Secure indi-allsky with a genuine SSL certificate from Let’s Encrypt

If you run an indi-allsky installation on a Raspberry Pi and want to make it publicly accessible via your own domain, you will quickly encounter two typical challenges:

  • The Raspberry is behind a Fritz!Box with a dynamic IP.
  • indi-allsky comes with its own web server and a self-signed certificate, so it does not present a valid TLS certificate by default.

In this article, I will show you the complete, working solution: a Let’s Encrypt certificate for a subdomain such as access.allsky-rodgau.de, served by Apache as a reverse proxy, including a working auto-renewal routine via the HTTP-01 challenge.

***This guide was updated in December 2025 and works perfectly for me***

1. Initial situation

The setup consists of:

  • Raspberry Pi with indi-allsky
  • public subdomain (e.g. access.allsky-rodgau.de)
  • DNS at all-inkl.com
  • Fritz!Box with DynDNS
  • Apache as reverse proxy

The goal: HTTPS access without certificate errors and automatic renewal of the certificate.

2. Prepare the Fritz!Box for certificate retrieval

In order for Let’s Encrypt to validate the domain, port 80 must be reachable from the internet. To do this, we set up port sharing (port forwarding) on the Fritz!Box under Internet → Shares → Port shares:

  • Port 80 → Raspberry Pi
  • Port 443 → Raspberry Pi

External test

This is easy to test with a smartphone (WLAN off, so the request comes from outside your own network):

http://access.allsky-rodgau.de

If an Apache page or the indi-allsky interface appears, port 80 is open. On my installation, the http:// page now redirects automatically to https:// – see below for how to do this!

Alternatively, you can also test the whole thing under https://www.yougetsignal.com/tools/open-ports/ – in my case: https://access.allsky-rodgau.de and port 80.

3. Do not let indi-allsky speak its own SSL

For installations via Docker, indi-allsky does not have its own HTTPS module. The internal web server only delivers HTTP – SSL always comes via Apache. SSL should be deactivated in indi-allsky for non-Docker installations.
Check whether indi-allsky speaks SSL:

sudo lsof -i :443

If only apache2 appears here, everything is correct.

You may have to install lsof:

sudo apt update
sudo apt install lsof

4. Configure Apache as a reverse proxy

Apache delivers the Let’s Encrypt certificate and forwards requests internally to indi-allsky.

Example for /etc/apache2/sites-available/indi-allsky.conf:

<VirtualHost *:80>
    ServerName access.allsky-rodgau.de
    DocumentRoot /var/www/html
</VirtualHost>

<VirtualHost *:443>
    ServerName access.allsky-rodgau.de

    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/access.allsky-rodgau.de/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/access.allsky-rodgau.de/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf

    ProxyPreserveHost On
    ProxyPass / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>

Then activate:

sudo a2enmod ssl proxy proxy_http rewrite
sudo a2ensite indi-allsky.conf
sudo systemctl reload apache2

5. Install Certbot

sudo apt update
sudo apt install certbot python3-certbot-apache

6. Generate the Let’s Encrypt certificate correctly

For automatic renewal, it is important to create the certificate with the Apache plugin, not by “manual” challenge.

sudo certbot --apache -d access.allsky-rodgau.de

Certbot:

  • creates files under /etc/letsencrypt/live
  • configures Apache automatically
  • sets up auto-renewal, i.e. the automatic renewal of the SSL certificate, correctly

7. Check the delivered certificate

openssl s_client -connect access.allsky-rodgau.de:443 -servername access.allsky-rodgau.de </dev/null | grep "CN="

The output then shows:

CN = access.allsky-rodgau.de

8. Test automatic renewal

Certbot automatically installs a systemd timer for the renewal.

systemctl status certbot.timer

Dry run:

sudo certbot renew --dry-run

If it displays this, everything worked:

Congratulations, all simulated renewals succeeded.
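
Step 7 only greps the CN, and the dry run in step 8 only shows that renewal works today. The following added example (not part of the original guide) checks the served certificate's subjectAltName and remaining lifetime, so it can run from cron and flag a stalled renewal. The function names, the 20-day threshold and the sample certificate dict are assumptions made for illustration.

```python
import socket
import ssl
from datetime import datetime, timezone

HOST = "access.allsky-rodgau.de"   # subdomain used throughout this guide
MIN_DAYS = 20                       # assumption: alert threshold, tune to taste


def fetch_cert(host, port=443, timeout=10):
    """Return the validated peer certificate as a dict (needs network access).

    create_default_context() verifies the chain and the host name, so a
    self-signed or mismatched certificate raises ssl.SSLCertVerificationError.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def audit_cert(cert, host, now=None, min_days=MIN_DAYS):
    """Return a list of problems found in a getpeercert()-style dict."""
    now = now or datetime.now(timezone.utc)
    problems = []
    # Browsers match the host against subjectAltName, not the CN that grep shows.
    sans = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if host.lower() not in sans:
        problems.append(f"{host} not in subjectAltName {sans}")
    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    remaining = expires - now
    if remaining.total_seconds() <= 0:
        problems.append(f"certificate expired on {expires:%Y-%m-%d}")
    elif remaining.days < min_days:
        problems.append(f"only {remaining.days} days left, renewal may be failing")
    return problems


# Constructed sample in the format getpeercert() returns (not a real certificate).
SAMPLE = {
    "subject": ((("commonName", HOST),),),
    "subjectAltName": (("DNS", HOST),),
    "notAfter": "Mar 15 12:00:00 2026 GMT",
}

if __name__ == "__main__":
    for line in audit_cert(fetch_cert(HOST), HOST) or ["certificate OK"]:
        print(line)
```

The SAN comparison is an exact match, which fits the single-name certificate issued in step 6; a wildcard certificate would need a different comparison.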

9. Redirect HTTP to HTTPS

Now we want to forward all incoming HTTP requests to HTTPS. To do this, we need to edit the configuration:

sudo nano /etc/apache2/sites-available/indi-allsky.conf

Then add the following line to the <VirtualHost *:80> section:

Redirect permanent / https://access.allsky-rodgau.de/

This redirects all HTTP requests for access.allsky-rodgau.de to HTTPS. The “Challenge” for the automatic SSL certificate renewal remains unaffected.

It works! Simply go to https://access.allsky-rodgau.de!

10. Maintain SSL during indi-allsky updates

When updating indi-allsky, you can actually choose not to overwrite the server data. However, this only worked to a limited extent for me, so I wrote my own custom-setup.sh routine.
