LetsEncrypt & uniGUI
#1 Startek
Posted 14 October 2017 - 12:33 AM

Why is SSL so hard? :(

We have developed an accounts backend web interface with uniGUI and would like to use SSL/HTTPS for public access (the right way to do things). We built this as a standalone EXE running on port 8077.

letsencrypt.org offers free certificates, but I can't get any of the ACME clients to work. The simplest to use is the ZeroSSL web interface (I can generate a CSR and account/email key, but then when I hit "next" it says "failed to retrieve resource directory". WTF). The ZeroSSL downloadable stand-alone executables are hideous command line programs, as are most of the other Windows downloads (ZeroSSL makes this pretty web interface but can't make a nice Windows GUI?).

Has anybody used letsencrypt.org? I realise at some point I will have to copy some files into a directory on my server (the one running on port 80), but I never even seem to get that far. :(

Since I have wasted a day on this so far, I think I'll just have to buy a certificate from GoDaddy, as there is some help here about how to go about this (although it assumes you know what to do with the files).



#2 Delphi Developer
Posted 14 October 2017 - 01:35 AM

Hi,

Which version and build are you using?

http://www.unigui.co...nfiguration.htm

http://www.unigui.co...ates_from_a.htm

\FMSoft\Framework\uniGUI\Demos\Desktop\SSL Demo

Best regards,


#3 Stas

Posted 14 October 2017 - 04:02 AM

nginx reverse proxy + unigui


#4 Startek

Posted 14 October 2017 - 04:17 AM

Thanks for the reply. We're using a fairly recent version, as we only bought it within the last couple of months. Perhaps I will go down the route of generating a self-signed certificate in the first instance. My difficulty at this stage seems mostly to do with actually generating the files I need for a standalone exe running on Windows (lots of the letsencrypt site is geared towards Linux, and many of the Windows tools are geared towards IIS).

Since developers use uniGUI, we are used to building things ourselves, and I was hoping someone here had used the free letsencrypt service.

PS. I'm not getting back to work until later in the week, so I won't reply to any replies for a few days now.



#5 pedrisco

Posted 15 October 2017 - 03:47 AM

Hi, here I go. This is the (hard) way I'm doing it with letsencrypt. I'm getting an "A-" (because of Forward Secrecy), but if you see anything wrong or insecure, please tell me.

REM Environment = Micro$oft Windows 7 64bits + OpenSSL-Win64 1.0.2h.

REM First we make the request and the private and public keys...
openssl req -nodes -newkey rsa:2048 -keyout key.pem -out request.csr -subj "/C=CL/ST=Santiago/L=Santiago/O=My Company Name/CN=mydomain.ddns.net"
openssl genrsa 4096 > account.key
openssl rsa -in account.key -pubout > accountPub.key

REM Here you've got key.pem, which you can put directly in uniServerModule.SSLOptions.KeyFile.
REM Copy and paste the accountPub.key content in step 1 (Account Public Key) and press the button.
REM Copy and paste the request.csr content in step 2 (Certificate Signing Request) and press the button.

REM Copy the text echoed by the 3 lines in step 3 into each KEY variable in the next "set KEY" commands and run them.
set KEY1="blahblahblah....blah"
set KEY2="blehblehbleh....bleh"
set KEY3="blihblihblih........................blih"

set PRIV_KEY=account.key
echo|set /p=%KEY1% | openssl dgst -sha256 -hex -sign %PRIV_KEY% > 1.in
echo|set /p=%KEY2% | openssl dgst -sha256 -hex -sign %PRIV_KEY% > 2.in
echo|set /p=%KEY3% | openssl dgst -sha256 -hex -sign %PRIV_KEY% > 3.in

REM Copy the content of the files 1.in, 2.in and 3.in, paste them into the right input boxes in step 3, and press the button.

REM Copy the text echoed by the line in step 4 into the KEY4 variable in the next "set KEY" command and run it.
set PRIV_KEY=account.key
set KEY4="blohblohbloh....bloh"
echo|set /p=%KEY4% | openssl dgst -sha256 -hex -sign %PRIV_KEY% > 4.in

REM Copy the 4.in content and paste it into the input box in step 4.
REM Go to "Option 2 - file-based".
REM Write the content to the right file, with the right file name, in the right path.
REM Prepare your server to serve the right content, with something like this....
REM procedure TUniServerModule.UniGUIServerModuleHTTPDocument(const Document: string; const InParams: TStrings;
REM   ARequestInfo: TIdHTTPRequestInfo; AResponseInfo: TIdHTTPResponseInfo; var Handled: Boolean);
REM var
REM   fileName: String;
REM begin
REM   fileName := FilesFolderPath + StringReplace(Document, '/', '\', [rfReplaceAll]);
REM   if FileExists(fileName) then begin
REM     AResponseInfo.ContentStream := TFileStream.Create(fileName, fmOpenRead or fmShareDenyNone);
REM     Handled := True;
REM   end;
REM end;

REM Press the button.
REM Copy the "Signed Certificate" text into the file signed.crt, and the "Intermediate Certificate" text into intermediate.crt.
openssl x509 -in signed.crt -out cert.pem -outform PEM
openssl x509 -in intermediate.crt -out root.pem -outform PEM

REM Here you've finally got the fricking cert.pem and root.pem that you can put in uniServerModule.SSLOptions.CertFile and uniServerModule.SSLOptions.RootCertFile.

REM Optionally you can make the dhparam...
openssl dhparam -outform PEM -out dhparam.pem 2048

 

Good Luck


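A stricter version of the challenge handler sketched in pedrisco's post, as an added example (not pedrisco's code and not uniGUI's own): it answers only requests under /.well-known/acme-challenge/, the one path Let's Encrypt's http-01 validation fetches, and checks that the token is plain base64url text before touching the file system, so the handler cannot be used to read other files under FilesFolderPath. It assumes a sub-folder named acme-challenge inside FilesFolderPath (my own naming) and SysUtils, StrUtils and Classes in the unit's uses clause.

```delphi
procedure TUniServerModule.UniGUIServerModuleHTTPDocument(const Document: string;
  const InParams: TStrings; ARequestInfo: TIdHTTPRequestInfo;
  AResponseInfo: TIdHTTPResponseInfo; var Handled: Boolean);
const
  // The only URL prefix Let's Encrypt's http-01 validation ever requests.
  ChallengePrefix = '/.well-known/acme-challenge/';
  // Assumed sub-folder of FilesFolderPath where the challenge files are written.
  ChallengeFolder = 'acme-challenge';
var
  Token, FileName: string;
  I: Integer;
begin
  Handled := False;
  // Leave every other document to uniGUI's normal handling.
  if not StartsText(ChallengePrefix, Document) then
    Exit;
  Token := Copy(Document, Length(ChallengePrefix) + 1, MaxInt);
  // An ACME token is base64url text; anything else ('.', path separators,
  // an empty or oversized token) is refused before a path is built from it.
  if (Token = '') or (Length(Token) > 128) then
    Exit;
  for I := 1 to Length(Token) do
    if not CharInSet(Token[I], ['A'..'Z', 'a'..'z', '0'..'9', '-', '_']) then
      Exit;
  FileName := IncludeTrailingPathDelimiter(FilesFolderPath) +
    ChallengeFolder + PathDelim + Token;
  if not FileExists(FileName) then
    Exit;
  // The key authorization is plain text; Indy frees the stream after sending.
  AResponseInfo.ContentType := 'text/plain';
  AResponseInfo.ContentStream :=
    TFileStream.Create(FileName, fmOpenRead or fmShareDenyNone);
  Handled := True;
end;
```

Once the certificate is issued, the acme-challenge folder can be emptied; the handler returns nothing for tokens that are not on disk.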
#6 pedrisco

Posted 18 October 2017 - 11:50 AM

Hi, look what I've found...

https://github.com/e...iki/Quick-Start

It really works.

So after you get "Status Valid" you can...

Get-ACMECertificate your_cert_alias -ExportKeyPEM "key.pem" -ExportCertificatePEM "cert.pem" -ExportIssuerPEM "root.pem"


#7 Startek

Posted 25 October 2017 - 12:07 AM

Unfortunately it doesn't "really work" for me. After having to change some things in PowerShell, I eventually got to "(7) Request and Retrieve the Certificate". The first step works:

New-ACMECertificate dns1 -Generate -Alias cert1

But the next line:

Submit-ACMECertificate cert1

always generates the same error, regardless of whether I have run PowerShell as Admin or normally, changed all the permissions, and whatever. :(

Submit-ACMECertificate : Access to the path
'C:\Users\[User]\AppData\Local\ACMESharp\userVault\45-KEYPM\[...]-key.pem' is denied.

I can create files fine in that folder, and if I create the file it errs on, then it says "asset file already exists".

I have wasted WAY too much time on this. I will now try the paid GoDaddy route and see if that works...

 

 


#8 jahlxx

Posted 11 November 2017 - 06:00 PM

Hi.

I'm new to this.

I'd like to generate my own certificate, and generate the files cert.pem, key.pem and root.pem needed to access by https instead of http.

Can someone help me? I have openssl on a Debian machine, and generated the files server.crt, server.csr and server.key.

Now I don't know the next steps.

Some help?

Thanks.


#9 jahlxx

Posted 11 November 2017 - 06:47 PM

Forget it!!

Found this: http://www.unigui.co...ned_certifi.htm

And it works perfectly.

Thanks anyway.


#10 jahlxx

Posted 13 November 2017 - 11:14 AM

Does this work in ISAPI?

I'm testing, and it works standalone, but I can't make it work in ISAPI (under Apache).

Any idea?

Thanks.

