Hi,

Communication encryption for CODESYS WebVisu

In order to prevent communication from being hacked between a CODESYS compatible controller, which
supports the CODESYS WebVisu, and an internet browser on a PC or mobile device, an HTTPS connection
with encryption is available. It protects the integrity of the displayed data.

What is needed to publish a SSL encrypted Webvisualisation with the Raspberry Pi or any >= Version 3.5SP5 CODESYS plc?
For example you want to have access from internet to your home where your pi Webvisu is running

Sure for doing this you need a official ssl certificate and sure if you do not have a official certificate I would prefer a VPN connection additional
Passwort/UserManagement is needed in any case.
For testing purpose you could generate a ssl certificate to see how SSL Webvisu could be established/activated

On the pi runtime side you have the setting 'ConnectionType' in /etc/CODESYSControl.cfg
[CmpWebServer] ConnectionType=3

HTTP_ONLY, / = 0 / -->access your visu by http://RaspiIpAdress:8080/webvisu.htm
HTTPS_ONLY, / = 1 / -->access your visu by https://RaspiIpAdress:443/webvisu.htm gehen
HTTP_AND_HTTPS, / = 2 / -->access your visu by http://RaspiIpAdress:8080/webvisu.htm und https://localhost:443/webvisu.htm gehen
REDIRECT_HTTP_TO_HTTPS / = 3 / -->access your visu by http://RaspiIpAdress:8080/webvisu.htm will be redirected to https://localhost:443/webvisu.htm

for testing purpose you could generate on the pi a certificate by the following bash script (attached):
copy this to the pi (this could be done by CODESYS plc file browser) then connect by ssh (putty) to the pi
and execute the script (after make it executable by chmod +x generateKeys.sh ).
Generate process take some time, be patient.
After that long long key generation process and restart of the plc, you could connect by ssl encrypted connection to the Webvisu.

\#!/bin/bash
openssl genrsa -out server.key 2048
openssl req -new -key server.key -out server.csr
openssl x509 -req -sha256 -days 365 -in server.csr -signkey server.key -out server.crt
rm server.csr
openssl x509 -noout -in server.crt -fingerprint
openssl dhparam -outform pem -out dhparams.pem 1024
\#copy the generated key to the runtime location
echo "make dirs"
mkdir /root/PKI
mkdir /root/PKI/cert
mkdir /root/PKI/crl
mkdir /root/PKI/private
mkdir /root/PKI/trusted
echo "move certificate"
mv server.crt /root/PKI/cert/server.cer
echo "move key"
mv server.key /root/PKI/private/
echo "move dhparams"
mv dhparams.pem /root/PKI/private/

Check the documentation here for more details:
"c:\Program Files (x86)\3S CODESYS\GatewayPLC\Documentation\WebServerSSL_en.pdf"

Update:
These steps are not needed anymore use the Security Agent from CODESYS Store to generate the certificates.

Best Regards
Edwin

generateKeys.zip [397 Bytes]

Hi,
I tried this, created certificates, but without success (web page is redirected to https, but nothing is displayed)

---------Unable to connect
Firefox can't establish a connection to the server at "IP_ADDRESS"
The site could be temporarily unavailable or too busy. Try again in a few moments.
If you are unable to load any pages, check your computer's network connection.
If your computer or network is protected by a firewall or proxy, make sure that Firefox is permitted to access the Web.
----------------

I tried setting connection back to 0 (ConnectionType=0), but web server is still redirecting to https!!!

Also PDF is not installed with V3.5 SP12 x64...

BR,
Gregor

Some more problems & diagnosys.

1) I created OpenSSL certificate and I see it in /root/KPI directory. This is OK.
When I set .cfg file ConnectionType=3, web server redirects to https protocol. This works OK.
But when I reset ConnectionType=0 (set from 3 back to 0), webserver is allways (still) redirecting to https. With settings back to 0, only http protocol should be used, so resetting this setting doesn't work.
I also did system restart, without success. Still webserver redirects to https.

2) Then I installed security agent. I managed to create webserver certificate on the RPi. https redirection works, and now I got connection erorr: ERR_SSL_VERSION_OR_CIPHER_MISMATCH (both in FF and Chrome). In my knowledge this is a problem with certificate not beeing trusted, outdated technology ...
At least now I see connection to https protocol works and webserver on RPi knows where certificate is installed.

Once again I set ConnectionType back to 0. Still there is a problem of webserver allways redirects to https.

Best Regards,
Gregor

Hi,

yes this is an open point you need to execute:

cert-gendhparams 1024

in the plc Shell.
Then it will work at least with IE and Firefox.
It is an open point which need to be fixed.

BR
Edwin

I have found that the PKI directory placed in /root will not allow the certificate and private key to load.

I have moved the entire PKI directory from /root/ to /var/opt/codesys/ and now the SSL certificate properly loads.

Hi is it possible to set ssl port in codesyscontrol.cfg?
Couldn´t find any documents describing parameters an settings that can be done in the cfg file.
I have a webserver running on port 80,443 and would like to have webvisu ssl on port 8443

Br
Lennart

Hi,

you could give this a try:

[CmpWebServer]
WebServerSecurePortNr=8443

BR
Edwin

@Edwin,

Are we still able to generate certificate without needing to use the IDE? I noticed that the certificate is only valid for 30 days. It looks like there's no way of increasing this?

Thanks,

Hi,
guess you could set it up here by the security Agend or as a plcshell command:
Without IDE -> not except you apply your own company certificate - which is probably the correct way to handle the thing.

BR
Edwin

@Edwin,

Thanks for your response. I'm running on 3.5.15.30 64b, and I followed your instructions. The issue that I'm noticing is that even if I create own certificate via Codesys IDE (delete or not delete previous cert), the IDE also creates its own certificate (30 days) on the controller with value of "Encrypted communication" under the Information column and uses that as default (/etc/CODESYSControl.cfg). If you manually delete .der file from /var/opt/codesys/.pki/own/cert and .key file from /var/opt/codesys/.pki/own/key. When you restart codesys service, it also generates a set of files and use that as default. Essentially, whatever information you use is overwritten by codesys. Maybe it's a bug?

Thanks,

Hello
Is there any fix to the https problem? I have the same problem. It generates a certificate for the website and, oddly enough, after restarting the driver, the certificate disappears from the Web Server. Appears in OWN Cert.

I followed the instructions.
1. I created a certificate for the website
2. PLC reset
3. I ran cert-gendhparams 1024 in PLC Shell
4. An attempt to log in via https ends with the ERR_SSL_PROTOCOL_ERROR error(chrome)
The connection does not work on google chrome or IE

PLC i work with is RevPi Connect + from KUNBUS GmbH