Startek Posted October 14, 2017
Why is SSL so hard. We have developed an accounts backend web interface with uniGUI and would like to use SSL/HTTPS for public access (the right way to do things). We built this as a standalone EXE running on port 8077. letsencrypt.org offer free certificates but I can't get any of the ACME clients to work. The simplest to use is the ZeroSSL web interface (I can generate a CSR and account/email key but then when I hit "next" it says "failed to retrieve resource directory" WTF). The ZeroSSL downloadable stand-alone executables are hideous command line programs, as are most of the other Windows downloads (ZeroSSL make this pretty web interface but can't make a nice Windows GUI?) Has anybody used letsencrypt.org? I realise at some point I will have to copy some files into a directory on my server (the one running on port 80) but I never even seem to get that far. Since I have wasted a day on this so far I think I'll just have to buy a certificate from godaddy as there is some help here about how to go about this (although it assumes you know what to do with the files).
Sherzod Posted October 14, 2017
Hi, which version and build are you using?
http://www.unigui.com/doc/online_help/ssl_configuration.htm
http://www.unigui.com/doc/online_help/obtain_ssl_certificates_from_a.htm
\FMSoft\Framework\uniGUI\Demos\Desktop\SSL Demo
Best regards,
stas Posted October 14, 2017
nginx reverse proxy + unigui
Startek (Author) Posted October 14, 2017
Thanks for the reply. We're using a fairly recent version as we only bought it within the last couple of months. Perhaps I will go down the route of generating a self-signed certificate in the first instance. My difficulty at this stage seems mostly to do with actually generating the files I need for a standalone exe running on Windows (lots of the letsencrypt site is geared towards linux and many of the Windows tools are geared towards IIS). Since developers use unigui we are used to building things ourselves and I was hoping someone here had used the free letsencrypt service. PS. I'm not getting back to work until later in the week so won't reply to any replies for a few days now.
pedrisco Posted October 15, 2017
Hi, here I go. This is the (hard) way I'm doing it with letsencrypt. I'm getting an "A-" (because of Forward Secrecy), but if you see anything wrong or insecure please tell me.

REM Environment = Micro$oft Windows 7 64bits + OpenSSL-Win64 1.0.2h.
REM first we make the request, the private and public keys...
openssl req -nodes -newkey rsa:2048 -keyout key.pem -out request.csr -subj "/C=CL/ST=Santiago/L=Santiago/O=My Company Name/CN=mydomain.ddns.net"
openssl genrsa 4096 > account.key
openssl rsa -in account.key -pubout > accountPub.key
REM here you've got key.pem, which you can put directly in uniServerModule.SSLOptions.KeyFile.
REM copy and paste the accountPub.key content in step 1 (Account Public Key) and press the button.
REM copy and paste the request.csr content in step 2 (Certificate Signing Request) and press the button.
REM copy the text echoed by the 3 lines in step 3 into each KEY variable in the next "set KEY" commands and run it.
set KEY1="blahblahblah....blah"
set KEY2="blehblehbleh....bleh"
set KEY3="blihblihblih........................blih"
set PRIV_KEY=account.key
echo|set /p=%KEY1% | openssl dgst -sha256 -hex -sign %PRIV_KEY% > 1.in
echo|set /p=%KEY2% | openssl dgst -sha256 -hex -sign %PRIV_KEY% > 2.in
echo|set /p=%KEY3% | openssl dgst -sha256 -hex -sign %PRIV_KEY% > 3.in
REM copy the content of the files 1.in, 2.in and 3.in, paste them into the right text input in step 3, and press the button.
REM copy the text echoed by the line in step 4 into the KEY4 variable in the next "set KEY" command and run it.
set PRIV_KEY=account.key
set KEY4="blohblohbloh....bloh"
echo|set /p=%KEY4% | openssl dgst -sha256 -hex -sign %PRIV_KEY% > 4.in
REM copy the 4.in content and paste it into the text input in step 4.
REM go to "Option 2 - file-based".
REM write the content to the right file, with the right file name, at the right path.
REM prepare your server to serve the right content, with something like this....

procedure TUniServerModule.UniGUIServerModuleHTTPDocument(const Document: string; const InParams: TStrings;
  ARequestInfo: TIdHTTPRequestInfo; AResponseInfo: TIdHTTPResponseInfo; var Handled: Boolean);
var
  fileName: String;
begin
  // serves whatever file under FilesFolderPath the request path names
  fileName := FilesFolderPath + StringReplace(Document, '/', '\', [rfReplaceAll]);
  if FileExists(fileName) then
  begin
    AResponseInfo.ContentStream := TFileStream.Create(fileName, fmOpenRead or fmShareDenyNone);
    Handled := True;
  end;
end;

REM press the button.
REM copy the "Signed Certificate" text into the file signed.crt, and the "Intermediate Certificate" text into intermediate.crt.
openssl x509 -in signed.crt -out cert.pem -outform PEM
openssl x509 -in intermediate.crt -out root.pem -outform PEM
REM here you've finally got the fricking cert.pem and root.pem that you can put in uniServerModule.SSLOptions.CertFile and uniServerModule.SSLOptions.RootCertFile.
REM optionally you can make the dhparam...
openssl dhparam -outform PEM -out dhparam.pem 2048

Good Luck
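A tighter version of the HTTPDocument handler shown in the post above, added here as an example; it is neither pedrisco's code nor uniGUI's own. It assumes FilesFolderPath is the folder the validation file was written to, and it answers only the two validation paths used in this thread (Let's Encrypt's /.well-known/acme-challenge/ and ZeroSSL's /.well-known/pki-validation/) with a single whitelisted file name, so the handler cannot be used to fetch key.pem or anything else under that folder.

```delphi
// Needs System.SysUtils (CharInSet, FileExists, TSysCharSet) and System.Classes
// (TFileStream), which a uniGUI server module unit already uses.
procedure TUniServerModule.UniGUIServerModuleHTTPDocument(const Document: string;
  const InParams: TStrings; ARequestInfo: TIdHTTPRequestInfo;
  AResponseInfo: TIdHTTPResponseInfo; var Handled: Boolean);
const
  // Validation locations used in this thread: Let's Encrypt HTTP-01 and ZeroSSL file upload.
  Prefixes: array[0..1] of string =
    ('/.well-known/acme-challenge/', '/.well-known/pki-validation/');
  // Token file names: base64url for ACME, letters/digits plus ".txt" for ZeroSSL.
  TokenChars: TSysCharSet = ['A'..'Z', 'a'..'z', '0'..'9', '-', '_', '.'];
var
  I: Integer;
  Prefix, Token, FileName: string;
begin
  Prefix := '';
  for I := Low(Prefixes) to High(Prefixes) do
    if Pos(Prefixes[I], Document) = 1 then
      Prefix := Prefixes[I];
  if Prefix = '' then
    Exit; // not a validation request: Handled stays False and uniGUI serves it as usual

  Token := Copy(Document, Length(Prefix) + 1, MaxInt);
  // Exactly one plain file name: no separators, no dot segments, nothing outside the whitelist.
  if (Token = '') or (Token[1] = '.') then
    Exit;
  for I := 1 to Length(Token) do
    if not CharInSet(Token[I], TokenChars) then
      Exit;

  // Build the on-disk path from the validated parts, never from the raw request string.
  FileName := IncludeTrailingPathDelimiter(FilesFolderPath) +
    StringReplace(Copy(Prefix, 2, MaxInt), '/', PathDelim, [rfReplaceAll]) + Token;
  if not FileExists(FileName) then
    Exit;

  AResponseInfo.ContentType := 'text/plain';
  AResponseInfo.ContentStream := TFileStream.Create(FileName, fmOpenRead or fmShareDenyNone);
  Handled := True;
end;
```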
pedrisco Posted October 18, 2017
Hi, look what I've found... https://github.com/ebekker/ACMESharp/wiki/Quick-Start It really works. So after you get "Status Valid" you can...
Get-ACMECertificate your_cert_alias -ExportKeyPEM "key.pem" -ExportCertificatePEM "cert.pem" -ExportIssuerPEM "root.pem"
Startek (Author) Posted October 25, 2017
Unfortunately it doesn't "really work" for me. After having to change some things in PowerShell I eventually got to "(7) Request and Retrieve the Certificate". The first step works:
New-ACMECertificate dns1 -Generate -Alias cert1
But the next line:
Submit-ACMECertificate cert1
always generates the same error regardless of whether I have run PowerShell as Admin or normally, changed all the permissions and whatever.
Submit-ACMECertificate : Access to the path 'C:\Users\[User]\AppData\Local\ACMESharp\userVault\45-KEYPM\[...]-key.pem' is denied.
I can create files fine in that folder and if I create the file it errs on then it says "asset file already exists". I have wasted WAY too much time on this. I will now try the paid godaddy route and see if that works...
jahlxx Posted November 11, 2017
Hi. I'm new with this. I'd like to generate my own certificate, and generate the files cert.pem, key.pem and root.pem needed to access by https instead of http. Can someone help me? I have openssl on a debian machine, and generated the files server.crt, server.csr and server.key. Now I don't know the next steps. Some help? Thanks.
jahlxx Posted November 11, 2017
Forget it !! Found this: http://www.unigui.com/doc/online_help/generate_a_self-signed_certifi.htm And it works perfectly. Thanks anyway.
jahlxx Posted November 13, 2017
Does this work in ISAPI? I'm testing, and it works with standalone, but I can't make it work in ISAPI (under apache). Any idea? Thanks.
allenchow Posted December 8, 2017
I can use the letsencrypt cert inside the SSL demo, but not in my own program. The event log says:
Service failed on start: EIdOSSLLoadingRootCertError : Could not load root certificate. error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib : Addr: $0075B315
Any idea? p.s. It's ok when I run in server mode, but not when using service mode (even using the default root cert).
allenchow Posted December 8, 2017
When in 32bit service mode, it does not work even using the demo SSL.
allenchow Posted December 8, 2017
Any help?
allenchow Posted December 11, 2017
Is it only me with this problem?
allenchow Posted December 12, 2017
Maybe I should restate my problem: I can run the SSL DEMO in general server mode. I cannot start the SSL DEMO in service mode. Please help and test. Thanks!
Startek (Author) Posted December 12, 2017
allenchow - maybe your service doesn't have access rights to the certificate files? PS Since I started this thread I might as well finish it by saying I never got a letsencrypt certificate (unable to generate one) so went and paid godaddy lots of money. PPS Why do people keep adding to threads with their own (usually unrelated) problems? If you have an issue start a new thread.
likemike Posted March 9, 2021
Hello! I've wasted 2 days to get an SSL certificate from Let's Encrypt to work with UniGui while using a DynDns IP to access my own local server. Finally it's done. If anyone is interested I could post a little tutorial. It's especially for those who use dynamic IPs. Mike
epos4u Posted March 9, 2021
30 minutes ago, likemike said: "Hello! I've wasted 2 days to get an SSL certificate from Let's Encrypt to work with UniGui while using a DynDns IP to access my own local server. Finally it's done. If anyone is interested I could post a little tutorial. It's especially for those who use dynamic IPs. Mike"
That would be great. Will it work with VPN too?
david_navigator Posted March 9, 2021
Here's my tutorial which I send to customers - don't know if it's any help to you? https://navigator.zendesk.com/hc/en-us/articles/360018956973-Purchasing-an-SSL-certificate-to-use-with-the-HireTrack-NX-Integration-Service
likemike Posted March 9, 2021
OK! I assume your server is a Windows based computer (for ex. Windows 10). This tutorial depends on the free of charge SSL certificate from zerossl ( https://app.zerossl.com/dashboard ).
a. Create an account on https://app.zerossl.com/dashboard
b. Certificates -> New certificate
c. switch off CSR autogeneration
d. insert your company etc.
e. you have 3 possibilities to verify that you are the owner of the domain
f. (only needed when you use a dynamic IP service like Noip.com or DynDns) In this case you can only verify your domain with the HTTP-Upload method. Therefore you have to install a webserver on the host computer. So download and install XAMPP (https://www.apachefriends.org/de/index.html) and run it minimally (clear every checkbox possible). Then forward port 80 in the router to your host computer IP. If an error occurs with port 443, set the listen port to "Listen 8078" in the file "c:\xampp\apache\conf\extra\httpd-ssl.conf" (line 36). Start xampp-control.exe and start Apache. Now copy the file created by ZeroSSL into the directory "c:\xampp\htdocs\.well-known\pki-validation" (the last two directories have to be created first)
g. now perform the validation at zerossl.
h. download the certificate now (Server=Default).
i. unpack the certificate in your HyperServer directory
j. rename private.key to key.pem
now you have to convert the CRT files to x509 encryption
k. install OpenSSL (https://sourceforge.net/projects/openssl/files/latest/download)
l. start the Win64 OpenSSL Command Prompt
m. from the OpenSSL command line, switch to the hyperserver directory and call:
openssl x509 -in certificate.crt -out cert.pem -outform PEM
openssl x509 -in ca_bundle.crt -out root.pem -outform PEM
n. then right-click on both CRT files and install the certificate (for local computer).
o. because SSL versions lower than TLS1_2 are rejected by modern browsers it's important to set in UniGui:
SSL.SSLOptions.Method = sslvTLSv1_2
SSL.SSLOptions.SSLVersions = [sslvTLSv1_2]
That's it. I recommend the use of NoIP.COM if you need a dynamic IP service. It's free and easy to install. I hope this helps a bit to handle the SSL stuff with UniGui. Regards Mike
x11 Posted March 10, 2021
On 11/11/2017 at 8:47 PM, jahlxx said: "Found this: http://www.unigui.com/doc/online_help/generate_a_self-signed_certifi.htm And it works perfectly."
not for Google Chrome
likemike Posted March 10, 2021
5 hours ago, x11 said: "not for Google Chrome"
...and self-signed certificates are useless on the internet (only suitable for use in an intranet).