Tricks sharing
Some tips below would help to speed up implementation. Most topics are general speaking and would propably be usefull in other situations. Topics below will be enriched over time.
SSL Certificat – Let’s Encrypt
As already mentioned, the push notification process allowing the server to be updated in real time about any meeting rooms bookings modification, requires a https access to the server. The SSL certificate must be installed on the server device. Access is configured into the config.json file.
But a SSL certicat is very expensive. Mainly if a wildcard (sub-domain support) is mandatory because of your domain DNS settings (e.g. your base-domain name already points to a hosting).
One option consist on using let’s encrypt certificats. These ones are free and supported by most of the major web browsers.
Moreover, certificat management (initial request and renewal) are performed form command lines, meaning that automatic processes can be initiated.
In the following, I will show you how to obtain a generic SSL certificate from an OVH project. Indeed, Let’s Encrypt uses ACME protocole to verify domain name owneship and delive the necessary files. Multiple ACME clients are available, but I have decided (only because I found-out the right documentation on the web) to use acme.sh.
Luckily, my domain name provider is OVH which support DNS API access, a good point with acme.sh in order to handle automatic DNS integration.
Let’s start :
1) Install acme.sh
If your domain provider is OVH, go to https://eu.api.ovh.com/createApp/ and follow the few steps in order to create an API project and get back an application key and an application secret. Otherwise, visit acme.sh github official.
pi@raspberrypi: ~$ curl https://get.acme.sh | sh
then exit the terminal and reopen a new one.
3) Set environment application key and secret
pi@raspberrypi: ~$ export OVH_AK=”<application-key>”
pi@raspberrypi: ~$ export OVH_AS=”<application-secret>”
4) Domain name ownership validation, e.g. raspimeetingroom.fr and *.raspimeetingroom.fr (wildcard)
pi@raspberrypi: ~$ acme.sh –issue -d raspimeetingroom.fr -d ‘*.raspimeetingroom.fr’ –dns dns_ovh
After a while, the output console contains a request for the API key authentication. A URL link is provided and must be copied into your web browser. After the key is validated, just come back and re-enter the previous command:
pi@raspberrypi: ~$ acme.sh –issue -d raspimeetingroom.fr -d ‘*.raspimeetingroom.fr’ –dns dns_ovh
5) Build and install required certificate files (PEM output for our topic).
First create the folder:
pi@raspberrypi: ~$ mkdir /home/pi/ssl
then, issue the files:
pi@raspberrypi: ~$ acme.sh –install-cert -d raspimeetingroom.fr –cert-file /home/pi/ssl/raspimeetingroom.fr.cert.pem –key-file /home/pi/ssl/raspimeetingroom.key.pem –fullchain-file /home/pi/ssl/raspimeetingroom.fr.fullchain.pem –renew-hook “bash updateKeystore.sh”
which produces 3 files: raspimeetingroom.fr.cert.pem, raspimeetingroom.key.pem and raspimeetingroom.fullchain.pem. SSL certificat are valid for 90 days.
6) Renewal.
The renewal is automatically performed before the date of the expiration date. But if you want handle this process manually, the command is the one below. Moreover, the https server must be restarted. Otherwise, the new SSL files will remain unsued. But as see previously, a cronjon has been setted in order to reboot the device every nights.
pi@raspberrypi: ~$ acme.sh –renew -d raspimeetingroom.fr -d ‘*.raspimeetingroom.fr’ –force
IMPORTANT: keep in mind that only few issue and renew commands are allowed per week. I guess 5 maximum. Therefore, if you attempt to perform multiple requests (incl. failed ones), it would conduct consume all your weekly credit, and you should be blocked for 1 week. In such situation, just create a new OVH API project and get your new application key and secret.