
LetsEncrypt & uniGUI


Startek


Why is SSL so hard? :(

 

We have developed an accounts backend web interface with uniGUI and would like to use SSL/HTTPS for public access (the right way to do things). We built this as a standalone EXE running on port 8077.

 

letsencrypt.org offers free certificates, but I can't get any of the ACME clients to work. The simplest to use is the ZeroSSL web interface (I can generate a CSR and account/email key, but then when I hit "next" it says "failed to retrieve resource directory". WTF). The ZeroSSL downloadable stand-alone executables are hideous command-line programs, as are most of the other Windows downloads (ZeroSSL makes this pretty web interface but can't make a nice Windows GUI?).

 

Has anybody used letsencrypt.org? I realise at some point I will have to copy some files into a directory on my server (the one running on port 80) but I never even seem to get that far. :(

 

Since I have wasted a day on this so far I think I'll just have to buy a certificate from godaddy as there is some help here about how to go about this (although it assumes you know what to do with the files).


Thanks for the reply. We're using a fairly recent version as we only bought it within the last couple of months. Perhaps I will go down the route of generating a self-signed certificate in the first instance. My difficulty at this stage seems mostly to do with actually generating the files I need for a standalone exe running on Windows (lots of the letsencrypt site is geared towards Linux and many of the Windows tools are geared towards IIS).

 

Since developers use uniGUI, we are used to building things ourselves, and I was hoping someone here had used the free letsencrypt service.

 

PS. I'm not getting back to work until later in the week so won't reply to any replies for a few days now.


Hi, here I go. This is the (hard) way I'm doing it with letsencrypt. I'm getting an "A-" (because of Forward Secrecy), but if you see anything wrong or insecure please tell me.

 

REM Environment = Micro$oft Windows 7 64-bit + OpenSSL-Win64 1.0.2h.

REM First we make the request and the private and public keys...
openssl req -nodes -newkey rsa:2048 -keyout key.pem -out request.csr -subj "/C=CL/ST=Santiago/L=Santiago/O=My Company Name/CN=mydomain.ddns.net"
openssl genrsa 4096 > account.key
openssl rsa -in account.key -pubout > accountPub.key

REM Here you've got key.pem, which you can put directly in uniServerModule.SSLOptions.KeyFile.
REM Copy and paste the accountPub.key content in step 1 (Account Public Key) and press the button.
REM Copy and paste the request.csr content in step 2 (Certificate Signing Request) and press the button.

REM Copy the text echoed by the 3 lines in step 3 into each KEY variable of the next "set KEY" commands and run them.
set KEY1="blahblahblah....blah"
set KEY2="blehblehbleh....bleh"
set KEY3="blihblihblih........................blih"

set PRIV_KEY=account.key
REM "echo|set /p=" prints the value without a trailing newline, so exactly the text shown in step 3 is what gets signed.
echo|set /p=%KEY1% | openssl dgst -sha256 -hex -sign %PRIV_KEY% > 1.in
echo|set /p=%KEY2% | openssl dgst -sha256 -hex -sign %PRIV_KEY% > 2.in
echo|set /p=%KEY3% | openssl dgst -sha256 -hex -sign %PRIV_KEY% > 3.in

REM Copy the content of the files 1.in, 2.in and 3.in, paste them in the right input text in step 3, and press the button.

REM Copy the text echoed by the line in step 4 into the KEY4 variable of the next "set KEY" command and run it.
set PRIV_KEY=account.key
set KEY4="blohblohbloh....bloh"
echo|set /p=%KEY4% | openssl dgst -sha256 -hex -sign %PRIV_KEY% > 4.in

REM Copy the 4.in content and paste it in the input text in step 4.
REM Go to "Option 2 - file-based".
REM Write the content in the right file, with the right file name, with the right path.
REM Prepare your server for serving the right content, with something like this....
REM procedure TUniServerModule.UniGUIServerModuleHTTPDocument(const Document: string; const InParams: TStrings;
REM      ARequestInfo: TIdHTTPRequestInfo; AResponseInfo: TIdHTTPResponseInfo; var Handled: Boolean);
REM var fileName: String;
REM begin
REM    fileName := FilesFolderPath + StringReplace(Document, '/', '\', [rfReplaceAll]);
REM    if FileExists(fileName) then begin
REM        AResponseInfo.ContentStream := TFileStream.Create(fileName, fmOpenRead or fmShareDenyNone);
REM        Handled := True;
REM    end;
REM end;

REM Press the button.
REM Copy the "Signed Certificate" text into the file signed.crt, and the "Intermediate Certificate" text into intermediate.crt.
openssl x509 -in signed.crt -out cert.pem -outform PEM
openssl x509 -in intermediate.crt -out root.pem -outform PEM

REM Here you've finally got the fricking cert.pem and root.pem that you can put in uniServerModule.SSLOptions.CertFile and uniServerModule.SSLOptions.RootCertFile.

REM Optionally you can make the dhparam...
openssl dhparam -outform PEM -out dhparam.pem 2048

 

Good Luck
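A stricter version of the HTTPDocument handler in the post above, added here as an example (it is not the poster's code and not part of uniGUI). The handler in the post returns any existing file under FilesFolderPath that the client names in the URL, so it doubles as a general file server for as long as it stays compiled in; this one answers only the ACME challenge path and only for well-formed tokens. FilesFolderPath and the UniGUIServerModuleHTTPDocument event are the uniGUI names from the post; ChallengePrefix and IsSafeToken are assumptions of this example.

```delphi
// Needs SysUtils, Classes and IdCustomHTTPServer in the unit's uses clause.

const
  // Let's Encrypt HTTP-01 fetches challenges from this prefix (ZeroSSL's
  // manual upload in the later tutorial uses '/.well-known/pki-validation/').
  ChallengePrefix = '/.well-known/acme-challenge/';

// A challenge token is base64url: letters, digits, '-' and '_'. Everything
// else, including '.', '/' and '\', is rejected, so a request path can never
// climb out of the challenge directory. (Helper assumed by this example.)
function IsSafeToken(const Token: string): Boolean;
var
  C: Char;
begin
  Result := (Token <> '') and (Length(Token) <= 128);
  if Result then
    for C in Token do
      if not CharInSet(C, ['A'..'Z', 'a'..'z', '0'..'9', '-', '_']) then
        Exit(False);
end;

procedure TUniServerModule.UniGUIServerModuleHTTPDocument(const Document: string;
  const InParams: TStrings; ARequestInfo: TIdHTTPRequestInfo;
  AResponseInfo: TIdHTTPResponseInfo; var Handled: Boolean);
var
  Token, FileName: string;
begin
  // Every other URL is left to uniGUI: Handled stays False.
  if not SameText(Copy(Document, 1, Length(ChallengePrefix)), ChallengePrefix) then
    Exit;
  Handled := True;
  Token := Copy(Document, Length(ChallengePrefix) + 1, MaxInt);
  if not IsSafeToken(Token) then
  begin
    AResponseInfo.ResponseNo := 404;   // malformed token: nothing to serve
    Exit;
  end;
  FileName := IncludeTrailingPathDelimiter(FilesFolderPath) + '.well-known' +
    PathDelim + 'acme-challenge' + PathDelim + Token;
  if not FileExists(FileName) then
  begin
    AResponseInfo.ResponseNo := 404;   // unknown token
    Exit;
  end;
  // The validator expects the key authorization as plain text; Indy frees
  // the stream after sending it.
  AResponseInfo.ContentType := 'text/plain';
  AResponseInfo.ContentStream :=
    TFileStream.Create(FileName, fmOpenRead or fmShareDenyNone);
end;
```

The challenge files then live only under FilesFolderPath\.well-known\acme-challenge\, and the handler can be left in place between renewals without exposing anything else in that folder.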


Unfortunately it doesn't "really work" for me. After having to change some things in PowerShell I eventually got to "(7) Request and Retrieve the Certificate". The first step works:

New-ACMECertificate dns1 -Generate -Alias cert1

But the next line:

Submit-ACMECertificate cert1

always generates the same error regardless of whether I have run PowerShell as Admin or normally, changed all the permissions and whatever. :(

Submit-ACMECertificate : Access to the path
'C:\Users\[User]\AppData\Local\ACMESharp\userVault\45-KEYPM\[...]-key.pem' is denied.

I can create files fine in that folder and if I create the file it errs on then it says "asset file already exists".

 

I have wasted WAY too much time on this. I will now try the paid godaddy route and see if that works...

 

 

It really works.

 


Hi.

 

I'm new to this.

 

I'd like to generate my own certificate, and generate the files cert.pem, key.pem and root.pem, needed to access it by https instead of http.

 

 

Can someone help me? I have openssl on a Debian machine, and generated the files server.crt, server.csr and server.key.

 

Now, I don't know next steps.

 

Some help?

 

 

Thanks.


I can use a letsencrypt cert inside the SSL demo, but not in my own program.

 

Event log says:

Service failed on start: EIdOSSLLoadingRootCertError : Could not load root certificate.
error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib : Addr: $0075B315
 
Any idea ?
 
p.s. It's ok when I run server mode, but not when using service mode (even using default root cert).

allenchow - maybe your service doesn't have access rights to the certificate files?

 

PS Since I started this thread I might as well finish it by saying I never got a letsencrypt certificate (unable to generate one) so went and paid godaddy lots of money. :(

 

PPS Why do people keep adding to threads with their own (usually unrelated) problems. If you have an issue start a new thread.


Hello!

I've wasted 2 days to get an SSL certificate from Let's Encrypt to work with UniGui while using a DynDns IP to access my own local server.

Finally it's done. If anyone is interested I could post a little tutorial.

It's especially for those who use dynamic IPs.

Mike


30 minutes ago, likemike said:

Hello!

I've wasted 2 days to get an SSL certificate from Let's Encrypt to work with UniGui while using a DynDns IP to access my own local server.

Finally it's done. If anyone is interested I could post a little tutorial.

It's especially for those who use dynamic IPs.

Mike

That would be great. Will it work with VPN too?

 


OK!

I assume your server is a Windows-based computer (for ex. Windows 10).

This tutorial depends on the free-of-charge SSL certificate from zerossl ( https://app.zerossl.com/dashboard ).

a. Create an account on https://app.zerossl.com/dashboard
b. Certificates->New certificate
c. switch off CSR auto-generation
d. insert your company etc.
e. you have 3 possibilities to verify that you are the owner of the domain
f. (only needed when you use a dynamic IP service like Noip.com or DynDns)
In this case you can only verify your domain with the HTTP-Upload method. Therefore you have to install a webserver on the host computer. So load and install XAMPP (https://www.apachefriends.org/de/index.html) and run it minimally (clear every hook possible).
Then forward port 80 in the router to your host computer's IP. If an error occurs with port 443, set the listen port to “Listen 8078” in the file “c:\xampp\apache\conf\extra\httpd-ssl.conf” (line 36). Start xampp-control.exe and start Apache.
Now copy the file created by ZeroSSL into the directory “c:\xampp\htdocs\.well-known\pki-validation” (the last two directories have to be created first).

g. now perform the validation at zerossl.
h. download the certificate now (Server=Default).
i. unpack the certificate in your HyperServer directory
j. rename private.key to key.pem
   now you have to convert the CRT files to x509 encryption
k. install OpenSSL (https://sourceforge.net/projects/openssl/files/latest/download)
l. start the Win64-OpenSSL Command Prompt
m. from the OpenSSL command line, switch to the HyperServer directory and call:

  • openssl x509 -in certificate.crt -out cert.pem -outform PEM
  • openssl x509 -in ca_bundle.crt -out root.pem -outform PEM

n. then right-click both CRT files and install the certificate (for local computer).
o. because SSL versions lower than TLS1_2 are rejected by modern browsers, it's important to set in UniGui:

  •   SSL.SSLOptions.Method = sslvTLSv1_2
  •   SSL.SSLOptions.SSLVersions = [sslvTLSv1_2]

That's it. I recommend the use of NoIP.COM if you need a dynamic IP service. It's free and easy to install.

I hope this helps a bit to handle the SSL stuff with UniGui.
Regards
Mike

