Hello all,
yesterday I tinkered my first https-webserver and I want to share the experiences I made on that journey.
It started with a regular sever. I added all the usual controls, like Logging, Performance and that new one to fetch the certificate.
When I pressed that "Certificates"-button to fetch the certificates (Testing was on!) I got some responses, like the textfiles a/b/c.txt could not be created. They have something to do with the generating of the keys. Big mystery, but once you get it going, you do not have to care. Those a.txt, b.txt. c.txt contain the random generated values, on which base the encryption of the certificates are made.
During compile the IDE told me, that OpenSSL.EXE has not been found in the path, therefore it did not get copied. So I thought, this program is needed.
Based on my experience on making a self-signed web-certificate before with Nettalk 9, I searched for the most recent version of OpenSSL.EXE on my LAN and found one in an Apache. The most recent version, because the output of old versions of OpenSSL.EXE provided by SC and Capesoft are utilizing deprecated protocolls, like SSL.
Copied that one I found to my folder where the new server resides, but when I tried to fetch the certificates, OpenSSL.EXE issued an error-mesage, saying that VCruntime140.DLL was missing.
So I tried an older one. I picked the one I found in drive:\\Clarion10\accessory\bin, which was from 09. July 2015.
However, from issuing my own certificates in the past, I knew this will probably not work.
Pressed that "Certificates"-button again, now I got the message(s) that LIBEA32.DLL and SSLeay32.DLL are missing.
So I copied them, and <bam> the certificates all got created!
H_o_w_ever, when trying to reach my new certified server, FireFox tells me: SSL_ERROR_NO_CYPHER_OVERLAP.
Edge returns DLG_FLAGS_INVALID_CA, later also DLG_FLAGS_SEC_CERT_CN_INVALID.
Here happened what I mentioned before, that this OpenSSL.EXE creates either SSL or TLS 1.1 or whatever these old standardws were called. That was the reason why I tried a recent version. Tried that recent version with the date of 28.03.2018 again (which is not necessarily the compile date, more the date when I unzipped this Apache 2).
Okay, searching, wheteher I have this VCruntime140.DLL somewhere on my disk. And indeed, there was one. Its codesigned by Microsoft, so I thought its okay.
Now I re-fetched the certificates, ...... and I saw the communication between my server and the certificate issuer flowing in! Called the site with FF and <tataaa> got SEC_ERROR_UNKNOWN_ISSUER - because this is a testing-certificate. Right? Very probably, because the cert page info says "Validated by: CN=Fake LE Intermediate X1".
But it worked!
Details: Connection encrypted (TLS_ECDHE_RSA_WITH_AES_128_CGM_SHA256, 128-Bit-Key, TLS 1.2)
Well, the responses are in german, its all translated by me.
But, with jumping through some loops, it finally runs.....
Conclusion: We have to find a way to provide compatibility of the tools, so that not everyone has to repeat this frustrating process of try-and-error to find the correct tool du jour. Perhaps at least a list with the correct names and dates of the missing EXE/DLLs.
For now I keep this test-certificate, while continuing work on this server on my decvelopment machine, before I move it to the projected destination.
Thanks for reading and have a good start into the week
Wolfgang
Topic: My experience with "Let's Encrypt" (Read 4040 times)