Securing your GenieACS TR069 server with HTTPS is essential for ensuring that data transmitted between the server and clients is encrypted. In scenarios where you don’t have a publicly resolvable domain name (perhaps because your server is on a local network), you can use self-signed certificates instead of certificates from authorities like Let’s Encrypt. Here’s how to do it:
Step 1: Update Your GenieACS TR069 Ubuntu Server
Before making any changes, make sure your server's package information is current, so that the latest security patches and features are available to install.
Command:
sudo apt update
Explanation:
- sudo apt update: This command updates the list of available packages and their versions, but it does not install or upgrade any packages.
Updating your server is a good habit as it helps prevent potential issues with outdated software or dependencies.
Step 2: Generate Self-Signed Certificates
A self-signed certificate is an SSL/TLS certificate that you create and sign yourself, rather than obtaining it from a Certificate Authority (CA). It’s useful for testing, development environments, or internal networks where you don’t need a public CA to validate your domain.
Command:
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/server.key -out /etc/ssl/certs/server.crt -subj "/CN=YOUR_IP"
Explanation:
- openssl req -x509: This tells OpenSSL to generate a self-signed certificate (using the X.509 standard).
- -nodes: This skips protecting the private key with a passphrase, which can be cumbersome for services that need to restart without manual input.
- -days 365: The certificate will be valid for 365 days.
- -newkey rsa:2048: Creates a new RSA key pair with a 2048-bit length.
- -keyout /etc/ssl/private/server.key: Specifies the file where the private key will be saved.
- -out /etc/ssl/certs/server.crt: Specifies the file where the certificate will be saved.
- -subj "/CN=YOUR_IP": This sets the subject of the certificate, with CN (Common Name) being the IP address of your server.
Replace YOUR_IP with the actual IP address of your ACS server. This is important because it ties the certificate to the server’s IP address.
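Clients that follow current TLS name-checking rules match an IP address against the certificate's subjectAltName rather than the CN, so a CN-only certificate can still be rejected after it has been imported as trusted. The following is an added example, not part of the original article: it issues the same certificate with an IP subjectAltName and checks the result with OpenSSL. It assumes OpenSSL 1.1.1 or later (for -addext); the address 192.0.2.10, the temporary directory and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article. Needs OpenSSL 1.1.1 or later
# for -addext. 192.0.2.10 is a constructed documentation address.

# make_acs_cert IP DIR: write DIR/server.key and DIR/server.crt for IP,
# using the article's options plus an IP subjectAltName.
make_acs_cert() {
    (
        umask 077   # key file is created readable by its owner only
        openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
            -keyout "$2/server.key" -out "$2/server.crt" \
            -subj "/CN=$1" \
            -addext "subjectAltName = IP:$1" 2>/dev/null
    )
}

# cert_matches_ip CRT IP: succeed only if OpenSSL's own IP check accepts IP.
# The check reads iPAddress subjectAltName entries and ignores the CN.
cert_matches_ip() {
    openssl x509 -in "$1" -noout -checkip "$2" 2>/dev/null |
        grep -q 'does match certificate'
}

# cert_san CRT: print the subjectAltName extension, if the certificate has one.
cert_san() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null
}

# Demonstration in a throwaway directory (nothing under /etc/ssl is touched).
demo_dir=$(mktemp -d)
if make_acs_cert 192.0.2.10 "$demo_dir" &&
   cert_matches_ip "$demo_dir/server.crt" 192.0.2.10; then
    cert_san "$demo_dir/server.crt"
fi
rm -rf "$demo_dir"
```

For the real server, the same -addext option can be appended to the command in this step, with YOUR_IP in place of the constructed address.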
Step 3: Configure GenieACS TR069 to Use the Self-Signed Certificate
Now that you have the self-signed certificate, you need to tell GenieACS to use it for HTTPS connections.
Steps:
- Open the genieacs.env file in a text editor. This file contains the environment variables used by GenieACS.
Command:
sudo nano /opt/genieacs/genieacs.env
- Add the following lines to the file:
GENIEACS_UI_SSL_CERT=/etc/ssl/certs/server.crt
GENIEACS_UI_SSL_KEY=/etc/ssl/private/server.key
Explanation:
- GENIEACS_UI_SSL_CERT: This specifies the path to the SSL certificate that will be used by the GenieACS UI service.
- GENIEACS_UI_SSL_KEY: This specifies the path to the private key associated with the SSL certificate.
These lines instruct the GenieACS UI service (genieacs-ui) to use your self-signed certificate for HTTPS.
Step 4: Set Permissions
GenieACS TR069 needs permission to read the certificate and private key files. By default, these files are stored in directories that are restricted to root access. You need to adjust the permissions to allow GenieACS to access them.
Commands:
sudo chmod 710 /etc/ssl/certs/
sudo chmod 710 /etc/ssl/private/
sudo chgrp genieacs /etc/ssl/certs/
sudo chgrp genieacs /etc/ssl/private/
sudo chown genieacs /etc/ssl/certs/server.crt
sudo chown genieacs /etc/ssl/private/server.key
Explanation:
- chmod 710: Changes the directory permissions to rwx--x---, which means the owner can read, write, and execute, while the group can only execute. This is done to allow the genieacs group to access the certificate directories.
- chgrp genieacs: Changes the group ownership of the directories to genieacs.
- chown genieacs: Changes the ownership of the certificate and key files to the genieacs user.
These steps ensure that GenieACS can access the SSL certificate and key without exposing them to unauthorized users. Note that /etc/ssl/certs/ also holds the system's CA certificates, so with mode 710 and group genieacs, other non-root accounts on the server can no longer read that directory.
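Before restarting the service in Step 5, it is worth confirming that the key really belongs to the certificate, that the key file is not readable by group or others, and that the certificate is not about to expire. The following is an added example, not part of the original article; the function names and the 30-day threshold are illustrative choices, and it assumes GNU stat as shipped with Ubuntu.

```shell
#!/bin/sh
# Added example, not from the original article: checks on the files from
# Steps 2-4 before genieacs-ui is restarted. Function names are illustrative.

# key_matches_cert CRT KEY: the certificate's public key must be the key's.
key_matches_cert() {
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

# key_not_exposed KEY: no permission bits for group or others (e.g. 600).
key_not_exposed() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1   # GNU stat (Ubuntu)
    case "$mode" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# cert_valid_for CRT DAYS: certificate does not expire within DAYS days.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# preflight CRT KEY: run every check, report each failure, and return
# non-zero if any check failed.
preflight() {
    rc=0
    key_matches_cert "$1" "$2" || { echo "FAIL: key does not match certificate"; rc=1; }
    key_not_exposed "$2"       || { echo "FAIL: key readable by group/others"; rc=1; }
    cert_valid_for "$1" 30     || { echo "FAIL: certificate expires within 30 days"; rc=1; }
    return "$rc"
}

# Usage: sudo sh preflight.sh /etc/ssl/certs/server.crt /etc/ssl/private/server.key
if [ "$#" -eq 2 ]; then
    preflight "$1" "$2"
fi
```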
Step 5: Restart GenieACS
After configuring the environment variables and setting the correct permissions, you need to restart the GenieACS TR069 service for the changes to take effect.
Command:
sudo systemctl restart genieacs-ui
Explanation:
- systemctl restart genieacs-ui: This command restarts the GenieACS UI service, applying the new configuration.
Restarting the service ensures that GenieACS starts using the self-signed certificate you configured.
Conclusion
By following these steps, you can successfully secure your GenieACS TR069 server using HTTPS with a self-signed certificate. While self-signed certificates are not trusted by default in web browsers and are not suitable for production environments, they are an excellent solution for testing, development, or internal use within a controlled environment.
If you plan to move to production or need a trusted setup, consider using a certificate from a recognized Certificate Authority like Let’s Encrypt, which provides free SSL/TLS certificates for publicly resolvable domain names.