uniGUI Discussion Forums

LetsEncrypt & uniGUI


Why is SSL so hard? :(


We have developed an accounts backend web interface with uniGUI and would like to use SSL/HTTPS for public access (the right way to do things). We built this as a standalone EXE running on port 8077.


letsencrypt.org offer free certificates but I can't get any of the ACME clients to work. The simplest to use is ZeroSSL web interface (I can generate a CSR and account/email key but then when I hit "next" it says "failed to retrieve resource directory" WTF). The ZeroSSL downloadable stand-alone executables are hideous command line programs, as are most of the other Windows downloads (ZeroSSL make this pretty web interface but can't make a nice Windows GUI?)


Has anybody used letsencrypt.org? I realise at some point I will have to copy some files into a directory on my server (the one running on port 80) but I never even seem to get that far. :(


Since I have wasted a day on this so far I think I'll just have to buy a certificate from godaddy as there is some help here about how to go about this (although it assumes you know what to do with the files).


Thanks for the reply. We're using a fairly recent version as we only bought it within the last couple of months. Perhaps I will go down the route of generating a self-signed certificate in the first instance. My difficulty at this stage seems mostly to do with actually generating the files I need for a standalone exe running on Windows (lots of the letsencrypt site is geared towards linux and many of the Windows tools are geared towards IIS).


Since developers use unigui we are used to building things ourselves and I was hoping someone here had used the free letsencrypt service.


PS. I'm not getting back to work until later in the week so won't reply to any replies for a few days now.


Hi, here I go. This is the (hard) way I'm doing it with letsencrypt; I'm getting an "A-" (because of Forward Secrecy), but if you see anything wrong or insecure please tell me.


REM Environment = Micro$oft Windows 7 64bits + OpenSSL-Win64 1.0.2h.


REM first we make the request, the private and public keys...


openssl req -nodes -newkey rsa:2048 -keyout key.pem -out request.csr -subj "/C=CL/ST=Santiago/L=Santiago/O=My Company Name/CN=mydomain.ddns.net"
openssl genrsa 4096 > account.key
openssl rsa -in account.key -pubout > accountPub.key


REM here you've got key.pem, which you can put directly in uniServerModule.SSLOptions.KeyFile.

REM copy and paste accountPub.key content in step 1 (Account Public Key) and press the button.

REM copy and paste request.csr content in step 2 (Certificate Signing Request) and press the button.


REM copy the text echoed by the 3 lines in step 3 into the KEY variables of the next "set KEY" commands and run them.


set KEY1="blahblahblah....blah"
set KEY2="blehblehbleh....bleh"
set KEY3="blihblihblih........................blih"


set PRIV_KEY=account.key

REM "echo|set /p=" prints the value without a trailing newline; a plain "echo" would
REM append CR+LF and openssl would then sign different bytes than the site expects.
echo|set /p=%KEY1% | openssl dgst -sha256 -hex -sign %PRIV_KEY% > 1.in
echo|set /p=%KEY2% | openssl dgst -sha256 -hex -sign %PRIV_KEY% > 2.in
echo|set /p=%KEY3% | openssl dgst -sha256 -hex -sign %PRIV_KEY% > 3.in


REM copy the content of the files 1.in, 2.in and 3.in, paste them into the right input boxes in step 3, and press the button.


REM copy the text echoed by the line in step 4 into the KEY4 variable of the next "set KEY" command and run it.

set PRIV_KEY=account.key
set KEY4="blohblohbloh....bloh"
echo|set /p=%KEY4% | openssl dgst -sha256 -hex -sign %PRIV_KEY% > 4.in

REM copy the 4.in content and paste in the input text in step 4.

REM go to "Option 2 - file-based".

REM write the content in the right file, with the right file name, with the right path.

REM prepare your server for serving the right content, with something like this....

REM procedure TUniServerModule.UniGUIServerModuleHTTPDocument(const Document: string; const InParams: TStrings;
REM   ARequestInfo: TIdHTTPRequestInfo; AResponseInfo: TIdHTTPResponseInfo; var Handled: Boolean);
REM var
REM   fileName: String;
REM begin
REM   // only answer the ACME challenge path and refuse ".." so the handler cannot be
REM   // used to read other files under FilesFolderPath (e.g. key.pem)
REM   if (Pos('/.well-known/acme-challenge/', Document) = 1) and (Pos('..', Document) = 0) then
REM   begin
REM     fileName := FilesFolderPath + StringReplace(Document, '/', '\', [rfReplaceAll]);
REM     if FileExists(fileName) then
REM     begin
REM       // Indy frees ContentStream after sending it (FreeContentStream defaults to True)
REM       AResponseInfo.ContentStream := TFileStream.Create(fileName, fmOpenRead or fmShareDenyNone);
REM       Handled := True;
REM     end;
REM   end;
REM end;


REM press the button.

REM copy the "Signed Certificate" text into the file signed.crt, and the "Intermediate Certificate" text into intermediate.crt.


openssl x509 -in signed.crt -out cert.pem -outform PEM
openssl x509 -in intermediate.crt -out root.pem -outform PEM

REM here you've finally got the fricking cert.pem and root.pem that you can put in uniServerModule.SSLOptions.CertFile and uniServerModule.SSLOptions.RootCertFile.


REM optionally you can make the dhparam...

openssl dhparam -outform PEM -out dhparam.pem 2048


Good Luck

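The handler in the batch file above serves whatever file a request path maps to under FilesFolderPath. The following is an added example, not the poster's code and not uniGUI's, that shows the same HTTP-01 challenge serving done defensively in Python's standard library: only the `/.well-known/acme-challenge/` prefix is answered, the token is validated as base64url characters before any file system access, and the resolved path is checked to sit directly inside the challenge directory. The folder layout, token, port 8080 and file contents are constructed for the demo.

```python
import os
import re
import tempfile
from http.server import BaseHTTPRequestHandler, HTTPServer

# Only requests under this prefix are answered; anything else gets a 404 here
# (in a real app it would fall through to the application's own routing).
CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
# ACME HTTP-01 tokens are base64url characters, so "..", "/" and "\" are
# rejected before any path is built.
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{1,128}")


def resolve_challenge_file(document: str, files_folder: str):
    """Map a request path to a challenge file under files_folder.

    Returns the absolute file path, or None when the request is not a
    well-formed challenge request. Plays the role of the Document /
    FilesFolderPath pairing in the uniGUI handler, restricted to the
    challenge directory.
    """
    if not document.startswith(CHALLENGE_PREFIX):
        return None
    token = document[len(CHALLENGE_PREFIX):]
    if not TOKEN_RE.fullmatch(token):
        return None
    base = os.path.realpath(os.path.join(files_folder, ".well-known", "acme-challenge"))
    path = os.path.realpath(os.path.join(base, token))
    # Defence in depth: even after the token check, insist that the resolved
    # file lives directly inside the challenge directory.
    if os.path.dirname(path) != base:
        return None
    return path


def read_challenge(document: str, files_folder: str):
    """Return the key-authorization bytes for a challenge request, or None."""
    path = resolve_challenge_file(document, files_folder)
    if path is None or not os.path.isfile(path):
        return None
    with open(path, "rb") as f:
        return f.read()


class ChallengeHandler(BaseHTTPRequestHandler):
    files_folder = "."  # assumption: set to the real folder before serving

    def do_GET(self):
        document = self.path.split("?", 1)[0]  # drop any query string
        body = read_challenge(document, self.files_folder)
        if body is None:
            self.send_error(404)
            return
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def make_demo_folder() -> str:
    """Constructed sample: a temp folder with one challenge file and one
    sensitive file outside the challenge directory that must never be served."""
    folder = tempfile.mkdtemp()
    chal_dir = os.path.join(folder, ".well-known", "acme-challenge")
    os.makedirs(chal_dir)
    with open(os.path.join(chal_dir, "tokenABC_-123"), "wb") as f:
        f.write(b"tokenABC_-123.constructed-key-authorization")
    with open(os.path.join(folder, "key.pem"), "wb") as f:
        f.write(b"PRIVATE KEY MATERIAL (constructed)")
    return folder


if __name__ == "__main__":
    ChallengeHandler.files_folder = make_demo_folder()
    # Port 8080 is an assumption for local testing; the CA connects to port 80.
    HTTPServer(("0.0.0.0", 8080), ChallengeHandler).serve_forever()
```

Run it and request `/.well-known/acme-challenge/tokenABC_-123` to get the file, while `/key.pem` and `/.well-known/acme-challenge/../../key.pem` both return 404. The token regex does the real work; the `realpath` comparison is there so a future change to the regex cannot silently reopen traversal.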
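The three `openssl dgst -sha256 -hex -sign` lines in step 3 (and the one in step 4) sign a piece of text with the account private key. As an added example, not part of the post, this Python script using the `cryptography` package computes the same SHA-256 / RSA PKCS#1 v1.5 signature in hex, verifies it with the matching public key, and shows why the `echo|set /p=` trick matters: signing the text with a trailing CR+LF produces a signature that does not verify over the original text. The key size (2048, for speed) and the payload are constructed for the demo.

```python
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa


def generate_account_key(bits: int = 2048):
    """Equivalent of `openssl genrsa`; 2048 keeps the demo fast (the post uses 4096)."""
    return rsa.generate_private_key(public_exponent=65537, key_size=bits)


def sign_hex(private_key, payload: bytes) -> str:
    """SHA-256 + RSA PKCS#1 v1.5 signature of payload, as lowercase hex.

    This is what `openssl dgst -sha256 -hex -sign account.key` computes over
    its stdin; openssl prints the same hex after a "(stdin)= " prefix.
    """
    return private_key.sign(payload, padding.PKCS1v15(), hashes.SHA256()).hex()


def openssl_style_line(hex_sig: str) -> str:
    """Format the signature the way the openssl command echoes it."""
    return "(stdin)= " + hex_sig


def verify_hex(public_key, payload: bytes, hex_sig: str) -> bool:
    """Check a hex signature against the account public key (accountPub.key)."""
    try:
        public_key.verify(bytes.fromhex(hex_sig), payload,
                          padding.PKCS1v15(), hashes.SHA256())
        return True
    except (InvalidSignature, ValueError):
        return False


def demo() -> dict:
    key = generate_account_key()
    pub = key.public_key()
    payload = b"constructed.step3.payload"  # stands in for the text echoed in step 3
    sig = sign_hex(key, payload)
    return {
        "sig_hex_len": len(sig),            # 2048-bit key -> 256 bytes -> 512 hex chars
        "valid": verify_hex(pub, payload, sig),
        # A plain Windows `echo` appends CR+LF, so the site would verify the
        # signature over bytes that differ from what it asked you to sign.
        "valid_with_newline": verify_hex(pub, payload + b"\r\n", sig),
        "deterministic": sign_hex(key, payload) == sig,  # PKCS#1 v1.5 is deterministic
        "line": openssl_style_line(sig),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "=", v)
```

The account key never leaves the machine; the site only ever receives the hex signature and the public key, which is why the post's step 1 pastes accountPub.key and not account.key.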

Unfortunately it doesn't "really work" for me. After having to change some things in PowerShell I eventually got to "(7) Request and Retrieve the Certificate". The first step works:

New-ACMECertificate dns1 -Generate -Alias cert1

But the next line:

Submit-ACMECertificate cert1

always generates the same error regardless of whether I run PowerShell as Admin or normally, change all the permissions, or whatever. :(

Submit-ACMECertificate : Access to the path
'C:\Users\[User]\AppData\Local\ACMESharp\userVault\45-KEYPM\[...]-key.pem' is denied.

I can create files fine in that folder and if I create the file it errs on then it says "asset file already exists".


I have wasted WAY too much time on this. I will now try the paid godaddy route and see if that works...



It really works.





I'm new to this.


I'd like to generate my own certificate, and generate the files cert.pem, key.pem and root.pem needed to access by https instead of http.



Can someone help me? I have openssl on a debian machine, and generated the files server.crt, server.csr and server.key.


Now I don't know the next steps.


Some help?





Does this work in ISAPI?


I'm testing, and it works standalone, but I can't make it work in ISAPI (under Apache).


Any idea?




I can use the letsencrypt cert inside the SSL demo, but not in my own program.


Event log says:

Service failed on start: EIdOSSLLoadingRootCertError : Could not load root certificate.
error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib : Addr: $0075B315
Any idea?
p.s. It's ok when I run server mode, but not when using service mode (even using default root cert).


Maybe I should restate my problem:


I can run the SSL DEMO in general server mode

I cannot start the SSL DEMO in service mode.


Please help and test. Thanks!


allenchow - maybe your service doesn't have access rights to the certificate files?


PS Since I started this thread I might as well finish it by saying I never got a letsencrypt certificate (unable to generate one) so went and paid godaddy lots of money. :(


PPS Why do people keep adding to threads with their own (usually unrelated) problems. If you have an issue start a new thread.
