Use/support letsencrypt (free ssl certificates)


whywork

Posted

Hi Michel,

 

Thanks for the reply.  Let me try to explain.

 

I appreciate your/ISY's focus on security and functionality in the Internet-of-Things.  I feel using SSL certificates is a selling point.

 

However, using SSL certs comes with some complexity and cost. There are posts by some noobies having trouble installing certs. And of course there is the challenge of self-signed certs.

 

Some internet sites and services may not recognize/accept self-signed certs. Most commercial vendors of SSL certs charge for them. There is of course the free non-self-signed cacert.org - but cacerts are often not recognized by those same sites that don't allow self-signed certs. I am cheap and add the ongoing cost for commercial SSL certs to the overall cost of using my ISY. It would be great to find free certs that would "work everywhere."

 

letsencrypt.org is a new SSL cert authority that has the "backing" of major players like Cisco, Mozilla and Akamai. letsencrypt SSL certs should work most everywhere. letsencrypt.org SSL certs are FREE. The downside of letsencrypt certs is that they automatically expire in 90 days, partly to enhance security. This does mean that some form of automation for cert renewal is expected.

 

I am hoping ISY might expand its SSL cert functionality. Continue to allow self-signed or any vendor-supplied SSL certs. In addition, ISY might add new code to request and automatically renew letsencrypt.org SSL certs. Users of ISY would have the option of a free, "accepted everywhere" SSL cert with a minimum of fuss and bother.

 

Thanks for thinking about this

Posted

I think this is worth supporting. I'm a computer nerd / professional and have occasionally worked with SSL for both hobby and work... and every time I dread it. It just isn't easy. If you guys did a little bit of work to support Let's Encrypt, everyone with an ISY would suddenly be able to get proper SSL support instead of the handful that are using it now.

Posted

I might have suggested the UDI consider adding a 'letsencrypt' client once it's in mainstream release a few months ago....

 

I think it's a great thing, especially since ISY support of intermediate certificates is now in alpha.

 

I haven't looked at the protocol involved in automatic renewal, but this is a necessary function given the short lifetime of the issued certs.

 

The problem with 90-day certs is that they break mobile apps that use certificate pinning (this is a security requirement for most companies' mobile apps). They don't seem to have considered that - so I'm not sure that as a FA they are going to get much traction in the enterprise space.

 

That being said, this is not a commercial space. It would lower the support costs for UDI if they implemented an optional 'letsencrypt' client into ISY so users could have single-button SSL - with much lower numbers of support issues for UDI about how to correctly install SSL certs on the ISY (which seems to come up from time to time).

Posted

Hello all,

 

Thanks for the details. I am still a little unclear as to what's being suggested. You can already install any type of certificate in ISY. Is the suggestion that we install one at the factory for each ISY? If not, then what is it that's being suggested?

 

With kind regards,

Michel

Posted

No, that's not the request at all.

 

Letsencrypt is a trusted CA that supports an API (JSON over REST) for requesting certificates and distributing them. For free.

They are sponsored by people like Cisco, Akamai, Facebook, Mozilla (on and on) with the goal of ubiquitous SSL.

 

The catch is - the issued certs are only valid for 90 days. Why? They want to encourage automation on the server side for certificate maintenance.

 

What's being requested is adding an ACME client to the ISY, so free publicly trusted certificates can be used on ISY, also with the benefit of reducing support costs for UDI (since the certificate process is automated).

 

Michael.

Posted

Hi,

 

Sorry if I was confusing.  Thanks MWareman for stating it more succinctly.

 

My wish - Please add a client to ISY for Let'sEncrypt SSL certificates - and ISY code for automatic renewal via Let'sEncrypt API of those shortish certificates. 

 

One button on ISY to get SSL up and running.

 

Thanks.

Posted

Hi whywork,

 

My concern is with auto renewal and all the corner cases arising thereof. For instance, renewing the certificate will require ISY restart. Do we really want ISY to reboot itself? If not, we will have to make massive changes in the code to support hot swapping certificates.

 

Also, should we assign a priority for this task? What can be stopped while we do the renewal? And many others.

 

With kind regards,

Michel

Posted

Eek... Forgot about the reboot!

 

How about putting a button on the Admin Console to enroll (prompt for a reboot). Have the system note the expiration date, displaying it near a 'Renew' button. Have a prompt to renew pop-up on login a couple of weeks before expiration.

 

Also, keep the manual cert management in Dashboard for those that want/need to use CAs other than letsencrypt.com.

 

Personally, getting intermediate certs and zwave multi-channel is *much* more important.... I think 5.x needs to get more stable first, so you're not maintaining two separate branches of code.

Then, it should bump up in priority somewhat!

Posted

Hi MWareman,

 

Thanks so very much! Intermediate certificates are working beautifully! Just some stress testing to make sure nothing hangs.

 

Multi channel is also doing great but I am afraid to ask about release date!

 

In short, I agree with you. To do this properly it's best to allow the certs to be renewed at run time and without reboot.

 

With kind regards,

Michel

Posted

Can I also humbly request the possibility that, when the cert needs to be renewed, we could schedule the auto reboot, and also that we have the ability to set up a notification via email/text/etc. when it expires and when it is renewed?

Posted

Hi huddadudda,

 

Yes, but the more features requested, the higher the impact, and then the less likelihood of implementation in a short time frame. Need to keep it simple and straight forward.

 

With kind regards,

Michel

Posted

Understood, but if you are doing some type of notification somehow, is it that difficult/time-consuming to add the ability to the message/notification section already available to us?

Posted

Hi huddadudda,

 

The more intrusive (i.e. different parts of the program) the solution is, the longer it will take to develop, test and regression test.

 

With kind regards,

Michel

Understood, but I still think it should be a no-brainer that this is added as a priority. Maybe have a release so it doesn't delay the certs on the ISY so people can use the Amazon Echo and IFTTT maker channel and then release it subsequently as a priority part of the following release. Notifications are a must somehow if not auto renewed without rebooting. This also includes failed notification too. Would rather this be behind the scenes so the end user like me doesn't even have to worry about it at all.

Posted

I realize that folks would prefer that this process be performed by the ISY, on the ISY.

 

Nevertheless, given that the ISY is NOT a general-purpose computer, but rather a home-automation controller, it seems to me that administrative convenience sorts of things should perhaps be done OUTSIDE of the ISY.

 

There's nothing at all preventing someone from writing a bit of code that would run on a Windows or Apple box or even a Raspberry Pi to do this. And it wouldn't require an "always on" computer - just a service that runs once in a while and, when it notices that enough time has elapsed since the last certificate update on the ISY, it can simply go fetch a new cert, use the published ISY API to install it in the ISY, and finally run a program on the ISY that sends an email or text message telling the owner that a new cert is installed and awaiting their issuance of the reboot command.

 

Heck, you could probably do the above with an Android app or an iOS app, and sell it on the appropriate app store!

 

Speaking for myself, I'd rather have UDI working on home automation.  Managing certificates is an administrative issue, like managing my home router's DHCP assignments and my port forwarding assignments.  JMO.
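
The "runs once in a while" check described in this post, sketched in Python as an added example (not code from the poster, UDI or Let's Encrypt). It covers only the decision of whether renewal is due; the certificate request and the ISY install call are left out because the page does not show those APIs. The function names and the 14-day reminder window are assumptions.

```python
import socket
import ssl
from datetime import datetime, timedelta, timezone

# Assumption: remind/renew 14 days before expiry ("a couple of weeks").
REMIND_BEFORE = timedelta(days=14)

def parse_not_after(not_after: str) -> datetime:
    """Turn the 'notAfter' string from ssl.getpeercert() into a UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after),
                                  tz=timezone.utc)

def renewal_status(not_after: str, now: datetime,
                   remind_before: timedelta = REMIND_BEFORE):
    """Return (status, whole_days_remaining); status is ok, renew or expired."""
    remaining = parse_not_after(not_after) - now
    if remaining <= timedelta(0):
        return "expired", remaining.days
    if remaining <= remind_before:
        return "renew", remaining.days
    return "ok", remaining.days

def fetch_not_after(host: str, port: int = 443, timeout: float = 10.0) -> str:
    """Read notAfter from the certificate the device serves right now.

    The default context validates chain and hostname, so a self-signed or
    already expired certificate raises instead of being silently accepted.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]

def check_host(host: str, port: int = 443, now: datetime = None):
    """One scheduled run: report whether the served certificate needs action."""
    now = now or datetime.now(timezone.utc)
    try:
        not_after = fetch_not_after(host, port)
    except ssl.SSLCertVerificationError as exc:
        return "untrusted", exc.verify_message
    return renewal_status(not_after, now)

if __name__ == "__main__":
    # Constructed expiry date, in the format getpeercert() returns.
    sample = "Mar 31 00:00:00 2016 GMT"
    for day in (1, 20):
        print(renewal_status(sample, datetime(2016, 3, day, tzinfo=timezone.utc)))
```

A scheduler (cron, Task Scheduler) would call `check_host()` with the device's public hostname and start renewal only on `renew`, `expired` or `untrusted`.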

Posted

While I understand and can agree with your sentiment, sometimes lines like this are not clear-cut. The reason for the SSL cert is for Amazon Echo, IFTTT and other "home automation" controls used in conjunction with the ISY, therefore SSL management on the ISY would seem appropriate. If requiring it on another node then that could alienate other users and potential new users to the platform, including new sales. The last thing I want is another app to administer this one function. SSL should be within the ISY as it was previously with self-signed certificates.

Posted

Never hurts to ask though.

Maybe an added feature to the pro version.

Dealing with certs is tough if you aren't familiar with them.

  • 1 year later...
Posted

Hi memphis2k,

 

Yes, we did go through sizing of a hot swappable certificate and it's just not feasible at the moment. And - especially with PLMs - the thought of having ISY rebooting itself is quite scary.

 

With kind regards,

Michel

Archived

This topic is now archived and is closed to further replies.
