Let’s Encrypt with NGINX and pfSense

I’ve been using self-signed certificates for a few of the applications and services I run at home on the local network for a year now and with Firefox it’s not an issue as you accept the risk the very first time and never get asked again. However in the kitchen, the Splunk dashboard runs using the Chrome browser because it’s a little more stable running 24/7 on the tablet. Chrome treats self-signed certificates in a different manner to Firefox – every week it pops up the same boring warning screen and you have to press Advanced then proceed to carry on to the site…

Chrome self signed certificate warning

So to fix the issue with the annoying warning screen, I need to get hold of a non-self-signed certificate.

To get a non-self signed certificate, I need to use a domain that I own or can prove I have control over so that rules out the local network fake domain set in pfSense which is “.home”. I have a few other domains but don’t want to mix those up with internal addresses, so I purchased a new domain from HOST-IT.co.uk.

Next up, trying out Let’s Encrypt – I’d read about Let’s Encrypt about two years ago and wanted to use it in a project at work for test environments but since we have a paid for wildcard certificate, we used that for all the test environments instead. This little project at home gives me a the perfect opportunity to try out Let’s Encrypt and get a non-self-signed certificate for free 🙂

I started with the docker image certbot/certbot but since I’ve never used certbot before, I decided after a few attempts to install certbot on my server instead and at least that way it prompts you to complete the certificate registration. For those interested, the command I used can be found below.

certbot certonly --config-dir config/ --work-dir work/ --logs-dir logs/ --manual --preferred-challenges dns --email email@address.com --agree-tos -d test.example.co.uk

To request a wildcard certificiate instead of a specific host certificate, use: -d *.example.co.uk

Once you run the above, you’ll get prompted to agree to your IP address being logged – entering No will cancel your certificate request! After you’ve agreed to your IP being logged, it will display a DNS TXT record that you need to place on your domain.

certbot request certificate dns challenge

Take the challenge code and put a DNS TXT file on your domain, e.g.

acme challenge text example

I’d highly recommend testing whether the TXT file can be found at this point before pressing enter on the certbot window. I found that the TTL on my hosting account was set to a day by default and had to change it to 1 minute. To test the DNS TXT can be seen, run something similar to:

dig -t TXT _acme-challenge.example.co.uk
dig text check

Once you’ve got your certificate, there’s a whole bunch more commands that may come in useful like:

certbot --config-dir config/ --work-dir work/ --logs-dir logs/ certificates

For listing all the certificates you own.

certbot list certificates
certbot --config-dir config/ --work-dir work/ --logs-dir logs/ renew

For renewing all the certificates you own.

certbot renew certificates
certbot --config-dir config/ --work-dir work/ --logs-dir logs/ --help

For a list of all the other commands available.

Next up, I’m keeping my home network domain as “.home” because I have too many services to change over now, so I need to override any requests in pfSense that go to specific hosts on the new domain name. To do this, go to the DNS Forwarder -> Host Override section and add a new entry, e.g. if a request to splunk.example.co.uk is received, use IP address locally.

pfSense host override

And finally, the NGINX config needs to be updated to use the new certificates. Temporarily while I’ve been testing out these new certificates, I’ve left in the server_name configuration that I previously used “splunk.home” but in addition added the new domain so either could work.

nginx config

And the result is that the Chrome browser on the tablet no longer objects to the certificate. Cool 🙂

Splunk dashboard with new certificate

p.s. for those trying to use this guide, some of the images show an example whereas others are based off my real splunk setup – sorry! So the first set of certbot images I’ve asked for test.example.co.uk and therefore if you wanted to put a corresponding record into pfSense, you’d need to put host=test, domain=example.co.uk and in the nginx config it would say server_name test.example.co.uk.

Nissan leaf 2.zero – 1 year and 16,000 miles update

I’ve now had my Nissan Leaf 2.zero for exactly one year and in that time I’ve driven 16000 miles, so it’s about time I did another update on how I’m finding the car and any issues with it.

First service
The car went in for it’s first service in February to my local dealership as I didn’t fancy a day out in Cambridge. The cost of the first year service was £149. I tried ringing around to see if there was a cheaper 1st year service but there seems to be no competition between the dealerships – all of them quoted £149.

When I picked up the car after the service, the dealership had included a page on signing up for the next three services at a fixed rate of £427 which at first glance didn’t seem too good but then I realised later that night it actually worked out significantly cheaper than paying for the next three services individually. The next three services are major, minor, major with the cost of a major being £199 and a minor £149, so £120 saving using a service plan. The only trouble about signing up to the service plan is that it’s effectively locked me in to keeping the car for another 3 years! Not sure whether that’s a wise decision or not…

Winter vs. Summer range
The range in winter is around 33% less than the summer! Whereas in the summer the GOM (guess-o-meter) was displaying 150 miles when fully charged, in the winter when the temperature is less than 5C, it’s consistently 100 miles on the GOM and I certainly wouldn’t drive it beyond 90 miles!! Having said that, my cabin temperature is set to 24C and it’s set to pre-heat in the mornings, so I don’t think 100 mile range in the winter is all that bad 😀

Pre-heating the car in the mornings has meant I haven’t had to scrape the car once this winter! It’s lovely being able to walk out of the house in -4C weather without a coat or jacket and get straight into a 24C car – AHHHH 😀

Eco button
In the last week I have started to use the eco button every time I drive the car. The eco button has the effect of sucking the life out of the car but it should mean I keep my license clean! The car without the eco button enabled is a beast and makes it very tempting to prove a point to every Audi driver at roundabouts.

