Webserver with SSL support

Runtime
2014-08-06
2020-03-18
  • eschwellinger

    eschwellinger - 2014-08-06

    Hi,

    Communication encryption for CODESYS WebVisu

    In order to prevent communication from being hacked between a CODESYS compatible controller, which
    supports the CODESYS WebVisu, and an internet browser on a PC or mobile device, an HTTPS connection
    with encryption is available. It protects the integrity of the displayed data.

    What is needed to publish an SSL encrypted web visualisation with the Raspberry Pi or any CODESYS PLC with version >= 3.5 SP5?
    For example, you want to have access from the internet to your home where your Pi WebVisu is running.

    Sure, for doing this you need an official SSL certificate, and if you do not have an official certificate I would additionally prefer a VPN connection.
    Password/user management is needed in any case.
    For testing purposes you could generate an SSL certificate to see how the SSL WebVisu can be established/activated.

    On the Pi runtime side you have the setting 'ConnectionType' in /etc/CODESYSControl.cfg:

    [CmpWebServer]
    ConnectionType=3

    ConnectionType=0  HTTP_ONLY              --> access your visu by http://RaspiIpAdress:8080/webvisu.htm
    ConnectionType=1  HTTPS_ONLY             --> access your visu by https://RaspiIpAdress:443/webvisu.htm
    ConnectionType=2  HTTP_AND_HTTPS         --> access your visu by http://RaspiIpAdress:8080/webvisu.htm and https://localhost:443/webvisu.htm
    ConnectionType=3  REDIRECT_HTTP_TO_HTTPS --> access your visu by http://RaspiIpAdress:8080/webvisu.htm, which will be redirected to https://localhost:443/webvisu.htm

    For testing purposes you could generate a certificate on the Pi with the following bash script (attached):
    copy it to the Pi (this can be done with the CODESYS PLC file browser), then connect to the Pi by ssh (putty)
    and execute the script (after making it executable with chmod +x generateKeys.sh).
    The generation process takes some time, be patient.
    After that long, long key generation process and a restart of the PLC, you can connect to the WebVisu over an SSL encrypted connection.

    #!/bin/bash
    # 2048-bit RSA key, a CSR (openssl prompts for the subject fields) and a
    # self-signed certificate valid for 365 days
    openssl genrsa -out server.key 2048
    openssl req -new -key server.key -out server.csr
    openssl x509 -req -sha256 -days 365 -in server.csr -signkey server.key -out server.crt
    rm server.csr
    # print the fingerprint so it can be compared with what the browser shows
    openssl x509 -noout -in server.crt -fingerprint
    # Diffie-Hellman parameters for the TLS server; this is the slow step on the Pi
    openssl dhparam -outform pem -out dhparams.pem 1024
    # copy the generated key to the runtime location
    echo "make dirs"
    mkdir -p /root/PKI
    mkdir -p /root/PKI/cert
    mkdir -p /root/PKI/crl
    mkdir -p /root/PKI/private
    mkdir -p /root/PKI/trusted
    echo "move certificate"
    mv server.crt /root/PKI/cert/server.cer
    echo "move key"
    mv server.key /root/PKI/private/
    echo "move dhparams"
    mv dhparams.pem /root/PKI/private/
    

    Check the documentation here for more details:
    "c:\Program Files (x86)\3S CODESYS\GatewayPLC\Documentation\WebServerSSL_en.pdf"

    Update:
    These steps are not needed anymore; use the Security Agent from the CODESYS Store to generate the certificates.

    Best Regards
    Edwin

    IMG: genkey.jpg

    generateKeys.zip [397 Bytes]

  • jinx

    jinx - 2018-01-11

    Hi,
    I tried this, created certificates, but without success (web page is redirected to https, but nothing is displayed)

    ---------Unable to connect
    Firefox can't establish a connection to the server at "IP_ADDRESS"
    The site could be temporarily unavailable or too busy. Try again in a few moments.
    If you are unable to load any pages, check your computer's network connection.
    If your computer or network is protected by a firewall or proxy, make sure that Firefox is permitted to access the Web.
    ----------------

    I tried setting the connection back to 0 (ConnectionType=0), but the web server is still redirecting to https!!!

    Also the PDF is not installed with V3.5 SP12 x64...

    BR,
    Gregor

  • jinx

    jinx - 2018-01-12

    Some more problems & diagnosis.

    1) I created an OpenSSL certificate and I see it in the /root/PKI directory. This is OK.
    When I set ConnectionType=3 in the .cfg file, the web server redirects to the https protocol. This works OK.
    But when I reset ConnectionType=0 (set from 3 back to 0), the web server is always (still) redirecting to https. With the setting back to 0, only the http protocol should be used, so resetting this setting doesn't work.
    I also did a system restart, without success. The web server still redirects to https.

    2) Then I installed the Security Agent. I managed to create a web server certificate on the RPi. The https redirection works, and now I get a connection error: ERR_SSL_VERSION_OR_CIPHER_MISMATCH (both in FF and Chrome). In my knowledge this is a problem with the certificate not being trusted, outdated technology ...
    At least now I see the connection to the https protocol works and the web server on the RPi knows where the certificate is installed.

    Once again I set ConnectionType back to 0. Still there is the problem of the web server always redirecting to https.

    Best Regards,
    Gregor

  • eschwellinger

    eschwellinger - 2018-01-12

    Hi,

    yes, this is an open point; you need to execute:

    cert-gendhparams 1024

    in the PLC shell.
    Then it will work at least with IE and Firefox.
    It is an open point which needs to be fixed.

    BR
    Edwin

  • sumkrnboy

    sumkrnboy - 2019-07-20

    I have found that the PKI directory placed in /root will not allow the certificate and private key to load.

    I have moved the entire PKI directory from /root/ to /var/opt/codesys/ and now the SSL certificate properly loads.

  • lwalbert

    lwalbert - 2019-08-10

    Hi, is it possible to set the SSL port in codesyscontrol.cfg?
    Couldn't find any documents describing the parameters and settings that can be made in the cfg file.
    I have a web server running on ports 80 and 443 and would like to have the WebVisu SSL on port 8443.

    Br
    Lennart

  • eschwellinger

    eschwellinger - 2019-08-12

    Hi,

    you could give this a try:

    [CmpWebServer]
    WebServerSecurePortNr=8443

    BR
    Edwin
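ConnectionType and WebServerSecurePortNr are the two [CmpWebServer] keys discussed in this thread. The script below is an added example, not part of the thread or of CODESYS: it parses CODESYSControl.cfg-style text with Python's configparser and reports whether the WebVisu is still reachable over plain HTTP and on which port HTTPS is served. The sample configs are constructed; ports 8080 and 443 are taken from the URLs above and treated as the runtime defaults, and ConnectionType is assumed to be 0 when the key is absent.

```python
"""Added example (not CODESYS code): audit the [CmpWebServer] settings of a
CODESYSControl.cfg so a plain-HTTP WebVisu does not go unnoticed."""
import configparser

# ConnectionType values as listed in this thread.
CONNECTION_TYPES = {
    0: "HTTP_ONLY",
    1: "HTTPS_ONLY",
    2: "HTTP_AND_HTTPS",
    3: "REDIRECT_HTTP_TO_HTTPS",
}
# Ports seen in the thread's URLs; treated here as the runtime defaults (assumption).
DEFAULT_HTTP_PORT = 8080
DEFAULT_HTTPS_PORT = 443

# Constructed sample configs, not copied from any real controller.
WEAK_CFG = "[CmpWebServer]\nConnectionType=2\n"
HARDENED_CFG = "[CmpWebServer]\nConnectionType=1\nWebServerSecurePortNr=8443\n"


def parse_cfg(text):
    """Parse CODESYSControl.cfg-style text ([Section] blocks of Key=Value lines)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case: ConnectionType, WebServerSecurePortNr
    cp.read_string(text)
    return cp


def webserver_settings(text):
    """Return (connection_type, https_port); ConnectionType is taken as 0 when absent (assumption)."""
    cp = parse_cfg(text)
    if not cp.has_section("CmpWebServer"):
        return 0, DEFAULT_HTTPS_PORT
    sec = cp["CmpWebServer"]
    ctype = int(sec.get("ConnectionType", "0"))
    port = int(sec.get("WebServerSecurePortNr", str(DEFAULT_HTTPS_PORT)))
    return ctype, port


def effective_endpoints(text):
    """Which listeners serve the WebVisu: {'http': port|None, 'https': port|None}."""
    ctype, https_port = webserver_settings(text)
    if ctype not in CONNECTION_TYPES:
        raise ValueError("unknown ConnectionType %d" % ctype)
    # type 3 still answers on the HTTP port, but only to redirect
    http = DEFAULT_HTTP_PORT if ctype in (0, 2, 3) else None
    https = https_port if ctype in (1, 2, 3) else None
    return {"http": http, "https": https}


def audit_webserver(text):
    """Return a list of (severity, message) findings for the web server section."""
    findings = []
    try:
        ctype, https_port = webserver_settings(text)
    except ValueError as e:
        return [("error", "unparseable value: %s" % e)]
    name = CONNECTION_TYPES.get(ctype)
    if name is None:
        return [("error", "ConnectionType=%d is not a known value" % ctype)]
    if ctype in (0, 2):
        findings.append(("warn", "%s: WebVisu is served over unencrypted HTTP on port %d"
                         % (name, DEFAULT_HTTP_PORT)))
    elif ctype == 3:
        findings.append(("info", "%s: port %d still answers, but only to redirect to HTTPS"
                         % (name, DEFAULT_HTTP_PORT)))
    else:
        findings.append(("ok", "%s: only HTTPS is served" % name))
    if ctype != 0:
        if not 1 <= https_port <= 65535:
            findings.append(("error", "WebServerSecurePortNr=%d is out of range" % https_port))
        else:
            findings.append(("info", "HTTPS listener on port %d" % https_port))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CFG), ("hardened", HARDENED_CFG)):
        print(label, effective_endpoints(cfg))
        for severity, message in audit_webserver(cfg):
            print("  [%s] %s" % (severity, message))
```

The file only states the intended configuration; as Gregor's posts above show, the running server can disagree with it (ConnectionType set back to 0 while the redirect persisted), so confirm the result from a browser or another client after every change and restart.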

  • nothinrandom

    nothinrandom - 2020-03-16

    @Edwin,

    Are we still able to generate certificate without needing to use the IDE? I noticed that the certificate is only valid for 30 days. It looks like there's no way of increasing this?

    Thanks,

  • eschwellinger

    eschwellinger - 2020-03-16

    Hi,
    I guess you could set it up here with the Security Agent or as a PLC shell command:
    Without the IDE: no, except if you apply your own company certificate, which is probably the correct way to handle this.

    BR
    Edwin


    Last edit: eschwellinger 2020-03-16
    • nothinrandom

      nothinrandom - 2020-03-18

      I would like to apply my own certificate, but I'm not sure how to do so. I've tried to use openssl to generate a self-signed certificate that matches the exact same output as the one that gets automatically created, converted the private key and cert to DER format, and moved them both into ./pki/own/key and ./pki/own/cert. However, when I restart the codesys runtime, I get these errors in the logs.

      • TlsCreateContext2: Private key for certificate jg?{U not available.
      • Get TLS context failed!
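The "Private key for certificate ... not available" message in the post above is what you get when the key file and the certificate dropped into .pki/own do not belong together. The shell script below is an added example, not code from this thread or from CODESYS: it creates a self-signed test pair without the interactive prompts, keeps DER copies, and proves that the public key inside the certificate equals the public part of the private key before anything is copied to the runtime. The scratch directory ./pki-check and the function names are assumptions; it needs only the openssl command line tool.

```shell
#!/bin/sh
# Added example, not CODESYS code: create a self-signed test pair, keep DER
# copies, and check that key and certificate belong together.
# WORK is a constructed scratch directory (assumption).
WORK="${WORK:-./pki-check}"

# Detect PEM vs DER by looking for a PEM header line.
key_format() {
    if grep -q -- '-----BEGIN' "$1"; then echo PEM; else echo DER; fi
}

# gen_selfsigned NAME CN DAYS: RSA key + self-signed cert (PEM) plus DER copies
# in the form the thread says the runtime expects under .pki/own/{cert,key}.
gen_selfsigned() {
    mkdir -p "$WORK"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$3" -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
    openssl x509 -in "$WORK/$1.crt" -outform DER -out "$WORK/$1.der"
    openssl pkey -in "$WORK/$1.key" -outform DER -out "$WORK/$1.key.der"
}

# pair_matches CERT KEY: prints 'match' when the certificate's public key equals
# the public part of the private key (either file may be PEM or DER).
pair_matches() {
    cert_pub=$(openssl x509 -in "$1" -inform "$(key_format "$1")" -pubkey -noout | openssl sha256)
    key_pub=$(openssl pkey -in "$2" -inform "$(key_format "$2")" -pubout | openssl sha256)
    if [ "$cert_pub" = "$key_pub" ]; then echo match; else echo mismatch; fi
}

# expires_within CERT DAYS: prints 'yes' if the certificate ends within DAYS days,
# which is how a 30-day certificate like the one discussed above shows up.
expires_within() {
    if openssl x509 -in "$1" -inform "$(key_format "$1")" -noout \
            -checkend "$(( $2 * 86400 ))" >/dev/null; then
        echo no
    else
        echo yes
    fi
}

# Usage: gen_selfsigned server raspberrypi 365
#        pair_matches "$WORK/server.crt" "$WORK/server.key"   # -> match
#        expires_within "$WORK/server.crt" 30                 # -> no
```

Run pair_matches against the exact files you placed in .pki/own/cert and .pki/own/key; a "mismatch" there explains the TlsCreateContext2 error without any guesswork about DER conversion.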
  • nothinrandom

    nothinrandom - 2020-03-16

    @Edwin,

    Thanks for your response. I'm running on 3.5.15.30 64b, and I followed your instructions. The issue that I'm noticing is that even if I create my own certificate via the Codesys IDE (delete or not delete the previous cert), the IDE also creates its own certificate (30 days) on the controller with the value "Encrypted communication" under the Information column and uses that as the default (/etc/CODESYSControl.cfg). If you manually delete the .der file from /var/opt/codesys/.pki/own/cert and the .key file from /var/opt/codesys/.pki/own/key and then restart the codesys service, it also generates a set of files and uses those as the default. Essentially, whatever information you use is overwritten by codesys. Maybe it's a bug?

    Thanks,
