Automatic Certificate
Bror-Erik Kotiranta
11-26-21
Operating system: macOS
From 8.5 2021 11 02

Overview

Auto certificate automatically fetches a valid SSL certificate from letsencrypt.org for a HW server and installs it as the current certificate for HTTPS. It only fetches a certificate when one is needed.

If a manual certificate is installed (TC>>Program Mode>>Web>>Certificate and Private Key), it is checked for validity. If it is valid, nothing is done; if it is invalid, an automatic certificate is fetched.

If a manual certificate is installed, the server validates it on startup and uses it if it is valid. If it is invalid, the server looks for a valid auto certificate. If there is none, or the auto certificate is also invalid, it falls back to the invalid (e.g. expired or self-signed) manual certificate if one is present.


Requirements

- The server must be reachable on the internet.
- The server must run HTTP (not HTTPS) on port 80.
    - Check in the server log that you are running on the correct ports.
- There must be a domain name connected to the IP address.
    - Use parameters.txt if you are unsure:
        --Public-hostname=[dns-here]
- The server must know about this domain name: "Public Host Name" in CC/mystandard.
- To actually use the certificate, the server must use HTTPS and have an HTTPS port configured:
    - TC>>Program mode>>web>>Tick "use https"
    - Set the HTTPS port there, or use the httpsport=xxxx parameter.

To test the requirements (other than the server knowing the public host name):

    - You must be able to navigate to http://my.test.domain.com and get some response from the HW server. "File not found" is sufficient.

    - To test a current (invalid) certificate, navigate to https://my.test.domain.com and note the SSL warning. (The server must be configured for port 443 to perform this test.)


How to use this feature:

TC>>Program Mode>>Operations>>Fetch Certificate


This check will be automated to run daily.


Debug

Debug options are found in:

TC>>Program Mode>>Web>>Auto certificate
Disable - does nothing and disables the automatic job
Debug - web API calls to ACME will pop up on screen
Test/Staging - use the Test/Staging server of letsencrypt.org, so you can perform unlimited tries; otherwise the live server is used, which is rate-limited. Test/Staging certificates are not considered valid, so a new one will always be fetched, and they will not actually be loaded.

Where certificates are stored (records):

TC>>Settings>>ACME Workspaces (test)

A new record is created for each request. The files of interest for debugging are in the attachments.

On the server:

You'll see a cert and privkey added to the root of the server.

After that you can go to https://yourServer and see that it is using HTTPS and is encrypted (the lock icon to the left of your DNS name).

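As an added example (not HansaWorld code and not from this post), here is the startup selection policy from the Overview together with the port 80 / port 443 checks from the requirements list, using only Python's standard library. The "manual"/"auto" labels and the getpeercert()-style certificate dicts are assumptions of the example.

```python
# Added example, not HansaWorld code: "manual"/"auto" labels and the dict shape are assumptions.
import http.client
import socket
import ssl
import time

def cert_is_valid(cert, now=None):
    """getpeercert()-style dict: present, not self-signed, inside its validity window."""
    if not cert:
        return False
    now = time.time() if now is None else now
    if cert.get("issuer") == cert.get("subject"):  # self-signed: browsers warn
        return False
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return not_before <= now <= not_after

def select_certificate(manual, auto, now=None):
    """Startup order from the overview: valid manual, else valid auto,
    else an invalid manual cert if one is present, else nothing."""
    if cert_is_valid(manual, now):
        return "manual"
    if cert_is_valid(auto, now):
        return "auto"
    return "manual" if manual else None

def needs_fetch(manual, auto, now=None):
    """The daily job only contacts letsencrypt.org when no stored cert is valid."""
    return not (cert_is_valid(manual, now) or cert_is_valid(auto, now))

def check_requirements(host, timeout=5.0):
    """Plain HTTP must answer on port 80 (a 404 is fine); report what TLS on 443
    presents (valid, invalid such as expired/self-signed, or unreachable)."""
    out = {}
    try:
        conn = http.client.HTTPConnection(host, 80, timeout=timeout)
        conn.request("GET", "/")
        out["http80"] = conn.getresponse().status
    except OSError as exc:  # includes DNS failure (socket.gaierror)
        out["http80"] = f"unreachable ({exc})"
    try:
        with socket.create_connection((host, 443), timeout=timeout) as raw:
            with ssl.create_default_context().wrap_socket(raw, server_hostname=host):
                out["https443"] = "valid certificate"
    except ssl.SSLCertVerificationError as exc:  # the browser's "SSL warning"
        out["https443"] = f"invalid certificate ({exc.verify_message})"
    except OSError as exc:
        out["https443"] = f"unreachable ({exc})"
    return out
```

Run check_requirements("my.test.domain.com") from a machine outside your network to confirm the port 80 and port 443 requirements before triggering Fetch Certificate.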

Neil
8-3-22
Is this feature ready for production? I was only able to get it to work by uncommenting the check for http-01 in ACMEGetAuthTokens.

Thanks,
Neil.
Bror-Erik Kotiranta
8-4-22
Hi,

yes it is - if you find problems please report bugs as per routine :)