Communication encryption for CODESYS WebVisu
In order to prevent communication from being hacked between a CODESYS compatible controller, which
supports the CODESYS WebVisu, and an internet browser on a PC or mobile device, an HTTPS connection
with encryption is available. It protects the integrity of the displayed data.
What is needed to publish a SSL encrypted Webvisualisation with the Raspberry Pi or any >= Version 3.5SP5 CODESYS plc?
For example you want to have access from internet to your home where your pi Webvisu is running
Sure for doing this you need a official ssl certificate and sure if you do not have a official certificate I would prefer a VPN connection additional
Passwort/UserManagement is needed in any case.
For testing purpose you could generate a ssl certificate to see how SSL Webvisu could be established/activated
On the pi runtime side you have the setting 'ConnectionType' in /etc/CODESYSControl.cfg
HTTP_ONLY, / = 0 / -->access your visu by http://RaspiIpAdress:8080/webvisu.htm
HTTPS_ONLY, / = 1 / -->access your visu by https://RaspiIpAdress:443/webvisu.htm gehen
HTTP_AND_HTTPS, / = 2 / -->access your visu by http://RaspiIpAdress:8080/webvisu.htm und https://localhost:443/webvisu.htm gehen
REDIRECT_HTTP_TO_HTTPS / = 3 / -->access your visu by http://RaspiIpAdress:8080/webvisu.htm will be redirected to https://localhost:443/webvisu.htm
for testing purpose you could generate on the pi a certificate by the following bash script (attached):
copy this to the pi (this could be done by CODESYS plc file browser) then connect by ssh (putty) to the pi
and execute the script (after make it executable by chmod +x generateKeys.sh ).
Generate process take some time, be patient.
After that long long key generation process and restart of the plc, you could connect by ssl encrypted connection to the Webvisu.
openssl genrsa -out server.key 2048
openssl req -new -key server.key -out server.csr
openssl x509 -req -sha256 -days 365 -in server.csr -signkey server.key -out server.crt
openssl x509 -noout -in server.crt -fingerprint
openssl dhparam -outform pem -out dhparams.pem 1024
\#copy the generated key to the runtime location
echo "make dirs"
echo "move certificate"
mv server.crt /root/PKI/cert/server.cer
echo "move key"
mv server.key /root/PKI/private/
echo "move dhparams"
mv dhparams.pem /root/PKI/private/
Check the documentation here for more details:
"c:\Program Files (x86)\3S CODESYS\GatewayPLC\Documentation\WebServerSSL_en.pdf"
These steps are not needed anymore use the Security Agent from CODESYS Store to generate the certificates.
generateKeys.zip [397 Bytes]
I tried this, created certificates, but without success (web page is redirected to https, but nothing is displayed)
---------Unable to connect
Firefox can't establish a connection to the server at "IP_ADDRESS"
The site could be temporarily unavailable or too busy. Try again in a few moments.
If you are unable to load any pages, check your computer's network connection.
If your computer or network is protected by a firewall or proxy, make sure that Firefox is permitted to access the Web.
I tried setting connection back to 0 (ConnectionType=0), but web server is still redirecting to https!!!
Also PDF is not installed with V3.5 SP12 x64...
Some more problems & diagnosys.
1) I created OpenSSL certificate and I see it in /root/KPI directory. This is OK.
When I set .cfg file ConnectionType=3, web server redirects to https protocol. This works OK.
But when I reset ConnectionType=0 (set from 3 back to 0), webserver is allways (still) redirecting to https. With settings back to 0, only http protocol should be used, so resetting this setting doesn't work.
I also did system restart, without success. Still webserver redirects to https.
2) Then I installed security agent. I managed to create webserver certificate on the RPi. https redirection works, and now I got connection erorr: ERR_SSL_VERSION_OR_CIPHER_MISMATCH (both in FF and Chrome). In my knowledge this is a problem with certificate not beeing trusted, outdated technology ...
At least now I see connection to https protocol works and webserver on RPi knows where certificate is installed.
Once again I set ConnectionType back to 0. Still there is a problem of webserver allways redirects to https.
yes this is an open point you need to execute:
in the plc Shell.
Then it will work at least with IE and Firefox.
It is an open point which need to be fixed.
I have found that the PKI directory placed in /root will not allow the certificate and private key to load.
I have moved the entire PKI directory from /root/ to /var/opt/codesys/ and now the SSL certificate properly loads.
Hi is it possible to set ssl port in codesyscontrol.cfg?
Couldn´t find any documents describing parameters an settings that can be done in the cfg file.
I have a webserver running on port 80,443 and would like to have webvisu ssl on port 8443
you could give this a try:
Are we still able to generate certificate without needing to use the IDE? I noticed that the certificate is only valid for 30 days. It looks like there's no way of increasing this?
guess you could set it up here by the security Agend or as a plcshell command:
Without IDE -> not except you apply your own company certificate - which is probably the correct way to handle the thing.
I would like to apply my own certificate, but I'm not sure how to do so. I've tried to use openssl to generate a self signed certificate that matches the exact same output as the one that gets automatically created, converted private key and cert to der format, and moved them both into the ./pki/own/key and ./pki/own/cert. However, when I restart codesys runtime, I get these errors in the logs.
Thanks for your response. I'm running on 220.127.116.11 64b, and I followed your instructions. The issue that I'm noticing is that even if I create own certificate via Codesys IDE (delete or not delete previous cert), the IDE also creates its own certificate (30 days) on the controller with value of "Encrypted communication" under the Information column and uses that as default (/etc/CODESYSControl.cfg). If you manually delete .der file from /var/opt/codesys/.pki/own/cert and .key file from /var/opt/codesys/.pki/own/key. When you restart codesys service, it also generates a set of files and use that as default. Essentially, whatever information you use is overwritten by codesys. Maybe it's a bug?
Log in to post a comment.