Letsencrypt: restart service using systemd

If, for some reason, certbot's --renew-hook argument is not an option, you can use systemd to automatically restart any service whenever a certificate is renewed.

You need two files:


Description=Certbot service restarter

ExecStartPre=/bin/sleep 10
ExecStart=/usr/bin/systemctl restart %i.service



# Add one entry here for every certificate that should be monitored


After changing these files, execute systemctl daemon-reload to notify systemd of the changes. Now you can start a "restart trigger" for each service you want to:

$ sudo systemctl start certbot-watch@postfix.path
$ sudo systemctl start certbot-watch@dovecot.path

The "sleep 10" argument in ExecStartPre ensures that the restart is triggered only once even if multiple files where changed.

Use ETS Inside with a regular browser

ETS is a vendor independent software to configure KNX installations. However, it targets professional electricians and is quite expensive for a home user with 1000 EUR (without VAT).

Since 2017 the people of knx.org developed a new software called ETS Inside that only costs 160 EUR and targets private users. It has less features, but should be sufficient for most family house installations.

The software runs on a Windows 10 system with IIS, and is accessed with a special app that's also called ETS Inside (Windows, iOS, Android).

Unfortunately, the client cannot be accessed with a regular web browser:

"it is not possible to access an ETS Inside server using an internet browser (e.g Firefox, Chrome, Internet Explorer, Edge, etc.). In order to protect the project data, the web service communication between the client and the server needs to be encrypted and this is only done when using the ETS Inside clients mentioned above."

This means that the body of every POST request to the web service and the response is encrypted. When analysing the traffic with a network monitor you'll notice that ETS Inside seems to use a symetric encryption with a static key, because the encrypted content will be the same for each identical request. This means the key must be somewhere in the client apps and it should be possible to extract it¹.

However, this is not neccessary, because we can just disable the encryption! Go to the installation directory of the ETS Inside Server, which should be "C:\Progam Files\ETS Inside\Server", and open the file "Web.config" with a text editor. Look for the line that defines the EncryptionModul:

       <add name="EncryptionModule" type="Knx.Ets.Osprey.Iis.EncryptionModule, Knx.Ets.Osprey.Iis" />

and replace it with the following line:

       <add name="EncryptionModule" type="Knx.Ets.Osprey.Iis.AspConcurrencyModule, Knx.Ets.Osprey.Iis" />

AspConcurrencyModule does nothing relevant to the transmission, so it's basically a transparent no-op and eventually disabled the encryption. You can now open the client in a regular browser using the system's IP and Port 8081, for example I've tested it with Vivaldi, Chrome, Firefox and Edge, and it worked in every browser.

The downsite is that the dedicated app cannot be used anymore because it expects encrypted contents. But if you really require this to work in both, App and Browser, just download this file and save it as "Default.htm" into "C:\Progam Files\ETS Inside\Client". This file is preferred by IIS over "index.html" and will remove the cipher key that has been initialized by the App before loading the real "index.html". Additionally, this adds a nice progress bar while waiting for the libraries to be loaded.

¹) Of course this means that the traffic between client and server isn't really secured. HTTPS would have been a better choice, also this is hard to implement [de] for a non-public domain in a private network.