Even with the eco button enabled, if you really need the extra power you can press the accelerator beyond the first stopping point and it’ll give you the same power as if the eco button were disabled while the accelerator is within the “second zone” (as I term it).

Issues with the seat
In the 8000 mile update, I mentioned that I was having problems with the drivers seat and pains in the leg – this is still an issue. If I hadn’t had a holiday in October, I think I would have sold the car then and there as the pain was immense but luckily having the holiday helped to give me a little bit of a break. However I still get pain and there was a day last week where I just couldn’t find a comfortable position in the seat for the entire journey home 🙁

Drivers sun visor
I asked in two Nissan garages if there was a way to extend/pull out the sun visor and was told no, it’s by design! HAHAHAHA, it’s terrible and I’ve had to build mark 2* of my makeshift sun visor extender since I last posted a picture.

* To see mk1, see my 600 mile update

Lowest state of charge
Monday this week I got to work with only 5% remaining!! I was a wee bit nervous when the 10% warning came on to the screen and the GOM read 14 miles with 6 miles still to go to work! Luckily switching the lights on to side lights and the heating off helped but I’d rather not have a repeat of that again any time soon.


Money spent on one year of driving
Over the last year I’ve spent a grand total of £53.17 on electricity at home, £10 while charging out and about (two rapid charges in Bury St. Edmunds) and the £149 on the first year service (excluding the cost of the service plan I’ve paid up front for the next three years). £212.17 for an entire year of driving – not bad! In comparison I would have spent in the region of £3000 to drive my old car for another year.

Final notes
The paint on the leaf is TERRIBLE!! I’ve got some serious paint scratches in a year compared to only minor scrapes on my ceed in 10 years despite driving it harshly through some shrubs.

I have to keep my car cleaner than the ceed because of all the sensors! Hahaha, no longer can I wait a year until the next service to get the car cleaned!

There is more competition in the electric car market since I purchased my vehicle and I’d love to be able to afford to trade up but I’ve committed to another three years with this one – hopefully it’ll grow on me more over the coming years.

Updated Splunk Dashboards and Powerwall 100% charged in February!

Over the last few months since I re-wrote my home monitoring application and started logging data to Splunk (in addition to the existing two locations) there’s been an update to Splunk that seemed to fix an issue I had with updating dashboard panels in near realtime. This is a huge benefit as the lack of realtime querying with the free version that I was using was one of the reasons I’d considered purchasing a Splunk Enterprise license! The update also included the dark theme which I first thought was a bit of a gimmick but has proved really useful as having a dark background for the quick glace dashboard means you can see the colours easier when reflected in the kitchen window.

So since the first draft dashboard I posted back in July, I’ve re-written the dashboards and started using a Splunk App so I can copy the source files out into bitbucket and make sure I have a copy and also logically group my dashboards away from the default search app content. My Splunk App is called Home Monitoring (as you’ll see below in the screenshots) after the server app and the logo is a small snippet from a picture of my solar array.

Below is a screenshot of the quick glance section of a dashboard titled realtime. Although it’s titled realtime (RT), the quick glance dashboard panels aren’t actually using RT searches as I found them to be less correct than using a search combined with “head 1” and limiting the search window to around 15 seconds.

On the quick glance section I have a line for the Powerwall figures, displaying current charge percentage (taking in to account the reserved 5%), load on the battery, the amount of power in kWh in the battery (an alternative way of displaying the percentage) and a rough restimate on how long until full or empty at current load. All of these figures come from the Powerwall APIs.

On the second line is the current household load, load on the grid (both from Powerwall API), import today (from the Arduino in the meter cupboard), generation from the solar array, total enery generated today by the solar array (both of the solar figures are from the inverter data) and mains voltage (from the Arduino in the meter cupboard).

The third line displays the current temperature of the hot water tank and whether it’s going up or down based on the figure before (from the Arduino in the hot water cupboard), the status of the immersion plug (from the server code which controlls the plug) and how much data we’ve used in the month on the 4G connection (from the EE status page).

And finally on the fourth line is the wind figures from the Arduino down the garden.

The colours on the page as mentioned earlier help to be able to see at a quick glance what the state of each section is – even reflected in the kitchen window when standing at the sink!

Below the quick glance section is a graph showing the Powerwall meters API data over 48 hours and charge percentage on the Z axis. The graph showing February 26 and 27th shows that we had incredibly sunny February days and didn’t use up all of the electricity stored in the Powerwalls so we hit fully charged (100%) two days in a row! This is quite a common scenario in the summer but completely unexpected in February.

Below the Powerwall meters graph is a graph displaying daily geneartion and import over the last 30 days. As can be seen in one of the graphs, Sunday 24th to Wednesday 27th February were lovely days where the solar panels achieved near perfect output for four days in a row!

The next screenshot shows the monthly generation and import graph which sits below the daily graph along with the wind speed graph over the last 48 hours. There is one further graph on the realtime dashboard page but it’s just out of shot. It displays the Hot water temperature over the last 48 hours.

All of these screenshots are from the same realtime dashboard but only the quick glance section displays on the screen at one time and you have to scroll down to see the rest of the graphs.