INTRAWEB ACME
#11
Hi, here are a few tips that might help.

You need to have a domain name and a Let's Encrypt account to get a certificate.

The certificate manager is working well now and there is good documentation (Intraweb Certificate Manager.pdf).
In the Let's Encrypt URL edit you have to specify the staging environment for testing or the V2-Environment to get a real certificate.
The directory ..\YourApplication.exe\acme-challenge\ has to be located below your application, NOT in root or below!!!

You don't need to have your own ACME content handler, the internal IW content handler is working well.

Enable ACME in the server controller:
TIWServerController::SC_Config() : this->SSLOptions->EnableACME = true;

ACME uses HTTP port 80, therefore you need to set
In TIWServerController::SC_Config() : this->SSLOptions->NonSSLRequest = TIWNonSSLRequest::nsAccept;

You can use an Indy server or HTTPS server without variable reservation.

Your antivirus software could block your firewall while you are testing ACME

Good luck
#12
(02-23-2024, 08:41 PM)JuergenS Wrote: Hi, here are a few tips that might help.

You need to have a domain name and a Let's Encrypt account to get a certificate.

The certificate manager is working well now and there is good documentation (Intraweb Certificate Manager.pdf).
In the Let's Encrypt URL edit you have to specify the staging environment for testing or the V2-Environment to get a real certificate.
The directory ..\YourApplication.exe\acme-challenge\ has to be located below your application, NOT in root or below!!!

You don't need to have your own ACME content handler, the internal IW content handler is working well.

Enable ACME in the server controller:
TIWServerController::SC_Config() : this->SSLOptions->EnableACME = true;

ACME uses HTTP port 80, therefore you need to set
In TIWServerController::SC_Config() : this->SSLOptions->NonSSLRequest = TIWNonSSLRequest::nsAccept;

You can use an Indy server or HTTPS server without variable reservation.

Your antivirus software could block your firewall while you are testing ACME

Good luck
So, what I did:
1. Created a Let's Encrypt account using Certbot with command line: certbot register
2. I have my Intraweb application running on port 80
3. SSLOptions.EnableACME := true;
4. SSLOptions.NonSSLRequest := nsAccept;
5. In iwCertificateManager, I set Let's Encrypt URL to: https://acme-v02.api.letsencrypt.org/acme
6. My Intraweb application executable is inside folder C:\MyCompany\MyApplication
7. Created acme folder like this:
   C:\MyCompany\.well-known\acme-challenge (the name is this or without the dot before well-known?)
   Is it here or inside C:\MyCompany\MyApplication ?
8. I'm using an http.sys server

Whenever I hit the execute button of iwCertificateManager, I always get the error message: "Error executing requesting LE certificate: TIWLetsEncrypt.New_Order: Could not finalize certificate challenge within specified timeout."

My server is a Windows server and it is not a registered web server, it is my company server (connected to the internet, of course). So, my domain is not registered on the web.
I deactivated Antivirus and firewall.

What am I missing?
#13
Assuming your domain name is YourCompany.com, ACME will address your server at the following address:

http://YourCompany.com:80/.well-known/acme-challenge

But you don't have to set up the ./root/.well-known/acme-challenge directory!

Instead, you should set up the following directory:

C:\MyCompany\MyApplication.exe\acme-challenge

This directory must then also be specified in the Certificate Manager (Challenge Directory).

Intraweb probably has a handler installed for the original directory:

e.g: THandlers::Add(L"/.well-known/acme-challenge/", L"", new TIWClass_Acme());

If your company server has an Internet connection, then it should already have a domain name and a certificate and can be reached under
https://YourCompany.com
#14
(02-26-2024, 05:56 PM)Comograma Wrote:
(02-23-2024, 08:41 PM)JuergenS Wrote: Hi, here are a few tips that might help.

You need to have a domain name and a Let's Encrypt account to get a certificate.

The certificate manager is working well now and there is good documentation (Intraweb Certificate Manager.pdf).
In the Let's Encrypt URL edit you have to specify the staging environment for testing or the V2-Environment to get a real certificate.
The directory ..\YourApplication.exe\acme-challenge\ has to be located below your application, NOT in root or below!!!

You don't need to have your own ACME content handler, the internal IW content handler is working well.

Enable ACME in the server controller:
TIWServerController::SC_Config() : this->SSLOptions->EnableACME = true;

ACME uses HTTP port 80, therefore you need to set
In TIWServerController::SC_Config() : this->SSLOptions->NonSSLRequest = TIWNonSSLRequest::nsAccept;

You can use an Indy server or HTTPS server without variable reservation.

Your antivirus software could block your firewall while you are testing ACME

Good luck
So, what I did:
1. Created a Let's Encrypt account using Certbot with command line: certbot register
2. I have my Intraweb application running on port 80
3. SSLOptions.EnableACME := true;
4. SSLOptions.NonSSLRequest := nsAccept;
5. In iwCertificateManager, I set Let's Encrypt URL to: https://acme-v02.api.letsencrypt.org/acme
6. My Intraweb application executable is inside folder C:\MyCompany\MyApplication
7. Created acme folder like this:
   C:\MyCompany\.well-known\acme-challenge (the name is this or without the dot before well-known?)
   Is it here or inside C:\MyCompany\MyApplication ?
8. I'm using an http.sys server

Whenever I hit the execute button of iwCertificateManager, I always get the error message: "Error executing requesting LE certificate: TIWLetsEncrypt.New_Order: Could not finalize certificate challenge within specified timeout."

My server is a Windows server and it is not a registered web server, it is my company server (connected to the internet, of course). So, my domain is not registered on the web.
I deactivated Antivirus and firewall.

What am I missing?

If you have an Indy or Http.sys server inside folder C:\MyApplication, the challenge directory should be:

C:\MyApplication\acme-challenge\

That's all you need. Drop the .well-known part.

Also, the IW certificate manager has a test button. Use it to verify if your server is responding correctly. If the IWCertManager can't access it correctly, likely Let's Encrypt servers can't do it either.

#15
(02-26-2024, 06:53 PM)JuergenS Wrote: Assuming your domain name is YourCompany.com, ACME will address your server at the following address:

http://YourCompany.com:80/.well-known/acme-challenge

But you don't have to set up the ./root/.well-known/acme-challenge directory!

Instead, you should set up the following directory:

C:\MyCompany\MyApplication.exe\acme-challenge

This directory must then also be specified in the Certificate Manager (Challenge Directory).

Intraweb probably has a handler installed for the original directory:

e.g: THandlers::Add(L"/.well-known/acme-challenge/", L"", new TIWClass_Acme());

If your company server has an Internet connection, then it should already have a domain name and a certificate and can be reached under
https://YourCompany.com
My company server is connected to the internet, but as I said, it is not a Web Server, its domain is not registered on the Web.
My intraweb app must be running on port 80, right?
My domain name is 'cpi.local' (I'm using local Active Directory domain). I created a Split DNS so that I can have a valid public suffix (TLD).
So, actually my subdomain is 'app.cpi.pt'.
Still getting the same timeout error.
I attached the servercontroller file for you to see if something is missing, please!!

(02-27-2024, 06:33 AM)Alexandre Machado Wrote: If you have an Indy or Http.sys server inside folder C:\MyApplication, the challenge directory should be:

C:\MyApplication\acme-challenge\

That's all you need. Drop the .well-known part.

Also, the IW certificate manager has a test button. Use it to verify if your server is responding correctly. If the IWCertManager can't access it correctly, likely Let's Encrypt servers can't do it either.

Ok, acme-challenge folder was created like you said.
My Intraweb app is running on port 80.
My Intraweb app is an Http.sys server. All done, like you said, in IWCertManager. When I hit the test button it gives "Domain test succeeded".
As I said to JuergenS, my Windows Server domain name is 'cpi.local' (I'm using local Active Directory domain). I created a Split DNS so that I can have a valid public suffix (TLD).
So, actually my subdomain is 'app.cpi.pt'.
I did deactivate the server antivirus program, added rules to the server firewall to accept incoming calls to port 80 and also tried to disable the router firewall, but I am still getting the timeout error.
What can possibly be blocking the Let's Encrypt site from connecting to my Windows Server?
Please advise!!
I attached the servercontroller file for you to see if something is missing, please!!


Attached Files: ServerController.zip (4.43 KB)
#16
The test is actually simple:

Can you connect to your application from an external address when it is online? Using HTTP?

You can check the name of the challenge file that IWCertManager saves into the C:\MyApplication\acme-challenge\ folder and try to retrieve it from your browser.

Let's say the file is named 123456789

Then you can try it as:

"http://yourdomain.com/.well-known/acme-challenge/123456789"

If you can't retrieve the file, Let's Encrypt can't either.

But it is important to use a machine that is outside your domain/network.
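The reachability test described in #16, together with the URL-to-folder mapping from #13, as an added example that is not code from this thread or from IntraWeb: a small Python stand-in handler maps /.well-known/acme-challenge/ onto a local folder the way the built-in IW handler is described to, and check_challenge fetches the token over HTTP and compares it byte for byte with the file in the local acme-challenge folder; the token value, the folder and the loopback server are constructed for the demo.

```python
import http.server
import os, pathlib, tempfile, threading
import urllib.error, urllib.request

ACME_PATH = "/.well-known/acme-challenge/"  # path the CA fetches (RFC 8555, section 8.3)

class AcmeHandler(http.server.BaseHTTPRequestHandler):
    challenge_dir = ""  # stand-in for the built-in IW handler: maps ACME_PATH onto this folder
    def do_GET(self):
        # basename() keeps only the last URL segment, so '..' cannot escape challenge_dir
        local = os.path.join(self.challenge_dir, os.path.basename(self.path))
        if not self.path.startswith(ACME_PATH) or not os.path.isfile(local):
            self.send_error(404)
            return
        body = pathlib.Path(local).read_bytes()
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass

def check_challenge(base_url, challenge_dir, token, timeout=10.0):
    """(ok, reason): does the URL serve exactly the token file IWCertManager wrote locally?"""
    local = os.path.join(challenge_dir, token)
    if not os.path.isfile(local):
        return False, "no local challenge file"
    try:
        with urllib.request.urlopen(base_url.rstrip("/") + ACME_PATH + token, timeout=timeout) as r:
            served = r.read()
    except (urllib.error.URLError, OSError):
        return False, "not reachable over HTTP"
    if served != pathlib.Path(local).read_bytes():
        return False, "content mismatch"
    return True, "ok"

def demo():
    """Constructed local run: serve a temp acme-challenge folder, check it, then check it once it is down."""
    with tempfile.TemporaryDirectory() as d:
        pathlib.Path(d, "123456789").write_text("123456789.constructed-key-authorization")
        AcmeHandler.challenge_dir = d
        srv = http.server.HTTPServer(("127.0.0.1", 0), AcmeHandler)
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        base = "http://127.0.0.1:%d" % srv.server_address[1]
        good = check_challenge(base, d, "123456789")
        srv.shutdown()
        srv.server_close()
        down = check_challenge(base, d, "123456789")  # same URL once the server is gone
        return good, down
```

For a meaningful result, run check_challenge from a machine outside your own network against the real domain, as the post says; a loopback success only proves the handler mapping, not public reachability.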
#17
Well, I still think you are not understanding me, my simple problem, I think.
My Windows Server machine is not connected to the Web, e.g. the domain is not registered, so I can't connect to my application from an external address using HTTP, that's the problem.
SSL certificates aren't intended to be used only on a machine that is connected to the internet. I want that on my company network, or my clients' networks, when someone connects to an Intraweb application, it won't receive the untrusted message that the browsers will show. Simple as that.
Is this possible?