Let's Encrypt and WebBroker

Hello, I have a WebBroker application over SSL with this initialization code:

FServer := TIdHTTPWebBrokerBridge.Create(Self);
LIOHandleSSL := TIdServerIOHandlerSSLOpenSSL.Create(FServer);
// PEM files: server certificate, CA chain and the (password-protected) private key
LIOHandleSSL.SSLOptions.CertFile := '..\keystore\certificat.crt';
LIOHandleSSL.SSLOptions.RootCertFile := '..\keystore\rootCA.crt';
LIOHandleSSL.SSLOptions.KeyFile := '..\keystore\private.key';
// Indy calls this handler to obtain the passphrase of the encrypted private key
LIOHandleSSL.OnGetPassword := OnGetSSLPassword;
// attach the TLS handler to the server so connections are actually served over HTTPS
FServer.IOHandler := LIOHandleSSL;

This works well, but with this auto-generated certificate the browser raises a warning.

Is it possible to use Let's Encrypt with a Delphi standalone WebBroker application?

Thanks

Comments

  1. If I understand it correctly, you'll have to implement an ACME client in Delphi, which, as far as I know, is non-existent in the Delphi/Pascal community as of now. https://letsencrypt.org/docs/client-options/

  2. Edwin Yip yes, that's why I ask :)

  3. Hi Paul, it should be no problem to use Let's Encrypt with a standalone WebBroker app. At least it is no problem to do so with a standalone IntraWeb app and I do not really see the difference. The most difficult part is probably the openssl command line you need to get the certificates in the form the IOHandleSSL needs them ... let me check.

  4. Depending on the way the ACME service/client you use gives you the certificates, the following openssl commands should be of help:

    How to combine crts to pkcs12:
    openssl pkcs12 -export -out "certificate_combined.pfx" -inkey "private.key" -in "certificate.crt" -certfile ca_bundle.crt

    How to convert x509 crt to pem:
    openssl x509 -in certificate.crt -out mycert.pem -outform PEM

    How to convert pfx to pem:
    openssl pkcs12 -in certificate_combined.pfx -out client_ssl.pem -clcerts
    openssl pkcs12 -in certificate_combined.pfx -out root.pem -cacerts

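As an added example (not part of this thread or of any commenter's code), the following POSIX shell script plays the conversions above end to end: it builds a throwaway CA and leaf certificate in place of what an ACME client would deliver, combines them into a PKCS#12 bundle, splits the bundle back into the PEM files an Indy IOHandler reads, and then checks the result before deployment: the leaf must chain to the extracted root, and the extracted key must match the certificate's public key. The file names, the password `demo` and the host name `example.test` are constructed for the demo.

```shell
#!/bin/sh
# Added example: generate test material, run the PKCS#12 / PEM round trip from the
# thread, and verify the resulting files before handing them to a TLS server.
set -eu

make_test_material() {
  dir="$1"
  # Constructed stand-in for an ACME-issued bundle: CA cert (ca_bundle.crt),
  # leaf cert (certificate.crt) and the leaf's private key (private.key).
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=Demo Root CA" \
    -keyout "$dir/ca.key" -out "$dir/ca_bundle.crt" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=example.test" \
    -keyout "$dir/private.key" -out "$dir/leaf.csr" >/dev/null 2>&1
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca_bundle.crt" \
    -CAkey "$dir/ca.key" -CAcreateserial -days 1 \
    -out "$dir/certificate.crt" >/dev/null 2>&1
}

convert_and_verify() {
  dir="$1"
  # Step 1: key + leaf + CA into one PKCS#12 bundle (export password "demo").
  openssl pkcs12 -export -out "$dir/certificate_combined.pfx" \
    -inkey "$dir/private.key" -in "$dir/certificate.crt" \
    -certfile "$dir/ca_bundle.crt" -passout pass:demo
  # Step 2: split the bundle into the three PEM files the server needs:
  #   client_ssl.pem -> CertFile, root.pem -> RootCertFile, client_ssl.key -> KeyFile
  openssl pkcs12 -in "$dir/certificate_combined.pfx" -passin pass:demo \
    -clcerts -nokeys -out "$dir/client_ssl.pem"
  openssl pkcs12 -in "$dir/certificate_combined.pfx" -passin pass:demo \
    -cacerts -nokeys -out "$dir/root.pem"
  openssl pkcs12 -in "$dir/certificate_combined.pfx" -passin pass:demo \
    -nocerts -nodes -out "$dir/client_ssl.key"
  # Step 3: pre-deployment checks.
  #  (a) the leaf certificate chains to the extracted root;
  openssl verify -CAfile "$dir/root.pem" "$dir/client_ssl.pem" >/dev/null
  #  (b) the extracted private key belongs to that certificate (same public key).
  cert_pub=$(openssl x509 -in "$dir/client_ssl.pem" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$dir/client_ssl.key" -pubout | openssl sha256)
  [ "$cert_pub" = "$key_pub" ] || { echo "KEY MISMATCH"; return 1; }
  echo OK
}

# Runs the whole round trip in a temporary directory and prints OK on success.
demo() {
  tmp=$(mktemp -d)
  make_test_material "$tmp"
  convert_and_verify "$tmp"
  rm -rf "$tmp"
}
```

Run `demo` to exercise the whole round trip in a temporary directory. The key is exported with `-nodes`, i.e. unencrypted, which is the form that needs no passphrase callback; if you keep the key encrypted instead, the OnGetPassword handler from the original question is what supplies the passphrase to Indy.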
  5. By "auto generated" certificate do you mean "self signed" certificate? If yes, that's how browsers work. They all will generate a warning saying that the certificate is not really valid in a real scenario because it can't be trusted, i.e. its origin is not certain (however all HTTPS functions like encryption will work perfectly fine). Indy HTTPS servers work just fine with Let's Encrypt certificates (both self-signed and the "real" ones). PS: when using the real certificate you will very likely have to copy the root certificate to the same folder where your certificate is.

  6. Are the clients under your control? If so, just install your self-signed CA cert on them, so they can trust it (and trust all certs which are signed by that CA cert).
    Much easier than managing certs which are signed by a globally trusted CA (like Let's Encrypt), unless you have no control over the clients and can't install your root cert (= the CA cert).

  7. If you do not use some sort of publicly accepted SSL provider (of which the CA root cert is accepted by browser vendors) you will always end up with the problem Paul faces (browser warning). Let's Encrypt is the best way to go, especially considering trends favoring short-lived certificates. Paul, go with Let's Encrypt; it should all be no problem. I am happy to help with any specific questions.

  8. Ok, the perfect solution would be a TLetsEncrypt component with a DomainName property and voilà! I'll try to make one :)

    If I understand well, this component will generate a certificate and implement the ACME protocol to deal with Let's Encrypt registration.

  9. Paul TOTH Would LOVE to see such a component, then we'll be able to make a mORMot httpS server, without having to use IIS in the front!

  10. That's Paul :-) The quick (interim) solution would be to get a sslforfree certificate bundle and exploit that with the command lines above. Besides that, you are right, TLetsEncrypt is a great idea, and would need to be exactly what you suggest: an ACME client. You might as well write a Python4Delphi wrapper around https://github.com/diafygi/acme-tiny or so. But I would love to see and use your TLetsEncrypt. I would even buy it with source :-)
