Overview
In this tutorial, I will show you how to:
- Create a new self-signed SSL certificate on your OctoPrint instance
- Redirect any HTTP request to HTTPS (“forcing all connections to use HTTPS”)
- Have your PC/Mac/iOS device trust the certificate
Though this isn’t the right term, “Enabling HTTPS” can be a way of describing what we are doing here. OctoPrint comes with HTTPS enabled already and a default SSL certificate. We are just making updates to what already exists.
Apologies in advance, I'm a new user here and can't post screenshots in this post
Disclaimer
I am NOT a security expert or security professional. This tutorial is not intended to set up a secure way to access your OctoPrint instance outside of your network. This is intended only to be used to secure in-network traffic to your OctoPrint instance. If you proceed with this tutorial, you understand the risks and take full responsibility for any security risks/incidents that might occur.
Pre-Requisites
Before we get started, this is what you will need:
- An instance of OctoPrint with SSH enabled or a way to access the command line
- In my example I will be using OctoPi. I’m using a “dummy” OctoPi, so all usernames/passwords will be the default. I suggest setting up more secure passwords for better security
- Luckily the tools we need, OpenSSL & HAProxy, come with OctoPi by default. This is how to check to make sure they are installed (run the following in the terminal). If these are not installed, a quick Google will show you how to install them
openssl version
haproxy -v
- Please make sure your OctoPi is updated. This is a simple command I run to ensure it’s up to date
sudo apt update && sudo apt dist-upgrade && sudo apt-get autoremove && sudo apt clean && sudo reboot now
- Assign your OctoPi a static IP and note what that IP is (we need it later)
One Last Note Before We Start
- Anywhere below I reference "octopi.local", you should use the local DNS entry your OctoPi uses (such as printer.customdomain).
- Just using the IP and not a custom domain? No worries. Though it may vary depending on your network, octopi.local is a common default
Let's get started already!
Create a Self-Signed SSL Certificate
- Connect to the terminal, and cd into the following folder
cd /etc/ssl
This folder is where the default .pem (snakeoil.pem) file OctoPi comes with is located. We will be storing all the SSL related items in here
- Generate an RSA private key
sudo openssl genrsa -out octopi.local.key 2048
This is needed to generate the certificate requests in the next steps
- Generate the certificate file (.cer)
MAKE SURE YOU ADD IN YOUR STATIC IP in place of "STATIC_IP"
sudo openssl req -new -x509 -sha256 -key octopi.local.key -out octopi.local.cer -days 365 -subj /CN=octopi.local -addext "subjectAltName = DNS.1:octopi.local, IP.1:STATIC_IP"
This creates the .cer file needed. It's important that the DNS.1 & IP.1 values are correct for your environment. If these are off, your browser will see the difference and not trust the certificate.
- We need to concatenate the .key/.cer files and replace the contents of snakeoil.pem
Optional: You can go with a different name other than snakeoil.pem. I have found changing the name of this file can cause issues later, so I wouldn't recommend it.
For this step, we need to be running as the root account. Not sure why, but I get permission issues even if I run as sudo
sudo -i
Need to go back to the SSL folder
cd /etc/ssl
Concatenate the .cer/.key files
cat octopi.local.cer octopi.local.key > snakeoil.pem
Stop being the root account
exit
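The certificate steps above as one script, added here as a worked example (not from the original post): it builds the key, the self-signed .cer with the same SAN layout, and the snakeoil.pem bundle in a directory of your choosing, then checks the result before you copy it into /etc/ssl. It assumes OpenSSL 1.1.1 or newer (needed for -addext); OUT_DIR, NAME and STATIC_IP are placeholders you supply.

```shell
#!/bin/sh
# Added example, not from the original post. Same steps as the tutorial, but in a
# directory you pick, plus checks on the result. Needs OpenSSL 1.1.1+ (-addext).
set -eu

# make_bundle OUT_DIR NAME STATIC_IP [DAYS]: writes NAME.key, NAME.cer and snakeoil.pem
make_bundle() {
    dir=$1; name=$2; ip=$3; days=${4:-365}
    mkdir -p "$dir"
    rm -f "$dir/$name.key" "$dir/snakeoil.pem"
    # umask 077: the key file is created owner-readable only, never world-readable
    ( umask 077 && openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null )
    # Self-signed cert. Browsers match the URL against the SAN, so every name and
    # IP you will type into the address bar has to be listed here.
    openssl req -new -x509 -sha256 -key "$dir/$name.key" -out "$dir/$name.cer" \
        -days "$days" -subj "/CN=$name" \
        -addext "subjectAltName = DNS.1:$name, IP.1:$ip"
    # HAProxy reads cert + key from one PEM. The ">" is done by this shell, not by
    # sudo, so the bundle is built here and copied to /etc/ssl as root afterwards.
    ( umask 077 && cat "$dir/$name.cer" "$dir/$name.key" > "$dir/snakeoil.pem" )
}

# check_bundle OUT_DIR NAME STATIC_IP: returns 0 if the bundle is usable, 1 if not
check_bundle() {
    dir=$1; name=$2; ip=$3; pem="$dir/snakeoil.pem"
    # 1. SAN really carries the DNS name and the IP; a typo here is the usual reason
    #    the browser still warns after the .cer has been imported as trusted.
    #    Whitespace is stripped and a comma appended so "192.0.2.1" cannot match ".10".
    san="$(openssl x509 -in "$pem" -noout -text | grep -A1 'Subject Alternative Name' | tr -d ' \n'),"
    case "$san" in *"DNS:$name,"*) ;; *) echo "SAN lacks DNS:$name"; return 1;; esac
    case "$san" in *"IPAddress:$ip,"*) ;; *) echo "SAN lacks IP:$ip"; return 1;; esac
    # 2. The bundle holds a private key, and the key on disk matches the cert.
    grep -q "PRIVATE KEY-----" "$pem" || { echo "no private key in bundle"; return 1; }
    c=$(openssl x509 -in "$pem" -noout -pubkey | openssl sha256)
    k=$(openssl pkey -in "$dir/$name.key" -pubout | openssl sha256)
    [ "$c" = "$k" ] || { echo "key does not match cert"; return 1; }
    # 3. The cert verifies against itself, which is how the trusting devices use it.
    openssl verify -CAfile "$dir/$name.cer" "$dir/$name.cer" >/dev/null 2>&1 \
        || { echo "cert does not verify as its own root"; return 1; }
    # 4. Only the owner may read the bundle (it contains the private key).
    mode=$(stat -c %a "$pem" 2>/dev/null || stat -f %Lp "$pem")
    [ "$mode" = "600" ] || { echo "snakeoil.pem mode is $mode, expected 600"; return 1; }
    return 0
}
```

Run it as `make_bundle ./out octopi.local STATIC_IP && check_bundle ./out octopi.local STATIC_IP`, then copy out/snakeoil.pem and out/octopi.local.cer into /etc/ssl from a root shell as in the steps above.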
Yay! We have all the SSL files set up on the OctoPi. Next, let's modify HAProxy to force HTTP to be redirected to HTTPS
HAProxy - Forward all HTTP requests to HTTPS
- Open the haproxy.cfg file
sudo nano /etc/haproxy/haproxy.cfg
- Navigate to the row that says
option forwardfor except 127.0.0.1
- Under the line mentioned above, add
redirect scheme https if !{ hdr(Host) -i 127.0.0.1 } !{ ssl_fc }
The final result should look like this
...
frontend public
bind :::80 v4v6
bind :::443 v4v6 ssl crt /etc/ssl/snakeoil.pem
option forwardfor except 127.0.0.1
redirect scheme https if !{ hdr(Host) -i 127.0.0.1 } !{ ssl_fc }
use_backend webcam if { path_beg /webcam/ }
default_backend octoprint
...
The redirect sends any HTTP request to HTTPS, unless it is the localhost (127.0.0.1) connecting. This allows OctoDash or other local UIs to connect (they usually don't support HTTPS connections).
Optional: If you changed snakeoil.pem to a different name, make sure to change the reference above. Again I would avoid changing the name because that kept causing issues for me.
- Save (CTRL + O) & Exit (CTRL + X)
Just a few more steps before we are done with OctoPi
- Copy the octopi.local.cer file to a flash drive/shared folder/etc (personally I use scp). We need to use this file later to establish the trust between your other devices and OctoPi.
- Reboot your OctoPi
sudo reboot now
This is the command just to restart HAProxy if you need it. Any time you modify haproxy.cfg, you need to restart HAProxy or your OctoPi.
sudo systemctl restart haproxy
We are now done with OctoPi! Time to set up your devices to trust this self-signed SSL certificate
Trust Self-Signed Certificate on Windows
- Have the octopi.local.cer file somewhere you can access it
- Open "Manage user certificates"
- Expand "Trusted Root Certification Authorities" > Right click on "Certificates" > "All Tasks" > "Import..."
- Click next on the first screen
- Select the .cer file > Next
- Next (leave defaults)
- Click "Finish" on the last screen
- Click "Yes" if you get a security warning
If you look at the certificate list, you should see a record called "octopi.local"
- Open a browser and test the following
Type in http://IP and/or DNS. Make sure it forwards to HTTPS
Type in https://IP and/or DNS. Make sure the connection works
Your browser should show the connection is secured!
Trust Self-Signed Certificate on iOS
- Have the octopi.local.cer file somewhere you can access it
- Click on the file > Select the device you want to install it on (iPhone/iPad)
- Open Settings > Click on the "Profile Downloaded" Option
- Click on the Profile > Install
- Click Install (accept any security warnings that pop up)
- Go to Settings > General > About > Certificate Trust Settings (all the way at the bottom)
- Turn on the octopi.local option (accept any security warnings)
- Open a browser and test the following
Type in http://IP and/or DNS. Make sure it forwards to HTTPS
Type in https://IP and/or DNS. Make sure the connection works
Your browser should show the connection is secured!
Trust Self-Signed Certificate on MacOS
- Have the octopi.local.cer file somewhere you can access it
- Follow this guide: Getting OS X to trust self-signed SSL certificates
- Open a browser and test the following
Type in http://IP and/or DNS. Make sure it forwards to HTTPS
Type in https://IP and/or DNS. Make sure the connection works
Your results should show that accessing the site is Secure!
Trust Self-Signed Certificate on Android
I do not own an Android, but a quick Google search can get you there!
Trust Self-Signed Certificate on Linux
Quick Google search can get you there!
You have reached the end!
@jneilliii has a very cool tutorial on how to set up client certificates. Go check it out! I owe them credit too, their tutorial helped me figure out a few things
Please comment any feedback or questions you might have