Configuration of the PicApport Server for SSL with Letsencrypt
The following documentation is for a PicApport version which will be available for our beta testers in late summer 2019.
If you would like to take part in this test, simply send an e-mail to info@picapport.de
Background Information
The offline mode of PicApport is supported by modern browsers only for SSL connections. The keyword here is "Progressive Web App" (PWA).
Depending on the configuration, PicApport uses either:
- Application Cache (AppCache)
- or the more modern "service workers".
The effort and the costs for private users and small companies to equip servers with a valid certificate via DynDns are relatively high.
https://letsencrypt.org/ offers a solution via the standardized ACME protocol, which we have implemented in PicApport as of version 7.6.x.
The goal is:
- Configure SSL once in PicApport for Letsencrypt
- Once configured, PicApport automatically updates the certificates
Everything works fully automatically.
Configuration
The following diagram shows how to configure SSL for Letsencrypt:

As shown in the picture above, 5 parameters must be entered in picapport.properties. After a restart of the server, everything should be set up automatically.
The Letsencrypt activities are documented in the log files under de.contecon.picapport.security.utils.LetsEncryptService:: (as of version 7.6, they can also be queried via the web interface if you are authorized):
MSG @ 02:53:53.040 de.contecon.picapport.security.utils.LetsEncryptService:: OK: valid certificate found. No renew necessary.
MSG @ 02:53:55.008 de.contecon.picapport.security.utils.LetsEncryptService:: UPDATE: certificate expired.Tue Jul 09 02:53:55 CEST 2019-Mon Oct 07 02:53:55 CEST 2019
MSG @ 02:53:55.008 de.contecon.picapport.security.utils.LetsEncryptService:: UPDATE: no matched entries in keystore found
MSG @ 02:53:55.008 de.contecon.picapport.security.utils.LetsEncryptService:: UPDATE: starting renew
MSG @ 02:53:56.571 de.contecon.picapport.security.utils.LetsEncryptService:: UPDATE: challenge accepted
MSG @ 02:53:59.008 de.contecon.picapport.security.utils.LetsEncryptService:: OK: challenge has been completed
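The log entries above show one complete renewal cycle. The following Python script is an added example, not part of PicApport or its documentation: it scans LetsEncryptService log lines and reports every renewal that was started but never reached "challenge has been completed". It assumes that a successful renewal always ends with that line, as in the excerpt; the function names and the second cycle in the sample are constructed for illustration.

```python
import re

# Line layout taken from the log excerpt on this page:
#   MSG @ HH:MM:SS.mmm <logger>:: <STATUS>: <text>
LINE_RE = re.compile(
    r"MSG @ (?P<time>\d{2}:\d{2}:\d{2}\.\d{3}) "
    r"de\.contecon\.picapport\.security\.utils\.LetsEncryptService:: "
    r"(?P<status>[A-Z]+): (?P<text>.*?)\s*$"
)
RENEW_START = "starting renew"
RENEW_DONE = "challenge has been completed"  # assumed to end every good renewal


def parse(lines):
    """Yield (time, status, text) for every LetsEncryptService entry."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            yield m.group("time"), m.group("status"), m.group("text")


def incomplete_renewals(lines):
    """Return start times of renewals never followed by a completed challenge."""
    pending, failed = None, []
    for time, status, text in parse(lines):
        if status == "UPDATE" and text == RENEW_START:
            if pending is not None:      # previous attempt never finished
                failed.append(pending)
            pending = time
        elif status == "OK" and text == RENEW_DONE:
            pending = None
    if pending is not None:              # log ends inside an open attempt
        failed.append(pending)
    return failed


# Constructed sample: the first cycle is copied from the page, the second
# cycle (03:10) is made up and stops after the challenge was accepted.
SAMPLE = """\
MSG @ 02:53:55.008 de.contecon.picapport.security.utils.LetsEncryptService:: UPDATE: starting renew
MSG @ 02:53:56.571 de.contecon.picapport.security.utils.LetsEncryptService:: UPDATE: challenge accepted
MSG @ 02:53:59.008 de.contecon.picapport.security.utils.LetsEncryptService:: OK: challenge has been completed
MSG @ 03:10:00.000 de.contecon.picapport.security.utils.LetsEncryptService:: UPDATE: starting renew
MSG @ 03:10:01.500 de.contecon.picapport.security.utils.LetsEncryptService:: UPDATE: challenge accepted
""".splitlines()

if __name__ == "__main__":
    for t in incomplete_renewals(SAMPLE):
        print(f"renewal started at {t} did not complete; check port 80 forwarding")
```

A reported start time is a prompt to check that port 80 is still forwarded to server.letsencrypt.challenge.port before the current certificate runs out.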
Important notice
server.port and server.letsencrypt.challenge.port can be chosen freely.
However, it must be ensured that the challenge port can always be reached from "outside" via port 80.
This is a default of Letsencrypt and cannot be changed.
Please also note that port numbers < 1024 on Linux (incl. Apple) are so-called privileged ports and must be handled accordingly.
See also: https://stackoverflow.com/questions/413807/is-there-a-way-for-non-root-processes-to-bind-to-privileged-ports-on-linux