencrypt"
if [ ! -f "$ACME_EXEC" ]; then
    curl https://get.acme.sh | sh -s email=$MAIL
fi
$ACME_EXEC --issue --dns dns_cf --keylength 4096 --server $CA -d $DOMAIN --fullchainpath /data/etc/ssl/venus.local.crt --keypath /data/etc/ssl/venus.local.key  --reloadcmd "/etc/init.d/nginx restart" --log
  • Change the file attributes to 700 since it contains your CF token and it must be executable.
  • Run the cert.sh file: $> ./cert.sh
  • You should see some details of the running acme.sh script.

Notes: You can add the script to the rc.local file in /data (/data/rc.local) to make sure it runs at every reboot. I haven’t spend time debugging, it seems that acme.sh can’t configure the crontab on installation, something to look into…
The ‘sleep’ command is to wait 30 seconds if the script is used at boot, it waits to have Internet. Safely remove it as needed.

Technically once you have created your certificate, you don’t need the cron.sh. I used this option to make sure acme.sh is installed and if not, install it. You can simply use the cron command since all the keys and domains are now stored in .acme.sh.
To renew, simply run:

/home/root/.acme.sh/acme.sh --cron --home /home/root/.acme.sh
1 Like
25

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.